by Sabrina Mohamed Hashim
Section 130 (1) PDPA, states that it is a criminal offence:
(1) for a person to knowingly or recklessly without the consent of the data user collect or disclose personal data that is held by the data user;
(2) for a person to knowingly or recklessly without the consent of the data user procure the disclosure to another person of personal data that is held by the data user.
Hence, if your organization collects personal data legally from the individuals but your employee discloses or procures the disclosure to a third party without your consent for monetary gain or otherwise then your employee has committed an offence pursuant to Section 130.
Under Sections 130 (4) and 130 (5) PDPA, a person who sells or offers to sell personal data commits an offence. For purposes of understanding Section 130 (5), placing an advertisement indicating personal data is or may be for sale is an offer to sell.
Employees who sell personal data during the course of his employment or who knowingly or recklessly collect or disclose personal data would be criminally liable for their actions. This also includes when a third party procures the employee to disclose or to sell personal data held by the
If an employee breaches Section 130 there are several defences provided under the PDPA. The defences set out in Section 130 (2) are for the employee to prove:
(a) that the collecting or disclosing of personal data or procuring the disclosure of personal data:
(i) was necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or
(ii) was required or authorized by or under any law or by the order of a court;
(b) that he acted in the reasonable belief that he had in law the right to collect or disclose the personal data or to procure the disclosure of the personal data to the other person;
(c) that he acted in the reasonable belief that he would have had the consent of the data user if the data user had known of the collecting or disclosing of personal data or procuring the disclosure of personal data and the circumstances of it; or
(d) that the collecting or disclosing of personal data or procuring the disclosure of personal data was justified as being in the public interest in circumstances as determined by the Minister.
If the employee is unable to provide proof then the employee can be found guilty and the maximum fine is RM500,000.00 or imprisonment of up to 3 years or both.
The United Kingdom’s Information Commissioner’s Office (“ICO”) has dealt with cases where employees have been found breaching its Data Protection Act.
The first case involved a former health worker, Ms. Juliah Kechil, who unlawfully obtained patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers. The Head of Enforcement, Steve Eckersley said:
“Unlawfully obtaining other people’s information for personal gain is a serious offence which can have potentially devastating effects. Ms Kechil accessed medical records for entirely personal reasons.
The breach of their privacy would obviously have been very distressing for the individuals involved.
People should be able to feel confident that their personal details will be stored securely and only accessed when there is legitimate business need. We will always push for the toughest penalties
against individuals who abuse this trust.”
Ms. Juliah Kechil was convicted under Section 55 of the Data Protection Act and was fined GBP500 and also ordered to pay GBP1,000 towards prosecution costs and GBP15 victim surcharge.
The second case related to a bank employee, Ms. Lara Davies, who unlawfully accessed bank statements belonging to her partner’s ex-wife. The partner was involved in a legal dispute over the terms of a divorce settlement. When eBay transactions were raised in a meeting between the
estranged couple, the ex-wife became suspicious that her account had been viewed. When the bank initiated an investigation the bank employee resigned from her job. Ms. Davies pleaded guilty to 11 offences under Section 55 of the Data Protection Act and was fined GBP500 and also ordered to pay GBP1,410.80 towards prosecution costs and GBP15 victim surcharge.
UK Information Commissioner, Christopher Graham, said:
“High street bank staff have access to financial information on a day-to-day basis, and are expected to treat that privilege with professionalism. When that trust is abused, and the personal data
they access is misused, the law is very clear, as this case has shown.
The only surprise here is that-in an age where our personal information is being stored and accessed by more organizations than ever - the penalties for abusing the system are so inadequate”.
In a case published by the ICO on 23 May 2013, a former manager of a council-run leisure centre was prosecuted for unlawfully obtaining sensitive medical information relating to 2,000 people. Paul Hedges used the data for a new fitness company he was setting up. The council became aware of his actions when it received complaints from patients referred to the leisure centre that Paul Hedges was approaching them and offering similar services provided by the leisure centre. Paul Hedges was prosecuted under Section 55 of the Data Protection Act and was fined GBP3,000 and also ordered to pay GBP1,376 towards prosecution costs and GBP15 victim surcharge.
To minimize risk of non-compliance, employers should consider the following:
(a) provide adequate training to employees when processing personal data and keep proper record of such trainings;
(b) inform employees of this Section 130, PDPA offence;
(c) ensure security measures are implemented to protect personal data such as, passwords, secure location with security access, restrict access on need to know basis;
(d) not to give consent to employees to disclose or use personal data they obtain during the course of their employment for personal purposes and non-work related purposes.
When implementing such measures it must be noted that the employers should keep records of the measures taken and implemented. If an employer is found to have committed an offence the employer can prove to the personal data protection commissioner that it had “taken all reasonable precautions and exercised due diligence” to prevent such actions from being taken by the employee.
This article first appeared in CLJ  1 LNS(A)lii and is reproduced with permission from the Author.
 http://www.ico.org.uk .
 http://www.ico.org.uk/news/latest_news/2012/health-worker-convicted-ofobtaining-patient-details-unlawfully-12012012 accessed on 12 July 2013.
 http://www.ico.org.uk/news/latest_news/2012/bank-employee-fined-for-readingpartners-ex-wifes-statements-06122012 accessed on 12 July 2013.
 http://www.ico.org.uk/news/latest_news/2013/leisure-centre-employeeprosecuted-for-unlawfully-obtaining-health-information-23052013 accessed on 12 July 2013.