Employee Data under the Personal Data Protection Act 2010

Earlier in the year, the Malaysian Personal Data Protection Department prepared a proposal paper  (“Paper“) to act as a guide on the management of employee data under the Malaysian Personal Data Protection Act (“PDPA“).

Some key takeaways from the Paper:

1. The PDPA applies to any person who processes and has control over the processing of “personal data” in respect of “commercial transactions”. Commercial transactions is defined in the PDPA as “any transaction of a commercial nature, whether contractual or not, which includes any  matters relating to the supply or exchange of goods or services…” By this definition, the employer-employee relationship is treated as a “commercial transaction” since it arises from a contract of service in exchange for remuneration.
2. What this means is that employers are required to comply with the PDPA in respect of the processing of their employees’ personal data – not just the personal data of their customers and suppliers.
3. Employers must therefore obtain consent (implied or express) before collecting and processing employees’ personal data (if sensitive personal data is being collected, then explicit consent must be obtained)
4. Employers must evaluate and determine what information is absolutely necessary for the discharge of their duties as an employer and avoid excessive data collection.
5. Employers must notify their employees of the nature and purpose of information being collected, to whom it is being disclosed to, and that the employees have the right to access such data.
6. Under the PDPA, personal data cannot be shared with third parties unless consent of the individual is obtained. As such, employers who outsource human resources functions (eg: payroll) will need to ensure that employees are duly notified and that their consent has been obtained.
7. Employers are responsible for ensuring that reasonable security measures are put in place to ensure that their employees’ personal data are protected. There is no definition of what amounts to “reasonable security measures”; however the Paper does provide an example of keeping employees’ personnel files in “securely locked cabinets”.
8. Employers must destroy the employees’ personal data when it is no longer required. However this must be read in line with other statutory obligations to retain data which may be imposed on employers (eg: the Employment Act requires information registers of employees to be kept for at least 6 years).
9. Employers should ensure that the personal data of their employees is regularly updated.
10. Employers must allow employees to access their personal data, so that any inaccuracies, incomplete information or outdated information can be rectified. However, in certain cases, an employer may be given exemption, for example where there is an element of confidentiality involved

Businesses should not focus solely on the personal data of their customers, suppliers and business contacts at the expense of their own employees. Employers are well advised to look into their human resources management to ensure that their processing of employee personal data is in compliance with the PDPA as the penalties for non-compliance can be severe.