Personal Data Protection Act (PDPA) 2010
LAW AND ETHICS
Individual Assignment
Name:
Matric Number: 22003961
Instructor’s Name: Dr. Muhammad Zaiamri Bin Zainal Abidin
Introduction
personal data privacy laws. The effectiveness of this protection scheme is debatable, though
(Alibeigi and A. B. Munir, 2000). In Malaysia, there have been an estimated 20,000 cases of
cybercrime in recent years, resulting in an RM560 million loss overall. Therefore, how well is
Malaysians' personal information protected by the Personal Data Protection Act (PDPA) 2010
and how significant is this law to both Malaysia and the media sector?
The Personal Data Protection Department (PDPD), an organization within the Ministry of
Personal Data Protection Act (PDPA) 2010, a law governing media. In order to prevent any party
or business from misusing anyone's personal data, the Personal Data Protection Department
(PDPD) is responsible for monitoring and safeguarding the processing of personal data of
The Personal Data Protection Act (PDPA) 2010 went into effect in Malaysia in 2013 with
the aim of protecting people's personal information related to business activities. The goal of the
Personal Data Protection Act (PDPA) 2010 is to safeguard the personal information and data of
natural individuals (Alibeigi, A. B. Munir, & A. Asemi, 2021). This law contains seven
principles that must be followed when processing personal data by a data user.
Data protection principles and their relation to employment
The Personal Data Protection Act (PDPA) 2010 contains seven principles, as was
previously indicated, and each one of them is crucial to employment. The General Principle is
the first principle of the Personal Data Protection Act (PDPA) 2010. The essential component is
the employee's consent, which is required. Before the employer can use any personal
information about them, employees must express their consent. However, there is an argument
that employees have consented to the use of their personal data if they are already aware of it
and do not object. But in my view, an employee's consent is the most crucial factor, and the
employer should only utilize their personal information after a "yes." Because some people tend
to keep quiet unless they are questioned, communication is crucial, so that we do not presume their
consent and allow the employment to proceed just because they remained silent.
The Notice and Choice Principle comes after that. Employers and management are
required to notify employees whose personal information is being processed. This information
is provided so that the data subject can decide whether to limit or extend the processing of
their personal data. There are disagreements on whether the notice must be in writing,
notably for "sensitive data". In my opinion, it does not need to be in written form.
The third principle is the Disclosure Principle. Without the employee's consent or unless
necessary for the original purpose, their personal information cannot be disclosed to a third party.
Unless the employees have consented for their data to be revealed for numerous purposes, as
specified in the General Principle, the employer is not permitted to share the employees' personal
The Security Principle is the next guiding principle. The management must ensure that none
of the personal data is lost, mishandled, or mistakenly made accessible to third parties while being
processed. This is crucial for both the security of employee data and for the employees' safety.
Therefore, management has a duty to protect employee personal information in every way
possible. This is true because modern data processing is done electronically, making it simple for
Moreover, the next principle is the Retention Principle. The employer must take into account
how long it keeps its employees' personal information. The employer typically
retains the personal information for the duration of the employment agreement. It shouldn't go on
past the allotted time. In other words, once the contract is over, the employer no longer has any
legal right to retain the personal information of the employees. In reality, the Employment Act of
The Integrity Principle is the sixth principle. The employer must only process the
most recent, accurate, complete, and truthful personal information. The employer's involvement
determines how accurate the personal data is. It is unlikely to affect the employee if the data
obtained is already inaccurate. However, it is the employer's duty to make the necessary
corrections as soon as they become aware that the personal data they have received is inaccurate.
The Access Principle is the final guiding concept. The data subject must grant the staff
members access to and the ability to amend their personal information. This method of
the employees' personal information is stored in electronic files, and they can only access it via a
secret password.
Therefore, the management or employer has to ensure that all seven principles of the
Personal Data Protection Act (PDPA) 2010 are applied in their daily administration. It is
important to apply all these principles not only for the security of the employees and the
employer themselves, but also for the operations to be smoother as well as to protect the
reputation of a company.
