Implica)ons of the PDPA 2010 on a Malaysian Telecom Operator

Transcription

1 Implica)ons of the PDPA 2010 on a Malaysian Telecom Operator

2 Contents Introduction Celcom Preparation for PDPA 2010 Implications and Future Challenges - Consent and Strategic Options for Giving Consent - Notice - Disclosure - Security - Retention - Data Integrity - Access - Fines and Jail Term Conclusion

3 Introduction q Telecommunications Service Providers are always innovating to develop product offerings to serve customers better. q Managing privacy is important in the long run as Service Providers can become trusted service providers by integrating the requirements of the PDPA with minimal impact to the business. q Customers who trust that Service Providers do not misuse their personal data will be more willing to to the use of their data. q The telecommunications sector is already highly regulated so most Service Providers have systems in place for customers especially prepaid customers to access and correct data themselves. There are provisions to manage customer data currently in the Banking and Financial Institutions Act 1989, Communications and Multimedia Act , Computer Crimes Act 1997, Money Services Business Act 2011, General Consumer Code of Practice. COMPANY CONFIDENTIAL 3

4 Introduction q Many Telecommunications Service Providers also have systems to control delivery of premium content required by regulation. These systems make it a requirement to opt in to receive premium content. q PDPA will take regulation one step earlier in the customer life cycle, the point of registration for a new user or a new service not initially bundled with the mobile service i.e. the point of obtaining to process personal data. There will have to be added processes to address existing users allowing them to opt out q Moving forward this presentation will consider at least one concern per data protection principle to highlight the concerns and clarity we will need to implement PDPA COMPANY CONFIDENTIAL 4

5 Celcom Preparation for PDPA 2010 q Company undertook PD Impact Assessment (PIA) to assess the level of compliance between company s own data protection system with PDPA to identify potential gaps and weaknesses in the date protection system to design an implementation program for data protection system review q Celcom s PIA process is shown here Module 1 Awareness Training - en)re organiza)on Module 2 (PIA) map out data flow in organiza)on Assess internal PD policies procedures Iden)fy gaps Module 3 - PIA workshop - implementa)on plan Module 4 - Actual implementa)on compliance training Module 5 On going audit to ensure compliance to new PD policies and procedures. COMPANY CONFIDENTIAL 5

6 Implications and Future Challenges - Consent What mode of seeking will be acceptable to the Data Protection Regulator as is also not defined in the Act q The preferred mode which is seen from recent examples contain the continued use or our service means you have ed to the use of your personal data being used for the purposes. q The PDPA 2010 allows the data user to process data if processing is necessary for the performance of a contract to which the data subject is a party? q The key question is what processing is necessary for the performance of the contract is it basic telephony or the full suite of innovative smart application services. COMPANY CONFIDENTIAL 6

7 Strategic Options for Gaining Consent 1. Tradi)onal Telco Approach 2. Aggressive Telco Approach 3. New Internet- based Approach Develop model no)ce of to process data. Give customers choice to opt- out of use of data for marke)ng / 3 rd party services. Encourage / incen)vize customers to opt- in at point of SIM / handset sale etc.. Market / adver)se to sub- set of customers who choose to who don t opt out. Introduce adver)sing on relevant Telco services Encourage customers to opt- in to receive relevant services by consen)ng to allow their data to be used. Model no)ce explains how supports more relevant / targeted services. Develop a framework for adver)sing partners which retains permission within Axiata, so permissions do not have to be extended to third par)es. More customers exposed to adver)sing => commercial benefit but also intrusion risk. Targeted services is an integral component of a new service. Consent to the use of customer data to support targeted marke)ng is effec)vely bundled as a condi)on of service use. This must be obvious to customers allowing them to make an overall, informed decision as to whether or not to use a service. Model no)ce of reflects this posi)on Framework for partners which retains permissions within Celcom Axiata. So as Google / Facebook / or a new ad- supported MVNO model. Telcos should prefer 2 to 1 for core services. 3 should be preferred for new services /applica)ons, but cannot simply be imposed on exis)ng mobile customers.

