Compliance with Malaysian Personal Data Protection Act 2010 by banking and financial institutions, a legal survey on privacy policies

Pages 365-394 | Received 26 Nov 2020, Accepted 18 Aug 2021, Published online: 23 Aug 2021

ABSTRACT

The sensitivity and value of personal information, especially financial data, together with the increasing threats, particularly in the online domain, make it urgent to assess how seriously financial companies respect and protect individuals’ information privacy. Recent incidents and cases in Malaysia indicate this necessity. To date, there is no official report or study on this issue in Malaysia. The purpose of the research was to assess the output of the Malaysian Personal Data Protection Act 2010 by evaluating the privacy policies of banks and financial institutions. In this qualitative research, the compliance assessment is delimited to compliance with specific requirements, especially the Notice and Choice Principle and individuals’ rights, through document study. We proposed an evaluation model based on the standards of the PDPA. The qualitative analysis of the results showed non-compliance with the requirements of the Act by the financial sector. Hence, suggestions and solutions are provided in line with a standard privacy policy for these types of companies.

Acknowledgements

The authors would like to thank the University of Malaya for its financial support.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 The Malaysian Personal Data Protection Act 2010 comprising 7 Principles and 146 Sections, as the first data protection law within the Association of Southeast Asian Nations (ASEAN) region, was gazetted on 10 June 2010.

2 The Personal Data Protection Bill was passed by the Malaysian Parliament in May 2010 and received the Royal Assent on 2 June 2010.

3 JPMorgan Chase Says 76 Million Households Affected by Data Breach (Citation2014).

4 The Notice and Choice Principle (NCP) is reflected in the privacy policies, and it directly affects the individuals’ rights.

5 Section 7 of the PDPA on the NCP provides that: 7. (1) A data user shall by written notice inform a data subject— (a) that personal data of the data subject is being processed by or on behalf of the data user, and shall provide a description of the personal data to that data subject; (b) the purposes for which the personal data is being or is to be collected and further processed; (c) of any information available to the data user as to the source of that personal data; (d) of the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data; (e) of the class of third parties to whom the data user discloses or may disclose the personal data; (f) of the choices and means the data user offers the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data; (g) whether it is obligatory or voluntary for the data subject to supply the personal data; and (h) where it is obligatory for the data subject to supply the personal data, the consequences for the data subject if he fails to supply the personal data. (2) The notice under subsection (1) shall be given as soon as practicable by the data user— (a) when the data subject is first asked by the data user to provide his personal data; (b) when the data user first collects the personal data of the data subject; or (c) in any other case, before the data user— (i) uses the personal data of the data subject for a purpose other than the purpose for which the personal data was collected; or (ii) discloses the personal data to a third party. (3) A notice under subsection (1) shall be in the national and English languages, and the individual shall be provided with a clear and readily accessible means to exercise his choice, where necessary, in the national and English languages.

6 For more information on the NCP, refer to pages 3–4.

7 Under Section 15(1) of the PDPA, a person who belongs to a determined class of data users by the Commissioner must register at the Commissioner Office. Section 15(1) of the PDPA provides that: ‘A person who belongs to the class of data users as specified in the order made under subsection 14(1) shall submit an application for registration to the Commissioner in the manner and form as determined by the Commissioner’. Under Section 14(1) of the PDPA and the Personal Data Protection (Class of Data Users) Order 2013, 11 classes of data users or the categories of companies have to register at the Commissioner Office.

8 As of 8 April 2016, 10,221 companies were registered under the 11 classes.

9 Personal Data Protection Commissioner of Malaysia Mr. Mazmalek bin Mohamad.

10 We reached the saturation point with 20 samples. In other words, evaluating more than 20 samples yielded only redundant data. With respect to the number of samples in qualitative research, there is no generally accepted rule. Qualitative experts hold that data collection must continue until the ‘saturation’ level is reached. However, many scholars have suggested a minimum of 15 samples for qualitative research. In this qualitative legal research, we felt that we reached the saturation level with 20 samples. For more information see: Guest, Bunce, and Johnson (Citation2006), Marshall et al. (Citation2013), Mason (Citation2010), Francis et al. (Citation2010).

11 Since there is no research or report on compliance with the PDPA, the qualitative method is the right approach to gain deep and detailed knowledge of the subject at hand. Furthermore, qualitative research suits socio-legal research since it encompasses appropriate means of data collection and data analysis in society. The qualitative research method looks for ‘why’ and ‘how’, making the explanation more complete. For assessing behaviour, qualitative research is one of the best approaches.

12 The selected criterion was discussed under the PDPA Requirements and is explained in detail under the Discussion.

13 To rate the text of privacy statements as understandable or difficult, the authors enlisted the help of 10 master’s and bachelor’s students from different disciplines to read the texts and rank them.