The Personal Data Protection Act (PDPA) 2010 gives employees some rights based on
the seven data protection principles. Employees shall, first and foremost, have a right under the
Access Principle to access their personal data. There is a claim that employees do not have the
right to access files or data, either manually or electronically; instead, they must ask management
for their personal information. In my opinion, an employee's personality and attributes determine
whether they are given access to the data. Based on their knowledge and trust of the employee,
data corrected. After having access to the data, the employee has the right to correct it if there is
a mistake. However, the employee must present the management with proof that the current
Next, in accordance with the Integrity Principle, employees have the right to stop the
collection of data that could harm or discomfort them. This is crucial for the employee since,
without a doubt, inaccurate information will harm their reputation or perhaps destroy their future
career.
Employees also have the right under the Notice and Choice Principle to notice of
automated data processing. It is similar to the right to access their personal data, as was stated
before in the Access Principle. Employees must provide the notice to the data subject so that they
are aware of the processing or disclosure of their personal information by the employer.
Additionally, under the Disclosure Principle, employees are entitled to the non-disclosure
of personal information. Employees are free to object to their personal information being
disclosed by their employer for any reason. The management has no power to compel employees
to give up their personal information or to reveal such information without their knowledge or
consent.
Employees also have the option to revoke their consent for data usage under the General
Principle. Employees have the same option under the Personal Data Protection Act (PDPA) 2010
to withdraw their consent for private reasons as they do to refuse having their personal data
released. Employers who forbid employees from withdrawing their permission are in violation of
the law.
The right to delete personal data that is no longer needed in accordance with the
Retention Principle is also granted to workers. All employee personal information is only
retained for its original use. Employees have the option to have their information removed if it is
no longer needed for the stated reason. Employee personal information that is no longer required
Case study
tens of thousands of secondary school graduates in 2016 for marketing purposes (Mail, M.,
2016). The Personal Data Protection Department (PDPD) cited eight businesses between January
2017 and February 2018 for violating this law. In 2017, there were charges against three of the
eight businesses.
This news relates to the implementation of the Malaysian Personal Data Protection Act
(PDPA) 2010, where a corporation has been charged as the first data user for suspected
violations of the Personal Data Protection Act (PDPA) 2010. The Personal Data Protection
Department (PDPD) and the Personal Data Protection Commissioner, Puan Khalidah binti Mohd
Darus, have officially started the enforcement phase of the Personal Data Protection Act
(PDPA).
Victoria International College's operator, Khas Cergas Sdn. Bhd, was charged in the
Sessions Court in May 2017 by the Personal Data Protection Commissioner with processing personal
data belonging to its former employees despite not having a valid certificate of
registration. This act was reportedly perpetrated at the Victoria International College location in
Taman Batu 5, Jalan Ipoh's Jalan Kampong Batu. It was charged in accordance with Section
16(4) of the Personal Data Protection Act (PDPA) 2010, which carries a maximum penalty of
RM 5,000,000 and a maximum sentence of three years in jail, or both. The prosecution was led
by deputy public prosecutor, Izalina Abdullah from the Ministry of Communications and
Multimedia Commission (MCMC), who noted that this was the first instance under the Personal
According to my research on the Personal Data Protection Act (PDPA) 2010, this
instance, which occurred on 3rd May 2017, was undoubtedly against the law, and the Personal Data
Protection Act (PDPA) 2010 has charged this corporation in the proper manner. The Retention
Principle and the General Principle under this law which must be followed by every company are
both violated by Khas Cergas Sdn. Bhd.'s handling of the personal data of former workers.
Because the word "former" implies that the employees' contracts with the company have already
ended and Khas Cergas Sdn. Bhd. no longer has the authority to process their personal data, this
corporation violated the Retention Principle by disclosing the personal information of their
former employees. Additionally, Khas Cergas Sdn. Bhd. processed personal data without telling
or obtaining authorization from the former employees, which is against the General Principle that
states that no corporation may disclose an employee's data without that employee's consent.
Moreover, Khas Cergas Sdn. Bhd. acted against several of the rights that employees have under
the Personal Data Protection Act (PDPA) 2010, including the right to request that personal
information be destroyed if it is no longer required and the right to request that personal
Therefore, in my opinion, the Personal Data Protection Act (PDPA) 2010 has taken the
right action to charge the company that is against the law as well as the rights of the employees.
That is why I feel that this law is needed for the employees, country and even the media industry.
