The Personal Data Protection Act 2010 (PDPA) was passed by the Malaysian Parliament in May 2010 and received Royal Assent on 2 June 2010. The PDPA came into force on 15 November 2013 by way of notification in the Government Gazette, with a three-month sunrise period which ended on 15 February 2014.
Scope of the PDPA
The PDPA governs personally identifiable data which is collected in respect of a "commercial transaction". Recent proposal papers issued by the Personal Data Protection Department (Department) have also clarified that employment-related data will come within the ambit of the PDPA.
The PDPA does not apply to information processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010. The Malaysian Federal and State governments are also excluded from complying with the PDPA. In addition, the PDPA does not apply to personal data processed outside Malaysia unless such data is intended to be further processed in Malaysia.
The PDPA does, however, apply to parties not established in Malaysia but using equipment in Malaysia to process personal data other than for purposes of transit through Malaysia.
Personal data protection principles
The PDPA asserts seven Personal Data Protection Principles (Principles) which have to be complied with when processing personal data. Non-compliance by a data user with any of the Principles constitutes an offence under the PDPA and the penalty includes fines and/or imprisonment. Certain Principles are qualified by exceptions and exemptions.
The General Principle prohibits a data user from processing an individual's personal data without their consent. The Personal Data Protection Regulations (Regulations) stipulate that consent must be "recorded" and "maintained", which suggests that express consent is required. However, recent proposal papers indicate that implied consent may be sufficient, provided the individual has been made fully aware of the purposes of the processing of his personal data and the data user is able to demonstrate that consent has been given by the individual.
The PDPA also prohibits the processing of personal data unless it is for a lawful purpose directly related to the activity of the data user, the processing is necessary for or directly related to that purpose, and the data processed is not excessive in relation to that purpose.
Explicit consent is required for the processing of "sensitive personal data": data about health; political opinion; religious beliefs; and commission or alleged commission of an offence.
Notice and Choice Principle
The PDPA requires a data user to inform the individual by written notice, in both the national and English languages, of certain matters, including:
- the fact that the personal data of the individual is being processed and a description of the data;
- the purposes for which the personal data is being collected and further processed;
- any information available to the data user as to the source of that personal data;
- the individual's right to request access to and correction of the personal data, and the contact particulars of the data user in the event of any inquiries or complaints;
- the class of third parties to whom the data is or may be disclosed;
- the choices and means offered to the individual to limit the processing of the data; and
- whether it is obligatory or voluntary for the individual to supply the data and, if obligatory, the consequences of not doing so.
Notice of the above has to be given by the data user "as soon as practicable", that is, when the data user first requests the personal data from the individual, or when the data user first collects the personal data of the individual, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party.
Disclosure Principle
This Principle prohibits the disclosure, without the individual's consent, of personal data for any purpose other than that for which the data was disclosed at the time of collection, or a purpose directly related to it; and to any party other than a third party of the class notified to the data user.
Security Principle
The PDPA imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
Where the data processing is carried out by a third party (a "data processor") on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
Under the Regulations, data users are required to develop a security policy in compliance with any security standards issued, though no such standards have been issued at present.
Retention Principle
Under this Principle, personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it is processed. A duty is also imposed on the data user to take reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed.
Data Integrity Principle
The data user has to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (and any directly related purpose) for which it was collected and processed.
Access Principle
The PDPA gives the individual the right to access and correct his own data where it is inaccurate, incomplete, misleading or outdated. The PDPA provides grounds on which the data user may refuse to comply with a data access or data correction request by the individual.
Exemptions
There are exemptions from various Principles, including for personal data processed for: the prevention or detection of crime; the purposes of investigations; the apprehension or prosecution of offenders; in connection with any court judgment or order; or the purposes of discharging regulatory functions, where the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions.
Transfer of personal data out of Malaysia
It is pertinent to note that the PDPA does not permit a data user to transfer any personal data outside Malaysia except to countries specified by the Minister and published in the Gazette. There are certain exceptions specified in the PDPA under which personal data can be transferred out of Malaysia, i.e. where the individual has given consent to the transfer, where the transfer is necessary for the performance of a contract between the individual and the data user, or where the transfer is for the purposes of legal proceedings or of obtaining legal advice.
Rights of the individual
The PDPA confers the following rights (subject to qualifications) on the individual vis-à-vis a data user in relation to their personal data:
- the right to access personal data;
- the right to correct personal data;
- the right to withdraw consent to process personal data;
- the right to prevent processing likely to cause damage and distress; and
- the right to prevent processing for direct marketing.
Registration of data users
There are classes of data users who must be registered under the legislation. The classes which have been identified are: Communications, Banking & Financial Institutions, Insurance, Health, Tourism & Hospitalities, Transportation, Education, Direct Selling, Services, Real Estate and Utilities. Fees are chargeable for registration, and the registration is valid for 24 months, after which renewal is required.
The Minister may also require data user forums to be established and codes of practice to be prepared in respect of data users who have to be registered.
Proposal papers on guidelines
Several proposal papers have been issued by the Department setting out guidelines for direct marketing, the handling of employee data, compliance with the PDPA and the consent requirements. However, these guidelines are still at the proposal paper stage and may be subject to change before being issued as formal guidelines.
Jillian Chia Yan Ping