The first article out of a series of three provided a general overview of PDPA 2010, its scope and definitions, as well as where authority lies and the sectors that must register. We also briefly touched upon the seven underlying principles of the act.
In the second part, we’re going to discuss those seven key principles in detail, which Malaysian businesses (referred to as data users) must be familiar with in order to ensure compliance:
7 PDPA 2010 Principles businesses must know
A data user must comply with the following seven Malaysian PDPA principles:
General Principle
Under this principle, data users must not process personal data unless written consent has been given by the data subject. With that said, a data user is under no obligation to comply with the above requirement where data processing is needed for:
- Compliance with a legal obligation to which the data user is subject, other than a contractual obligation
- Steps taken at the request of the data subject in order to enter into a contract
- The assessment of contractual performance where the data subject is a party to the contract
- The administration of justice or legal notices
- Protection of the vital interests of the data subject, namely matters pertaining to the security, life or death of the data subject
- Exercising any functions delegated to any concerned individual under any law.
Under PDPA 2010, the personal data of a data subject can only be processed when:
- It is done for a lawful purpose which is directly related to the data user’s activity
- It is necessary for, or directly related to, that purpose; and
- The data is sufficient and not excessive in relation to that purpose.
Notice and Choice Principle
Under the notice and choice principle, data users must inform a data subject of a variety of matters relating to the latter’s personal information that is being, or is to be, processed by or on behalf of the data user.
According to the PDPA, a data user must notify a data subject in writing (in both Malay and English) of the following:
- That the data subject’s personal data is being processed, along with a description of that data
- The purpose for which the data is being collected and processed
- Any information the data user currently has regarding the source of the subject’s personal data
- The data subject’s right to request access to the personal data and to request its correction or updating
- The contact information of the data user for any inquiries or complaints
- The classes of third parties with whom the personal data is shared
- The means and options available to the data subject to limit the processing of the personal data to the stated purpose only
- Whether it is compulsory or voluntary for data subjects to share personal data, and if it is obligatory, then the consequences of not sharing that data.
The above notice must be given by the data user to the data subject at the first possible opportunity – that is, when the data user first requests the personal data from the data subject.
Disclosure Principle
Under this principle, a data user cannot disclose a data subject’s personal data in either of the following ways:
- Disclosure for a purpose other than the one disclosed to the data subject, or one directly related to it
- Disclosure to any party other than the class of third parties agreed upon between the data user and the data subject
Personal data disclosure is, however, permissible in the following circumstances:
- Prior consent from the data subject has been given
- The disclosure is deemed necessary in order to detect or prevent crime, or for the purpose of a criminal investigation or legal action
- The disclosure has been authorised/required by law enforcement agencies or the court
- The data user believed that he was under legal obligation to share personal data with another individual or party
- The data user believed that the data subject would have given consent in the event that the latter would have known of the disclosure and the circumstances around such disclosure
- The personal data disclosure was justified and called for in the name of public interest, and in accordance with circumstances determined by the acting Minister.
Security Principle
This principle puts the data user under an obligation to take specific measures in order to protect a data subject’s personal data from loss, modification, misuse, accidental or unauthorized access or disclosure, or destruction during processing. The following factors are to be considered:
- The personal data’s underlying nature and the harm which may ensue due to loss, modification, misuse, unauthorized/accidental disclosure or access, or destruction
- The location of the personal data storage
- Security measures which have been integrated within the equipment used to store the personal data
- Any measures taken to ensure the integrity, reliability and competence of the personnel who have access to that personal data
- Measures taken to ensure the secure transfer of all such data.
In addition, a security policy must be prepared by the data user according to the 2013 Regulations.
Retention Principle
This principle stipulates that personal data may be retained only for as long as is necessary to fulfil the purpose for which it was processed. The data user must destroy the data permanently once the data subject’s personal data is no longer required for processing purposes.
However, minimum data retention periods may apply under other laws, such as specific tax laws. With that said, it is quite unlikely that the retention of data under other laws would be treated as a contravention of this principle, though this has not been tested in practice.
Here’s a brief overview of the retention standards according to the 2015 Standards set under the PDPA. The data user must:
- Ensure that all legislation pertaining to personal data processing and storage is complied with and recorded before disposal
- Not retain the personal data longer than the required time for processing, unless specified otherwise by legal authorities, law enforcement agencies or the court
- Prepare and maintain personal data disposal records which are to be submitted to the Commissioner when required
- Dispose of personal data collection forms used for the purpose of commercial transactions within 14 days, unless the form has legal value in relation to that commercial transaction
- Review and dispose of personal data which is no longer required in the data user’s database
- Draw up a personal data disposal schedule, covering a minimum of 24 months, for personal data which is inactive
- Not use removable media devices for storing personal data, unless permitted in writing by the higher management of the data user’s organization.
Data Integrity Principle
Under this principle, the data user must take the appropriate steps to ensure that all personal data collected is entirely complete, accurate, up-to-date and not misleading in regards to the underlying purpose for storing and processing such data.
According to the 2015 Standards, here’s a brief overview of the data integrity standards set by PDPA:
- Prepare a form for updating personal data which must be available either in tangible form or online
- Upon receiving a personal data correction/amendment notice from the data subject, update the personal data without delay
- Ensure that all legislative requirements are satisfied by identifying the types of documents/data required to support the personal data’s authenticity
- Inform the data subject about any updates his/her personal data may require, either through a portal where the latter is registered or through other appropriate channels, to ensure that the notice is received.
