Alven went to Sand Chop Bank last Friday to deposit the cash. He realized the ATM Machine of Sand Chop Bank was requesting him to insert his MyKad/Identity Card (“IC”) before deposit the cash. Alven was reluctant to insert his IC as he wondered how the Bank will process his personal data contained in the IC. Nonetheless, he still inserted the IC.


Under Section 6 (3) of Personal Data Protection Act 2010 (“PDPA”), any personal data shall not be processed unless:-

  1. the processing is for lawful purpose directly related to an activity of the data user;
  2. the processing is necessary for or directly related to that purpose;
  3. the personal data is adequate and not excessive in relation to that purpose.

Applying the above section to Alven’s situation, the question which should be asked:-

  1. whether collection of the IC details is directly related to the cash deposit by the Bank;
  2. whether the collection of IC details is necessary for or directly related to cash deposit purpose;
  3. whether the collection of IC details is not excessive in relation to cash deposit.

Here, as Alven is not comfortable with the insertion of IC, he shall not deposit the cash using the ATM machine. By conduct, Alven is refusing his to give consent for the Bank to process his IC details. Then, he may write in to the Sand Chop Bank to seek clarification on the purpose of inserting IC for cash deposit. If he is unhappy with the rationale from the Bank, he may request to withdraw his consent to use his IC details and/or to limit the usage by the Bank in accordance to PDPA.

Bear in mind that, it is always a good practice to query the data user if you are not comfortable with the use of your personal data by the data user.

So, how much did you know about this Legal Myth?

Share with us your thoughts and feedback to us. Ask us a question on AskCA@Thursday or suggest a Myth Buster for us.