14 For instance, company B8, which is originally a foreign company, provided a general outline on information privacy in 2012; within this statement there is a hyperlink to the privacy policy for the Malaysian branches in PDF format. Company B11 provided its privacy policy under an icon titled ‘other information’ in the middle of the homepage, which is not a proper name or place. Because of this difficulty, B11 was at first listed among the companies with no privacy policy. The assessor therefore called the bank’s customer service; however, the person replied that they were not interested in responding. The assessor requested the number of the department in charge of privacy issues, but the clerk replied that under the bank’s rules the number could not be disclosed to anyone. B12 and B19, as subsidiaries of a group company, provided a privacy policy link on their websites; however, the link was not in service. Hence, the privacy policy on the website of the parent company was analysed.

15 Regarding company B6, the text of its privacy policy reads like a guarantee given by an individual, using statements such as ‘I have to provide … , I understand and acknowledge … ’. In fact, this is not a proper method of drafting a privacy policy, since the policy is a standard to be observed and guaranteed by the company itself.

16 For instance, company B4 stated that it might process sensitive personal data such as health conditions, misconduct, and religious beliefs, but only after obtaining explicit consent. Company B12 specified the use of ‘expression of opinion’.

17 Company B12 specifies that: ‘In case there is a discrepancy on how we collect or use your personal data between this Privacy Notice and the terms and conditions of your specific product or service, the terms and conditions of your specific product or service shall prevail’. Company B7 states a limited list of purposes; however, it includes the purpose of enforcing and defending any of the company’s rights, which is a vague statement and may cover many purposes.

18 However, company B13 did not provide for the purpose(s) of data collection.

19 Companies B15 and B18.

20 B8 has implicitly addressed direct marketing among its purposes; however, it states that it will obtain prior express consent.

21 A six-year retention period.

22 The legal provisions and discussion relating to access right are discussed at pages 25–26 in this article.

23 The legal provisions and discussion relating to correction right are discussed at page 27 in this article.

24 Company B15 provided that a Data Access Request with a copy costs RM10 and a Data Access Request without a copy costs RM2.

25 All companies have provided a 21-day processing period.

26 All companies will process the correction request within 21 days.

27 In some countries, such as Australia (under Principle 1 of the Privacy Act 1988 (as amended)), it is mandatory to publish a privacy policy, and its requirements are listed under the said Principle. It provides that ‘An APP entity must have a clearly expressed and up-to-date policy (the APP privacy policy) about the management of personal information by the entity’.

28 Under Australian Privacy Principle 1.5, the privacy policy must be available under two conditions: free of charge and by appropriate means.

29 Research also indicates that most privacy policies are lengthy and use difficult wording, and that most people do not read or understand them. For more information see: Reidenberg et al. (Citation2015, 39), Egelman et al. (Citation2009, 319).

30 For instance, see the following texts:

  • This Privacy Statement sets out how A COMPANY and its holding, related and subsidiary companies, including but not limited to, B COMPANY, C COMPANY, D COMPANY, E COMPANY, F COMPANY and G COMPANY (collectively referred to as ‘A GROUP’, ‘us’ or ‘we’) collect, store and handle personal information (as defined below) of individuals in accordance with the Personal Data Protection Act 2010 (‘PDPA’) and the laws of Malaysia.

  • In the course of your dealings with Y COMPANY (hereinafter referred to as the ‘Company’ or collectively referred to as ‘us’, ‘we’ or ‘our’, as the case may be), we will request that you provide data and information about yourself (‘Personal Data’) to enable us  … .

31 See Blume (Citation2012, 29).

32 According to the recommendations of the Australian Commissioner, the source of data like third parties, any individual or the method of data collection (like cookies) must be notified. See Office of the Australian Information Commissioner (Citation2014).

33 The PDPA does not specify or explain the conditions and requirements of the purposes in detail. Under the General Principle, it provides only that the purpose must be lawful and directly related to the activity of the data user.

34 Section 8 of the PDPA specifies that ‘Subject to section 39, no personal data shall, without the consent of the data subject, be disclosed—(a) for any purpose other than—(i) the purpose for which the personal data was to be disclosed at the time of collection of the personal data; or (ii) a purpose directly related to the purpose referred to in subparagraph (i); or (b) to any party other than a third party of the class of third parties as specified in paragraph 7(1)(e)’.

35 Section 32(1):

… (a) the data user is not supplied with such information as he may reasonably require—(i) in order to satisfy himself as to the identity of the requestor; or (ii) where the requestor claims to be a relevant person, in order to satisfy himself—(A) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and (B) that the requestor is the relevant person in relation to the data subject; (b) the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates; (c) the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question; (d) the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—(i) that other individual has consented to the disclosure of the information to the requestor; or (ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual; (e) subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request; (f) providing access would constitute a violation of an order of a court; (g) providing access would disclose confidential commercial information; or (h) such access to personal data is regulated by another law … .

36 Resolution 2003, adopted by the International Conference of Privacy and Data Protection Commissioners emphasized the significant role of a simple standard international privacy policy. Available at: www.privacyconference2003.org/resolution.asp.

37 The Australian Commissioner suggested that privacy policies should be accessible to people with disabilities as well. The policy should be easily downloadable or be displayed at the company’s premises. The company must provide details on how customers can obtain a copy of the privacy statement. See Office of the Australian Information Commissioner (Citation2014).

