Malaysia’s first Personal Data Protection Act (PDPA) came into force on Feb. 15 this year, and ALB’s Data Protection Conference offered the latest guidance from government and the private sector on compliance, strategic implementation and enforcement. The event, held on June 17 at the Royale Chulan Kuala Lumpur, brought together 100 data protection and privacy experts from across Asia, Australia, the Americas and Europe.
The conference was inaugurated by Honourable Datuk Che Azemi Haron, Deputy Secretary General of the Ministry of Communication and Multimedia, and Tuan Haji Abu Hassan Ismail, the Malaysian Personal Data Protection Commissioner. Both high-ranking public officials highlighted some of the milestones achieved in the past four months, including public consultations on compliance with the PDPA, the management of employees’ data, consent, direct marketing and the management of CCTV. As of June 2014, more than 14,000 companies had registered as Data Users, and by the third quarter of 2014 the Data Protection Department (JPDP) will issue a call for consultation on the No Call Registry System.
Best practices from Europe, North America, North Asia and Australia
Sophie Kwasny, head of the Data Protection Unit of the Council of Europe, described the event as the first conference of its kind bridging Malaysia and Europe for future collaboration, and offered a fresh perspective on what the Asia-Pacific region could achieve by using Europe’s data protection legacy as an example. Europe’s data protection frameworks have a head start over Asia’s: they were created when technology posed lower levels of risk and are rooted in the continent’s historical championing of civil rights. The Article 29 Working Party, comprising representatives of the EU member states’ data protection authorities, the EU Commission and the European Data Protection Supervisor, may serve as the European best practice on which Asian countries can model their own mechanisms. The learning process goes both ways, argued Kwasny, welcoming Malaysia’s data user registration process, which, although essential for minimising data protection risks, is sometimes missing from the EU member states’ legislative frameworks.
The European mechanisms are also undergoing transformation including the drafting of the new EU Data Protection Regulation and the ongoing consultation on the reform of Convention 108. Kwasny encouraged her Asian counterparts to participate in this consultative process, sharing experiences in the handling of sensitive information (for example religion and race) and Big Data, as well as sector-specific challenges including those affecting the police and law enforcement as well as the healthcare sectors. The Malaysian Commissioner expressed his commitment to such intercontinental cooperation, mentioning the Partnership and Cooperation Agreement (PCA) between the EU and Malaysia.
In keeping with its global nature, the conference adopted a multimedia format, screening videos of current and former representatives of the Consumer Affairs Agency of Japan, the Personal Data Protection Commission of Korea, the Office of the Privacy Commissioner of Ontario and the former Privacy Commissioner of Australia. Delegates gained an insight into global data protection best practices and innovative initiatives such as Commissioner Ann Cavoukian’s Privacy by Design concept, Japan’s Privacy Mark Programme and privacy governance in a corporate setting.
360-degree data protection leadership
The conference saw a gathering of privacy experts from market-leading multinational corporations sharing practical solutions to the challenges posed by the lack of a harmonised data protection framework globally. Valerie Tan of Microsoft named privacy, security and cross-border data transfers as some of the key issues faced by cloud computing service providers. As examples of best practice, the OECD Data Protection Guidelines, the EU Data Protection Directive and the EU Model Contracts were referenced as possible mechanisms towards a harmonised approach. As a demonstration of Privacy by Design in practice, Microsoft has enabled the “do not track” setting by default in its Internet Explorer browsers. The development of ISO/IEC 27018, a code of practice for the protection of personal data by cloud service providers that process it on behalf of their customers, was also mentioned.
Rob Borthwick of Axiata spoke about his company’s experience in dealing with the data protection challenges posed by cross-border data transfer: Axiata’s Service Assurance Platform collects customer data for service quality monitoring and enhancement. Customer data is anonymised for remote analysis and personal data is held nationally. Borthwick regarded the key pillars of privacy management by communications providers as: customer acceptance of the use of data (beyond signing of Terms & Conditions) and national horizontal privacy legislation. In certain markets, communications sector regulation also contributes to the requirements on providers.
Geraldine Kamalanathan and Punitha Kandiah briefed the audience on the lessons learnt by Maybank while educating its massive base of internal and external stakeholders on the new law. Maybank began its data protection policies in compliance with the Financial Services Act 2013 (FSA), and continues to communicate with its customers/data subjects through various channels: its website, ATM screens that display a notice dedicated explicitly to data protection, and monthly bank statements. Each new customer’s on-boarding process includes an introduction to Maybank’s data protection policies by its customer service officers. Some of the challenges voiced by Kamalanathan and Kandiah include justifying data retention to customers, consent management in the cross-selling of products, and compliance with the Data Access and Privacy Notice requirements. A cross-functional, dedicated steering committee meets regularly under the leadership of the Chief Risk Officer to address these challenges, and consultation with the Data Protection Department (JPDP) is on-going through the Association of Banks in Malaysia. Kamalanathan and Kandiah emphasised that this is an extremely resource- and time-intensive project, including system enhancement, training and non-quantifiable HR costs.
Introducing a comprehensive assessment system for these corporate mechanisms, Karinna Neumann walked delegates through Nymity’s innovative privacy management framework. The pragmatic accountability scorecard approach evaluates the robustness of the privacy mechanism based on the categorisation, frequency and ownership of privacy management activities.
Having heard the perspectives of both the government and private sectors, Dr. Sonny Zulhuda of the International Islamic University Malaysia urged the strengthening of public-private partnerships (PPP) via the Data Users Forum, which connects industry and communities and could raise the bargaining power of small- and medium-sized enterprises (SMEs).
Opt in, opt out and data retention
Opt in, opt out and data retention have been frequent topics of discussion since the new law took effect, and the conference concluded that many challenges persist, necessitating sector-specific regulations and guidelines. Harminder Jaila of the Prince Court Medical Centre explained the difficulties faced in handling medical records beyond the maximum retention limit of six years in Malaysia, especially as Malaysia has yet to enact a healthcare-specific regulation. The rhetorical question stands: does the privacy of patients override the obligation of medical practitioners to safeguard human health by all legal and ethical means? Practices differ across jurisdictions: Europe uses opt-in procedures, while the U.S. tends to follow the more lenient opt-out approach, and such divergence makes the handling of cross-border data transfers equally challenging. Jaila also differentiated between blanket, periodic and one-off consent: blanket consent is ruled out by the PDPA, so Jaila solicits explicit, deliberate (opt-in) consent for a defined period, such as the duration of a surgical treatment.
The issue of the medical data of internal employees was raised by Maybank’s PDPA Project Manager. According to Kherk Ying Chew of Wong & Partners, Section 39 of the PDPA provides an exemption where the collection of sensitive data serves the legitimate purposes of employment (for example, medical data for the purpose of securing health insurance and other medical benefits). Companies may adopt standards that go beyond compliance with the PDPA, collecting consent to the use of employee medical data at the on-boarding stage.
Companies also struggle to align their marketing practices with the PDPA requirements while ensuring minimal impact on business operations and cost structures. Chew of Wong & Partners briefed the audience on the results of the latest consultation with the JPDP: two regimes have been proposed, one addressing postal mail, where an opt-out approach suffices, and one focused on electronic direct marketing (eDM) and SMS marketing. For the latter, companies must obtain an explicit opt-in and, in the case of cross-selling, ensure that the two products/services are relevant to one another. Chew emphasised the importance of clear communication with customers at all times, which helps avoid complaints in complex situations such as marketing across group businesses within a large conglomerate.
Rob Borthwick of Axiata addressed some of the regulatory gaps in consent mechanisms, calling for the more stringent regulation of third-party data intermediaries, especially companies specialised in selling customer data. Axiata, for instance, maintains a data security policy with each of its operating companies and data protection clauses are incorporated in all vendor contracts. These are accompanied by audit provisions and a recently commenced programme of audits.
The challenges often lie in the resources and technologies necessary for execution: Chew pointed out that many companies lack the systems to differentiate between opt in and opt out for postal, SMS or electronic marketing. Edmund Sia of Motorola Solutions described the processes needed for tracking non-responses to consent requests, for evaluating and responding quickly to data access requests, and for classifying third-party data intermediaries.
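The two proposed regimes (postal opt-out, eDM/SMS opt-in with a relevance test for cross-selling) and the need to track unanswered consent requests translate into a small amount of decision logic that many of the systems described above lack. The following is an added illustration written for this report, not code from any of the companies or the JPDP: the channel rules, the 30-day chase threshold and the reduction of “relevant to one another” to a product-category match are assumptions chosen for the example, and the customer records are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Channel(Enum):
    POSTAL = "postal"
    EDM = "edm"      # electronic direct marketing (e-mail)
    SMS = "sms"


class Decision(Enum):
    OPT_IN = "opt_in"
    OPT_OUT = "opt_out"
    NO_RESPONSE = "no_response"   # request was sent, nothing came back


# Channel regime (assumption modelled on the two-regime proposal described in the
# report): postal marketing may proceed unless the customer opts out, while eDM
# and SMS need an explicit opt-in.
OPT_IN_REQUIRED: Dict[Channel, bool] = {
    Channel.POSTAL: False,
    Channel.EDM: True,
    Channel.SMS: True,
}


@dataclass
class ConsentRecord:
    decision: Decision
    requested_on: date                      # when the consent request went out
    recorded_on: Optional[date] = None      # when a reply was logged, if any
    product_category: Optional[str] = None  # None = consent covers all categories


@dataclass
class Customer:
    customer_id: str
    consents: Dict[Channel, ConsentRecord] = field(default_factory=dict)


def may_market(customer: Customer, channel: Channel, product_category: str) -> bool:
    """Decide whether a message about `product_category` may be sent over `channel`."""
    rec = customer.consents.get(channel)
    opt_in_needed = OPT_IN_REQUIRED[channel]
    if rec is None or rec.decision is Decision.NO_RESPONSE:
        # Silence is not consent: opt-in channels stay closed, opt-out channels stay open.
        return not opt_in_needed
    if rec.decision is Decision.OPT_OUT:
        return False
    # Explicit opt-in. On opt-in channels a cross-sell is only allowed where the
    # consent covers the product category (the "relevant to one another" test,
    # simplified here to an exact category match; assumption).
    if opt_in_needed and rec.product_category not in (None, product_category):
        return False
    return True


def overdue_consent_requests(customers: Iterable[Customer], today: date,
                             max_age_days: int = 30) -> List[Tuple[str, Channel]]:
    """List (customer_id, channel) pairs whose consent request has gone unanswered
    for longer than `max_age_days`, so they can be chased or closed out rather than
    lingering as a silent default."""
    overdue = []
    for cust in customers:
        for channel, rec in cust.consents.items():
            if (rec.decision is Decision.NO_RESPONSE
                    and (today - rec.requested_on).days > max_age_days):
                overdue.append((cust.customer_id, channel))
    return overdue


# Constructed sample data for a stand-alone run (not real customers).
TODAY = date(2014, 6, 17)
SAMPLE_CUSTOMERS = [
    Customer("C-001"),  # never asked for consent on any channel
    Customer("C-002", {
        Channel.EDM: ConsentRecord(Decision.OPT_IN, date(2014, 4, 1), date(2014, 4, 3), "savings"),
        Channel.SMS: ConsentRecord(Decision.NO_RESPONSE, date(2014, 4, 1)),
        Channel.POSTAL: ConsentRecord(Decision.NO_RESPONSE, TODAY - timedelta(days=5)),
    }),
    Customer("C-003", {
        Channel.POSTAL: ConsentRecord(Decision.OPT_OUT, date(2014, 3, 1), date(2014, 3, 2)),
    }),
]


def demo() -> Dict[str, object]:
    """Run the gate over the sample data and return the decisions."""
    c1, c2, c3 = SAMPLE_CUSTOMERS
    return {
        "c1_postal": may_market(c1, Channel.POSTAL, "savings"),          # True
        "c1_edm": may_market(c1, Channel.EDM, "savings"),                # False
        "c2_edm_savings": may_market(c2, Channel.EDM, "savings"),        # True
        "c2_edm_insurance": may_market(c2, Channel.EDM, "insurance"),    # False
        "c2_sms": may_market(c2, Channel.SMS, "savings"),                # False
        "c2_postal": may_market(c2, Channel.POSTAL, "savings"),          # True
        "c3_postal": may_market(c3, Channel.POSTAL, "savings"),          # False
        "overdue": overdue_consent_requests(SAMPLE_CUSTOMERS, TODAY),    # [("C-002", Channel.SMS)]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of keeping `NO_RESPONSE` as its own state rather than collapsing it into “no consent” is that it lets the overdue report distinguish customers who were never asked from those who were asked and did not reply, which is the tracking gap Sia described; on opt-in channels both cases still block the send.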
The information security agenda
Tan Tze Meng and Chan Chuey Hwye of the Multimedia Development Corporation (MDeC), the advisory agency in charge of “positioning Malaysia as a data centre hub,” contextualised privacy management as one element of the wider data protection and information security agenda. The PDPA is imperative for retaining not only customer trust but investor confidence in Malaysia. MDeC engages with the JPDP, foreign and domestic governments and data users to ensure the right balance between fundamental respect for privacy rights and the collection of sufficient evidence for law enforcement actions. Tan and Chan spoke about the transparency measures undertaken by technology giants such as Apple, Microsoft and Facebook, which periodically disclose their responses to government data requests, and the benefits offered by international legal frameworks such as the Mutual Legal Assistance Treaty (MLAT) between Malaysia and the U.S. MDeC is also in the process of introducing a standard Code of Practice, aligning the individual and somewhat disparate guidelines of Malaysia’s 20-plus enforcement agencies.
Creating a world-class data protection team
In response to a question on how to implement privacy leadership in practice, Foong Cheng Leong of the Malaysian Bar’s PDPA Committee recommended dividing responsibilities across different functions, including client relations, IT, legal and HR. Surinta Abraham of the Malaysian Genomics Resource Centre Berhad added the importance of obtaining not only the buy-in but the continuous engagement of C-level management and the board, who will have the ultimate say on resource allocation towards building a “world-class data protection team.”
Advocacy initiatives with the JPDP play an imperative role for multinational conglomerates, which are burdened by a multitude of licensing requirements in addition to the annual data user registration. Privacy officers are therefore encouraged to keep up to date with the public consultation processes relating to the PDPA, and where in-house counsel assumes this role, proactive engagement with the Commissioner becomes a key responsibility of the legal department.
The “Appification” society
A familiar image of the Angry Birds app opened the “Appification” panel, a reminder of the recent revelations that the National Security Agency had harvested undisclosed amounts of personal data transmitted by the popular smartphone game. Panelists unanimously agreed that the “Appification” society, comprising app developers, device manufacturers, application stores, operating system developers and other marketing service providers, is a blind spot in the data protection landscape. Dr. Norsidah Mohamed of the Universiti Teknologi Malaysia revealed alarming statistics, namely that 90 percent of mobile apps are exposed to traffic interception. Tan of MDeC has been involved in the development of ISO/IEC 27034 on application security, but the creation of global standards is hindered by the diversity of application programming interfaces (APIs). The absence of standards on mobile app design leaves personal data on such platforms, especially in apps requiring the input of financial information, critically vulnerable to abuse.
The PDPA makes clear that apps should at no time access personal data without consent. But the challenge lies in policing this clause. Most start-up app developers only aim to meet the bare minimum of the PDPA’s notice and disclosure requirements due to time and financial constraints, admitted Reza Razali of Terato Tech and Warren Leow of Guru App. Leow, a former management consultant turned entrepreneur, pioneers educational apps targeting high school students. He explained that data collection and analytics (number of log-ins, time spent in the app, etc.) are crucial to optimising the user experience, but that he follows the Privacy by Design principle of retaining only the minimum amount of data necessary, which also limits what has to be secured. This echoes the Malaysian Data Protection Commissioner’s comment that eliminating unnecessary data reduces operational costs and improves privacy compliance. Leow also pointed out that many data breaches stem from consumer error, through insufficient caution in granting apps permission to access personal data (contact lists, photos and social media accounts).
Ultimately, as projected by Revantha Sinnetamby of the Malaysian Corporate Counsel Association (MCCA), transparency and data security should go hand in hand, with the “Appification” society brought into stringent data protection enforcement. Companies such as Heineken have voluntarily pioneered industry self-regulation, incorporating clauses on data security and audit in their contracts with third-party app developers.
The employer-employee context
Ainul Azlinda Binti Inon Shaharuddin described the rollout of Telekom Malaysia’s privacy management programme, starting with Global Leadership Training for awareness raising, followed by the PDP Taskforce Meeting for budget approval, the PDP Working Groups in charge of gap analyses, and HR interviews responsible for integrating the PDPA into employment processes. Telekom Malaysia mapped the on-boarding, employment and termination phases against the PDPA’s seven principles and conducted regular educational campaigns, enhancing the credibility of the PDPA training by linking it to corporate communications and general management programmes.
MCCA President Thavakumar Kandiahpillai gave a practical spin on embedding PDPA compliance in cross-border employer-employee dispute settlement cases. Kandiahpillai identified key challenges including the definition of personal data, the practical assessment of employee data requests, the varying degree of PDPA enforcement in different jurisdictions and the risk of employees abusing the PDPA rules in the context of litigation proceedings.
Indirani Viknaraja of K8 Data Protection Consultants explained that a mere mention of someone’s name in a document does not make it their personal data unless that person is the focus of the discussion, while someone’s personal opinion can also be classed as personal data. Under European data protection law, relevant exemptions can be used to withhold personal information, for instance where the information is directly relevant to an ongoing investigation or corporate restructuring. However, data requests by employees on issues such as performance evaluation or succession planning are, under normal circumstances, valid and must be accommodated. Kandiahpillai added that instead of debating the legal legitimacy of data requests, employer-employee relations should be driven by the highest standards of transparency at all times, regardless of the PDPA. Transparency, he argued, is the best preventive medicine for disputes. Viknaraja argued that a “bad plan well executed is better than an excellent plan poorly executed,” stressing that simple, user-friendly guides should be promoted rather than referring staff to complex legal texts and policies. PDPA training is “not to be a revolution, but to be an evolution,” with senior management walking the talk.
This report covers only a minuscule part of the fruitful discussions conducted at the conference. Global data privacy expert Noris Ismail of the Data Protection Academy LLP, who chaired and moderated most of the panel sessions, concluded the event with a proactive call to action: Ismail encouraged delegates to participate in the national and EU consultation processes and to consider the position of Privacy by Design Ambassador through their respective organisations and companies. In keeping with Rob Borthwick’s suggestion, privacy professionals across all jurisdictions should work together towards a future of regional interoperability, based on the alignment of international principles as well as national, sector-specific and horizontal legislation.