This law is so important because without this law and its principles that are required to apply in
every company, the companies would have just simply disclosed the personal data of their
employees without any limitation or border line. Well, it might be an advantage for the employer,
but it is definitely unfair for the employees. When there is no fairness in employment, there is
no justice in a country. Thus, without the application of this law will absolutely affect justice as
On the other hand, the Personal Data Protection Act (PDPA) 2010 also plays a very
important role in the existing media industry. Technologies are moving fast forward over time
and making different changes that are happening around the world. With the advance of the
technologies, users easily upload their personal data on the internet and the personal data are
more likely to be stolen through the internet. This is how dangerous it is for the digital world
nowadays and that is why it is so important to raise our awareness on protecting our personal
data on the internet. With the enforcement of this law, it not only protects the personal data of the
users from disclosure, it also helps to strengthen the methods businesses are using to handle users'
personal data.
To summarize, the Personal Data Protection Act (PDPA) 2010 not only protects one’s
personal data, it also safeguards the existing media industry as well as our country. It is clear that
the Personal Data Protection Act (PDPA) 2010 is a positive step towards data protection, but
there is still a need for improvement as seen by Malaysia's rising incidence of data breaches, data
leaks, frauds, and scams (Noor Sureani, N., Awis Qurni, A. S., Azman, A. H., Othman, M.
B., & Zahari, H. S., 2021). These cases are still happening because the awareness of protecting
one’s own data is still low and the act of the companies against the law is still under control. That
is why better media law enforcement is needed and this is how the Personal Data Protection Act
information has lately been exploited. After receiving a request under Section 130 of the
Personal Data Protection Act (PDPA) 2010, on November 16, 2017, the Personal Data Protection
Act (PDPA) 2010 requested the Malaysian Communications and Multimedia Commission
(MCMC) to ban this website. The Personal Data Protection Act (PDPA) 2010 also brought legal
action against five organizations in 2019 for failing to process employee personal data with their
consent or for failing to register with this law. A corporation that disobeys will be punished or
put in jail.
Furthermore, the Personal Data Protection Act (PDPA) 2010 has established a guideline
for mobile applications that they must abide by even though they are not required to register in
accordance with this law because they process personal data in commercial operations. In order
to avoid instances of personal data misuse by the business, mobile applications must abide by
this law.
References
Alibeigi, A. and A. B. Munir (2020). "Malaysian personal data protection act, a mysterious
Alibeigi, A., Munir, A. B., & Asemi, A. (2021). "Compliance with Malaysian Personal Data
Protection Act 2010 by banking and financial institutions, a legal survey on privacy
https://doi.org/10.1080/13600869.2021.1970936
Astro Awani, N. (2017, May 3). Company charged with processing of personal data without
processing-personal-data-out-pdpd-certificate-141476
Azmi, I. M. (2011). "Bioinformatics and genetic privacy: The impact of the Personal Data
Protection Act 2010." Computer Law & Security Review 27(4): 394-401.
Baskaran, H., et al. (2020). Blockchain and the Personal Data Protection Act 2010 (PDPA) in
Chin, C. (2019, October 18). Universiti Malaya: No data compromised in E-Pay portal hack. The
no-data-compromised-in-e-pay-portal-hack
Ghani, F. A., Shabri, S. M., Rasli, M. A. M., Razali, N. A., & Shuffri, E. H. A. (2020). "An
Overview of the Personal Data Protection Act 2010 (PDPA): Problems and Solutions."
Hassan, K. H. (2012). "Personal data protection in employment: New legal challenges for
Mail, M. (2016, January 06). Education Ministry confirms SPM, STPM student data leak: Malay
https://www.malaymail.com/news/malaysia/2016/01/06/education-ministry-confirms-spm-spm-student-data-leak/1035163
Mohd Shahwahid, F. and S. Miskam (2014). Personal Data Protection Act 2010: Taking the first
Noor Sureani, N., Awis Qurni, A. S., Azman, A. H., Othman, M. B., & Zahari, H. S. (2021). The
https://doi.org/10.47405/mjssh.v6i10.1087
Schwartz, P. M. (1995). European data protection law and restrictions on international data
Yusoff, Z. (2011). The Malaysian Personal Data Protection Act 2010: legislation note. New