Enacted in 2010, Malaysia’s Personal Data Protection Act and its implementing regulations finally went into effect on November 15, 2013. The law applies to the processing of “personal data” by entities operating in Malaysia but generally does not apply to data processed entirely outside of Malaysia. Additionally, official registration requirements will extend to many classes of “data users” (those who control or authorize data processing), including those in the communications, banking and financial, insurance, health care, and other industries.
“Personal data” is defined broadly within the Act as “any information in respect of commercial transactions” relating to any person “who is identified or identifiable from that information,” either by itself or in combination with other data. “Sensitive personal data,” subject to heightened regulation within the law, is defined as:
any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence
The law is structured around seven principles. These are:
General Principle: With narrow exceptions – where processing is necessary to perform a contract to which the data subject is a party, to protect legal rights or comply with legal obligations, or to protect the “vital interests” of the data subject – this principle conditions data processing on the data subject’s consent. “Consent” of the data subject is required for all processing of non-sensitive data; “[e]xplicit consent” is required for all processing of “sensitive” data. The implementing regulation provides that consent shall be obtained “in any form that such consent can be recorded and maintained properly.” “Explicit consent” is not itself defined in the Act or the Personal Data Protection Regulations.
Additionally, the data subject is given the right to withdraw consent, after which the data user must cease processing the data subject’s data, with criminal penalties (including imprisonment) attached to any failure to cease processing.
Notice and Choice: This principle requires extensive and detailed disclosures to affected data subjects about the use of their data, the source of the data, the kind of data being processed, the data subject’s rights to access or inquire about his data, and more.
Disclosure: Disclosure must be limited to the purpose for which the data was originally collected; where data is disclosed to third parties in a manner consistent with the Act’s other provisions, it may only be disclosed to third parties whose identity has itself been disclosed to the data subject in an appropriate notice. The implementing regulations additionally specify that data processors must keep a log of all third-party disclosures.
Security: The law requires data users to take “practical steps” to protect personal data from “loss, misuse, modification, [and] unauthorized or accidental access or disclosure, alteration or destruction.” Data users must also “ensure” that their outside data processors “provide sufficient guarantees” regarding data security measures and “take reasonable steps” to “ensure compliance with those measures.” The regulation also requires the data user to have, and adhere to, a written security policy.
Retention: Data may only be retained for so long as is necessary to fulfill the purpose for which it was collected.
Data Integrity: The data user must take “reasonable steps” to “ensure that the personal data is accurate, complete, not misleading and kept up-to-date.”
Access: Data subjects have the right to access and correct their personal data.