
AIM 1006 MEDIA LAW AND ETHICS

Individual Assignment

Name: Alvin Tay Hao Jia

Matric Number: 22003961

Instructor's Name: Dr. Muhammad Zaiamri Bin Zainal Abidin

Introduction

Among the ASEAN nations, Malaysia is a leader in developing and implementing

personal data privacy laws. The effectiveness of this protection scheme is debatable, though.

(Alibeigi and A. B. Munir, 2000). In Malaysia, there have been an estimated 20,000 cases of

cybercrime in recent years, resulting in an RM560 million loss overall. Therefore, how well is

Malaysians' personal information protected by the Personal Data Protection Act (PDPA) 2010

and how significant is this law to both Malaysia and the media sector?

Personal Data Protection Act (PDPA) 2010

The Personal Data Protection Department (PDPD), an organization within the Ministry of

Communications and Multimedia Commission (MCMC), is responsible for enforcing the

Personal Data Protection Act (PDPA) 2010, a law governing media. In order to prevent any party

or business from misusing anyone's personal data, the Personal Data Protection Department

(PDPD) is responsible for monitoring and safeguarding the processing of personal data of

persons that involves commercial transactions.

The Personal Data Protection Act (PDPA) 2010 went into effect in Malaysia in 2013 with

the aim of protecting people's personal information related to business activities. The goal of the

Personal Data Protection Act (PDPA) 2010 is to safeguard the personal information and data of

natural individuals. (Alibeigi, A. B. Munir, & A. Asemi, 2021). This law contains seven

principles that must be followed when processing personal data by a data user.

Data protection principles and their relation to employment

The Personal Data Protection Act (PDPA) 2010 contains seven principles, as was

previously indicated, and each one of them is crucial to employment. The General Principle is

the first principle of the Personal Data Protection Act (PDPA) 2010. The essential component is

the employee's consent, which is required. Before the employer can use any of their personal

information about them, they must express their consent. However, there is an argument that

claims employees have consented to the use of their personal data if they are already aware of it

and do not reject. But in my view, an employee's consent is the most crucial factor, and the

employer should only utilize their personal information after a "yes." Because some people tend

to keep quiet unless they are questioned, communication is crucial, so we won't presume their

consent and enable the employment to proceed just because they remained silent.

The Notice and Choice Principle comes after that. Employers and management are

required to notify employees whose personal information is being processed. In order for the

data subject to decide whether to limit or extend the processing of their personal data, this

information is provided. There are disagreements on whether the notice must be in writing,

notably for the "sensitive data". It is not necessary for it to be in written form, in my opinion.

The third principle is the Disclosure Principle. Without the employee's consent or unless

necessary for the original purpose, their personal information cannot be disclosed to a third party.

Unless the employees have consented for their data to be revealed for numerous purposes, as
specified in the General Principle, the employer is not permitted to share the employees' personal

information for other reasons.

Security Principle is the next guiding principle. The management must ensure that none

of the personal data is lost, mishandled, or mistakenly accessible by third parties while being

processed. This is crucial for both the security of employee data and for the employees' safety.

Therefore, management has a duty to protect employee personal information in every way

possible. This is true because modern data processing is done electronically, making it simple for

scammers to steal personal information.

Moreover, the next principle is Retention Principle. The employer must take into account

how long the employer keeps its employees' personal information. The employer typically

retains the personal information for the duration of the employment agreement. It shouldn't go on

past the allotted time. In other words, once the contract is over, the employer no longer has any

legal right to retain the personal information of the employees. In reality, the Employment Act of

1955 makes this a necessity.

The Integrity Principle is the sixth principle. The employer must only process the

most recent, accurate, complete, and truthful personal information. The employer's involvement

determines how accurate the personal data is. It is unlikely to affect the employee if the data

obtained is already inaccurate. However, it is the employer's duty to make the necessary

corrections as soon as they become aware that the personal data they have received is inaccurate.

The Access Principle is the final guiding concept. The data subject must grant the staff

members access to and the ability to amend their personal information. This method of

employment law is groundbreaking. In reality, in situations involving electronic management,

the employees' personal information is stored in electronic files, and they can only access it via a

secret password.

Therefore, the management or employer has to ensure that all the seven principles of the

Personal Data Protection Act (PDPA) 2010 are applied in their daily administration. It is

important to apply all these principles not only for the security of the employees and the

employer themselves, but also for the operations to be smoother as well as to protect the

reputation of a company.

Rights of the employees as data subjects

The Personal Data Protection Act (PDPA) 2010 gives employees some rights based on

the seven data protection principles. Employees shall, first and foremost, have a right under the

Access Principle to access their personal data. There is a claim that employees do not have the

right to access files or data, either manually or electronically; instead, they must ask management

for their personal information. In my opinion, an employee's personality and attributes determine

whether they are given access to the data. Based on their knowledge and trust of the employee,

management will decide whether or not to allow access to the data.


