By Evelyn Gan, Irene Chang Hui Chung and Jefferson Sim Poh Thong
In today’s rapidly advancing, digital and borderless world, the confidentiality of our data is almost non-existent. We are regularly swarmed with unsolicited communications, leaving us none the wiser about how our data reached the sender’s hands. The handling and managing of personal data have become part of our daily lives. Hence, we are either the data subject or the data user, and each role has different expectations and rights. Do you know your rights as a data subject? Or do you know the responsibilities of a data user?
Swinburne Sarawak, as a foreign branch campus university operating in Kuching, Sarawak, is no exception when it comes to handling and managing personal data. As a higher education provider, Swinburne Sarawak handles an array of personal data from internal and external stakeholders, including employees, students, alumni, suppliers, and other members of the public.
In light of the Personal Data Protection Act 2010 (PDPA 2010), the University is committed to protecting the personal data of all our stakeholders through the establishment of a Personal Data Protection Management System. The system comprises an ecosystem of processes that monitor compliance with the seven Malaysian PDPA principles: 1. General Principle, 2. Notice and Choice Principle, 3. Disclosure Principle, 4. Security Principle, 5. Retention Principle, 6. Data Integrity Principle, and 7. Access Principle.
Data privacy is of paramount importance, as the University’s core business as an education provider revolves around ongoing collaboration and interaction with various stakeholders beyond that of our employees and students. Sustainability hinges on the ability to operate smoothly, and the fundamental starting point is compliance with the regulatory environment, including PDPA.
In Swinburne Sarawak, the roles and responsibilities of a data protection officer or committee fall under the care of the Policy, Planning and Quality (PPQ) Unit, which monitors the University’s data protection compliance with the PDPA. PPQ is the policy owner of the Personal Data Protection Policy and Procedures of the University. The unit manages a Personal Data Protection Repository consisting of all PDPA-related materials, which is accessible to all staff members, while the privacy information for students and the public is available on the University’s corporate website.
As part of PDPA awareness, PPQ has also prepared a pre-recorded info session for new staff. The content provides an overview of PDPA requirements and how they apply to staff members processing personal data on behalf of the University. In addition, at least one Personal Data Protection Nominee was nominated by the respective Head of Management Units to handle PDPA matters at the unit level, including reviewing/updating the Personal Data Register twice per year and carrying out an annual disposal exercise.
For stakeholders’ inclusion and engagement, at the end of the year, PPQ organises the PDP (Personal Data Protection) Nominees Annual Discussion Meeting to inform the nominees of the latest updates, discuss any concerns, and close any loops identified. For check and balance, PPQ carries out its annual PDPA internal audit to ensure that everything is in order.
With a strong system in place, the University is set to be agile and resilient in handling any challenges related to privacy with annual reviews in place for continuous quality improvement.
Without a doubt, data is the new oil, being one of the most important assets of the University; thus, ensuring responsible collection, processing, storage, and disposal processes is crucial. The comprehensive policies, procedures and guidelines form the cornerstone in implementing key initiatives, including training and awareness among our stakeholders to ensure they are well-equipped to handle personal data responsibly.
With an outcome-based approach and continuous quality improvement, the University remains committed to both maintaining and further streamlining our Personal Data Protection Management System.
Evelyn Gan is a Manager and Privacy Officer, Irene Chang Hui Chung is an Executive and Jefferson Sim Poh Thong is an Assistant Manager with the Policy, Planning and Quality Unit at Swinburne University of Technology Sarawak Campus. They can be reached via email at firstname.lastname@example.org, email@example.com and firstname.lastname@example.org.