The Malaysia Personal Data Protection Act 2010 - All you need to know (Part 1)

The Malaysia Personal Data Protection Act 2010 (PDPA) came into force on November 15, 2013. It sets out a comprehensive cross-sectoral framework for protecting individuals’ personal data in commercial transactions.

This article is the first of three and covers an introduction to PDPA 2010 law, its underlying scope and definitions, where PDPA authority lies and the sectors that must register.

An introduction to PDPA 2010 law

The PDPA was introduced to strengthen consumer confidence in business transactions and e-commerce, in response to the increasing number of credit card and identity theft frauds and the sale of personal data without the user’s consent.

Before PDPA 2010 was introduced, data protection obligations existed only within specific sectoral secrecy and confidentiality obligations – personal information was protected only as ‘confidential information’ through civil actions or contractual obligations for breach of confidence.

Scope and definitions

Under the Act, data users must be in compliance with seven personal data protection principles:

  1. General – Personal data may only be processed with the explicit permission of the data subject.
  2. Notice and Choice – Data subjects must be informed through written notice of (among other things) the type of data being processed, the purpose for processing it, their right to request access to that data and to amend it, and the choices and means by which they can limit the processing of such personal data.
  3. Disclosure – Personal data must not be disclosed for any purpose other than the one disclosed at the time of collection; furthermore, data must only be disclosed to persons the data subject has already agreed to, or has been notified of by the data user in advance.
  4. Security – Data users must take the required steps to protect personal data from misuse, loss, manipulation and unauthorized disclosure, access, modification or destruction.
  5. Retention – Personal data may not be stored for longer than is necessary to fulfil the purpose for which it was collected.
  6. Data integrity – Data users must take appropriate steps to ensure that the personal data they hold is up to date, accurate, complete and not misleading in any way.
  7. Access – Data subjects must be allowed access to their personal data so that they can update or correct inaccurate, incomplete or misleading data.

PDPA authority

The Personal Data Protection Commissioner is the authority responsible for implementing and enforcing PDPA 2010 in Malaysia.

The Commissioner has sole discretion to do whatever is necessary for the performance of his or her functions under the PDPA. This includes:

The Commissioner also has the right to serve an enforcement notice after an investigation. The notice sets out the breach, the remedial steps required and the compliance deadline – or, if required, directs the data user to stop processing data indefinitely.

Sectors that must register

The following sectors are required to register with the Commissioner’s office according to the Personal Data Protection Order 2013:

The Formiti International Team covers data regulations across 6 global regions and 15 countries.

In Part 2, we’ll discuss the disclosure, security, retention and data integrity principles contained within PDPA 2010.

The first article of this three-part series gave a general overview of PDPA 2010, its scope and definitions, where authority lies and the sectors that must register. We also briefly touched upon the seven underlying principles of the Act.

In this second part, we discuss those seven key principles in detail, which Malaysian businesses (referred to as the data user) must be familiar with in order to ensure compliance:

7 PDPA 2010 Principles businesses must know

A data user must comply with the following seven Malaysian PDPA principles:

General Principle

Under this principle, data users must not process personal data unless the data subject has given written consent. That said, a data user is under no obligation to comply with this requirement where data processing is needed for:

Under PDPA 2010, the personal data of a data subject can only be processed when:

Notice and Choice Principle

Under the notice and choice principle, data users must inform a data subject of a variety of matters relating to the data subject’s personal information that may need to be processed by or on behalf of the data user.

According to PDPA law, a data user must notify a data subject in writing, in both Malay and English, when:

The above notice must be given to the data subject by the data user at the first possible opportunity – that is, when the latter first requests that personal data be provided.

Disclosure Principle

Under this principle, a data user cannot disclose a data subject’s personal data under these two conditions:

Personal data disclosure is, however, permissible under the following:

Security Principle

This principle obliges the data user to take specific measures to protect a data subject’s personal data from loss, modification, misuse, accidental or unauthorized disclosure, or destruction during processing. The following factors are to be considered:

In addition, a security policy must be prepared by the data user according to the 2013 Regulations.

Retention Principle

This principle stipulates that personal data may only be retained for as long as is necessary to fulfil the purpose for which it was processed. The data user must permanently destroy the data once the data subject’s personal data is no longer required for processing purposes.

However, minimum data retention periods may apply under other laws, such as specific tax laws. That said, it is quite unlikely that retention of data required under other laws would be treated as a contravention of this principle, though this has not been tested in practice.

Here’s a brief overview of the retention standards set out in the 2015 Standards issued under the PDPA:

Data Integrity Principle

Under this principle, the data user must take the appropriate steps to ensure that all personal data collected is entirely complete, accurate, up-to-date and not misleading in regards to the underlying purpose for storing and processing such data.

