Malaysia's Personal Data Protection Act 2010 is fully in force. The rocky roll-out was plagued with confusion, a scarcity of information, and an initially lackadaisical attitude toward compliance, despite the severe penalties.
There's abundant information available about the specifics of the act if you'd like to dig deeper - see the links at the bottom. But here, let's do a quick overview and then look at some of the more interesting aspects of the PDPA.
The PDPA was created to regulate companies that process personal data in commercial transactions. The definition of "processing" is sufficiently broad to include just about any company that collects or uses personal data.
7 Principles and the 5 Rights of the Individual
The PDPA is based on seven principles which address the usual aspects of data processing and privacy. There are various, and numerous, exemptions to the principles, for example the handling of data processed while investigating a crime. Five "Rights of the Individual" are also laid out in the PDPA and cover matters regarding one's own data - the right to access it, to correct it, to withdraw consent, to prevent processing likely to cause damage and distress, and to opt out of direct marketing.
Scope of the PDPA
Some experts regard the PDPA as limited in scope, and in fact it does not apply to federal or state governments, nor to companies involved in "Regulatory Functions". Also omitted are credit reference agencies, non-commercial transactions, and personal/family affairs. Personal data processed outside Malaysia is also excluded, unless the intention is to bring it into Malaysia for further processing.
There are many more exemptions in addition to those mentioned here, so "narrow in scope" seems an accurate assessment.
Users and Processors are different
The PDPA distinguishes between Data Users and Data Processors. Processors handle data only on behalf of a Data User, and no obligations are placed on the processors. (Think of the IT guy.)
Eleven classes of Data Users have been identified. Everyone in those classes is required to register as a Data User and pay a fee. The classes are: Communications, Banking & Financial institutions, Insurance, Health, Tourism & Hospitalities, Transportation, Education, Direct Selling, Services, Real Estate and Utilities.
Failure to register is punishable by fines of up to 500,000 Ringgit (over $153,000) and imprisonment of up to three years.
But what about the Hippo?
Right about now is when we get to the hippopotamus in the story.
Doctors (and dentists) had been designated as Data Users in the Healthcare class. They found themselves beleaguered from without as well as within.
In Malaysia doctors dispense medication, unlike the US where generally a doctor writes a prescription and a pharmacy fills it. Doctors, especially general practitioners operating their own clinics, often charge little for their services, and their livelihood depends on access to medicine.
There are two primary pharmaceutical houses supplying drugs in Malaysia. When the PDPA was implemented both pharmas sent consent forms to their clients, most of whom are doctors who get the medicine they dispense from those pharmas. The forms requested information about the doctors themselves, and consent to use it however the pharmas chose.
At a time when data privacy and protection was coming into force, the pharmas demanded all contact and personal details, bank account numbers, info about personal assets, and more. They also required permission to disclose that information to third parties, and to transfer the data out of the country.
Doctors were told that if they did not comply, the pharmas had the right to terminate business with them. Many doctors speculated that their information had long been used this way, and that pharmas were trying to cover themselves in light of the new regulations.
After much upheaval and protest the Malaysian Medical Association had meetings with the heads of the pharmas. They finally got the matter resolved and different consent forms were issued.
Data User Requirements
Meanwhile, doctors were slowly learning that they were Data Users and were supposed to register as such; that they would be paying a fee; that they were required to have extensive compliance procedures in place; and that the deadline was fast approaching.
The Malaysian Medical Association and most doctors claimed they hadn't been informed about being considered Data Users. Now they were finding out at the last minute and the compliance requirements were unclear and would take time to implement. And they were liable to be fined a large sum of money or go to prison if they hadn't registered, but most doctors still did not know.
They also felt they shouldn't have to pay a fee. But most of all, they already had strict data privacy protocols in place under the Medical Act and the Malaysian Medical Council, by which they are governed. Imposing more requirements was redundant and pointless, they said.
An article on the MMA website noted that since the birth of modern medicine doctors had been guided by the Hippocratic oath. But, the author said, although the PDPA had started out as a law, it had changed into a Hippopotamus, and it was stampeding through their practice.