Tag: pdpa (Page 1 of 2)

We are Minerals being Mined

It is often said, and it’s almost cliché – personal information is the new currency.

And now, with the news on Facebook and Cambridge Analytica, we are faced with the sort of global privacy crisis that we always knew would be coming. Furthermore, it wasn’t as if Cambridge Analytica was a key data broker/trusted partner/premier solutions arm of Facebook. It just developed software to get the data. That’s it. 50 million users.

It was as simple as getting an app to use your Facebook login to enter the app, and that’s it. We think we are just logging into the app, but we are actually allowing the app to log into our Facebook and take everything. Everything.

But what did we actually expect? Think about it.

Did we expect to have a service like Facebook where we can get information, connect with long lost friends, advertise our solutions and products, express our opinions on a global platform, create online value, message and chat, have thousands of hours of free access to apps etc etc – FOR FREE?

Unless Zuckerberg has the title ‘Saint’ in front of his name, that would be a hard sell.

No, Facebook says. You guys agreed to it. The terms of service say so. The ones that are too long for any human to read. The ones they update without letting you know, allowing ever more liberal information usage to seep in, a trickle at a time.

Facebook even contends that developers who have this information from their app cannot “transfer any data that you receive from us (including anonymous, aggregate, or derived data) to any ad network, data broker or other advertising or monetization-related service.” That’s pretty kind of them. But in the first place, did Facebook inform users that these apps would literally be stealing the entire bank of information from the users?

It’s the sort of finger pointing you would expect – a phrase and sentence here and there that says, “Hey, we told you we are getting your information and we told these guys not to share! What can we do if they do share??!” But is Facebook giving out excessive details in the first place? So in PDPA terms, it’s not just about third party sharing of information, it is about excessive collection.

In any case, I don’t think we have a PDPA case against Facebook here, as they do not have any systems in Malaysia processing personal information. But the point is that we have wittingly or unwittingly sold our information to Facebook in order to get the services they provide. Same for Google. Same for Apple. Same for Instagram. Same for Pokémon Go.

A great site we always give in our presentations on PDPA or information privacy to clients is: https://tosdr.org/

Terms of Service; Didn’t Read. It’s a great site that basically summarises all the terms of service into human readable content and rates them according to how cavalier they are with our information. All the big guns are there. Even if a service is not rated, we can look through its terms and get a little more detail on what we are ‘paying’ them.

Take a look at Google, YouTube and Twitter to start with.

Facebook’s TOS:

  • The copyright license that you grant to Facebook goes beyond the requirements for operating the service. For instance, it includes the right for Facebook to transfer the license or to license it to others on their terms (“sublicense”). Also, the copyright license does not end when you stop using the service unless your content has been deleted by everyone else.
  • This service uses cookies to track you even if you are not interacting with them directly. Amazon for instance, use cookies to track your device and serve targeted advertisements on other websites (Amazon associates, websites using Amazon Checkout). They “obtain certain types of information when your Web browser accesses Amazon.com or advertisements and other content served by or on behalf of Amazon.com on other Web sites”.
  • Facebook automatically shares your information with Bing, Pandora, TripAdvisor, Yelp, Rotten Tomatoes, Clicker, Scribd, and Docs, unless you manually opt-out.
  • Including: data analysis, testing, service improvement, control of the effectiveness of the personal ads, and location features and services.
  • You must use your legal name publicly on the service. Using a pseudonym or a pen name is not allowed. This can have negative consequences on the freedom of expression, especially for people who exercise certain professions, or who live in certain countries.
  • Facebook uses pixels and local storage in order to gather information about you, your device, your browser cache, and your use of Facebook. Facebook also uses cookies for advertising purposes.

For years I have advised clients (and also my personal friends and family) to use Facebook with these in view. For family: never post about your current location. Never put photos of your children up online. Never reveal too much about your views and opinions. For work: never give any views on your current work, the time you finish work, the after-work drinks parties etc etc. Basically, never give any relevant information.

Will Facebook still be able to get information? For sure. Every “Like” you click. Every news item you click. Even when you are not on Facebook and are browsing the web, there are Facebook plugins that can track what you are searching for. Even if you search on Google, whatever you are looking for will eventually appear on Facebook. Data brokers and advertisers trade our information like anything – and what you do on Google surfaces in other social media platforms.

But we know. Services aren’t free. Our parents say, “There is no free lunch” and this is certainly true. But how much do we know about this lunch we are paying for? We might be getting Subway sandwiches, but paying the price of Burgers and Lobsters dining. That, I suppose, is what the world is only now finding out.

