WHO IS COVERED BY THE ACT?
The Malaysian Personal Data Protection Act 2010 (“the Act”) came into force on 15 November 2013.
The Act applies to any person who processes and has control over or authorizes the processing of any “personal data” in respect of commercial transactions (“data user”). The Act even applies to persons not established in Malaysia (for example: foreign companies), if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia.
Certain classes of data users (eg: licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register themselves with the Department of Personal Data Protection.
WHAT IS PERSONAL DATA?
Generally speaking, “personal data” covered by the Act is information that relates to a data subject who is identifiable from that information. This broad definition will typically cover information like names, contact details, national registration identity card numbers, and passport numbers. Personal data also includes any sensitive personal data such as the physical or mental health of that data subject, his political opinions and religious beliefs, and criminal convictions among others.
WHAT IS REQUIRED BY THE ACT?
Under the Act, data users are required to comply with 7 Personal Data Protection Principles.
- General: Personal data can only be processed with the data subject’s consent.
- Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
- Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that for which the data was disclosed at the time of collection, or to any person other than that notified to the data user.
- Security: Data users must take practical steps to protect the personal data from any loss, misuse, modification or unauthorized access or disclosure, alteration or destruction.
- Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
- Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
- Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.
Maximum fines for the various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.
WHAT SHOULD YOU DO?
If your organization is a data user under the Act, you should start considering the following actions:
- Conduct an audit to identify: (a) the types of personal data being collected and processed; (b) the purposes for which personal data is being collected; (c) third parties to whom personal data is being disclosed; and (d) how data subjects are being notified of the data processing.
- Have a framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.
- Key personnel must be trained on the workings of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.
- Tone at the top. Given the severe consequences for non-compliance, it is imperative that senior management set the tone and “buy in” to the importance of complying with the Act.
- Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.
While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world as well as boosting investor confidence.
ABOUT THE AUTHOR. Donovan Cheah is a partner at Donovan & Ho. He is an advocate and solicitor of the High Court of Malaya, and his writings have been featured in publications like The Star, the American Chamber of Commerce updates, and Asialaw.