The Personal Data Protection Act 2010 (“PDPA”) finally came into force on 15 November 2013 and marks the introduction of a data privacy regime in Malaysia.
The objective of the PDPA is to regulate the processing of personal data and to safeguard the data privacy rights of individuals. It applies to anyone who processes personal data (“data user”) of an individual (“data subject”) in commercial transactions.
Data users have until 14 February 2014 to comply with the PDPA. Essentially, a data user must comply with the 7 personal data protection principles, which form the backbone of the PDPA.
The 7 principles are:
- General – consent is required before personal data can be processed
- Notice & Choice – individuals must be notified of the purpose for which their data is processed
- Disclosure – personal data cannot be disclosed without consent
- Security – data users must take practical steps to protect the security of personal data
- Retention – personal data can only be retained for as long as it is required
- Data Integrity – personal data that is collected must be accurate, complete and updated
- Access – all individuals have the right to view and correct their personal data
Aside from the negative publicity, penalties for violation of data privacy or non-compliance with the PDPA include fines of up to RM500,000 for companies and/or fines and imprisonment of up to 3 years for officers of the offending company.
Several new regulations have also been issued. These are:
- Personal Data Protection Regulations 2013;
- Personal Data Protection (Class of Data Users) Order 2013;
- Personal Data Protection (Registration of Data User) Regulations 2013; and
- Personal Data Protection (Fees) Regulations 2013.
Personal Data Protection Regulations 2013
These regulations provide some clarification on the 7 principles, which can be summarised as follows:
- General Principle – consent obtained by data users from data subjects must be capable of being recorded and maintained properly. It appears that implied consent is not acceptable.
- Notice & Choice Principle – data users must give data subjects information on how to contact them for inquiries or complaints, such as the designation of the contact person, phone and fax numbers, email address and any other related information (if any). The notice must also be given in Malay.
- Security Principle – data users must develop and implement a security policy that will comply with the security standards prescribed by the Personal Data Protection Commissioner (“Commissioner”). Data users must also ensure that these security standards are complied with by data processors who process personal data on their behalf.
- Retention Principle – data users must ensure that personal data of their data subjects are retained in accordance with the standards prescribed by the Commissioner.
- Data Integrity Principle – data users must ensure that the processing of personal data is in accordance with the data integrity standards prescribed by the Commissioner.
Personal Data Protection (Class of Data Users) Order 2013
This order provides that the following classes of data users must register with the Commissioner in the next 3 months:
- Communications
- Banking and financial institutions
- Insurance
- Health (e.g. private hospitals, clinics, dental clinics and pharmacies)
- Tourism and hospitalities (e.g. tour operators, travel agents, tourist guides, tourist accommodation premises)
- Transportation (all Malaysian airlines)
- Education (e.g. private higher education institutions, private schools)
- Direct selling
- Services (e.g. lawyers, auditors, accountants, engineers, architects, retail and wholesale dealings and employment agencies)
- Real Estate (e.g. housing developers)
The other two regulations deal with the fees payable under the PDPA and the registration process for data users. Registration fees range from RM100 to RM400, depending on the category of the data user.
Appointment of the Commissioner
The Minister of Communications and Multimedia has also announced the appointment of Tuan Haji Abu Hassan bin Ismail as the Commissioner. It is also expected that the Personal Data Protection Department (“PDPD”) will be converted into an independent Personal Data Protection Commission, which is consistent with the provisions of the PDPA and in line with international practice.
The writer understands that the PDPA will be implemented in 3 phases:
- Phase 1 will focus on the registration of data users and creating awareness;
- Phase 2 will see enforcement teams carrying out inspections for compliance; and
- Phase 3 will see the Commissioner undertake audits and commence a prosecution for non-compliance.
Whilst individuals will rejoice in knowing there is a law that now protects their personal data, numerous points still require clarification, as comprehensive guidelines on how the PDPA will be enforced have not yet been issued.
Nevertheless, given the severe penalties under the PDPA and the potential reputational damage from non-compliance or violation of data privacy, companies are unlikely to risk non-compliance. If not already in place, businesses should immediately review their processes, contracts and standard forms, and implement sound internal policies on personal data processing to ensure compliance with the PDPA.