For more on our information security services and PDPA services, drop us an email at avantedge@pkfmalaysia.com. The only thing we collect from you is whatever you tell us in that email. That’s our terms of service!

PDPA and the Tale of the Telemarketer

We were working very late on Saturday to roll out a PCI manual for some of our merchant clients, so I only slept at around 4.30 am. I am usually up on Sunday around 9.30 am at the latest, due to my kids utilising my body as a trampoline, which I can probably ignore for about 15 minutes before being entirely awoken, but 5 hours of sleep is pretty good so I will take that regardless.

At around 9 am, unfortunately, my phone rang and I saw a number I didn’t recognise. Thinking this could be an emergency, I picked up the call and on the other end, an unrecognised voice chirpily said, “Hi, I am calling from <name of telco> and I would like to do a marketing survey with you!”

“Do you know it’s a Sunday?”

“Yes, it is a Sunday, I know!”

“Don’t you realise that you shouldn’t be telemarketing me on a Sunday morning?”

“We believe that you would be too busy on a weekday, sir, that’s why I am calling you on a Sunday!”

“Well, I am too busy now on a Sunday. Goodbye.”

And I hung up.

Now, I was fuming, because I just felt it was completely distasteful and disrespectful for them to be calling me up on a Sunday morning because they think I would reject them on a weekday. They think they will get me in a better mood on a Sunday morning?!

For the record, I don’t usually do this, as in, be rude or just hang up, even on telemarketers. I am always reminded that telemarketers are people. The person on the other end has a family too, and she probably wishes that she was with them on a Sunday morning, taking her kids out for breakfast or hanging out with her friends or something. I mean, I doubt she is jumping up and down with excitement at the prospect of going into the office and dialling up people on a Sunday so she can make her survey quota. I have never been a telemarketer, but in our first year, I did experience the emptiness of having zero clients and cold calling to see if anyone wanted my audit services. So, yes, I do commiserate with them. On normal calls I am usually civil to them. I usually politely tell them that they have already called me many times (Astro calls me like every week asking me to upgrade), and even thank them before hanging up, before I put their number in my ignore list. Some, I admit, when they call and I am in the middle of something, I tell them that I am currently busy and then I put their number on my ignore list. It’s hard for me to ignore phone calls from any number because there could be a potential sales opportunity and not a telemarketer. But if it is a telemarketer, I don’t shut them down rudely. At least not in my memory.

But Sunday morning is a different thing. I did kind of feel bad, and was contemplating calling her back to take that survey, but then Sunday life started (me being a trampoline) and I lost track of it.

But how does our Personal Data Protection Act fit into all of this?

Contrary to many people’s beliefs, PDPA actually allows telemarketers to call you. There is nothing in the Act that says telemarketers cannot call you. The problem isn’t so much telemarketers calling. Them calling you is already way downstream of the actual issue. The actual issue is your information being shared, leaked, sold or brokered by service companies to information brokers. Sometimes it’s our fault. We sign up for things and we don’t read the fine print. When we get a direct marketing call we get all up in a tizzy and blame the entire planet for conspiring to wake us up on a Sunday morning. But hey, we agreed to it. Yes, in those terms of service we did not read. In that privacy statement we implicitly agreed to when we gave our information for a chance to win that free trip to Tokyo.

Privacy statements from banks, telcos and service providers all have to include a section on ‘disclosure’. Google your favourite bank or telco together with ‘privacy statement’ and click through to their privacy statement. In most cases you will find them defining who they intend to share your personal information with, and in most cases, some broad sweeping statement such as:

  • Our agents and service providers with whom we have contractual agreements for some of our functions, services and activities; and/or
  • Financial service providers in relation to the products and services that you have with us (e.g. mortgage brokers, insurance companies); and/or
  • Strategic partners with whom we have a relationship with for specific products and services if consented to, by you; and/or

Now, let’s break that down. The first one is very broad. “Agents” and “Service Providers” with whom they have contractual agreements – this basically means the entire ecosystem of companies providing services to this bank! The second at least defines it, but generally these are a subset of the first. Finally, the ‘strategic partners’ part isn’t so much of an issue, but the ‘if consented to, by you’ sounds very good and positive, only for you to realise that the implied consent is usually obtained by you agreeing to the privacy statement in the first place! You see, there is no need for explicit consent if this is not considered ‘sensitive data’, so don’t expect consent to require your signature. By taking up their service and agreeing to pass on your data, you have given consent enough for them to share your information. Boom.