Second, under the Integrity Principle, employees have the right to have their personal

data corrected. After having access to the data, the employee has the right to correct it if there is

a mistake. However, the employee must present the management with proof that the current

statistics are inaccurate before their personal information can be corrected.

Next, in accordance with the Integrity Principle, employees have the right to stop the

collection of data that could harm or discomfort them. This is crucial for the employee since,

without a doubt, inaccurate information will harm their reputation or perhaps destroy their future

career.

Employees also have the right under the Notice and Choice Principle to notice of

automated data processing. It is similar to the right to access their personal data, as was stated

before in the Access Principle. Employers must provide the notice to the data subject so that they

are aware of the processing or disclosure of their personal information by the employer.

Additionally, under the Disclosure Principle, employees are entitled to the non-disclosure

of personal information. Employees are free to object to their personal information being

disclosed by their employer for any reason. The management has no power to compel employees

to give up their personal information or to reveal such information without their knowledge or

consent.

Employees also have the option to revoke their consent for data usage under the General

Principle. Employees have the same option under the Personal Data Protection Act (PDPA) 2010

to withdraw their consent for private reasons as they do to refuse having their personal data

released. Employers who forbid employees from withdrawing their permission are in violation of

the law.

The right to delete personal data that is no longer needed in accordance with the

Retention principle is also granted to workers. All employee personal information is only

retained for its original use. Employees have the option to have their information removed if it is

no longer needed for the stated reason. Employee personal information that is no longer required

cannot be kept by the employer. (Hassan, K. H., 2012).

Case study

A private higher education institution received personal information about potentially

tens of thousands of secondary school graduates in 2016 for marketing purposes. (Mail, M.,

2016). The Personal Data Protection Department (PDPD) cited eight businesses between January

2017 and February 2018 for violating this law. In 2017, there were charges against three of the

eight businesses.

This news relates to the implementation of the Malaysian Personal Data Protection Act

(PDPA) 2010, where a corporation has been charged as the first data user for suspected
violations of the Personal Data Protection Act (PDPA) 2010. The Personal Data Protection

Department (PDPD) and the Personal Data Protection Commissioner, Puan Khalidah binti Mohd

Darus, have officially started the enforcement phase of the Personal Data Protection Act

(PDPA).

Victoria International College's operator, Khas Cergas Sdn. Bhd, was prosecuted in the

Sessions Court in May 2017 by the Personal Data Protection Commissioner for processing

personal data belonging to their former employees despite not having a valid certificate of

registration. This act was reportedly perpetrated at the Victoria International College location in

Taman Batu 5, Jalan Ipoh's Jalan Kampong Batu. It was charged in accordance with Section

16(4) of the Personal Data Protection Act (PDPA) 2010, which carries a maximum penalty of

RM 5,000,000 and a maximum sentence of three years in jail, or both. The prosecution was led

by deputy public prosecutor, Izalina Abdullah from the Ministry of Communications and

Multimedia Commission (MCMC), who noted that this was the first instance under the Personal

Data Protection Act (PDPA) 2010 to receive charges.

According to my research on the Personal Data Protection Act (PDPA) 2010, this

instance that occurred on 3rd May 2017, was undoubtedly against the law, and the Personal Data

Protection Act (PDPA) 2010 has charged this corporation in the proper manner. The Retention

Principle and the General Principle under this law which must be followed by every company are

both violated by Khas Cergas Sdn. Bhd.'s handling of the personal data of former workers.

Because the word "former" implies that the employees' contracts with the company have already
ended and Khas Cergas Sdn. Bhd. no longer has the authority to process their personal data, this

corporation violated the Retention Principle by disclosing the personal information of their

former employees. Additionally, Khas Cergas Sdn. Bhd. processed personal data without telling

or obtaining authorization from the former employees, which is against the General Principle that

states that no corporation may disclose an employee's data without that employee's consent.

Moreover, Khas Cergas Sdn. Bhd. is opposed to several of the rights that employees have under

the Personal Data Protection Act (PDPA) 2010, including the right to request that personal

information be destroyed if it is no longer required and the right to request that personal

information not be transmitted to third parties.

Therefore, in my opinion, the Personal Data Protection Act (PDPA) 2010 has taken the

right action to charge the company that is against the law as well as the rights of the employees.

That is why I feel that this law is needed for the employees, country and even the media industry.

This law is so important because without this law and its principles that are required to apply in

every company, the companies would have just simply disclosed the personal data of their

employees without any limitation or border line. Well, it might be an advantage for the employer

but it is definitely unfair for the employees. When there is no fairness in an employment, there is

no justice in a country. Thus, going without the application of this law will absolutely affect justice as

well as the reputation of our country.

