Malaysia’s data protection law, still in its infancy, is set to take some noteworthy next steps. These come in the form of mandatory minimum standards with regard to data security, data retention and data integrity which the Malaysian Data Protection Commissioner is expected to issue later this year. The standards will likely provide private sector organisations subject to the Malaysian Personal Data Protection Act (the "PDPA") with much-needed guidance on how to comply with their data security, data retention and data integrity obligations but they are also likely to raise practical issues for businesses if adopted in their proposed form.
Snapshot of Malaysia’s Data Protection Law
The PDPA was passed in 2010 but did not come into force until November 2013. The Malaysian law, often described as a European-style privacy law, applies to private sector organisations that are established in Malaysia or use equipment located in Malaysia to process personal data (other than for purposes of transit through Malaysia) and use data in connection with commercial transactions. It codifies seven high-level data protection principles. These include the usual suspects, namely a general principle (setting out under which conditions and for which purposes personal data may be processed), a notice and choice principle, a disclosure principle, a security principle, a data retention principle, a data integrity principle and a data access principle.
These principles are very broadly drafted and, on their own, create uncertainty as to what data protection measures and processes data users are required to implement in practice. However, they are supplemented by accompanying data protection regulations which clarify some of the key provisions of the PDPA, including the seven privacy principles. The regulations also empower the Commissioner to set binding standards for data security, retention and integrity. In July 2015, the Commissioner issued a public consultation paper seeking data users’ feedback (by 27 July) on proposed minimum standards to be adopted in respect of data security, retention and integrity.
The Proposed Standards
The proposed Data Security Standard distinguishes between conventional and electronic data management and prescribes various security measures in relation to each. For example, the security measures proposed for personal data managed electronically include restricted access, password protection, protection against malware and viruses as well as the implementation of a back-up or recovery system to prevent data loss. Correspondingly, conventional records are required to be kept in an orderly fashion under lock and key.
The proposed Data Retention Standard focuses on the destruction and deletion of personal data after it is no longer needed. For example, the standard contemplates requiring data users to destroy data collection forms and customer data seven days after the end of a commercial transaction unless the data user is legally obliged to retain the same.
The proposed Data Integrity Standard prescribes measures for ensuring personal data retained is accurate, complete and up-to-date. It proposes steps such as preparing standard forms for data correction requests and correcting customer data within seven days of receiving a correction request.
While providing some much-needed guidance to data users, the proposed standards are extremely prescriptive and detailed in nature. For example, they go as far as to prescribe that authorised access must be revoked within three days after relevant personnel has left an organisation, or that weekly user logs must be maintained to monitor access to data. These narrow requirements which allow no flexibility or differentiation whatsoever are likely to impose significant administrative burden on businesses. It remains to be hoped that at least some of the very specific requirements contained in the draft standards will be removed prior to their finalisation.