8 Implications and Future Challenges - Notice q The PDPA provides for the provision of written notice to inform the data subject that personal data is being processed and the purposes of use q Would notice in newspapers and websites be deemed acceptable written notice? q Would an SMS notice or e mail linking to a Web based Privacy Policy be acceptable? q For telecommunications service providers the best way to ensure customers have notice is by way of SMS and not by mail as the prepaid subscribers may not have updated address data

9 Implications and Future Challenges - Option to Limit processing of Data q The PDPA 2010 gives data subjects the right to limit the processing of personal data q This could be seen as an opt out and require the creation of a list of data subjects who do not want to be contacted q The are significant commercial implications for business as the customer may elected to limit processing of advertising or information about new products which reduce the value add of the service benefits to the customer q Yet data subjects give information freely to OTT applications providers like Whats App and Viber, including access to their address books which include personal data of contact in address books. Have you given informed?

10 Implications and Future Challenges - Withdrawal of to process personal data q This means that the Service Provider can no longer use the information and will not longer be able to supply the service q Examples of situations where this can occur Termination of Service Porting number to another operator q Effectively the Service Provider will not be able to engage in customer retention strategies after the customer has withdrawn his. What if there is a competitive come back offer?

11 Implications and Future Challenges - Disclosure q Purpose of use of personal data is will be disclosed in a Privacy Policy which will then be updated from time to time. q There could be concerns that this policy may be framed too widely. q If there are regulations issued for example, limiting the extent of purpose clauses disclosure for purpose may be required each time something not covered in the under the original needs to be launched. Customers to may be uncomfortable to continuously give or give it automatically to get the content they want

12 Implications and Future Challenges - Security q In general Service Providers are already taking reasonably practical steps to protect personal data from loss misuse, unauthorized access, accidental access etc, q Service Providers already have systems in place to protect access to customer data. How much more will the various regulators prescribe? Will the regulations apply in the same way to across other industries? q There will always be issues where data is released due to the misconduct of an employee. We at Celcom Axiata recognise a need for an internal awareness of data protection rules and security polices across the company

13 Implications and Future Challenges - Retention q There is a need to clarify the position as there are various laws covering the length of Service Providers are required to store data. In practice many Service Providers keep relevant data for 7 years because of these laws q Service Providers as an industry need to seek clarification on length of time data can be retained as well as the implication of written instructions to cease processing data q If we purge records at the request of customers or within a shorter time frame we may not be able to process information requests by the police, sector regulators or other authorities.

14 Implications and Future Challenges Data Integrity q Almost 80% of telecommunications data subjects on our network are prepaid customers. q Data Integrity has always been an issue. Service Providers have stringent prepaid registration regulations imposed by the telecommunications regulator. q Service Providers have online access and correction systems developed to allow prepaid users to access and correct their own information. q Collection of accurate data always be an uphill task most service providers dependant on dealers throughout the nation who are unregulated and in a position of strength as they control distribution networks. Some unscrupulous dealers do manipulate the systems for personal gain

15 Implications and Future Challenges- Access q The PDPA Act prescribes that access and the ability to correct be given to the Data Subject q As mentioned Service Providers have online access systems in place for prepaid users to access and correct their data. This will have to be extended to post paid users q Some care has to me taken to ensure data subject own access and correction of data cannot change data like identity card information without verification to limit misuse. q Inaccurate information uploaded onto our database by data subjects using an online method of personal correction may be an issue with the authorities in the event of an investigation

16 Implications and Future Challenges- Fines and Jail Term q A final an overriding concern is that it is extremely easy for an allegation of breach to be made. q Many people give personal data freely in contest forms in supermarkets online etc but will assume it s the Service Provider that released their information because the a call comes in from their hand held device q With fines ranging from RM $ 100k to RM $500 k and jail terms of 1 to 3 years a lot of man hours and cost may have to be spent addressing complaints and proving that the information did not come from a Service Provider q Another key implication is the Joint and Several liability with Body Corporate of CEO, COO, Manager etc. and this iswide enough to catch all Managerial Staff

17 Conclusion q The above is not an exhaustive list of implications q It shows the need to seek interpretations to support business continuity and balance this equally with personal data protection requirement q Service Providers will in parallel have to build trust of the customer/ data subject that the personal data will be protected and used for the benefit and utility of the customer/data user. q Building this trust will reduce potential complaints about noncompliance to the data protection principles and allow the industry to continue to develop a roust applications environment

18 THANK YOU