Policy On Privacy and Data - Protection

Uploaded by

mjuzaili.law

POLICY ON PRIVACY AND DATA PROTECTION

Version: 1.0
Approval by: President, National Cancer Society of Malaysia
Approval date: 1 September 2020
Effective Date: 1 September 2020
Next review: 1 December 2022

Policy Statement

Purpose: This policy sets out an explicit and clear public statement on NCSM’s
practices pertaining to privacy and data protection.

Scope: This policy covers all activities in which personal data is
collected/handled/processed by either NCSM or its collaborative
partners.

Policy Provisions

1. Background

In 2010, the Parliament of Malaysia passed the Personal Data Protection Act, which
subsequently came into force on 15th November 2013. The Act regulates the processing of
personal data in commercial transactions and confers rights on individuals (“Data Subjects”)
in relation to the collection, use and/or retention of their personal data, and
defines the responsibilities of the entities processing this data (“Data User”).

In line with this Act, the Personal Data Protection Code of Practice was developed and
launched in 2017. The Code sets standards of conduct in respect of personal data; guides
entities engaged in data processing to ensure that in processing, they do not infringe an
individual’s rights as provided by the Act; and also serves data processing entities in setting
effective standards and measures in relation to the processing of personal data.

In accordance with the Code and NCSM’s role as an organisation which is involved in various
aspects of processing of personal data (Data User), this institution makes a commitment to
adhere to the following policy.

2. Policy

i) NCSM as a Data User will obtain consent from Data Subjects for all purposes except for
those conditions as stated below:

a) the performance of a contract entered into with a Data Subject
b) in addressing any pre-contractual inquiry of a Data Subject who is a potential customer
c) in order to comply with any non-contractual legal obligation that NCSM is subject to
d) in order to protect the vital interests of the Data Subject (e.g. disclosing the last known
location of the Data Subject where he/she has been reported missing for more than
24 hours)

Privacy and Data Protection V1.0, 1 September 2020, Page 1


e) for the administration of justice in accordance with the requirements and
processes as set out by the law
f) for the exercise of any functions conferred upon any person by the law
g) where expressly exempted or otherwise permitted by the Personal Data Protection
Act (2010).

ii) NCSM as a Data User will obtain consent from Data Subjects in a format and manner
that is capable of being recorded and maintained in the following manner as determined
appropriate and suitable for the determined purpose:

a) written consent via signature(s) or ticks indicating consent
b) opt-in or opt-out consent
c) verbal consent

iii) NCSM as a Data User will obtain consent from Data Subjects on paper or electronic
mediums including but not limited to SMS, email and other internet/social/application
based messaging systems.

iv) NCSM as a Data User, for the avoidance of doubt, deems that any consent given to
NCSM by the authorised representatives of the Data Subject, including but not limited to the
holders of any power of attorney, trustees, guardians or personal representatives, shall bind
the respective Data Subject.

v) NCSM as a Data User shall ensure that personal data shall only be processed if:

a) the personal data is processed for a lawful purpose directly related to the activities
of NCSM
b) the processing of personal data is necessary or directly related to that purpose
c) the personal data is adequate but not excessive in relation to that purpose

vi) NCSM as a Data User shall ensure that personal data sought and held is

a) relevant in relation to the purpose(s) for which it has been collected
b) adequate in relation to the purpose(s) for which it has been collected
c) not excessive in relation to the purpose(s) for which it has been collected

vii) NCSM as a Data User shall ensure that it brings to the attention of Data Subjects the Privacy
Notice (a publicly available statement clearly expressing the privacy practices of how NCSM
uses, manages, discloses and provides Data Subjects with access to personal data collected
by NCSM), prior to or as soon as reasonably practicable, when collecting and processing their
personal data.

viii) NCSM as a Data User shall ensure that the Privacy Notice is communicated to the Data
Subject either when personal data is first collected, when the Data User first requests the
Data Subject for the personal data; or as soon as practicable thereafter.

ix) NCSM as a Data User will only disclose the Data Subject’s personal data pursuant to the
terms of its Privacy Notice; the relevant provisions under the Personal Data Protection Act
and/or such other applicable laws that NCSM is subject to.

x) NCSM as a Data User will only disclose personal data to third parties where:

a) the disclosure is for the purpose declared at the point of the collection of the
personal data as stated in the Data User’s Privacy Notice
b) the disclosure is for a purpose directly related to the purpose declared in the Privacy
Notice at the point of the collection of the personal data (i.e. a purpose closely
associated to the primary purpose)
c) the disclosure is being made to a third party mentioned in the Privacy Notice
or to a class or category of third parties as identified in the Privacy Notice

xi) NCSM as a Data User may disclose personal data of Data Subjects under the following
circumstances:

a) the disclosure has been consented to by the Data Subject
b) the disclosure is necessary for the purpose of preventing or detecting a crime,
or for the purpose of investigations
c) the disclosure is required or authorized by or under any law or by the order
of a court
d) NCSM acted in the reasonable belief that it had in law the right to disclose the personal
data to the other person
e) NCSM acted in the reasonable belief that it would have had the consent of the Data
Subject if the Data Subject had known of the disclosure of the personal data and the
circumstances of such disclosure
f) the Government determines the disclosure as being justified in the public interest.

xii) NCSM as a Data User will take practical steps to protect all personal data from any loss,
misuse, modification, unauthorized or accidental access or disclosure, alteration or
destruction.

