Abstract
Essentially, the Personal Data Protection Act 2010 (‘PDPA’) protects data privacy (as opposed to general privacy). The PDPA basically applies to any form of processing of personal data in respect of commercial transactions. The PDPA governs the way personal data is collected, used, transferred or even deleted. Any person who processes personal data (‘data user’) of an individual (‘data subject’) is required to comply with the seven personal data protection principles (‘PDP Principles’) under the PDPA. The PDPA also grants several rights to data subjects. In this chapter, the author starts off by explaining the various definitions and terminologies under the PDPA, the application and non-application of the PDPA, followed by the detailed elaboration on the application of the PDP Principles. The author also sets out the various exemptions, the rights of data subjects as well as criminal offences in easy-to-read table formats.
Observations more than books and experience more than persons, are the prime educators (Amos Bronson Alcott, 29th November 1799 – 4th March 1888, Educator, Reformer, Writer & Philosopher)
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Greenleaf (2012).
- 2.
Section 2(1) of the PDPA.
- 3.
Section 4 of the PDPA.
- 4.
See the ‘Technical Guidance Note – Determining What is Data?’, Information Commissioner’s Office.
- 5.
Jay and Hamilton (1999), p. 32.
- 6.
Jay and Hamilton (1999), p. 32.
- 7.
Jay and Hamilton (1999), p. 32.
- 8.
[2003] EWCA Civ 1746; [2004] FSR 573.
- 9.
The court quoted with approval the following passage from Jay and Hamilton (1999):
‘Files or systems which do not have any clear systematic internal indexing mechanism should not fall under the definition. So a file with the name on the front arranged in date order may not fall within the term relevant filing system, whereas a file with the name on but arranged in sections to cover health, education, earnings or family connections is more likely to be; the more readily accessible the particular information, the clearer it is that it will be covered … the nature of the file, for example whether it is a personnel file or a customer file, is completely irrelevant’.
- 10.
[2005] EWHC 246.
- 11.
‘The Durant Case and Its Impact on the Interpretation of the Data Protection Act’, Information Commissioner’s Office, p. 6.
- 12.
‘The Durant Case and Its Impact on the Interpretation of the Data Protection Act’, Information Commissioner’s Office, p. 6.
- 13.
See the ‘Quick Reference Guide – What is Personal Data?’, and ‘Technical Guidance Note – What is Data?’, Information Commissioner’s Office.
- 14.
Wong JA in the Hong Kong case of Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692 said, ‘a photograph can tell many things. It tells the race, sex, approximate age, weight and height of the person shown in the photograph. On the other hand, the written description of a person … does not tell very much about the person … the person in the photograph can only be the person himself or herself and no one else.’
- 15.
Lloyd (2008), p. 41.
- 16.
Opinion 4/2007 on the Concept of Personal Data (2007), p. 6.
- 17.
Opinion 4/2007 on the Concept of Personal Data (2007), p. 6.
- 18.
Opinion 4/2007 on the Concept of Personal Data (2007), p. 7.
- 19.
Working Party document No WP 105: ‘Working document on data protection issues related to RFID Technology’ (2005), p. 7.
- 20.
‘The Durant Case and Its Impact on the Interpretation of the Data Protection Act’, Information Commissioner’s Office, p. 3.
- 21.
Jay and Hamilton (1999), p. 80.
- 22.
[2000] 1 HKC 692.
- 23.
Berthold and Wacks (2003).
- 24.
Munir and Yasin (2010a), MLJ cxix, p. 4.
- 25.
Bainbridge (2008) p. 506.
- 26.
The Guide to Data Protection, Information Commissioner’s Office, item 13 A3, p. 24.
- 27.
Art 2(b) of the EU Data Protection Directive defines ‘processing’ to mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction’.
- 28.
[2003] ECR I-12971; [2004] QB 1014, Case 101/01.
- 29.
Opinion 4/2007 (2007), p. 100.
