PERSONAL DATA PROTECTION
Division 1 - Personal Data Protection Principles
5 Personal Data Protection Principles
(1) The processing of personal data by a data user shall be in compliance with the following Personal Data Protection Principles, namely-
(a) the General Principle;
(b) the Notice and Choice Principle;
(c) the Disclosure Principle;
(d) the Security Principle;
(e) the Retention Principle;
(f) the Data Integrity Principle; and
(g) the Access Principle,
as set out in sections 6, 7, 8, 9, 10, 11 and 12.
(2) Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.
6 General Principle
(1) A data user shall not-
(a) in the case of personal data other than sensitive personal data, process personal data about a data subject unless the data subject has given his consent to the processing of the personal data; or
(b) in the case of sensitive personal data, process sensitive personal data about a data subject except in accordance with the provisions of section 40.
(2) Notwithstanding paragraph (1)(a), a data user may process personal data about a data subject if the processing is necessary-
(a) for the performance of a contract to which the data subject is a party;
(b) for the taking of steps at the request of the data subject with a view to entering into a contract;
(c) for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
(d) in order to protect the vital interests of the data subject;
(e) for the administration of justice; or
(f) for the exercise of any functions conferred on any person by or under any law.
(3) Personal data shall not be processed unless-
(a) the personal data is processed for a lawful purpose directly related to an activity of the data user;
(b) the processing of the personal data is necessary for or directly related to that purpose; and
(c) the personal data is adequate but not excessive in relation to that purpose.
7 Notice and Choice Principle
(1) A data user shall by written notice inform a data subject-
(a) that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;
(b) the purposes for which the personal data is being or is to be collected and further processed;
(c) of any information available to the data user as to the source of that personal data;
(d) of the data subject's right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data;
(e) of the class of third parties to whom the data user discloses or may disclose the personal data;
(f) of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
(g) whether it is obligatory or voluntary for the data subject to supply the personal data; and
(h) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.
(2) The notice under subsection (1) shall be given as soon as practicable by the data user-
(a) when the data subject is first asked by the data user to provide his personal data;
(b) when the data user first collects the personal data of the data subject; or
(c) in any other case, before the data user-
(i) uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or
(ii) discloses the personal data to a third party.
(3) A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.
8 Disclosure Principle
Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed-
(a) for any purpose other than-
(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or
(ii) a purpose directly related to the purpose referred to in subparagraph (i); or
(b) to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e).
9 Security Principle
(1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard-
(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(b) to the place or location where the personal data is stored;
(c) to any security measures incorporated into any equipment in which the personal data is stored;
(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(e) to the measures taken for ensuring the secure transfer of the personal data.
(2) Where processing of personal data is carried out by a data processor on behalf of the data user, the data user shall, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction, ensure that the data processor-
(a) provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
(b) takes reasonable steps to ensure compliance with those measures.
10 Retention Principle
(1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
11 Data Integrity Principle
A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
12 Access Principle
A data subject shall be given access to his personal data held by a data user and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under this Act.
Division 2 - Registration
13 Application of this Division
(1) This Division shall apply to a data user who belongs to a class of data users as specified in the order made under subsection 14(1).
(2) A data user who belongs to a class of data users not specified in the order made under subsection 14(1) shall comply with all the provisions of this Act other than the provisions of this Division relating to the registration of data users and matters connected thereto.
14 Registration of data users
(1) The Minister may, upon the recommendation of the Commissioner, by order published in the Gazette, specify a class of data users who shall be required to be registered as data users under this Act.
(2) The Commissioner shall, before making his recommendation under subsection (1), consult with-
(a) such bodies representative of data users belonging to that class; or
(b) such other interested persons.