by Sabrina Mohamed Hashim
Section 130 (1) PDPA states that it is a criminal offence:
(1) for a person to knowingly or recklessly, without the consent of the data user, collect or disclose personal data that is held by the data user;
(2) for a person to knowingly or recklessly, without the consent of the data user, procure the disclosure to another person of personal data that is held by the data user.
Hence, if your organization collects personal data lawfully from individuals but your employee discloses that data, or procures its disclosure, to a third party without your consent, whether for monetary gain or otherwise, then your employee has committed an offence pursuant to Section 130.
Under Sections 130 (4) and 130 (5) PDPA, a person who sells or offers to sell personal data commits an offence. For the purposes of Section 130 (5), placing an advertisement indicating that personal data is or may be for sale amounts to an offer to sell.
Employees who sell personal data during the course of their employment, or who knowingly or recklessly collect or disclose personal data, are criminally liable for their actions. This also covers the situation where a third party procures the employee to disclose or to sell personal data held by the employer.
Defences
If an employee breaches Section 130, there are several defences provided under the PDPA. The defences set out in Section 130 (2) are for the employee to prove:
(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data:
(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or
(ii) was required or authorized by or under any law or by the order of a court;
(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;
(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or
(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.
If the employee is unable to prove any of these defences, the employee can be found guilty; the maximum penalty is a fine of RM500,000.00 or imprisonment of up to 3 years or both.
Case Studies
The United Kingdom’s Information Commissioner’s Office (“ICO”)[1] has dealt with cases where employees have been found to have breached the UK Data Protection Act.
The first case involved a former health worker,[2] Ms. Juliah Kechil, who unlawfully obtained patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers. The Head of Enforcement, Steve Eckersley, said:
“Unlawfully obtaining other people’s information for personal gain is a serious offence which can have potentially devastating effects. Ms Kechil accessed medical records for entirely personal reasons. The breach of their privacy would obviously have been very distressing for the individuals involved.
People should be able to feel confident that their personal details will be stored securely and only accessed when there is legitimate business need. We will always push for the toughest penalties against individuals who abuse this trust.”
Ms. Juliah Kechil was convicted under Section 55 of the Data Protection Act and was fined GBP500 and also ordered to pay GBP1,000 towards prosecution costs and a GBP15 victim surcharge.
The second case related to a bank employee,[3] Ms. Lara Davies, who unlawfully accessed bank statements belonging to her partner’s ex-wife. The partner was involved in a legal dispute over the terms of a divorce settlement. When eBay transactions were raised in a meeting between the estranged couple, the ex-wife became suspicious that her account had been viewed. When the bank initiated an investigation, the bank employee resigned from her job. Ms. Davies pleaded guilty to 11 offences under Section 55 of the Data Protection Act and was fined GBP500 and also ordered to pay GBP1,410.80 towards prosecution costs and a GBP15 victim surcharge.
UK Information Commissioner, Christopher Graham, said:
“High street bank staff have access to financial information on a day-to-day basis, and are expected to treat that privilege with professionalism. When that trust is abused, and the personal data they access is misused, the law is very clear, as this case has shown.
The only surprise here is that, in an age where our personal information is being stored and accessed by more organizations than ever, the penalties for abusing the system are so inadequate.”
In a case published by the ICO on 23 May 2013, a former manager of a council-run leisure centre was prosecuted for unlawfully obtaining sensitive medical information relating to 2,000 people.[4] Paul Hedges used the data for a new fitness company he was setting up. The council became aware of his actions when it received complaints from patients referred to the leisure centre that Paul Hedges was approaching them and offering services similar to those provided by the leisure centre. Paul Hedges was prosecuted under Section 55 of the Data Protection Act and was fined GBP3,000 and also ordered to pay GBP1,376 towards prosecution costs and a GBP15 victim surcharge.
Employers’ safeguards
To minimize the risk of non-compliance, employers should consider the following:
(a) provide adequate training to employees on the processing of personal data and keep proper records of such training;
(b) inform employees of the Section 130 PDPA offence;
(c) ensure that security measures are implemented to protect personal data, such as passwords, secure locations with controlled access, and restricting access on a need-to-know basis;
(d) do not give employees consent to disclose or use personal data they obtain during the course of their employment for personal or non-work-related purposes.
When implementing such measures, employers should keep records of the measures taken and implemented. If an employer is alleged to have committed an offence, those records allow the employer to prove to the Personal Data Protection Commissioner that it had “taken all reasonable precautions and exercised due diligence” to prevent such actions from being taken by the employee.
This article first appeared in CLJ [2013] 1 LNS(A)lii and is reproduced with permission from the Author.
____________________________________________________________
Endnotes:
[1] http://www.ico.org.uk.
[2] http://www.ico.org.uk/news/latest_news/2012/health-worker-convicted-ofobtaining-patient-details-unlawfully-12012012, accessed on 12 July 2013.
[3] http://www.ico.org.uk/news/latest_news/2012/bank-employee-fined-for-readingpartners-ex-wifes-statements-06122012, accessed on 12 July 2013.
[4] http://www.ico.org.uk/news/latest_news/2013/leisure-centre-employeeprosecuted-for-unlawfully-obtaining-health-information-23052013, accessed on 12 July 2013.