- 30.
Section 4 of the PDPA.
- 31.
Section 13(2) of the PDPA.
- 32.
- 33.
Munir and Yasin (2010b), p. 74.
- 34.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, p. 16.
- 35.
Munir and Yasin (2010b), p. 74.
- 36.
Munir and Yasin (2010b), p. 75.
- 37.
Section 4 of the PDPA.
- 38.
Bainbridge (2008), p. 508.
- 39.
See the ‘Outsourcing: A Guide for Small and Medium-Sized Businesses’, Information Commissioner’s Office.
- 40.
Section 4 of the PDPA.
- 41.
Section 4 of the PDPA defines data user is to mean a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor.
- 42.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para 2.5, p. 17.
- 43.
Pastor (2012), p. 62.
- 44.
Lloyd (2008), p. 55.
- 45.
The Guide to Data Protection, Information Commissioner’s Office, item 27, A3, p. 28.
- 46.
Stephenson and Kwan (2007), pp. 330–331.
- 47.
Section 4 of the PDPA.
- 48.
Section 2(3) of the PDPA.
- 49.
Munir and Yasin (2010b), p. 78.
- 50.
Section 5 DPA 1998 (UK) provides:
Except as otherwise provided by or under section 54, this Act applies to a data controller in respect of any data only if —
(a) the data controller is established in the United Kingdom and the data are processed in the context of that establishment, or
(b) the data controller is established neither in the United Kingdom nor in any other EEA State but uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.
(2) A data controller falling within subsection (1)(b) must nominate for the purposes of this Act a representative established in the United Kingdom.
- 51.
2nd limb of Section 2(2)(b) of the PDPA.
- 52.
Patrikios (2012), p. 75.
- 53.
Section 3(1) of the PDPA.
- 54.
Section 3(2) of the PDPA.
- 55.
Section 2(1) read together with Section 4 of the PDPA.
- 56.
Section 4 of the PDPA.
- 57.
Section 2(2)(b) of the PDPA.
- 58.
Section 45(1) of the PDPA.
- 59.
Levi Strauss & Co. v Tesco plc [2002] Ch 109. The court held that whilst consent cannot be inferred from silence, it could be inferred from conduct.
- 60.
Art 2(h) of the EU Data Protection Directive.
- 61.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para 3.1.5, p. 29.
- 62.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para 3.1.5, p. 29.
- 63.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para 3.1.5, p. 29.
- 64.
The Oxford English Dictionary (1991) p. 310.
- 65.
Black’s Law Dictionary (1990) p. 305.
- 66.
[1980] 1 All ER 356 which was subsequently applied in Trustees of the Methodist Secondary School Trust Deed v O’Leary (1993) 25 H.L.R. 364.
- 67.
Munir and Yasin (2002), p. 184.
- 68.
Lloyd (2008), pp. 98–99.
- 69.
Case DA/92 31/49/1.
- 70.
Case DA98 3/49/2.
- 71.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para.3.1.5.
- 72.
Section 13 of the Electronic Commerce Act 2006.
- 73.
R v R [1991] 4 All ER 481.
- 74.
The Guide to Data Protection, Information Commissioner’s Office, item 32, B1, p. 51.
- 75.
The Guide to Data Protection, Information Commissioner’s Office, item 15, B2, p. 56.
- 76.
Article 29 Working Party, Opinion 5/2000 on the Use of Public Directories for Reverse or Multi-criteria Searching Services.
- 77.
Article 29 Working Party, Opinion 8/2001 on the Processing of Personal Data in the Employment Context.
- 78.
The Guide to Data Protection, Information Commissioner’s Office, item 8, B3, p. 59.
- 79.
The Guide to Data Protection, Information Commissioner’s Office, item 13, B3, p. 60.
- 80.
The Guide to Data Protection, Information Commissioner’s Office, item 14, B3, p. 60.
- 81.
