What is the purpose of the protection of personal data?

To regulate the processing of an individual's personal data in commercial transactions, and in doing so to protect that individual's personal information.

Who must comply with the Personal Data Protection Act?

All individuals and organizations that process personal data in their dealings must comply with the rules set out in the Personal Data Protection Act 2010. The Federal Government and the State Governments are exempted.

What Are the Rules?

The Personal Data Protection Act sets out seven principles of information-handling practice that must be followed, namely:

1. General Principle
2. Notice and Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle

What Data are being protected by the Act?

Any information, or chain of information, that allows a living individual to be identified is covered by the Personal Data Protection Act. Below are some examples of data that can be considered personal data:

    1. Name and address
    2. Identification card number
    3. Passport number
    4. Health Information
    5. E-mail Address
    6. Picture
    7. Images recorded by closed-circuit television (CCTV)
    8. Information contained in personal files

When does an organization "process" the personal data?

An organization must comply with the Act only if it is "processing" personal data. The Personal Data Protection Act defines the word "processing": "processing" personal data means doing something with the data, including collecting, recording, holding, storing, organizing, modifying, disclosing and destroying it. Examples of activities that can be considered "processing" include:

    1. Collecting data through forms, by phone or via the web
    2. Publishing data
    3. Selling data
    4. Using administrative data
    5. Using data for marketing purposes
    6. Recording data
    7. Disclosing or providing data to other organizations
    8. Destroying data

Who is the Data User ?

The Personal Data Protection Act applies to individuals and organizations if they are a "data user". A "data user" is an individual or organization that:

    1. Processes personal data, or
    2. Has control over the processing of personal data, or
    3. Allows processing of personal data

Who is the Data Processor

A data processor is an individual or organization that processes personal data on behalf of a data user, and does not process that personal data for any purpose of its own. The Personal Data Protection Act does not apply directly to a data processor; its obligations are imposed on the data user that engages it.

Are Data Users responsible for the data processing activity?

If organization A engages organization B to process data on its behalf, organization A is the data user and organization B is the data processor. The Personal Data Protection Act requires organization A to ensure that organization B provides sufficient guarantees that it will take measures to protect the security of the data being processed. Organization A is also required by the Act to take reasonable steps to ensure that organization B complies with those measures.

Who is the Data Subject?

The Personal Data Protection Act provides rules on good practice in the processing of the personal data of living individuals. The Act defines the individuals whose data is processed by data users as data subjects.

What rights does the Personal Data Protection Act grant to the data subject?

Data subjects are given the following rights:

    1. The right to be told whether their data is processed by an organization
    2. The right to access personal data
    3. The right to rectify personal data
    4. The right to withdraw consent to process personal data
    5. The right to prevent processing likely to cause damage or distress
    6. The right to prevent processing for purposes of direct marketing

What is sensitive personal data?

Under the Personal Data Protection Act, sensitive personal data means any personal data consisting of information as to an individual's physical or mental health or condition, political opinions, religious beliefs or other beliefs of a similar nature. Information on the commission or alleged commission of any offence by the individual is also sensitive personal data.

What are the requirements for the processing of sensitive personal data?

The Act does not allow the processing of sensitive personal data except with the explicit consent of the data subject, or where the processing is necessary for one of the purposes specified in the Act.

What can an individual do if they find that their personal data has been processed not in accordance with the Personal Data Protection Act?

An individual who believes that their personal data has been processed in breach of any provision of the Act may make a complaint to the Personal Data Protection Commissioner.

Can an individual seek compensation under the Personal Data Protection Act if their personal data has been processed in violation of the Act?

The Act does not provide for a specific right to claim for damages.

What remedies are available to the data subject?

Remedies under the Personal Data Protection Act take the form of criminal offences. The Act creates several new criminal offences, among them the following:

   1. Processing of personal data without a certificate of registration
   2. Processing of personal data after the revocation of registration
   3. Non-compliance with the Personal Data Protection Principles
   4. Processing of personal data after consent is withdrawn
   5. Processing of sensitive personal data not in accordance with the conditions that have been set
   6. Selling or offering to sell personal data
   7. Failure to comply with a requirement of the Personal Data Protection Commissioner to comply with a data subject's notice to stop processing for direct marketing