Here’s a brief overview of the data integrity standards set out in the 2015 Standards issued under the PDPA:

Access Principle

The Access principle gives data subjects the right to access and correct their personal data where it is incomplete, misleading, inaccurate or outdated. The PDPA also sets out the circumstances under which a data user may refuse to comply with a data correction request put forth by the data subject.

Keep a lookout for Part 3, coming soon. In Part 3 of the series, we discuss controller/processor contracts, data subject rights, breach reporting in the health and financial sectors, and data transfers.

In Part 2 of the series, we discussed the seven key principles under the Malaysian PDPA 2010. This final article focuses on data controller contracts, data subject rights, data transfers and how breach reporting is done in the health and financial sectors.

Data Processor / Controller and Contracts

It should be noted that the provisions of PDPA 2010 for the most part concern data users rather than data processors. However, under specific circumstances, data users may be required to contractually bind data processors/controllers in order to ensure PDPA compliance.

This brings us to data controller/processor agreements or contracts.

Whenever personal data processing is carried out by a data processor or controller on behalf of a data user, the PDPA requires the data user – for the purpose of protecting that personal data from loss, modification, misuse, accidental/unauthorized disclosure or access, or destruction – to ensure that the data controller/processor meets the following criteria:

In addition, as per the Security Principle, which was discussed in detail in part 2, data users can enter into contracts with data controllers/processors with regard to any kind of data processing which may be required.

Data Subject Rights

Apart from the obligations placed by the PDPA on a data user, it also offers these rights to a data subject:

Some of the above rights are subject to further PDPA provisions. For example, with respect to the last one, a data subject can, through written notice, require the data user to immediately stop or not begin processing the personal data for direct marketing purposes. If the data subject is not satisfied with the data user’s response, he/she may forward a formal application to the Commissioner to enforce compliance with the notice.

If a data subject believes that his/her personal data has been misused or used in a way that goes against his/her wishes or consent, he/she may register a complaint with the Commissioner.

Data Transfers

The PDPA does not permit the transfer of personal data out of Malaysia unless the transfer is to a country that the Minister has specified in the Official Gazette. As it stands, no countries have yet been specified.

However, the PDPA sets out certain exceptions to this prohibition – for instance, where the data subject has consented to the transfer, or where the transfer is necessary for the performance of a contract between the parties concerned.

If in doubt as to whether any such exemption applies to a data transfer, the best course of action is to obtain the data subject’s consent for transfers out of Malaysia.

Breach Reporting in the Health and Financial sector

There appears to be no general obligation on either party to report a breach of personal data under the PDPA – however, a number of reporting obligations are imposed by authorities and regulators that have jurisdiction depending on the facts of each case.

Here’s how breach reporting is done in these two sectors:

Health

In the health sector, the general breach reporting obligations are not specific to data breach notifications, but they are still relevant.

For example, Section 37(1) of the Private Healthcare and Facilities Act 1998 provides that a private healthcare service or facility must report breaches to the Director General or any person authorized on his behalf.

Financial

In the financial sector, things are a bit more nuanced. Various breach reporting obligations imposed by authorities and regulators may be triggered, and these may or may not coincide with data breaches.

For example, the Central Bank of Malaysia (BNM) has published Guidelines on Internet Insurance, which state that licensed insurers carrying out internet-based insurance activities must report to the BNM any material security breaches, system performance degradation and downtime that critically affect the insurer.

Additionally, the BNM has published the Management of Customer Information & Permitted Disclosure guidance, which explains that financial service providers must have a customer information breach handling and response mechanism in place for any loss, misuse, theft, modification or disclosure of the customer information they hold. The guidance document is accompanied by a template that guides complainants on how to report a customer information breach.

Under the separate Guidelines on Data Management and MIS Framework, also published by the BNM, boards of registered financial companies must inform the BNM of any development whatsoever that may have a material effect on the company’s risk profile, financial condition or day-to-day operations.

Furthermore, public listed companies must abide by the Listing Requirements of Bursa Malaysia – listed issuers must disclose to the public, without delay, all material information that may be important and necessary for informed investing decisions.

In regards to capital markets, the Securities Commission of Malaysia (SC) has published the Guidelines on Management of Cyber Risk, which require all affected entities to file a report with the SC whenever a cyber incident has an adverse effect on the entity’s systems or information assets. This must be reported on the day the incident occurs.

To conclude, the specific circumstances and facts of each case are the two underlying factors that decide whether a financial institution is required to notify a data breach. That said, the Financial Services Act 2013 (FSA) offers protection to financial companies that voluntarily disclose information, knowledge or documents to the BNM which clearly indicate that a breach or contravention under the FSA has occurred or is about to occur.

Final thoughts

That wraps up the final part of this series. You can read through Part 1 and Part 2 to understand the other aspects of PDPA 2010.

Hopefully, this series has proven useful to help you understand what PDPA in Malaysia is and what you can and cannot do as a data user or a data subject.