Background

The Personal Data Protection Regulations 2013 ("Regulations") require data users to comply with standards issued by the Personal Data Protection Commissioner ("Commissioner").

In July 2015, the Commissioner issued a public consultation paper proposing standards to be adopted by data users. Since then, the Commissioner has reviewed the feedback received, and the Personal Data Protection Standards 2015 ("Standards") have been finalised and are in force as of 23 December 2015.

Key Highlights of the Standards

The Standards generally address the same points previously raised in the consultation paper, save for certain adjustments which make the Standards more reasonable and practical for data users.

Security Standard

The Security Standard distinguishes between conventional and electronic management of personal data and requires different security measures for each. By way of example, the security measures prescribed for personal data managed electronically include restricted access, password protection, protection against malware and viruses, and the implementation of a backup or recovery system to prevent any loss of data. Correspondingly, conventional records are required to be kept in an orderly fashion under lock and key.

Data Retention Standard

The Data Retention Standard focuses on the destruction and deletion of the personal data once it is no longer required. For example, the standard contemplates requiring data users to destroy data collection forms and customer data after 14 days unless the data user is legally obliged to retain the same. Note that the initial proposal was for the forms to be destroyed after 7 days.

Data Integrity Standard

The Data Integrity Standard also distinguishes between conventional and electronic management of personal data. However, the proposed steps, which are similar between the two categories, include preparing standard forms to be used for data correction requests and correcting the data within seven days of receiving a correction request.

Conclusion

A data user who fails to comply with the Standards may consequently be in breach of the data protection principles set out in the Personal Data Protection Act 2010 ("PDPA") and, upon conviction, may be liable to a fine of up to RM 300,000 and/or imprisonment for a term not exceeding two years. Given that the Standards apply to all data users, data users should review their personal data processing practices and ensure that the Standards are complied with.

Please click here for a copy of the Standards available in Malay.