An Overview of the Development in Personal Data Protection

Jillian Chia traces the developments in data protection laws in Malaysia since 2013.
 
It has been just over three years since the Personal Data Protection Act 2010 (“PDPA”) came into operation on 15 November 2013.  
 
The PDPA is Malaysia’s first data protection legislation of general application. It applies to “data users”, that is, any person who collects, uses, discloses or processes personally identifiable data in a commercial transaction. The PDPA is administered by the Department of Personal Data Protection (“PDP Department”) under the purview of the Ministry of Communications and Multimedia.
 
Chronology of developments
 
2014
 
Along with the implementation of the PDPA, various subsidiary legislation and instruments were issued, such as the Personal Data Protection Regulations 2013 which provided guidance on the consent, security, data retention and data integrity requirements.
 
The Personal Data Protection (Class of Data Users) Order 2013 and the Personal Data Protection (Registration of Data Users) Regulations 2013 set forth the requirements and procedures for registration of specified categories of data users. Classes of data users who had to be registered included those falling within the following sectors: Communications, Banking and Financial Institutions, Insurance, Healthcare, Tourism and Hospitalities, Transportation, Education, Direct Selling, Services (namely organisations which provide legal, audit, accountancy, engineering, architectural or private employment agency services or carry on retail or wholesale dealings), Real Estate and Utilities.
 
The PDP Department also issued several proposal papers in 2014 to seek feedback from relevant stakeholders on issues such as management of employee personal data, consent requirements, direct marketing and management of data collected from closed-circuit television (CCTV). The proposal papers did not mature into official guidelines, but they nevertheless serve as an indicator of the PDP Department’s stance on these issues.
 
In October 2014, the Personal Data Protection Commissioner (“Commissioner”) Abu Hassan bin Ismail was succeeded by Mazmalek bin Mohamad.
 
The focus of the PDP Department during the first year of implementation was on registration of data users and awareness.
 
2015
 
The PDP Department’s focus for 2015 was on compliance and appraisal. Data users who were required to be registered but had not yet done so were given the opportunity to register without imposition of penalties. The online registration portal was also launched on the PDP Department’s website (http://www.pdp.gov.my) in 2015. Manual applications were phased out and registrations are now accepted only if they are submitted through the online registration portal.
 
A public consultation paper was released on the proposed Personal Data Protection Standards which set out detailed measures to be taken by data users in respect of security, retention and integrity of data.
 
The Data User Forums were formed for specific industries, in particular, for the Communications, Banking and Finance, Insurance, Hospitality, Transport, Direct Sales, Professional Services and Utilities sectors. Each Data User Forum was directed by the Commissioner to develop its own codes of practice for adherence by data users in the respective sectors.
 
On 23 December 2015, the Personal Data Protection Standards (“Standards”) were issued by the PDP Department by publication on its website and came into force with immediate effect. The Standards were based largely on the consultation paper issued earlier in the year and spell out three main standards, namely the Security Standards, Retention Standards and Data Integrity Standards, which apply to personal data processed electronically and non-electronically. The Standards are prescribed as “a minimum requirement” which applies to all data users. Failure to comply with the Standards constitutes a breach of the PDPA and is subject to penalties.
 
The Standards introduced detailed measures to be undertaken by data users. These measures include the prohibition of transfer of personal data using removable media devices and cloud computing services save where there is written approval of an authorised officer from the upper management of the data user’s organisation; the requirement to enter into contracts with data processors (i.e. persons who process personal data on behalf of a data user) in respect of any data processing; and the preparation and maintenance of records of disposal of personal data in a state which is ready for submission when directed by the Commissioner.
 
The PDP Department’s newsletter reported that 107 compliance audits had been carried out by the PDP Department in 2015.
 
2016
 
Investigation and enforcement was the theme of the PDP Department in 2016. The Personal Data Protection (Compounding of Offences) Regulations 2016 came into force on 15 March 2016. These regulations outline the offences that may be compounded with the written consent of the Public Prosecutor and stipulate the manner in which the offer, acceptance and payment of compounds may be made.
 
On 16 December 2016, the Personal Data Protection (Class of Data Users) (Amendment) Order 2016 came into force, specifying additional classes of data users who are required to be registered with the PDP Department. Notably, licensees under the Pawnbrokers Act 1972 and the Moneylenders Act 1951 are now required to be registered with the PDP Department. Failure to do so will amount to a breach of the PDPA and attract penalties.
 
What to expect in 2017
 
In early 2017, Mazmalek bin Mohamad completed his tenure as Commissioner and was succeeded by Khalidah binti Mohd Darus. The policies and outlook of the PDP Department under the new Commissioner have yet to be discerned but it is anticipated that the codes of practice for each industry will be finalised this year.
 
It is also anticipated that enforcement of the PDPA would become a priority given that the PDPA is now in its third year of implementation.
 
COMPLIANCE REDUX?
 
In view of the developments in data protection laws that have taken place in Malaysia over the last three years, it may be appropriate for a data user to review the adequacy of the measures that it had previously taken to comply with the PDPA.
 
The checklist below may be adopted as a guide, but the data user should nevertheless seek advice from its legal counsel:
  • Register as a data user if you fall within any class of data user which is required to be registered
  • Prepare a Data Protection Notice/Privacy Policy and notify all relevant data subjects
  • If the Data Protection Notice/Privacy Policy was issued over 12 months ago, update such Notice/Policy (if required) and reissue the same to the data subjects
  • Ensure that consents obtained from data subjects are in a form which can be recorded and maintained
  • Prepare a third party disclosure list in a format which can be readily presented to the Commissioner upon request
  • Establish a security policy which complies with the Security Standards, and can be readily presented to the Commissioner upon request
  • Review contracts with data processors to ensure that they contain data protection clauses which comply with the PDPA
  • Establish a data retention policy and personal data disposal schedule which complies with the Retention Standards
  • Prepare and maintain records of disposal of personal data in a format which can be readily presented to the Commissioner upon request
  • Prepare a form for updating of personal data and make the same available online or in physical copy
  • Establish standard operating procedures (SOPs) to deal with access and correction requests and with inquiries or complaints pertaining to processing of personal data