DATA PROTECTION Cyber Law & Islamic Ethics CICT3523 TRANSBORDER DATA FLOW(TBDF) TBDF is defined as all kinds of electronic transmission of personal information across political and boundaries for processing or storing in computer files. It concerns the transfer of personal information across sovereign geographic boundaries. WHY TBDF IS IMPORTANT? Because of its significance to economic growth and international trade Arises from 4 basic principles: a) b) c) d) The vital importance of the efficient exchange of information in the development and growth of modern international trade and production. The right of business to communicate freely within and outside its corporate structure. The right of business to access and utilize national and international communication facilities on a fair, competitive and nondiscriminatory basis. The necessity of recognizing the world-wide interdependence of modern business communication. WHY TBDF IS IMPORTANT? Because of this, many parties recommend the government to strike an appropriate balance in privacy and data protection legislation. Government in doing so, should recognize the world-wide dependence of modern business on transborder flows and not legislate in such a way as to restrict these flow. DEFINITION OF DATA This term is only used to refer to the transfer of personal information; that is information relating to individuals rather than information relating to companies or governments. For example, information relating to travel, or credit and health, as well as information about criminal convictions. DEFINITION OF DATA Personal data has been defined in the convention and OECD guidelines as; ‘any information relating to an identified or identifiable individual.’ The above definition is extremely broad; it can include a number of data of varying kinds (social security, bank accounts, etc) and all kinds of commercial activity. INTERNATIONAL INSTRUMENTS There are three different international instruments governing the issue of transborder data flow and privacy protection: a) b) c) Organization for Economic Cooperation and Development Guidelines (OECD). Council of Europe Convention For the Protection of Individuals with regards to Automatic Processing of Personal data. (Convention). European Community Directive on the Protection of Individuals (Directive). OECD PRIVACY GUIDELINES The guidelines seem to be a free data flow regulation rather than a data protection. Useful for establishing legal means to protect privacy on the electronic highway. A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet observe these guidelines. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy which would create obstacles to transborder flows of personal data that would exceed requirements for such protection EIGHT BASIC PRINCIPLES 1. The collection limitation principle requires that information must only be obtained through lawful means and with the knowledge or consent of the data subjects. 2. The data quality principle provides that only information relevant for the purpose of the collection be required by the collector of the data and such data must be up-to-date, accurate and complete. 3. The purpose specification principle states that the purpose or purposes for which the data is gathered must be disclosed to the data subject at the time it is collected and that such data shall only be used for that purpose or purposes. EIGHT BASIC PRINCIPLES 4. The use limitation principle requires that information not be disclosed to a third party by the person who has collected it without the consent of the data subject unless it is demanded by law. 5. The information must be protected by the collector who must take reasonable precautions to guard against loss, destruction, and unauthorized use, access, modification or disclosure of it. 6. The data subjects ought to be able to readily determine the whereabouts, the use and purpose of personal data relating to them. EIGHT BASIC PRINCIPLES 7. A data subject can obtain confirmation from the data collector that information is held by it, obtain details of this information within a reasonable time. Data subjects should also be given reasons where access to data is denied. He also can rectify inaccurate information and where necessary erased it. 8. The data collector ought to be accountable for complying with the above principles. OECD PRIVACY GUIDELINES However, these guidelines do not form part of a binding legal document and accordingly may not be enforced. Many countries have put all these guidelines into their legislation. E.g, Australia, New Zealand, Hong Kong, Singapore and many other countries THE CONVENTION The Council of European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was promulgated because data protection has been seen as a question of human rights. The fundamental idea is to protect privacy rather than to prevent transborder data barriers. THE CONVENTION Unlike the OECD guidelines, these provisions form part of binding legal document to European countries and can be enforced. However, it only applies to automated processing of personal information so that the transfer of information in manual form is not be caught. EUROPEAN UNION DIRECTIVE The directive initiatives was based on two reasons; 1. 2. The possibility that different levels of data protection laws could cause obstacles for border crossing data transfers. The rights and freedoms of persons with regard to the processing of personal data. EUROPEAN UNION DIRECTIVE It requires EU Member States to ensure that individuals have certain rights and the standards are set for data quality such as how to process the data fairly and lawfully. The Directive regulates structured collections of manual data as well as data held in computerized form. The Directive only permits data to be held relating to the individuals with their consent. EUROPEAN UNION DIRECTIVE The Directive also covers judicial remedies and penalties. It requires Member States to establish standard appropriate sanctions and remedies for breach of domestic data protection legislation. The Member States are required to transpose the Directive’s principles into their national legislation within a time limit of three years (1998). By now all Member States have done so. THE UK DATA PROTECTION ACT 1998 The purpose of DPA is to regulate the use of automatically processed information relating to the individuals and the provisions of services relating to the individuals (data subjects). Regulation is carried out by placing obligations on those who record and use personal data (data users) and computer bureau providing services to data users. THE PRINCIPLES OF DATA PROTECTION The principles are derived from the 8 principles of OECD guidelines, directive and convention. RIGHTS OF DATA SUBJECT 1. 