So, technically, the moment we sign up for a service, we agree to allow telemarketers to call us – whether in the middle of the night or on a Sunday morning is irrelevant – the fact is that we gave that permission, mostly without knowing it, and all because of that carrot they usually hang in front of us. Dang, I lost that Tokyo competition! Hey, here’s another one – “provide phone number to win a Mazda 3”. OK, here’s my number! Yaay! Let me be lucky!

You get the drift.

Now, back to telemarketers calling us. They have the right. They have a bunch of phone numbers given to them by the bank, and God knows what other information, so that they can sell us specific services: and so they make the call.

PDPA regulates telemarketing through Section 43 of the Act: Right to prevent processing for purposes of direct marketing.

So the proper channel to stop this: technically you are supposed to inform the data user (the company calling you) in ‘writing’, requesting not to be contacted anymore for telemarketing. This can be a courtesy request during the call itself, where you ask them to remove your number from their list and not call anymore (it’s not in writing, but you can try this first). If they persist in calling, write to them (their email is found in their company’s privacy notice, under who to contact if you have a complaint), and if you still get called, you can formally complain to the PDPA Commissioner at aduan@pdp.gov.my and follow that up with a call to 03-89115000 (please check their website to see if this has changed).

So, there you go. Malaysia was supposed to implement a Do-Not-Call (DNC) registry to block these telemarketer phone numbers back in 2014, but it has seemingly died down and implementation is still not done. We are monitoring to see if this is being looked into again, but for now, it looks like we need to fend for ourselves here.

Remember though – the person calling you may not wish to be calling you at all, and they might just be a phone call away from losing their job. While I am not advocating that you entertain them just for the sake of being nice, on the flip side, there is no reason for some of the foul-mouthed tirades I have seen people venting on these callers, as if they want to personally reach into their mobile phone and strangle the person on the other end. Cool down. Ask to be removed, block the number and move on, knowing you can rely on PDPA if your notice of removal is constantly ignored.

If anyone needs to know more about PDPA, drop us a note at avantedge@pkfmalaysia.com. We have been working with many companies to sort out their PDPA concerns and also to implement controls to address the 7 requirements.


Personal Data Protection Act for Dong Zong

To kick-start the New Year, we spent two full days with The United School Committees Associations of Malaysia for Personal Data Protection Act training. That is really a mouthful to say, so we will go by its better known alias, Dong Zong.

Now, this is a rather unique engagement, for the simple fact that both our lead trainers in PDPA do not speak a lick of Mandarin. The first is proficient in Malay (as he is Malay); the second (who is me) is proficient in English, although he is technically Chinese. While I am Chinese by birth, my proficiency in languages is as follows: English, Malay, Cantonese, German, Minionese, Mandarin. That is to say, I can talk in German and Minionese far better than I can in Mandarin. For those who are wondering, Minionese is the official language of the Minions, the yellow, annoying creatures that so love bananas and that my sons so love watching.

Thankfully, we had another colleague who was proficient in Mandarin but needed a bit of an update on the subject, as he was from our technical deployment team for SIEM. So we had a crash course for both of us. I had to do the introductions, demo and clarifications in broken mando-canto-eng-nese, and he had to crash course the updated PDPA training.

We can usually do the training quite comfortably, including the technical demonstrations (which consist of us actually searching for personal information on the internet during the training itself, demonstrating how easy it is if you know which tools to use and how/where to look). But this was made infinitely harder by my lack of command of the language. To put it simply, it was like wrestling with a 300 pound catfish or a giant python. You know what to say in English, but the translation facility in your brain is broken and you just can’t get it out of your mouth, and what ends up coming out is meaningless dribble, which my 2 year old son would probably appreciate, but not a roomful of teachers and educationists…who are championing the Mandarin language and the progressive advancement of the Chinese community as a whole. It would be great if I could tell them I was actually Middle Eastern or Eskimo, then they wouldn’t expect so much from me – but I look totally Chinese, so there’s no hiding the complete embarrassment of not being able to speak Mandarin.

To Dong Zong’s credit, they took it in stride, and our Mandarin-speaking colleague performed admirably (I think, since I did not understand him), and at the end of the two days we were very well appreciated because somehow, between the two of us, we got the job not just done, but done with great feedback and participation from the group. There was some really excellent Q and A time, which I had to answer in English/broken Cantonese and have translated properly. We even had a chance to go through Dong Zong’s implementation of PDPA and did an impromptu, live commentary on the areas to improve in their privacy notice and other policies.

