Malaysia - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
Prior to 2010, the regulation of personal data was governed mainly by industry specific legislation. Industry specific legislation in respect to data protection existed in the banking and finance, healthcare, and telecommunications industries, amongst others. In May 2010, the Personal Data Protection Act 2010 ('PDPA') was passed by the Malaysian Parliament and received Royal Assent in June 2010. The PDPA came into force on 15 November 2013, with a three-month grace period ending on 14 February 2014.
The PDPA purports to safeguard personal data by requiring data users to comply with certain obligations and conferring certain rights to the data subject in relation to his personal data.
Together with the PDPA, five pieces of subsidiary legislation were also enforced on 15 November 2013. These address issues such as the appointment of the Personal Data Protection Commissioner ('the Commissioner'), the registration of data users, and the fees that may be imposed under the PDPA. This subsidiary legislation was passed simultaneously in order to facilitate the enforcement of the PDPA.
The subsidiary legislation that has been passed to date include:
- the Personal Data Protection Regulations 2013 ('the 2013 Regulations');
- the Personal Data Protection (Class of Data Users) Order 2013 ('the Order');
- the Personal Data Protection (Registration of Data User) Regulations 2013 ('Registration Regulation');
- the Personal Data Protection (Fees) Regulations 2013;
- the Personal Data Protection (Compounding of Offences) Regulations 2016 ('Compounding of Offences Regulations'); and
- the Personal Data Protection (Class of Data Users) (Amendment) Order 2016 ('the Order Amendment').
Other subsidiary legislation pertains to the appointment of the Commissioner.
The Commissioner has issued the Personal Data Protection Standard 2015 ('the 2015 Standards') which came into force on 23 December 2015. The 2015 Standards include: security standards, retention standards, and data integrity standards, which applies to personal data that is processed electronically and non-electronically. The 2015 Standards are intended to be 'a minimum requirement' and will apply to all data users, meaning any person who processes, has control of, or allows the processing of, any personal data in connection with a commercial transaction.
Industry Codes of Practice
Data user forums were formed for specific industries, in particular, for the communications, banking and finance, insurance, hospitality, transport, direct sales, professional services, and utility sectors. Each data user forum was directed by the Commissioner to develop its own codes of practice for adherence by data users in the respective sectors.
Four codes of practice were finalised and registered by the Commissioner in 2017, namely the Code of Practice for the Banking and Financial Sector 2017, the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017, Code of Practice on Personal Data Protection for the insurance and Takaful Industries in Malaysia 2017, and the Personal Data Protection Code of Practice for the Communications Class Data Users 2017.
The Department of Personal Data Protection ('PDP’) has released a number of guidance documents and Frequently Asked Questions ('FAQs') on their website on various matters under the PDPA and its subsidiary legislation. There is also the Draft Guide for Data Users which was issued in March 2016.
1.3. Case Law
There has yet to be any reported cases under the PDPA. However, it has been reported on the PDP's website that enforcement actions in the form of penalties have been taken against entities in various sectors, namely tourism, education, and services sectors, for failure to register as data users and, in one case, for failure to obtain the requisite consent from the data subject.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The PDPA applies to any person who processes or has control over the processing of any personal data ('data user'). It is pertinent to note that processing is defined widely under the PDPA to cover a wide range of activities, including using, disseminating, collecting, recording, and/or storing personal data. Furthermore, only individuals are referred to as data subjects under the PDPA. The PDPA also contains specific provisions for data processors. A data processor that processes personal data solely on behalf of a data user may not be bound directly by the provisions of the PDPA, but rather, it is the duty of the data user to ensure compliance by the data processor with the relevant provisions under the PDPA.
The PDPA does not apply to personal data processed outside Malaysia, unless the data is intended to be further processed in Malaysia, and it also does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data, other than for the purpose of transit through Malaysia. The Government of Malaysia and state governments are also exempted from the application of the PDPA along with any information processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010.
2.2. What types of processing are covered/exempted?
The PDPA covers processing in relation to personal data defined as collecting, recording, holding or storing the personal data, or carrying out any operation or set of operations on the personal data, including:
- the organisation, adaptation, or alteration of personal data;
- the retrieval, consultation, or use of personal data;
- the disclosure of personal data by transmission, transfer, dissemination, or otherwise making available; or
- the alignment, combination, correction, erasure, or destruction of personal data.
Personal data processed only for the purposes of that individual's personal, family, or household affairs, including recreational purposes, are exempted from the PDPA.
