Personal Identifiable Information formats
What forms of PII are covered by the law?
Any information relating directly or indirectly to an individual who is identified or identifiable from that information, or from that and other information in the data user’s possession, is considered personal data within the ambit of the PDPA. Such a broad definition includes data in both electronic and manual form.
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The PDPA applies to data users who are:
- established in Malaysia (and the personal data is processed by that person or any other person employed or engaged by that establishment); or
- not established in Malaysia, but use equipment in Malaysia to process the personal data otherwise than for the purposes of transit through Malaysia.
The PDPA will not apply to any personal data processed outside Malaysia unless it is intended to be further processed in Malaysia.
Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
‘Processing’ is defined widely to include collection, recording, storage and use of personal data but the PDPA applies to personal data processed in respect of a commercial transaction only. Certain types of processing are also exempted – for example, processing by an individual only for his or her personal, family or household affairs is exempted.
The PDPA distinguishes between a ‘data user’, ‘data processor’ and ‘data subject’. A data user, which is conceptually similar to a controller, means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data but does not include a processor. A data processor means any person other than an employee of the data user who processes personal data solely on behalf of the data user, and does not process the personal data for any of his or her own purposes. The obligations are imposed on the data user and there are specific obligations imposed on the data user where a data processor is used. However, the data processor is not bound directly under the PDPA.
Legitimate processing of PII
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
The PDPA requires consent (for processing of non-sensitive personal data) and explicit consent (for processing of sensitive personal data), failing which the processing must be legitimised on one of the specific grounds of exemption. For non-sensitive personal data, the PDPA provides certain exemptions where the processing is necessary:
- for the performance of a contract to which the individual is a party;
- for the taking of steps at the request of the individual with a view to entering into a contract;
- for compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract;
- to protect the individual’s vital interests;
- for the administration of justice; or
- for the exercise of any functions conferred on any person by or under any law.
Processing sensitive personal data without explicit consent is subject to separate exemptions.
But there are conditions for processing that the data user must comply with (regardless of whether consent or explicit consent has been obtained). Personal data shall not be processed unless:
- the personal data is processed for a lawful purpose directly related to an activity of the data user;
- the processing of the personal data is necessary for or directly related to that purpose; and
- the personal data is adequate but not excessive in relation to that purpose.
Legitimate processing – types of PII
Does the law impose more stringent rules for specific types of PII?
Stricter rules apply to processing of ‘sensitive personal data’, which includes information relating to mental or physical health, political opinions, religious beliefs and other beliefs of a similar kind as well as information relating to the commission or alleged commission of any offence or any other personal data as the Communications and Multimedia Minister may determine by a gazette order. Processing sensitive personal data requires explicit consent unless an exemption applies. Some examples are where the processing relates to information that has been made public as a result of steps deliberately taken by the data subject or where the processing is necessary:
- for the purposes of exercising or performing any right or obligation that is conferred or imposed by law on the data user in connection with employment;
- to protect the vital interests of the data subject or another person, where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject;
- to protect the vital interests of another person, where consent by or on behalf of the data subject has been unreasonably withheld; or
- for the purposes of obtaining legal advice, or the establishment, exercise or defence of legal claims.
Data handling responsibilities of owners of PII
Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
A data user must notify the individual in writing in English and Malay of the following:
- that the individual’s personal data is being processed by or on behalf of the data user, with a description of the personal data;
- the purposes for which the personal data is being or is to be collected and further processed;
- any information available to the data user as to the source of that personal data;
- the individual’s right to request access to and to request correction of the personal data, and how to contact the data user with any enquiries or complaints in respect of the personal data;
- the class of third parties to whom the data user discloses or may disclose the personal data;
- the choices and means the data user offers the individual for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
- whether it is obligatory or voluntary for the individual to supply the personal data; and
- where obligatory, the consequences of failure to supply the personal data.
The notice must also be given ‘as soon as practicable’, either:
- when the individual is first asked by the data user to provide his or her personal data;
- when the data user first collects the personal data; or
- in any other case, before the data user uses the personal data for a purpose other than the purpose for which the personal data was collected, or before the data user discloses the personal data to a third party.
Exemption from notification
When is notice not required?
Notice is not required when personal data:
- is processed for the prevention or detection of crime or for the purpose of investigations, apprehension or prosecution of offenders, or assessment or collection of any tax or duty or other similar impositions;
- is processed for the purposes of preparing statistics or carrying out research provided that the resulting statistics or research results are not in a form that identifies the individual;
- is necessary for or in connection with any court judgment or order;
- is processed to discharge regulatory functions if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; and
- is processed for journalistic, literary or artistic purposes, provided that the processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material, the publication would be in the public interest and compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
The data user must notify the individual of the choices and means for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data.
The PDPA also gives the individual the right to withdraw consent and certain qualified rights – for example, the right to access and correct personal data, prevent processing likely to cause damage and distress and prevent processing for direct marketing.
Does the law impose standards in relation to the quality, currency and accuracy of PII?
Data users must take reasonable steps to ensure the personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose (and any directly related purpose) for which it was collected and processed. Data users must also comply with the data integrity standards set by the Commissioner – for example, the data user must update the personal data immediately upon receiving a data correction notice from the individual and notify the individual of the update through appropriate methods.
Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
Personal data cannot be kept longer than is necessary to fulfil the processing purpose unless a longer retention period is required by law (eg, Malaysian tax laws generally require all relevant records and documents to be retained for seven years). Retention must be in accordance with the retention standards set by the Commissioner, which further specify the time frame – for example, the data user must dispose of any personal data collection forms used for commercial transactions within 14 days, unless they carry legal value in relation to the commercial transaction.
Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?
The ‘finality principle’ is not expressly featured in the PDPA but there are similar conditions of processing under the General Principle, where data users may not process personal data unless it is for a lawful purpose directly related to the data user’s activity, the processing is necessary and directly related to the purpose, and the personal data is adequate and not excessive in relation to that purpose. Processing must also be restricted to the purposes described in the notice.
Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
For new purposes, consent must be obtained again unless any of the exceptions to the consent (or explicit consent) requirement applies. The notice must also be amended to cater for the new purpose.