top of page
Writer's pictureRajvin Singh Gill

What Businesses should know regarding Personal Data Protection in Malaysia

Updated: Mar 27, 2023

The Personal Data Protection Act 2010 (referred to as the "Act") is responsible for governing the handling of personal data belonging to individuals in Malaysia. This includes activities such as collection, processing, storage, transfer, and retention of such data. Essentially, the Act serves to regulate how personal data is handled in commercial transactions within Malaysia.



Here are key elements you need to know on personal data protection:


Firstly, is your business required to comply with the Act?


As previously stated, the Act would apply to any handling of personal data in commercial transactions. According to the Act, "commercial transactions" encompass a variety of topics including:


(i) the supply or exchange of goods or services;

(ii) agency;

(iii) investments;

(iv) financing;

(v) banking; and

(vi) insurance.


Nevertheless, it is imperative to also note that the Act does not apply to:

(a) Federal Government and State Governments;

(b) where personal data are being processed outside of Malaysia, unless it is intended to be further processed in Malaysia; and

(c) credit report agencies under the Malaysia Credit Reporting Agencies Act 2010.


Is your business involved in the processing of personal data?


The Act defines “processing” as the act of collecting, recording, holding or storing of the personal data or carrying out any operation or set of operations on the personal data. To make it simpler to comprehend, the following are some examples of activities that would fall under processing as defined by the Act:


(i) Collecting data through forms, by phone or via the web;

(ii) Publishing data;

(iii) Selling data;

(iv) Using administrative data;

(v) Using data for marketing purposes;

(vi) Recording data;

(vii) Disclosing or providing data to other organizations; and/or

(viii) Destroying data


What Personal Data Protection Principles does your business need to comply with?


The fundamental essence of the Act is based on seven (7) key principles, which include:

(i) the General Principle;

(ii) the Notice and Choice Principle;

(iii) the Disclosure Principle;

(iv) the Security Principle;

(v) the Retention Principle;

(vi) the Data Integrity Principle; and

(vii) the Access Principle


If any of the seven (7) principles of the Act are not adhered to, a penalty of up to RM300,000.00 or imprisonment for up to two years, or both, may be imposed.


Are there any guidelines/standards imposed pertaining to the compliance with the 7 principles?


The Personal Data Protection Commissioner Malaysia (PDPCM) states that entities often violate the general, security, retention, and disclosure principles. This is likely due to the financial burden of complying with these principles, especially for small and medium-sized business owners. Additionally, a lack of awareness among the public and businesses about personal data protection in our country has contributed to these breaches.


Based on this, the Personal Data Protection Standard 2015 ("Standard 2015") was implemented, which set forth three (3) essential principles that entities are required to comply with without exception.


(i) the Security Principle;

(ii) the Retention Principle; and

(iii) the Data Integrity Principle.


Failure to comply with the three minimum mandatory principles of the Personal Data Protection Standard 2015 may result in a penalty of a fine up to RM250,000.00 or imprisonment for a maximum of two years or both, upon conviction.

However, it is still mandatory to follow the other four principles of the seven fundamental data protection principles mentioned earlier. This is because the penalties for non-compliance are not exclusive to each other. Thus, if a commercial organization fails to comply with both:


(i) the requirements of the Standard 2015 and;

(ii) the principles under the Act,


both the organization and its officers may be subject to penalties and/or imprisonment for both.


So what are the minimum standards under the three (3) essential principles above?


(i) Security Principle


When handling the personal data of a data subject, a data user or processor must take practical and reasonable measures to prevent any unauthorized access, modifications, loss, disclosure, alteration, or destruction of the data. However, if the data processing is performed by a third-party, it is important to note that the data user must obtain sufficient assurance from the service provider about their security measures for protecting the data and take all reasonable steps to ensure compliance with this principle.


(ii) Retention Principle


This principle mandates that personal data of a data subject should not be kept longer than necessary for the purpose for which it was processed. After the purpose has been fulfilled, the data user must take reasonable steps to destroy or permanently delete all personal data according to the retention periods specified by different laws. For example, data related to employee payrolls must be retained for a period of seven (7) years. However, if the data has no legal significance, it should be disposed of within 14 days, and inactive personal data should be disposed of within 24 months.


(iii) Data Integrity Principle


This principle places an ongoing responsibility on data users to ensure that personal data remains accurate, complete, not misleading, and up-to-date by taking reasonable measures. This should be done while considering the purpose for which the personal data was collected and processed further.


Measures your business can take to comply with the minimum standards


(i) Security Principle


DO’s:


The control of access is properly established and protected. Management of IDs and passwords is firmly established, regularly maintained, and secured. Documents are stored in secure locations or databases.


DON’Ts:


Personal data-containing documents are stored in unsuitable, unsecured, or publicly accessible locations. Documents are inadequately secured and retained, resulting in exposure. CCTV systems malfunction and are not remedied promptly, leading to additional data or financial losses. Documents are not disposed of or destroyed properly. Passwords to computer login systems are revealed and shared with colleagues.


(ii) Retention Principle


DO’s:


All documents that contain personal data are kept in secure locations. A practical process for disposing of unused records and data is in place and strictly followed.


DON’Ts:


Inadequate storage of commercial agreements, client and vendor information, and financial documents due to incorrect storage practices or facilities. Negligent usage of storage cabinets or units. Absence of a well-defined protocol for data retention and disposal. Cabinets being utilized to hold objects besides documents.


(iii) Data Integrity Principle


DO’s:


The first task is to create a form that allows data subjects to update their personal information either digitally or through a hard copy. Upon receiving a personal data correction notice from the data subjects, the data should be immediately updated, corrected, or amended. To comply with relevant legislation, the types of data or documents needed to authenticate the data subjects' personal information should be identified. The data subjects should be informed of the process for updating their personal information through various methods, such as an online portal, an announcement or notice on the premises of the data user, or other appropriate forms of notification


DON’Ts:


Keeping outdated or incorrect personal information; Unauthorized modification of data by hackers or anonymous fraudsters; Uploading and circulating information that is untrue or incorrect.



To sum up

Despite the potential high costs of compliance, owners of small and medium-sized enterprises (SMEs) are advised to adhere to the data protection standards and principles mentioned above. In any case, data users and companies that handle personal information are required to follow the seven (7) principles outlined in the Act, regardless of the existence of minimum standards. If an enterprise is unsure about whether its data processing and retention operations comply with the Act's principles and minimum standards, it is recommended to seek legal advice.


At Rajvin Gill & Co, we are able to advise you on the legal measures to be undertaken in order for your business to comply with the prescribed principles under the Act, including the drafting and/or reviewing of your personal data protection policies.

Comments


bottom of page