Delay in panel formation hampers preparedness for Personal Data Protection Act
The delay in the official endorsement of those sitting on the Personal Data Protection Committee is expected to hinder preparedness by the private and public sectors, which need guidelines to comply with the Personal Data Protection Act (PDPA).
The PDPA ushered in the establishment of the 16-member Personal Data Protection Committee, which has a broad range of powers in the promotion and protection of personal data. These include drafting the master plan on personal data protection, issuing notifications or rules for the execution of the act, and advising the cabinet on the enactment or revision of the existing laws so as to protect personal data.
Ten of the members come from the selection process: a chairman and nine honorary directors. The other six sit on the body in accordance with their existing positions.
On May 19, the cabinet approved the list of 10 selected members, picked by a selection committee. The list was supposed to be announced in the Royal Gazette, but the move has yet to take place.
Digital Economy and Society (DES) Minister Buddhipongse Punnakanta said complaints were made about the selected members, so the ministry has asked the selection panel to revise the list in consultation with the Council of State.
"The DES Ministry is only the messenger during the selection process, while the selection committee has freedom to decide," Mr Buddhipongse said.
A source at the National Cybersecurity Committee revealed that a couple of selected names lack qualifications for the position because they have no specialisation in the targeted field, so complaints have been made.
Some 200 candidates joined the race to become committee members.
Putchapong Nodthaisong, deputy permanent secretary for DES, who oversees the temporary PDPA Office, said more than 200 issues have been raised for consultation with regard to the PDPA, which was partially enforced in May.
Many asked questions to seek better understanding of the law and how to deal with personal data collected before the PDPA came into force, he said.
Regarding human resources units that keep personal data of employees, if they switch to using this data for other purposes, they must seek consent.
As the Personal Data Protection Committee is still unavailable, the DES Ministry may have to draw up necessary regulations in relation to the complaint process, documents required for complaints and cross-border data transfer, Mr Putchapong said.
He recommended that the private and public sectors comply with the PDPA, including having a minimum security standard to prevent data leaks.
Paiboon Amonpinyokeat, a legal expert, said that those governed by specific laws, such as banks, Bank of Thailand and Stock Exchange of Thailand, should come up with a code of conduct or practices in line with the PDPA.
Those operators should have minimum security standards to prevent data leaks or illegal access.
Mr Paiboon expressed concern about the rampant ransomware and cyber threats that could affect critical information infrastructure.
"Progress is needed for the establishment of the Office of the National Cyber Security Committee, serving as a central agency overseeing projects and legislation with related laws and national strategies," he said.
The PDPA, which has seven chapters and 96 sections, was published in the Royal Gazette in May 2019.
The act was due to be enforced on May 27 this year after a one-year grace period, but enforcement was postponed.