The Personal Data Protection Regulations 2013 require data users to comply with standards issued by the Personal Data Protection Commissioner ("Commissioner"). However, the standards, namely the Security Standard, Data Integrity Standard and Data Retention Standard ("Standards") have not yet been finalised.
In order to prepare the Standards, the Commissioner has issued a public consultation paper which propose the standards to be adopted by data users. Data users are invited to provide their feedback and comments on the paper before 27 July 2015.
Highlights of the Consultation Paper
Proposed Security Standard
The proposed Security Standard distinguishes between conventional and electronic management of personal data and requires different security measures to be taken. By way of example, the security measures which have been proposed for personal data managed electronically include restricted access, password protection, protection against malware and viruses as well as the implementation of a back up or recovery system to prevent any loss of data. Correspondingly, conventional records are required to be kept in an orderly fashion under lock and key.
Proposed Data Retention Standard
The proposed Data Retention Standard focuses on the destruction and deletion of the personal data once it is no longer required. For example, the standard contemplates requiring data users to destroy data collection forms and customer data after seven days unless the data user is legally obliged to retain the same.
Proposed Data Integrity Standard
The proposed Data Integrity Standard also distinguishes between conventional and electronic management of personal data. However, the proposed steps, which are similar between the two categories, include preparing standard forms to be used for data correction requests and correcting the data within seven days of receiving a correction request.
A data user who fails to comply with the Standards may consequently be in breach of the data protection principles set out in the Personal Data Protection Act 2010 ("PDPA"), and upon conviction, may be liable to a fine of up to RM 300,000 and/or imprisonment for a term not exceeding two years.
In view that the Standards will apply to all data users, whether or not they are required to register under the PDPA, it is crucial that data users take this opportunity to review the proposed Standards and submit their feedback on whether the said Standards are practical and may reasonably be complied with.
A copy of the consultation paper can be obtained on the Personal Data Protection Department's website.