However, the following are exempted from certain, but not all, data protection principles under the PDPA in some circumstances:
- processing for the prevention or detection of crime, for the purposes of investigations, apprehension or prosecution of offenders, or assessment or collection of any tax or duty or other similar impositions;
- in relation to information relating to the physical or mental health of a data subject, of which the application of the provisions in the PDPA to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
- solely for the purposes of preparing statistics or carrying out research, provided that the resulting statistics or research results are not in a form which identifies the data subject;
- for the purposes of, or in connection with, any court judgment or order;
- for the purpose of discharging regulatory functions if the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions; and
- for journalistic, literary or artistic purposes.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The PDP is an agency under the Ministry of Communications and Multimedia ('MCM'). It was officially launched by the Minister in Kuala Lumpur on 12 February 2012. The PDPA came into force on 15 December 2013. The current Commissioner is Mazmalek bin Mohamad who was appointed with effect from 22 January 2019.
3.2. Main powers, duties and responsibilities
The main responsibility of the PDP is to enforce and regulate the PDPA in Malaysia, and it focuses on the processing of personal data in commercial transactions and avoiding the misuse of personal data. In enforcing the PDPA, the Commissioner has also been mandated to register all classes of data users under the Order.
The Commissioner has the power to carry out inspections of data protection systems under the PDPA. Furthermore, the 2013 Regulations provide that the personal data system shall, at all reasonable times, be open to the inspection of the Commissioner or any inspection officer. During this inspection, documents such as consent and notice forms may be requested, as well as the list of third party disclosure or any other documentation evidencing compliance with standards issued by the Commissioner, or any other information that the Commissioner may request.
Other powers include, among other things, the power to designate data user forums, issue and register codes of practice, carry out investigations on receipt of complaints, serve enforcement notices, and authorise officers to take enforcement actions.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Three conditions must be fulfilled in order for data to be considered as personal data under the PDPA, namely:
- the data must be information in respect of commercial transactions;
- such information must be processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose, be recorded with the intention that it should be wholly or partly processed by such equipment or be recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; and
- the information must relate directly or indirectly to a data subject who is identified or identifiable from the information or other information in the possession of the data user.
In respect of the first condition, 'commercial transactions' are defined under the PDPA as transactions of a commercial nature and include any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance. It is currently unclear whether an employment relationship is considered to be a commercial transaction and whether employment-related information would come under the scope of the PDPA. The definition of 'personal data' appears to be sufficiently wide to cover the usual types of personal information collected in day to day transactions, for example, name, address, telephone number, email address, banking details, and photographs.
Sensitive Data: Sensitive personal data under the PDPA includes 'any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette.' The obligations imposed by the PDPA in respect of sensitive personal data are more stringent.
Data Controller: The PDPA defines 'data user', which is the equivalent of a 'data controller' as a person who either alone, or jointly, or in common with other persons, processes any personal data or has control over, or authorises the processing of any personal data, but does not include a data processor.
Data Processor: A data processor under the PDPA means 'any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of his own purposes.'
Other: Not applicable.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
The Order and the Order Amendment set out the classes of data users who have to be registered with the Commission.
The sectors which have been specified are:
- banking and financial institutions;
- tourism and hospitalities;
- direct selling;
- services, namely organisations, carrying on the following businesses: legal, audit, accountancy, engineering or architecture, retail or wholesale dealing as defined under the Control Supplies Act 1961, private employment agencies;
- real estate;
- pawnbrokers; and
It appears that for the most part, licensees under the relevant sectors are the data users, who have to be registered. Under the PDPA, a data user who falls within the prescribed classes is required to register itself within three months of the coming into force of the PDPA, although in practice, late registrations are still being accepted subject to such registrations being accompanied by a letter of explanation outlining the reason for late registration. The registration of data users can be completed on the PDP's website. The Minister may also require data user forums to be established and codes of practice to be prepared.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
A data user is required to comply with the seven personal data protection principles.
This principle prohibits a data user from processing personal data without the consent of a data subject. However, a data user is not required to comply with this requirement where the processing is necessary for:
- the performance of a contract to which the data subject is a party;
- taking steps, at the data subject's request, with a view to entering into a contract;
- compliance with any legal obligation to which the data user is the subject, other than a contractual obligation;
- protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
- the administration of justice; or
- the exercise of any functions conferred on any person under any law.
The PDPA also sets out certain parameters for the processing of personal data. It provides that personal data shall not be processed unless:
- it is for a lawful purpose directly related to the activity of the data user;
- it is necessary for, or directly related to that purpose; and
- the data is adequate and not excessive for that purpose.
