The Malaysian Personal Data Protection Act 2010 (“the Act”) came into force on 15 November 2013. The Act requires businesses in Malaysia to assume additional responsibilities and obligations when processing the personal data of their employees, suppliers, and customers. This article provides an overview of the key issues to note under the Act.
The Act applies to any person who processes, has control over, or authorizes the processing of any “personal data” in respect of commercial transactions (the “data user”). The Act also applies to persons not established in Malaysia (for example, international organisations) if they use equipment in Malaysia to process personal data for any purpose other than transit through Malaysia.
Certain classes of data users (e.g. licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register with the Department of Personal Data Protection.
HOW IS PERSONAL DATA DETERMINED UNDER THE ACT?
Broadly, “personal data” covered by the Act is any information relating to a data subject who is identifiable from that information, which is being processed or collected. This wide definition covers data such as names, contact details, national registration identity card numbers, and passport numbers. Personal data also includes sensitive personal data, such as information about the data subject’s physical or mental health, political opinions, religious beliefs, and criminal convictions, among others.
WHAT IS REQUIRED BY THE ACT?
Under the Act, data users are required to adhere to the seven Personal Data Protection Principles:
- General: Personal data can only be processed with the data subject’s consent.
- Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
- Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that for which the data was disclosed at the time of collection, or to any person other than those notified to the data user.
- Security: Data users must take practical steps to protect personal data from any loss, misuse, modification, unauthorized access or disclosure, alteration or destruction.
- Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
- Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
- Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.
Maximum fines for various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.
WHAT STEPS CAN A BUSINESS TAKE TO HELP ACHIEVE COMPLIANCE?
If your organization is a data user under the Act, you should start considering the following actions:
- Conduct an audit to identify:
  (a) the types of personal data being collected and processed;
  (b) the purposes for which personal data is being collected;
  (c) the third parties to whom personal data is being disclosed; and
  (d) how data subjects are being notified of the data processing.
- Have a privacy framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.
- Key personnel must be trained on the application of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.
- Board-level commitment. Given the severe consequences of non-compliance, it is imperative that senior management sets the tone and buys in to the importance of complying with the Act.
- Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.
While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world, as well as boosting investor confidence.