Personal Data Protection Act (PDPA)
Disclaimer: - This power-point presentation is purely a training tool for the internal agency training programmes of Great Eastern Life Assurance (Malaysia) Berhad. All or any part of the contents of this presentation shall not be used directly or indirectly for soliciting insurance business, policyholder services and/or facilitating any other form of communications with any external party whatsoever. This information is correct as at 04032013
Snap Shot on Personal Data Protection Act
The Personal Data Protection Act 2010 (PDPA) is an overarching legislation to regulate the processing of personal data in commercial transactions. The PDPA was gazetted on 10 June 2010, and it has been enforced since 1 January 2013. The Personal Data Protection Department has been established under the Ministry of Information, Culture and Communications, which will oversee compliance with the PDPA.
Personal Data Protection Act
May be in any form, so long as it can identify a data subject:
1. Name
2. Passport/NRIC No.
3. Email
4. Phone Number
5. Photograph
6. Finger Print
7. DNA
Personal Data means any information in respect of commercial transactions that: - relates directly or indirectly to a data subject who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject
Areas to be Aware
The PDPA will affect how the Company uses agents' personal data, e.g. for the publication of personal production and photographs. In order for the Company to continue to publish agents' personal data, the following steps have been or will be taken:
a) For existing field force: - A circular has been issued and posted in epartner on 1 November 2012 to inform of how the Company will use agents' personal data
Areas to be Aware
The Company has incorporated a similar Data Protection Notice into its forms, to inform agents/customers of how their personal data will be processed. The relevant forms include:
Agency Admin: - Data Protection Notice has been incorporated into e-appointment screen upon agent appointment.
New Business: - NB Proposal Form has been revised (NBZ-FCPRO-V14-012012)
Customer Service: -
1. CS Form such as PSF 01 (Request for Alteration)
2. Vesting Age Letter
Personal Data Protection Act: Areas to be Aware
Excerpt from Data Protection Notice
The Company will be processing your personal information provided in this form and/or further information and data that may be required by the Company either from you or from any third parties. Your personal information may be used, recorded, stored, disclosed or otherwise processed by or on behalf of the Company (and its successors in title) for the following purposes:
- to carry on insurance business any insurance or financial related product or service or any alterations, variations, cancellation or renewal of such product or service;
- research purposes including historical and statistical purposes;
- any claim or investigation or analysis of such claim;
- to ascertain your claims history in order to improve claims processing and prevent fraudulent claims;
- exercising any right of subrogation; and
- matching any data held by the Company relating to you from time to time.
Areas to be Aware: Customers' Data
The forms also include a revised marketing consent clause:
I would like to receive updates and information about the products, services, promotions, charitable causes or other marketing information from:
( ) the Company and its agents
( ) the related companies of the Company and relevant third parties
In relation to this, Marketing & Customer Management have been conducting a marketing drive to obtain customers' consent to receive marketing materials.
Note: The Company and its agents would only be allowed to send marketing materials if the customer has consented to receiving such materials.
- Always ensure that the customer's consent has been obtained prior to any collection of Personal Data, for the purpose of managing and servicing the customer's proposal / policy
- Ensure that the customer understands the purpose(s) of the collection of his Personal Data
- Do not use the customer's Personal Data other than for the purpose of managing and servicing his policy
- Be particularly careful in processing the customer's sensitive Personal Data (i.e. political opinion, religious belief, physical or mental health and criminal offences)
- Respect confidentiality of the customer's Personal Data, i.e. do not view and process Personal Data that is sealed and addressed to the Company (e.g. the customer's Medical Report)
- Always keep proper records of all Personal Data collected
- Remember that the PDPA applies to any Personal Data stated on paper, held electronically or recorded via videos, photographs and audiotapes
- Ensure that all Personal Data collected is accurate and up-to-date, and only kept for as long as it is necessary for the purpose it was first collected
- If the customer updates his Personal Data to you directly, promptly inform the Company of such updates
- If the customer wishes to access, update or amend his Personal Data, direct the customer to the existing channels available, such as the econnect Portal
- Direct any official requests to obtain the customer's Personal Data to the Company
- Always ensure that all physical files/documents stating the customer's Personal Data are securely locked up and not exposed
- Improve the security levels in devices that are used for the processing of the customer's Personal Data
- Use only software and hardware supported and/or suggested by the Company
- Encrypt the customer's Personal Data that is electronically backed-up or transferred
- Avoid using public sites and networks, such as public Wi-Fi services, to process, get access to and store the customer's Personal Data
- Avoid using email to transmit the customer's sensitive Personal Data
- Always use sealed envelopes marked "Private & Confidential" for transmission of physical documents containing the customer's Personal Data
- Other than for the purpose of managing and servicing the customer's proposal / policy, disclose Personal Data only when the customer's explicit consent has been obtained.
  Note: Consent can be obtained in oral as well as in written form. Best practice is to always obtain consent in written form.
- Avoid sharing the customer's Personal Data within or amongst the Company's employees / other Members of the Field Force unless it is necessary for the purposes of providing insurance services to the said customer, and on a need-to-know and need-to-use basis
- Other than in relation to the processes of death claims, refuse requests from any third parties (including but not limited to the customer's family members) to obtain the customer's Personal Data, unless prior written consent has been obtained from the customer
- Retain the customer's Personal Data only for as long as it is required to facilitate the servicing of the customer's policies
- If you are no longer the servicing agent of a particular customer and/or are no longer an agent of the Company, you must destroy such customer's Personal Data
- Ensure that disposal / destruction of the customer's Personal Data, when required, is performed accordingly (e.g. shredding of physical documents)
  Note: All Personal Data kept in personal devices is included (e.g. laptops / mobile phones)
Any usage of Personal Data for purposes other than in relation to the insurance services may amount to:
- a breach of confidentiality obligations imposed under the LIAM's Code of Ethics & Conduct, Agency Agreement, Agency Rules & Regulations and/or other Company's circulars / directives and may lead to disciplinary action being taken against you
- an offence under the PDPA for unlawful collecting and/or processing of Personal Data
Always seek advice from the Company if you have any doubt in processing the customer's Personal Data
All rights reserved. No part of this publication may be produced, translated, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying and recording without the prior written permission of the copyright the developer and owner.