The Guide to Data Protection, Information Commissioner’s Office, item 14, B3, p. 60.
- 82.
The Guide to Data Protection, Information Commissioner’s Office, item 14, B3, p. 60.
- 83.
Munir and Yasin (2010a), MLJ cxix, p. 8.
- 84.
See the ‘Privacy Notices Code of Practice’, Information Commissioner’s Office.
- 85.
Jay and Hamilton (1999), p. 222.
- 86.
Section 39 of the PDPA provides that notwithstanding Section 8, personal data of a data subject may be disclosed by a data user for any other purposes only if the data subject has given his consent to such disclosure; the disclosure is necessary for the purpose of preventing or detecting a crime, or for investigations, or was required or authorised by or under any law or by the order of a court; or the disclosure was justified as being in the public interest in circumstances as determined by the Minister.
- 87.
The Guide to Data Protection, Information Commissioner’s Office, item 4 B5, p. 73.
- 88.
Lloyd (2008), p. 115.
- 89.
Jawahitha et al. (2007), p. 736.
- 90.
A leading international best practice known as ISO 27001 is available via http://www.itgovernance.co.uk/iso27001.aspx.
- 91.
Some of the suggested reasonable steps are such as obtain references; consider how long the proposed data processor has been in business; obtain technical information as to how the security system is to be operated and have it evaluated by a processing expert; ask for reports as to compliance or any breaches of security on a timely manner; ensure the guarantees offered by the processing company are worth the paper it is written on. See Paul Stephenson and Alisa Kwan, (n 53, p 332).
- 92.
The Guide to Data Protection, Information Commissioner’s Office, item 35 A3, p. 31.
- 93.
The Guide to Data Protection, Information Commissioner’s Office, item 4 B5, p. 73.
- 94.
Lloyd (2008), p. 114.
- 95.
The Guide to Data Protection, Information Commissioner’s Office, items 7-9 B5, p. 74.
- 96.
Section 13 of the Electronic Commerce Act 2006.
- 97.
The Guide to Data Protection, Information Commissioner’s Office, item 5 B4, p. 64.
- 98.
The Guide to Data Protection, Information Commissioner’s Office, item 5 B4, p. 68.
- 99.
Legal Guidance to Data Protection Act 1998, Information Commissioner’s Office, para 3.4, p. 38.
- 100.
Section 45 of the PDPA.
- 101.
Section 46 of the PDPA.
References
Article 29 Working Party, Opinion 5/2000 on the Use of Public Directories for Reverse or Multi-criteria Searching Services. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2000/wp33en.pdf. Accessed 18 May 2012
Article 29 Working Party, Opinion 8/2001 on the Processing of Personal Data in the Employment Context. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2001/wp48en.pdf. Accessed 18 May 2012
Quick Reference Guide – What is Personal Data?. Information Commissioner’s Office. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/160408_v1.0_determining_what_is_personal_data_-_quick_reference_guide.pdf> and a detailed ‘Technical Guidance Note – What is Data?’, available via http://www.ico.gov.uk/upload/documents/determining_what_is_personal_data/whatispersonaldata2.htm. Accessed 13 Jun 2012
Bainbridge D (2008) Introduction to Information Technology Law, 6th edn. Pearson, Essex
Berthold M, Wacks R (2003) Hong Kong Data Privacy Law: territorial regulation in a borderless world, 2nd edn. Sweet & Maxwell Asia, Hong Kong
Black’s Law Dictionary (1990) 6th edn. St. Paul., West Publishing Co. This was cited by Stirling J in Re Smith (59 LJ Ch 284), p. 305
Legal Guidance to Data Protection Act 1998. Information Commissioner’s Office. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf. Accessed 1 Jun 2012
