Personal Data Protection Standards

Malaysia’s Personal Data Protection Act 2010 (PDPA) was enforced in late 2013, and various issues have arisen since its implementation. Our goal is to provide you with a working knowledge of the PDPA and tips on what organisations should do to comply.

In our last e-alert, we reviewed the public consultation paper on the proposed standards by the Personal Data Protection Department (“Proposed Standards”) (view here). The finalised standards on personal data protection (“Standards”) were issued by the Personal Data Protection Commissioner pursuant to the Personal Data Protection Regulations 2013 and came into force on 23 December 2015.

Generally, the Standards are similar to the Proposed Standards. The more significant changes made relate to the removal of fixed time periods suggested for completion of a particular action. For example, the Proposed Standards suggested that where an employee has ceased to be involved in processing personal data, his password and ID must be cancelled or changed within three working days. This three working days’ requirement has since been replaced with the word “immediately”. Although the removal of a strict timeline affords greater flexibility in the implementation of the Standards, the subjectivity of the term “immediately” could lead to varied interpretations.

Also, in the Proposed Standards, personal data collection forms were to be disposed of within seven days. This has now been extended to 14 days, unless there are some other legal requirements which govern the transaction.

In the Proposed Standards, the transfer of personal data processed electronically, without the permission of an authorised officer, was prohibited. This could cover a wide range of modes of transfer, and could even include emails, thus potentially limiting the issuance of emails that contain personal data. The Standards have narrowed the reference to “electronic transfer”, by only focusing on the use of removable media devices and cloud computing services for the purposes of transfer. Transfer by removable media devices and cloud computing services will only be allowed with the written permission of an officer authorised to do so by the data user’s senior management. All such transfers would also have to be recorded and transfers via cloud computing services, in particular, would have to abide by the data protection principles of the PDPA and any available data protection laws in other countries.

As the Standards are already in force, companies are urged to comply, since any contravention could lead to a fine not exceeding RM250,000 or imprisonment for a term not exceeding two years, or both.