Malaysia PDPA compliant school management software

Malaysia Personal Data Protection Act (PDPA), 2010



Malaysia’s first comprehensive data protection act, the Personal Data Protection Act (PDPA), was passed in June 2010. Malaysia defines PDPA as “an act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto”.

• Eduwonka is not established in Malaysia but uses equipment in Malaysia for processing personal data otherwise than for the purpose of transit through Malaysia; according to Subsection 2 (b), the Act is therefore applicable to Eduwonka.
• Eduwonka adheres to the data processing provision in Sub-section 3 (b) of PDPA, which states that the Act shall not apply to any personal data processed outside Malaysia unless that personal data is intended to be further processed in Malaysia.
• PDPA interprets “personal data” as any information in respect of commercial transactions which –

I. is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
II. is recorded with the intention that it should wholly or partly be processed by means of such equipment; or
III. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

• “Disclose”, in relation to personal data, means an act by which such personal data is made available by a data user (here, Eduwonka).
• “Relevant person”, in relation to a data subject, howsoever described, means—

I. in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject;
II. in the case of a data subject who is incapable of managing his own affairs, a person who is appointed by a court or authorized by the data subject to manage those affairs on behalf of the data subject; or
III. in any other case, a person authorized in writing by the data subject to make a data access request, data correction request, or both such requests, on behalf of the data subject;

• Eduwonka shall not process personal data unless the data subject has given consent to the processing of his/her personal data. In the case of sensitive personal data, Eduwonka shall not process it except in accordance with the provisions of section 40.
• Under the Notice and Choice Principle, Eduwonka shall inform a data subject by written notice —

I. that the personal data is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject;
II. the purposes for which the personal data is being or is to be collected and further processed;
III. of the class of third parties to whom the data user discloses or may disclose the personal data;
IV. whether it is obligatory or voluntary for the data subject to supply the personal data; and
V. where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data.

• According to the Disclosure Principle, and subject to section 39 of PDPA, Eduwonka shall not disclose any personal data without the consent of the data subject for any purpose other than the purpose for which the personal data was to be disclosed at the time of collection of the personal data.
• Adhering to the Security Principle of PDPA,

1. Eduwonka will take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction while processing personal data, by having regard—

I. to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
II. to the place or location where the personal data is stored; and to any security measures incorporated into any equipment in which the personal data is stored;
III. to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
IV. to the measures taken for ensuring the secure transfer of the personal data.

2. Where processing of personal data is carried out by a data processor on behalf of Eduwonka, Eduwonka shall, for the purpose of protecting the personal data from any of the above-mentioned conditions, ensure that the data processor—

I. provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
II. takes reasonable steps to ensure compliance with those measures.

• As per the Retention Principle of PDPA, Eduwonka shall not keep the personal data processed for any purpose for longer than is necessary for the fulfilment of that purpose. Also, Eduwonka shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed.
• As per the Data Integrity Principle, Eduwonka shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date, having regard to the purpose for which the personal data was collected and further processed.
• As per the Access Principle, a data subject shall be given access to his/her personal data held by Eduwonka and be able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date, except where compliance with a request to such access or correction is refused under PDPA.
• Subject to subsection (2) and section 32, Eduwonka shall comply with a data access request by the data subject under section 30 not later than twenty-one days from the date of receipt of the data access request.
• As per PDPA, Eduwonka may refuse to comply with a data access request under section 30 if—

(1) (a) Eduwonka is not supplied with such information as it may reasonably require—
I. in order to satisfy itself as to the identity of the requestor; or
II. where the requestor claims to be a relevant person, in order to satisfy itself—

(A) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and
(B) that the requestor is the relevant person in relation to the data subject;
(b) Eduwonka is not supplied with such information as it may reasonably require to locate the personal data to which the data access request relates;
(c) the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question;
(d) Eduwonka cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—

I. that other individual has consented to the disclosure of the information to the requestor; or
II. it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;
subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit Eduwonka from complying, whether in whole or in part, with the data access request;

(e) providing access would constitute a violation of an order of a court; or would disclose confidential commercial information; or such access to personal data is regulated by another law.
(2) In determining for the purposes of subparagraph (1)(d)(ii) whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to—

(a) any duty of confidentiality owed to the other individual; or any steps taken by Eduwonka with a view to seeking the consent of the other individual;
(b) whether the other individual is capable of giving consent; and any express refusal of consent by the other individual.

(3) Paragraph (1)(e) shall not operate so as to excuse Eduwonka from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.

• Eduwonka shall keep and maintain a record of any application, notice, request or any other information relating to personal data that has been or is being processed by it.

Source:

http://ilo.org/dyn/natlex/docs/ELECTRONIC/89542/102901/F1991107148/MYS89542 2016.pdf