Access Principle
The Access principle gives data subjects the right to access and correct their personal data where it is incomplete, misleading, inaccurate or outdated. The PDPA provides stipulations under which a data user may refuse to comply with an access or correction request put forth by the data subject.
- When a data subject puts forward a request to access their personal data, the data user must comply with this request within 21 days from the receipt of any such request.
- The data user is at liberty to impose a reasonable fee for providing access to the data, with the maximum fee which is fixed under the Personal Data Protection Fees Regulations of 2013.
- However, there are multiple exceptions to the above, especially where it might result in disproportionate expense.
Keep a lookout for part three of the series, coming soon, in which we discuss controller/processor contracts, data subject rights, breach reporting in the health and financial sectors, and data transfers.
In Part 2 of the series, we discussed the seven key principles under the Malaysian PDPA 2010. The final article focuses on data controller contracts, data subject rights, data transfers and how breach reporting can be done in the Health and Financial sector.
Data Processor / Controller and Contracts
It should be noted that the provisions under PDPA 2010 for the most part concern data users and not data processors. However, under specific circumstances, data users may be required to contractually bind data processors/controllers in order to ensure PDPA compliance.
This brings us to data controller/processor agreements or contracts.
Whenever any personal data processing is carried out by a data processor or controller on behalf of a data user – for the purpose of protecting that personal data from loss, modification, misuse, accidental/unauthorized disclosure or access or destruction – the PDPA requires the data user to ensure that the data controller/processor meets the following criteria:
- Offers reasonable guarantees and/or assurance around the technical and organizational security measures which have been taken in regards to the process which must be carried out
- Takes the appropriate steps to ensure compliance with the above measures.
In addition, as per the Security Principle, which was discussed in detail in part 2, data users can enter into contracts with data controllers/processors with regard to any kind of data processing which may be required.
Data Subject Rights
Apart from the obligations placed by the PDPA on a data user, it also offers these rights to a data subject:
- The right to access personal data
- The right to request a data user to correct/update personal data
- The right to withdraw consent given for personal data processing
- The right to object to processing which may cause any damage or distress
- The right to object to processing done for direct marketing campaigns
Some of the above rights are subject to further PDPA provisions. For example, with respect to the last one, a data subject can, through written notice, require the data user to immediately stop or not begin processing the personal data for direct marketing purposes. If the data subject is not satisfied with the data user’s response, he/she may forward a formal application to the Commissioner to enforce compliance with the notice.
If a data subject believes that his/her personal data has been misused or used in a way that is against his/her wishes or consent, then they may register a complaint with the Commissioner.
Data Transfers
The PDPA does not permit the transfer of personal data out of Malaysia unless the transfer is to a country which has been recorded by the Minister in the Official Gazette. As it stands, no countries have been officially specified or recorded as yet.
However, the PDPA outlines certain exceptions to this prohibition, such as where the data subject’s consent has been obtained for the transfer, or where the transfer is deemed necessary for the performance of a contract between the concerned parties.
If in doubt as to whether any such exemption applies to a data transfer, the best course of action is to obtain the data subject’s consent with respect to transfers out of Malaysia.
Breach Reporting in the Health and Financial sector
There appears to be no general obligation on any party to report a breach of personal data under the PDPA – however, there are a number of reporting obligations imposed by authorities and regulators that have jurisdiction depending on the individual facts of each case.
Here’s how breach reporting can be done in these two sectors:
Health sector
In this sector, while the breach reporting obligations are general and not specific to data breach notifications, they are still relevant.
For example, Section 37(1) of the Private Healthcare and Facilities Act 1998 provides that a private healthcare service or facility must report breaches to the Director General or any individual authorized on his behalf.
In the financial sector, things are a bit more nuanced. Various breach reporting obligations imposed by authorities and regulators may be triggered, and these may or may not coincide with data breaches.
For example, the Central Bank of Malaysia (BNM) has published Guidelines on Internet Insurance, which state that licensed insurers carrying out internet-based insurance activities must report to BNM any material security breaches, system performance degradation and downtime that critically affect the insurer.
Additionally, BNM has published the Management of Customer Information & Permitted Disclosure, which explains that financial service providers need to have a customer information breach handling and response mechanism in place, should there be any loss, misuse, theft, modification or disclosure of customer information that they hold. In fact, the guidance document is accompanied by a template which guides complainants on how to report a customer information breach.
Under separate Guidelines on Data Management and MIS Framework, also published by BNM, boards of registered financial companies must inform BNM of any development whatsoever which may have a material effect on the company’s risk profile, financial condition or day-to-day operations.
Furthermore, public listed companies must abide by the Listing Requirements laid forth by Bursa Malaysia – listed issuers must disclose to the public without any delays all material information which may be deemed important and necessary for informed investing decisions.
In regards to capital markets, Securities Commission of Malaysia (SC) has published the Guidelines on Management of Cyber Risk, requiring all concerned entities to file a report to the SC, in case a cyber incident occurs with an adverse effect on the systems or information assets of the entity in question. Furthermore, this must be reported on the day the incident occurs.
To conclude, the specific circumstances and facts of each case are the two underlying factors which decide whether a data breach notification is required from a financial institution. With that said, the Financial Services Act 2013 (FSA) offers protection to those financial companies that voluntarily disclose information, knowledge or document(s) to BNM which clearly indicate that a breach or contravention of the FSA has occurred or is about to occur.
Hopefully, this series has proven useful to help you understand what PDPA in Malaysia is and what you can and cannot do as a data user or a data subject.