As stated in our previous Alert
, the Personal Data Protection Commissioner (“PDP Commissioner
”) recently issued the General Code of Practice of Personal Data Protection (“General COP
”) on its official website, which is effective from 15 December 2022.
The General COP can be found here
Application of the General COP
The General COP applies to classes of data users required to be registered as data users under the Personal Data Protection Act 2010 (“PDPA
”) who are currently not
subject to any codes of practice registered by the PDP Commissioner.
To date, the PDP Commissioner has registered codes of practice for the following sectors:
- the banking and financial sector;
- the insurance and takaful industry;
- the utilities sector (water);
- the utilities sector (electricity);
- the aviation sector;
- the licensees under the Communications and Multimedia Act 1998; and
- private hospitals in the healthcare industry.
Hence, the General COP applies to the classes of data users who do not fall within the sectors listed above. This would include data users in the following sectors:
- tourism and hospitalities (e.g. licensed persons who carry on or operate a tourism training institution, licensed tour operators, licensed travel agents or licensed tourist guides under the Tourism Industry Act 1992);
- education (e.g. private higher educational institutions registered under the Private Higher Educational Institutions Act 1996);
- direct selling (e.g. licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993);
- professional services (legal, audit, accountancy, engineering, architecture); and
- real estate (e.g. licensed housing developers under the Housing Development (Control and Licensing) Act 1966).
Set out below are some of the notable provisions in the General COP in comparison with the existing provisions under the main statute, the PDPA.
Presently, the PDPA does not define “consent”, nor expressly provide for specific consent methods. The Personal Data Protection Regulations 2013 (“PDP Regulations
”) merely states that consent must be “recorded” and “maintained”.
The General COP has provided some examples of acceptable forms of consent, including the following:
- Consent by conduct or performance: consent is considered as given by way of conduct or performance if:
Example: Consent is given by the data subject upon providing a copy of his identification document, whether or not it contains sensitive personal data to the data user.
- the data subject does not object to the processing;
- the data subject voluntarily discloses his personal data; or
- the data subject proceeds to use the services of the data user.
Example: Consent is given by a caller to the data user to process the caller’s personal data when the caller calls the data user’s customer service for their services.
- Consent by verbal consent: may be recorded either digitally (such as through the use of a call logger and/or recorder software) or by issuing a written communication (such as issuing a letter, a form or an email from the data user’s official email) to the data subject confirming that consent has been given.
While the General COP only applies to the specified classes of data users, this may be indicative of the consent methods that would be deemed acceptable under the PDPA.
Additional compulsory elements in personal data protection notices
The General COP also requires certain additional information to be incorporated into personal data protection notices (“PDP notices
”), as follows:
- whether personal data of children under 18 years old are processed;
- whether there is any regulatory requirement to collect certain personal data;
- how long the personal data will be retained;
- when the personal data will be disposed of;
- the practical measures that will be taken to ensure personal data is secured; and
- to name the third party to whom the personal data of the data subject is shared with, and for what purpose.
This appears to expand the scope of mandatory information as set out under the Notice and Choice Principle of the PDPA. In particular, the General COP now requires each third party to be named in PDP notices, as opposed to just setting out “the class of third parties to whom the data user discloses or may disclose the personal data
” (as required under the Notice and Choice Principle).
“Direct marketing” is defined in the PDPA as “the communication by whatever means of any advertising or marketing material which is directed to particular individuals”.
The PDPA prescribes that data subjects have the right to request that a data user “cease or not begin processing his personal data for purposes of direct marketing”. Data users are required to comply with such a request but the PDPA does not specify a timeline to respond to any such request by a data subject.
The General COP has now specified that data users are required to comply with such requests “within a reasonable time frame”, although there is no guidance provided as to what would constitute a “reasonable time frame”. In light of this, data users are advised to reassess their current practices and timelines for responding to such requests to ensure that there are justifications for the time frame determined.
The General COP requires data users to develop and implement appropriate compliance policies and procedures (compliance framework) to ensure compliance with the General COP, PDPA, and any regulations and standards enacted thereunder. This also appears to be an expansion of the existing provisions under the PDPA which only state that data users are required to develop and implement a security policy
that is compliant with the PDPA and the security standards under the Personal Data Protection Standard 2015.
The General COP also recommends that data users continuously monitor their compliance with the General COP, PDPA, and any regulations and standards enacted thereunder by: (a) implementing an internal monitoring framework; and (b) conducting self-audits.
Non-compliance of the General COP
The General COP is stated to have the force of law and non-compliance with the provisions therein is an offence under the PDPA, which may attract a fine of not exceeding RM 100,000 or imprisonment for a term not exceeding one year, or both.
The General COP appears to have introduced some additional obligations that the relevant classes of data users should take cognisance of.
In light of the additional requirements under the General COP, the relevant data users who come within the purview of the General COP are advised to reassess and review their existing data processing activities (including the PDP notices), and look into ensuring that their data processing practices comply with these new obligations under the General COP.
Alert by Jillian Chia (Partner), Natalie Lim (Partner), Beatrice Yew (Associate) and Cheam Tat Sean (Associate) of the Personal Data Protection Practice of Skrine.