4 days ago
PDPA breach: Student data misuse could lead to jail, hefty fine
KUALA LUMPUR: Many private higher education institutions have been found sending marketing materials without first obtaining permission from students or their parents, breaching personal data laws.
Personal Data Protection Department (JPDP) principal assistant director Mohamad Azrul Azmisaid such actions violate the Personal Data Protection Act (PDPA) 2010, which requires clear consent before personal data can be used or processed.
Disclosing personal information such as phone numbers without consent can result in a fine of up to RM1 million or a three-year jail term, Kosmo! reported.
"This clearly violates the first principle of the PDPA, which requires consent from the data owner before any use or processing of their personal data.
"For instance, if a private higher education institution sends promotional offers via WhatsApp without permission, that already breaches the core principle of the PDPA.
"Such offences may implicate not just the institution, but also third parties that supplied the data," he said.
Azrul said if student data was obtained through a third party such as a data broker company, both parties could face prosecution.
"Legal action will be taken if individuals or organisations continue to harass recipients after being warned.
"However, if the sender persists, individuals may lodge an official complaint with JPDP accompanied by supporting evidence such as screenshots," he said.
He added that many parents and students who receive unsolicited offers to further their studies are unaware they can file a direct complaint with JPDP.
"The complaints process begins with lodging a report directly with the sender.
"If the harassment continues after a warning, the complaint can be escalated to JPDP, which will then issue a Section 43 Notice," he said.
The public may submit complaints to JPDP through its website at if their personal data has been misused.
Meanwhile, Universiti Teknologi Mara (UiTM) Shah Alam Faculty of Information Science associate professor Dr Muhamad Khairulnizam Zaini said several key factors often lead to data leaks.
He said although every case requires specific investigation, breaches are commonly caused by two main factors: unauthorised access and weaknesses in system security.
"Leaks can occur when someone without permission infiltrates a system and accesses confidential data, whether from inside or outside the organisation," he said.
According to Kosmo!, many private higher education institutions have been using the personal data of SPM leavers to send unsolicited offers of admission, raising concerns over data privacy violations.