xiii) NCSM as a Data User will hold personal data only for as long as necessary for the
fulfilment of the purpose. Once that purpose has been fulfilled, NCSM will ensure that the
personal data is permanently destroyed/deleted. This, however, is not applicable for personal
data held in accordance with other applicable statutory provisions for retention of
data/records/information for a specified minimum duration under Malaysian law.

xiv) NCSM as a Data User will take reasonable steps to ensure that the personal data
processed by NCSM is accurate, complete, not misleading and kept up-to-date.

xv) NCSM as a Data User is obliged to provide to Data Subjects access to their personal data
held by NCSM as well as to allow the Data Subject to correct their personal data where the
data is inaccurate, incomplete, misleading or not up-to-date.

xvi) NCSM as a Data User has the right to not comply with a data access request when NCSM:

a) has not been supplied with sufficient information (as reasonably required, i.e.
name, identification card number, address, and such other related information as the
Commissioner may determine) in order to establish the requestor’s identity, establish the
identity of the Data Subject, or establish the requestor’s connection to the Data Subject
b) has not been supplied with sufficient information as they may reasonably require to
locate the personal data to which the data access request relates
c) is unable to comply with the data access request without disclosing another person’s
personal data (unless the other person has consented to the disclosure of the personal
data to the requestor)
d) is of the view that the burden or expense of providing access is disproportionate to the
risks to the Data Subject’s privacy in relation to the personal data requested for via the
data access request
e) is at risk of violating a court order should NCSM provide access to the Data
Subject or requestor
f) is of the view that providing access would disclose confidential commercial
information of NCSM
g) has not received the fees for making a data access request as per the Personal Data
Protection (Fees) Regulation 2013 (where and if required by the Data User).

3. Policy Definitions

In this section, certain terms referred to in the various sections above are defined clearly for
understanding and reference for all relevant parties and stakeholders. While some of the
terms may have differing definitions in other sectors including within a legal framework, the
definitions below are specifically for the use of the terms within this policy document.

i) Data Subject – defined as an individual (living human being separate and distinct from
companies or other corporate entities) who is the subject of personal data.

ii) Data User – defined as an entity who either alone or jointly or in common with other
persons processes personal data or has control over or authorizes the processing of any
personal data (but does not include a data processor). In this document, this definition is
applied to and synonymous with the organisation named National Cancer Society of
Malaysia (or NCSM).

iii) Personal Data – defined as any information in respect of commercial transactions, which –
(a) is being processed wholly or partly by means of equipment operating automatically in
response to instructions given for that purpose
(b) is recorded with the intention that it should wholly or partly be processed by means of
such equipment
(c) is recorded as part of a relevant filing system or with the intention that it should form
part of a relevant filing system, that relates directly or indirectly to a Data Subject, who
is identified or identifiable from that information or from that and other information in
the possession of a Data User, including any sensitive personal data and
expression of opinion about the Data Subject

iv) Processing - in relation to personal data, this is defined as collecting, recording, holding or
storing the personal data or carrying out any operation or set of operations on the personal
data, including –

(a) the organization, adaptation or alteration of personal data
(b) the retrieval, consultation or use of personal data
(c) the disclosure of personal data by transmission, transfer, dissemination or otherwise
making available
(d) the alignment, combination, correction, erasure or destruction of personal data

v) Sensitive Personal Data – defined as any personal data consisting of information as to
the physical or mental health or condition of a Data Subject, his/her political opinions, his
religious beliefs or other beliefs of a similar nature, the commission or alleged commission by
him of any offence or any other personal data that may be determined by order of the
Government.

vi) Third Party – defined as any person other than –

(a) a Data Subject;
(b) a relevant person in relation to a Data Subject;
(c) a Data User other than NCSM;
(d) a data processor; or
(e) a person authorized in writing by NCSM to process the personal data under the
direct control of NCSM.

4. Policy Application

This policy applies to the following relationships that may arise in the course of activities in
which NCSM processes the personal data of individuals:

i) Relationship between NCSM and Individuals
This policy shall apply to the relationship between NCSM and individuals,
including but not limited to:

a) individuals who are (or were) customers of NCSM;
b) individuals that represent customers of NCSM (e.g. parents of minors, trustees and
authorised representatives);
c) individuals that have been identified as potential customers of NCSM
d) individuals that have applied to be customers of NCSM, whether successfully
or otherwise; and
e) individuals that have entered into ancillary arrangements with NCSM (e.g. guarantors
and/or third party security providers) on behalf of another individual or entity.

ii) Relationship between Data User and Third Party Service Provider
This policy shall apply to the relationship between NCSM and third party service providers
(“data processors”), for example, where NCSM outsources certain functions (e.g.
marketing, debt collection) to third parties and provides the said third parties with the relevant
personal data of customers (Data Subjects inclusive).

iii) Relationship between the Data User and Personnel
This policy shall apply to the relationship between NCSM and their personnel, but only to the
extent that it involves the processing of personal data of Data Subjects by the personnel of
NCSM.

Accountability

Contact Person(s): Head, PR and Communications Dept; Head, Marketing Dept
Compliance Officer: General Manager

Version: 1.0
Approval by: Dr Saunthari Somasundaram, President, National Cancer Society of Malaysia
Approval date: 1 September 2020
Effective Date: 1 September 2020
Sections modified: New document

Authored by (Version 1.0):
Dr Murallitharan M., Medical Director
Niranjni Jayabalan, Head, Department of PR & Communications