38 Office of the Australian Information Commissioner (Citation2014, 4).

39 A Monitoring Division has already been established as one of the three main bodies of the Commissioner Office.

40 According to the results of the Form Development Project 2004, standardization of privacy notices among financial institutions simplifies and facilitates the reading of privacy notices by customers. See OECD Working Party on Information Security and Privacy (Citation2006).

41 Commenting on research commissioned by the UK Information Commissioner’s Office (ICO) in 2005, which showed that the majority of people learn little from privacy notices, the ICO highlighted that, to make privacy notices in the financial sector more effective, companies can improve Fair Processing Notices (FPNs) by:

• Applying a clear and identifiable structure to all FPNs across all media;

• Including only necessary and relevant content;

• Using clear and understandable language, and cutting out jargon;

• Using a generic format ‘template’ for all FPNs;

• Designing FPNs appropriately for different media; and

• Increasing consistency of approach within sectors.

The recommendation is accessible at: www.informationcommissioner.gov.uk/cms/DocumentUploads/DP%20Forum%207%20June%2005.pdf

Moreover, the ICO has recommended clear and easily understandable content, with no hidden parts in the policy text or ‘small print’. Privacy policies must be free of ‘legal phrase and confusing double negatives’. See Information Commissioner’s Office (Citation2016, 24).

42 For more information see Office of the Australian Information Commissioner (Citation2014). Guide to developing an APP privacy policy.

43 According to Klaus, plain language is the first criterion; it means a text that is ‘clear, direct and focuses on the message’. Plain language increases understandability and subsequently increases the level of reading. The text must address the target customers, and their level of education matters. Next, the design and format of the text are important; multilayered policies are highly recommended here because they increase readability while still providing full information. Lastly, the placement of the policy is important: the suggested placement is a link to the privacy policy on the homepage of the company’s website. See Klaus (Citation2015).

44 Munur and Mrkobrad have suggested some guidelines for drafting a plain-language, multilayered privacy policy in order to increase the level of reading and understanding by customers. They suggested a table of contents with hyperlinks at the beginning of the privacy policy and links back to the table within the main body. The use of bullet points increases visibility and facilitates reading of the text. See Munur, Branam, and Mrkobrad (Citation2012).

45 The layered privacy policy is explained at page 9.

47 According to the Australian Commissioner’s Guidelines, the names of the countries must be specified in the notice, or the individual must at least be informed, unless this is impracticable because the personal data may be disclosed to numerous recipients and determining the recipients is ‘excessively time-consuming, costly or inconvenient’. For instance, the entity may mention only the recipient region, such as the European Union. See Office of the Australian Information Commissioner (Citation2014).

48 Office of the Australian Information Commissioner (Citation2014).

49 Office of the Australian Information Commissioner (Citation2014).

50 The Australian Privacy Commissioner’s Guidelines on the Principle of Direct Marketing suggest a simple means of opting out: one that is visible (proper font size with a heading), understandable (simple English), fast (not time-consuming), free or low-cost, and easy to use through direct and accessible communication channels. See Office of the Australian Information Commissioner (Citation2014).

51 If the marketing approach is made by mail or fax to the customer, the marketing material should provide a ‘tick’ box and a return address for the customer to exercise his opt-out right. Where the customer is approached by e-mail, he should be provided with an electronic link to the address of the data user for exercising the opt-out right. See Office of the Privacy Commission for Personal Data, Hong Kong (Citation2012, 6).

52 According to the UK Information Commissioner’s Office, it is good practice to regularly review the personal data you hold, and delete anything you no longer need. Information that does not need to be accessed regularly, but which still needs to be retained, should be safely archived or put offline. See Information Commissioner’s Office (ICO) (Citation2016).

53 The new trend in the European Union is to make personal data protection an obligatory role. Under Article 37 of the new GDPR, it is mandatory for some data controllers carrying out certain activities to appoint a data protection officer.

54 Under Article 37(7) of the GDPR, the data controller must publish the contact details of the data protection officer.

55 According to the Article 29 Working Party Guidelines on Data Protection Officers (DPOs), the contact details are those that enable data subjects and supervisory authorities to communicate with the DPO easily.

56 The Article 29 Working Party suggested that data controllers publish the name of the Data Protection Officer. See Article 29 Working Party (Citation2017).

57 For an idea of the types and methods of training programmes, the Privacy Commissioners’ Offices of Ireland, Australia, and New Zealand are good examples. They provide numerous and varied training programmes for all individuals and for public and private companies. The Australian Commissioner has developed online privacy training courses that are free of charge and convenient in terms of time and place.

58 For instance, the Australian Commissioner has recommended staff training and stressed its significant role when providing guidelines on notification of data collection and on data collection methods.

59 An online tool called the ‘Escalation Ladder’ was developed by the New Zealand Commissioner’s Office to help and educate front-line staff in determining what kind of information, to what extent, and with whom it can be shared. See: https://www.privacy.org.nz/privacy-for-agencies/sharing-information-about-vulnerable-children/

Additional information

Funding

This research work has been funded by the University of Malaya Research Grant (UMRG), Project No: RP006C/13ICT.
