The Malaysian Personal Data Protection Department (“PDPD”) recently issued Public Consultation Paper No. 1/2015 on the proposed Personal Data Protection Standards (“Standards”). The Standards are intended to set minimum requirements under the Personal Data Protection Act 2010 (“PDPA”) governing the collection, processing and maintenance of personal data by data users. The Standards are not yet in force, as the PDPD is currently seeking public feedback on the proposed text.
Some of the key proposals in the Standards include requiring data users to comply with the following:
- Setting physical security procedures, such as controlling entry to and exit from the data storage area (including CCTV monitoring and 24-hour security guard services, where necessary)
- Having proper back-up and recovery systems and anti-virus software to protect against unauthorized access to personal data
- Entering into contracts with third parties who are processing personal data on behalf of the data user
- Conducting Personal Data Protection awareness programs and training
- Disposing of hard copies by shredding or other appropriate means
- Having Standard Operating Procedures in place for accessing and using personal data
- Having regular / scheduled deletion of inactive personal data
The Standards, once in force, will impose additional obligations on data users to ensure that they comply with the Personal Data Protection Act (“Act”). Given that some of the Standards may be considered onerous and costly for data users (especially SMEs), it is likely that some of them will be revised further before they are finalised. Notwithstanding the above, data users should ensure that they do not merely pay lip service to the requirements of the Act, and that serious efforts are made to adhere to the seven Personal Data Protection Principles set out in the Act.