For a non-legal, practical way to implement and assess your company on PDPA, please drop us an email at avantedge@pkfmalaysia.com. We have done a lot of practical training on compliance with PDPA, and taken a lot of good info from the PDPA Commission itself. Our content is based on what we developed with the Deputy Commissioner of PDPA during the time we worked together to deliver training to companies in Cyberjaya. Over the years we have enhanced it with demonstrations, as well as updated it with the latest developments in Malaysia’s Personal Data Protection Act.

PKF Avant Edge is now an HRDF certified training company


We are now an HRDF certified training company.

We have several SBL-claimable training courses that include training materials and a certificate of attendance:

1) PCI-DSS Foundation Training (PCIP led, QSA developed materials), certificate of training from PKF and our QSA vendor Control Case International

2) PCI-DSS Implementor Training (PCIP led, QSA developed materials), certificate of training from PKF and joint QSA vendor Control Case International

3) GST Malaysia Training (Led by RMCD Certified Trainer)

4) Introduction to Technology Audit (Led by Certified Auditor and Certified Information Security Professional – CISA, CISSP)

5) Project Management Level 1: Foundations (Led by Project Management Professional Certified)

6) Project Management Level 2: Advanced (Led by Project Management Professional Certified)

7) Personal Data Protection Act Training (Led by Certified Auditor and Certified Information Security Professional)

Stay tuned for more details. Our training site has been updated at http://www.pkfavantedge.com/training-programs/

If you need more information, please send your enquiries to training@pkfmalaysia.com.

PDPA Data User Classifications

Almost a year since PDPA was enforced last year, we are still faced with slow adoption by many of our clients. We still get questions on whether they need to ‘register’ or not, and if they don’t, they assume they are exempt from the Act.

Registration and compliance are two different matters. Registration applies to the 11 categories of industries, while compliance applies to every organisation dealing with personal information for commercial purposes, including HR.

For easier reference, the data user classifications and their details, once more, are as follows:

Communications
  • Licensees under the Communications and Multimedia Act 1998
  • Licensees under the Postal Act 2012

Banking and Financial Institutions
  • Banks and investment banks licensed under the Financial Services Act 2013
  • Islamic banks and international Islamic banks licensed under the Islamic Financial Services Act 2013
  • Development financial institutions under the Development Financial Institution Act 2002

Insurance
  • Insurers licensed under the Financial Services Act 2013
  • Takaful operators and international takaful operators licensed under the Islamic Financial Services Act 2013

Health
  • Licensees, and holders of a certificate of registration of a private medical clinic or a private dental clinic, under the Private Healthcare Facilities and Services Act 1998
  • A body corporate registered under the Registration of Pharmacists Act 1951

Tourism and Hospitality
  • Persons carrying on or operating tourism training institutions, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992
  • Persons carrying on or operating a registered tourist accommodation premises under the Tourism Industry Act 1992

Transportation
  • Malaysian Airlines (MAS), Air Asia, MAS Wings, Air Asia X, Firefly, Berjaya Air and Malindo Air

Education
  • Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996
  • Private schools or private educational institutions registered under the Education Act 1996

Direct Selling
  • Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993

Services
  • Companies or persons in a partnership carrying on businesses in connection with legal, audit, accountancy, engineering or architecture services
  • Companies or persons in a partnership conducting retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
  • Companies or persons in a partnership carrying on the business of a private employment agency under the Private Employment Agencies Act 1981

Real Estate
  • Licensed housing developers under: the Housing Development (Control and Licensing) Act 1966; the Housing Development (Control and Licensing) Enactment 1978, Sabah; and the Housing Development (Control and Licensing) Enactment 1993, Sarawak

Utilities
  • Tenaga Nasional Berhad, Sabah Electricity Sdn Bhd, Sarawak Electricity Supply Corporation, SAJ Holding Sdn Bhd, Air Kelantan Sdn Bhd, LAKU Management Sdn Bhd, Perbadanan Bekalan Air Pulau Pinang Sdn Bhd, Syarikat Bekalan Air Selangor Sdn Bhd, Syarikat Air Terengganu Sdn Bhd, Syarikat Air Melaka Sdn Bhd, Syarikat Air Negeri Sembilan Sdn Bhd, Syarikat Air Darul Aman Sdn Bhd, Pengurusan Air Pahang Berhad, Lembaga Air Perak, Lembaga Air Kuching and Lembaga Air Sibu
© 2024 PKF AvantEdge