2. 3. The right to be informed by any data user whenever the data held by him includes personal data of which that individual is the data subject (upon written request). The right to have a copy of the information consisting of any such personal data held by him. The right to prevent processing likely to cause damage and distress. RIGHTS OF DATA SUBJECT 4. 5. 6. The right to claim compensation for inaccuracy of the data held by the data users. The rights to claim compensation for loss or unauthorized disclosure of data by data users including if the data users breach the Data Protection Act. The rights to have inaccurate data rectified, blocked, erased or destroyed. ENFORCEMENT OF DATA PROTECTION ACT If there be a breach, 3 actions may be taken; a) b) c) Action being taken by a registrar Subject to criminal proceeding Data subjects can claim compensation A. THE ACTION BY THE REGISTRAR If any complaints made by data subjects, registrar should investigate. If any breach happened, registrar will issue; 1. Enforcement notice - asking to make rectification of inaccurate data 2. De-registration notice - to remove a user entry on the register 3. Transfer prohibition - prohibit the transfer if the recipient state do not provide equivalent protection. B. CRIMINAL OFFENCES 1) 2) 3) 4) 5) 6) 7) Holds personal data of any description other than that specified in the register entry. Uses any such data other than for purposes described in the register entry. Discloses personal data to a person not described in the register entry. Transfers directly or indirectly personal data to an overseas countries other than those described in the register entry. Obtains personal data from a source not described in the register entry. Disobeying a registrar’s notice. Not register a data – strict liability offence meaning that even though the person does not know it needs registration, he still liable. C. CLAIM COMPENSATION Data subjects can claim compensation in the event that data is inaccurate or is subjected to an unauthorized disclosure. MALAYSIAN POSITION There is no specific provision on the right to privacy in the Constitution of Malaysia. The Personal Data Protection Act 2010 was drafted in 1998 in light of the OECD Guidelines and similar laws in the EU, Hong Kong and New Zealand and has been passed by the Parliament in May 2010. PERSONAL DATA PROTECTION ACT 2010 NON APPLICATION Federal & States Governments. Non-commercial Transactions. Personal, Family & Household Affairs. Data Processed Outside Malaysia. Credit Reference Agencies. Data Protection Principles General Principle - Personal Data cannot be processed without the consent of data subject. Exemptions: for the performance of a contract to which the data subject is a party. at the request of the data subject with a view to entering into a contract. to protect the vital interest of the data subject. Notice and Choice Principle A data user shall inform the data subject that; the personal data of the data subject is being processed and provide a description of the personal data. the purposes of the collection. the right of the data subject to request access. Disclosure Principle No personal data shall, without the consent of the data subject, be disclosed for other purposes. Retention Principle Personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose. Data Integrity Principle User shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-todate. Access Principle A data subject shall be given access to his personal data and shall be able to correct that personal data if it is inaccurate, incomplete, misleading or not up-to-date. Security Principle A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Some Criminal Offences Contravene any of the Data Protection Principles. Failure to comply with the requirements of the Data Protection Commissioner in relation to the right to prevent processing that cause damage or distress. Failure to comply with the requirements of the Data Protection Commissioner in relation to the right to prevent processing for direct marketing purposes. Some Criminal Offences Transfer of data to places outside Malaysia whenever there is no law in force to protect the personal data or there is no adequate level of protection. Collect, disclose or procures the disclosure of personal data without the consent of data user. Failure to comply with the enforcement notice. If a body corporate commits an offence, any person who at the time of the commission of the offence was a director, chief executive officer, manager, secretary, etc, may be charged severally or jointly in the same proceeding. If the body corporate is found to have committed the offence, the officers are deemed to have committed the offence personally. OTHER LAWS In the area of security of networks and information placed in them, two laws have direct bearing: Computer Crimes Act 1997. Communications and Multimedia Act 1998 (CMA). COMPUTER CRIMES ACT 1997 Not specifically mentioned about the protection of data but it may be to protect the owner’s privacy. Hacking and disclose the password without authorization are among crimes under this Act. The Communications and Multimedia Act 1998 On security of networks and communications through them. The offences relating to privacy are: a) b) c) The use of any device with the intention of obtaining without authority, information on the contents, sender or addressee of any communication. The possession or creation of a system to gain fraudulent access to network facilities or services Unlawful interception of any communications; disclosure or use of such intercepted communication. ISLAMIC PERSPECTIVE ON DATA PROTECTION Al-Qur‟an 4: 148 “Allah does not like the public mention of evil except by one who has been wronged. And ever is Allah Hearing and Knowing”. ISLAMIC PERSPECTIVE ON DATA PROTECTION Al-Qur‟an 4: 114 “No good is there in much of their private conversation, except for those who enjoin charity or that which is right or conciliation between people. And whoever does that seeking means to the approval of Allah - then We are going to give him a great reward”. Islamic Principles on privacy protection Every man and woman have some information for which they have the right and obligation to keep it secret. The extent of secrecy changes according to the nature of the observer, the time of observation, and the amount of information observed. Some of the secret can be joint secrets and all the parties have the obligation to keep it secret. Islamic Principles on privacy protection Some of the secret can be shared (Disclosed to someone else) but the nature of the observer is conditional and then the one who receives it has the obligation to keep it secret. It is undesirable to investigate the secrets of someone else.