On the other hand, the Personal Data Protection Act (PDPA) 2010 also plays a very

important role in the existing media industry. Technologies are moving fast forward over time
and making different changes that are happening around the world. With the advance of the

technologies, users easily upload their personal data on the internet and the personal data are

more likely to be stolen through the internet. This is how dangerous it is for the digital world

nowadays and that is why it is so important to raise our awareness on protecting our personal

data on the internet. With the enforcement of this law, it not only protects the personal data of the

users from disclosure, it also helps to strengthen the methods businesses are using to handle users'

personal data.

To summarize, the Personal Data Protection Act (PDPA) 2010 not only protects one’s

personal data, it also safeguards the existing media industry as well as our country. It is clear that

the Personal Data Protection Act (PDPA) 2010 is a positive step towards data protection, but

there is still need for improvement as seen by Malaysia's rising incidence of data breaches, data

leaks, frauds, and scams. (Noor Sureani, N., Awis Qurni, A. S., Azman, A. H., Othman, M.

B., & Zahari, H. S., 2021). These cases are still happening because the awareness of protecting

one’s own data is still low and the act of the companies against the law is still under control. That

is why better media law enforcement is needed and this is how the Personal Data Protection Act

(PDPA) 2010 flexes its muscles.

Enforcement of Personal Data Protection Act (PDPA) 2010

The website Sayakenahack.com belongs to a blogger named Keith Rozario. This

website's objective is to allow Malaysian residents to determine whether their personal

information has lately been exploited. After receiving a request under Section 130 of the
Personal Data Protection Act (PDPA) 2010, on November 16, 2017, the Personal Data Protection

Act (PDPA) 2010 requested the Malaysian Communications and Multimedia Commission

(MCMC) to ban this website. The Personal Data Protection Act (PDPA) 2010 also brought legal

action against five organizations in 2019 for failing to process employee personal data with their

consent or for failing to register with this law. A corporation that disobeys will be punished or

put in jail.

Furthermore, the Personal Data Protection Act (PDPA) 2010 has established a guideline

for mobile applications that they must abide by even though they are not required to register in

accordance with this law because they process personal data in commercial operations. In order

to avoid instances of personal data misuse by the business, mobile applications must abide by

this law.

References

Alibeigi, A. and A. B. Munir (2020). "Malaysian personal data protection act, a mysterious

application." University of Bologna Law Review 5(2): 362-374.

Alibeigi, A., Munir, A. B., & Asemi, A. (2021). "Compliance with Malaysian Personal Data

Protection Act 2010 by banking and financial institutions, a legal survey on privacy

policies." International Review of Law, Computers & Technology 35(3): 365-394.

https://doi.org/10.1080/13600869.2021.1970936

Astro Awani, N. (2017, May 3). Company charged with processing of personal data without

PDPD certificate. https://www.astroawani.com/berita-malaysia/company-charged-processing-personal-data-out-pdpd-certificate-141476

Azmi, I. M. (2011). "Bioinformatics and genetic privacy: The impact of the Personal Data

Protection Act 2010." Computer Law & Security Review 27(4): 394-401.

Baskaran, H., et al. (2020). Blockchain and the Personal Data Protection Act 2010 (PDPA) in

Malaysia. 2020 8th International Conference on Information Technology and

Multimedia, ICIMU 2020.

Chin, C. (2019, October 18). Universiti Malaya: No data compromised in E-Pay portal hack. The

Star Online. https://www.thestar.com.my/tech/tech-news/2019/10/18/universiti-malaya-no-data-compromised-in-e-pay-portal-hack

Ghani, F. A., Shabri, S. M., Rasli, M. A. M., Razali, N. A., & Shuffri, E. H. A. (2020). "An

Overview of the Personal Data Protection Act 2010 (PDPA): Problems and Solutions."

Global Business & Management Research 12(4): 559-566.

Hassan, K. H. (2012). "Personal data protection in employment: New legal challenges for

Malaysia." Computer Law & Security Review 28(6): 696-703.

Mail, M. (2016, January 06). Education Ministry confirms SPM, STPM student data leak: Malay

Mail. Retrieved September 13, 2020, from

https://www.malaymail.com/news/malaysia/2016/01/06/education-ministry-confirms-spm-spm-student-data-leak/1035163

Mohd Shahwahid, F. and S. Miskam (2014). Personal Data Protection Act 2010: Taking the first

steps towards compliance.

Noor Sureani, N., Awis Qurni, A. S., Azman, A. H., Othman, M. B., & Zahari, H. S. (2021). The

Adequacy of Data Protection Laws in Protecting Personal Data in Malaysia. Malaysian

Journal of Social Sciences and Humanities (MJSSH), 6(10), 488 - 495.

https://doi.org/10.47405/mjssh.v6i10.1087

Schwartz, P. M. (1995). European data protection law and restrictions on international data

flows. Iowa Law Review 80(3), 471-496.

Yusoff, Z. (2011). The malaysian personal data protection act 2010: legislation note. New

Zealand Journal of Public and International Law, 9(1), 119-136.
