Introduction (Suggestion only)
Data means information which is being processed by automatically operating equipment in response to instructions given for a particular purpose. Data is also a part of a “relevant filling system”. Data is recorded with the intention that it should be processed by means of such equipment. Data also is recorded information held by public authority. There are few other definitions on data which are data subject which means that any living individual who is the subject of personal data. Data user, the person who process or has control over or authorizes the processing of personal data. Data controller is those registered corporate body. Identification number Personal Data means any personal information in respect of commercial transactions, it relates directly or indirectly to a data subject. Besides, personal data includes sensitive personal data physical or mental health, political opinions, religious beliefs, offences or any other data as the Minister may determine. In a different view, personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. Personal data are valuable to entities in profiling customer, direct marketing, and also for the purpose of fraudulent transactions. Personal data many be in any form like:
It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”. Expression of opinion about the personal data shall mean any information relating to an identified or identifiable natural person or data Subject, an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. The definition can be deliberately a very broad one. In principle, it covers any information that relates to an identifiable, living individual. However, it needs to be borne in mind that data may become personal from information that could likely come into the possession of a data controller. There are different ways in which an individual can be considered ‘identifiable’. A person’s full name is an obvious likely identifier. But a person can also be identifiable from other information, including a combination of identification elements such as physical characteristics, pseudonyms occupation and address. Sensitive Personal Data refers to any personal data consisting of information as to:
specifically to racial or ethnic origin,
trade union membership,
physical or mental health condition of a data subject,
any other personal data determined by the Minister.
The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of theconditions for processingwhich apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate. The categories of sensitive personal data are broadly drawn so that, for example, information that someone has a broken leg is classed as sensitive personal data, even though such information is relatively matter of fact and obvious to anyone seeing the individual concerned with their leg in plaster and using crutches. Clearly, details about an individual’s mental health, for example, are generally much more “sensitive” than whether they have a broken leg. Many individuals choose to make their political allegiance public, for example by wearing badges or rosettes or by putting a sticker in their window. There is acondition for processing sensitive personal datathat covers information made public by the individual concerned. Religion or ethnicity, or both, can often be inferred with varying degrees of certainty from dress or name. For example, many surnames are associated with a particular ethnicity or religion, or both, and may indicate the ethnicity and religion of the individuals concerned. However, it would be absurd to treat all such names as “sensitive personal data”, which would mean that to hold such names on customer databases you had to satisfy a condition for processing sensitive personal data. Nevertheless, if you processed such names specifically because they indicated ethnicity or religion, for example to send marketing materials for products and services targeted at individuals of that ethnicity or religion, then you would be processing sensitive personal data. In any event, you must take care when making assumptions about individuals as you could be collecting inaccurate personal data. Various Roles Pertaining to Personal Data Protection Since computing power became a commercial reality, the value of data, especially in bulk, has escalated exponentially. Data today is a valuable asset on par with, and in some cases, far exceeding, hardware. With valuable data so easily transferable in this day and age, governments around the world have been compelled to move to protect individuals from the misuse or abuse of their personal information, especially from commercial exploitation. This is true also of ASEAN. In the first quarter of 2012, ASEAN was the most active region in the world for privacy developments. In keeping with global trends, ASEAN governments have begun to promulgate legislation in their respective countries to protect the personal information. Malaysia, Singapore and the Philippines have all introduced laws to protect data, in particular, personal data. These laws have consequences beyond the boundaries of the individual countries as they also cover the transmission or export of personal data obtained within those countries. Knowledge of what can or cannot be done is crucial to avoid the extensive penalties imposed for breaches of the statutorily imposed duties. These front-runners and other ASEAN countries had previously all agreed to develop best practices and guidelines on data protection by 2015 as part of their commitment to establish an integrated ASEAN Economic Community – the AEC – by 2015. The indicators are clear. Data protection regulation in the region will increase in coming years. The ability to keep up with these changes may make – or break – business enterprises with regional ambitions.