Cambridge Analytica’s alleged hijacking of 87 million Facebook users’ data made global headlines; closer to home, Lowyat’s news exposé revealed that a local telco’s database of 46 million mobile phone numbers, together with Astro’s IPTV customer details, was being offered for sale online.
Beyond the jaw-dropping scale of these leaks, this article examines the responsibilities and standards that Malaysia’s Personal Data Protection laws impose on businesses in Malaysia, both big and small, when it comes to protecting and securing customers’ personal data, and sets out some of the practical steps such businesses are expected to take.
Section 9 of the Personal Data Protection Act 2010 of Malaysia (“PDPA”) establishes the Security Principle. The Security Principle is one of the 7 major principles that businesses acting as data users are obliged to comply with (Sections 6 to 12, PDPA). Failing to do so can attract fines and even jail terms.
The Security Principle requires data users, when processing personal data, to take practical steps to protect that data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In deciding which steps are needed and how far it should go to ensure such protection, the data user must take into account factors such as the nature of the personal data (i.e., how sensitive it is), the potential harm resulting from loss or misuse, the place or location of storage, the security measures built into any equipment used to store the data, the measures taken to ensure the reliability, integrity and competence of personnel having access, and the measures put in place to ensure the personal data is transferred securely (Section 9 PDPA).
In addition, many businesses that are data users rely on third-party service providers by ‘outsourcing’ the processing and storage of personal data on their behalf. In such cases, the Security Principle also requires the data user to obtain sufficient guarantees from the data processor that it (i) takes technical and organizational security measures governing the processing to be carried out AND (ii) takes reasonable steps to ensure compliance with those measures (Section 9 PDPA).
Practical Security Steps
Rule 6 of the Personal Data Protection Regulations (“PDPR”) suggests that one of the “practical steps” required by the Security Principle is to implement a security policy which is compliant with the Personal Data Protection Standard 2015 (the “Security Standards”).
The Security Standards are divided into standards for personal data stored electronically and standards for personal data stored non-electronically.
The Security Standards for personal data stored electronically compel data users to implement measures such as:
- registering all employees and personnel involved in processing personal data;
- providing user ID and password for employees and personnel involved in the processing of personal data;
- storing data in a safe location;
- controlling movement into and out of the said location;
- setting up around-the-clock security monitoring, such as CCTV, in the aforesaid location;
- using back-up services and anti-viruses;
- not permitting transfer of personal data through removable media devices (like pen drives) and cloud computing services, unless written permission from an officer authorized by the top management of the data user is obtained; and
- if using a third party to process personal data, binding the said third party with an agreement to ensure its compliance with the PDPA.
The Security Standards for personal data processed non-electronically compel data users to establish physical security procedures such as storing all personal data in an orderly manner in files and in a locked place, keeping all the related keys in a safe place, and keeping a record of key storage. Additionally, personal data must be stored in an appropriate location which is unexposed and safe from physical or natural threats.
The list above is not exhaustive, and each organization should undertake a risk assessment exercise to determine the sufficiency of its:
- security protocols,
- protection levels,
- access controls,
- staff responsibility, and
- disaster management plan,
as appropriate in the context of its own business.
| Term | Definition |
|---|---|
| data user | means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor; |
| data processor | in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes; |
| personal data | means any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010; and |
| processing | in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data; (c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of personal data. |
(source: Section 4, PDPA)