Greenleaf G (2012) ASEAN ‘New’ Data Privacy Laws: Malaysia, the Philippines and Singapore, Privacy Laws & Business International Report, Issue 116, UNSW Law Research Paper No. 2012–14. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2049234&http://www.google.com.my/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&sqi=2&ved=0CE4QFjAA&url=http%3A%2F%2Fpapers.ssrn.com%2Fsol3%2FDelivery.cfm%2FSSRN_ID2049234_code722134.pdf%3Fabstractid%3D2049234%26mirid%3D1&ei=aBDxT9LbJM3JrAf8w8G9DQ&usg=AFQjCNHfJpPF4IPqeIH6UQIleNn1NmdVnw&sig2=mHYmPdDMlI_wS8mjMDusAQ. Accessed 24 May 2012
Hawkins JM, Allen R (eds) (1991) The Oxford English Dictionary. Clarendon, Oxford, p. 310
Jawahitha S, Ishak M, Mazahir M (2007) E-Data Privacy and the Personal Data Protection Bill of Malaysia. J Appl Sci 7(5):732–742, http://scialert.net/qredirect.php?doi=jas.2007.732.742&linkid=pdf. Accessed 26 May 2012
Jay R, Hamilton A (1999) Data protection law and practice, 1st edn. London, Sweet & Maxwell
Lloyd I (2008) Information Technology Law, 5th edn. Oxford University Press, Oxford
Munir AB, Yasin SH (2002) Privacy and data protection. Sweet and Maxwell Asia, Kuala Lumpur
Munir AB, Yasin SH (2010a) The Personal Data Protection Bill 2009, [2010] MLJ cxix
Munir AB, Yasin SH (2010b) Personal data protection in Malaysia. Law and practice. Sweet and Maxwell Asia, Kuala Lumpur
Opinion 4/2007 on the Concept of Personal Data (2007) http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf. Accessed 5 Jun 2012
Outsourcing: A Guide for Small and Medium-Sized Businesses, Information Commissioner’s Office, which gives more advice about using data processors. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/outsourcing_gpn_version_2.1_080409.pdf. Accessed 13 Jun 2012
Pastor N (2012) Chapter Four, Data protection concept. In: European Privacy, Law and Practice for Data Protection Professionals. IAPP Publication, p. 62
Patrikios A (2012) Chapter Five, Application of the law. In: European Privacy, Law and Practice for Data Protection Professionals. IAPP Publication, p. 75
Privacy Notices Code of Practice, Information Commissioner’s Office. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/privacy_notices_cop_ final.pdf. Accessed 13 Jun 2012
Stephenson P, Kwan A (2007) Cyberlaw in Hong Kong, 2nd edn. LexisNexis, Hong Kong, pp. 330–331
Technical Guidance Note – Determining What is Data?. Information Commissioner’s Office. http://www.ico.gov.uk/upload/documents/determining_what_is_personal_data/whatispersonaldata2.htm. Accessed 6 Jun 2012
The Durant Case and Its Impact on the Interpretation of the Data Protection Act. Information Commissioner’s Office. http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/the_durant_case_and_its_impact_on_the_interpretation_of_the_data_protection_act.pdf. Accessed 5 Jun 2012
The Guide to Data Protection. Information Commissioner’s Office. http://www.ico.gov.uk/for_organisations/data_protection/the_guide.aspx. Accessed 1 Jun 2012
Working Party document No WP 105: Working document on data protection issues related to RFID Technology (2005) http://www.iot-visitthefuture.eu/fileadmin/documents/dataprotection/190105_Working_Document_on_Data_Protection_Issues_29_wp105_en.pdf. Accessed 10 Jun 2012
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Cieh, E.L.Y. (2013). Personal Data Protection Act 2010: An Overview Analysis. In: Ismail, N., Yong Cieh, E. (eds) Beyond Data Protection. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33081-0_3
Download citation
DOI: https://doi.org/10.1007/978-3-642-33081-0_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33080-3
Online ISBN: 978-3-642-33081-0
eBook Packages: Humanities, Social Sciences and LawLaw and Criminology (R0)