The 2013 Regulations stipulate that consent must be recorded and must be properly kept by data users. The requirement to record consent implies that consent should be sought expressly or by way of opt-in methods, as arguably consent cannot be recorded where it is implied or where an opt-out method is used. Further, it is pertinent to note that the 2013 Regulations stipulate that the onus to prove consent is on the data user. The 2013 Regulations also state that when consent is required, the requirement to obtain consent shall be presented as distinguishable in its appearance from other matters. Where personal data relates to a data subject under 18 years of age, consent must be sought from the parent, guardian, or person who has parental responsibility of the data subject.
Notice and Choice Principle
This principle requires a data user to inform a data subject of various matters relating to the information of a data subject, which is being processed by, or on behalf of that data user.
The PDPA requires a data user to inform a data subject by written notice of the following, in both the national language, Malay, and in English:
- that the personal data of the data subject is being processed and a description of the data;
- the purposes for which the personal data is being collected and further processed;
- any information available to the data user as to the source of that personal data;
- the data subject's right to request access and correction of the personal data;
- the contact particulars of the data user in the event of any inquiries or complaints;
- the class of third parties to whom the data is or may be disclosed;
- the choices and means offered to a data subject to limit the processing of the data; and
- whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.
Notice of the above has to be given by the data user 'as soon as practicable,' that is, when the data user first requests the personal data from the data subject, when the data user first collects the personal data of the data subject, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party. The data subject must also be provided with a clear and readily accessible means to exercise his choice, where necessary, in both Malay and English.
This principle prohibits a data user from disclosing the personal data of a data subject:
- for any purpose other than the purpose disclosed, and directly related purpose; and
- to any party other than the class of third parties disclosed to the data subject.
However, disclosure of personal data is permitted where:
- consent has been given by the data subject;
- the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;
- the disclosure is required or authorised by law or order of the court;
- the data user had acted under the reasonable belief that he has a legal right to disclose the data to another person;
- the data user had acted under the reasonable belief that he would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or
- the disclosure was justified as being in the public interests in circumstances as determined by the Minister.
The 2013 Regulations stipulate that a list of third-party disclosures must also be kept by the data user, and such a list may be requested by the Commissioner or inspecting officer during an inspection.
This principle imposes an obligation on a data user to adopt specified measures to protect personal data from loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction during its processing. Where the data processing is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organisational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
Under the PDPA, it is stipulated that the following factors must be taken into account:
- the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction;
- the place or location where the personal data is stored;
- any security measures incorporated into any equipment in which the personal data is stored;
- the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and
- the measures taken for ensuring the secure transfer of the personal data.
According to the 2013 Regulations, a security policy has to be formulated by the data user. A brief overview of the security standards prescribed by the 2015 Standards are as follows:
- to ensure that personnel who manage personal data are registered under a registration system before being granted access to personal data;
- to ensure that all staff who are involved in the processing of personal data always protects the confidentiality of the personal data;
- to enforce access controls and limits;
- to implement physical security procedures such as entry and exit controls, storage of personal data in locations which are safe from physical or natural threats and not exposed, installation of CCTV around data storage areas, if required, and 24 hour security of facilities, if required;
- to implement backup and recovery systems. Data users should ensure that latest antivirus software is deployed and that they have in place scheduled malware monitoring and scanning operating systems to prevent attacks on electronically stored data;
- the transfer of personal data using removable media device and cloud computing service is not allowed except with the written approval of an authorised offer from high management of the data user's organisation;
- to record any transfer of personal data using removable media device and cloud computing services;
- the transfer of personal data using cloud computing service must follow the personal data protection principles in Malaysia and other countries which have personal data protection laws;
- to maintain proper access records to personal data periodically and those records must be presented when instructed by the Commissioner; and
- to enter into contracts with data processors, persons who process personal data on behalf of the data user, in respect of any data processing.
In respect of non-electronically processed personal data, a data user must:
- prescribe physical security procedures such as to keep all personal data properly in a file; keep all files containing personal data in a locked area; keep all relevant keys in a safe place; keep a record of key storage, and to store personal data in an appropriate location;
- the transfer of personal data using conventional methods such as through post, by hand, fax, or others must be recorded;
- to ensure that all used paper, printed documents, or other documents which clearly shows personal data must be properly destroyed; and
- conduct awareness programs on the responsibility to protect personal data for all relevant personnel, if necessary.
This principle provides that personal data must not be retained longer than is necessary for the fulfilment of the purpose for which it is processed and requires the data user to destroy or permanently delete all personal data which is no longer required for the purpose for which it was processed. However, under other laws, there may be minimum data retention periods, which may be specified, for example, under certain tax laws. It would appear unlikely that the retention of data in compliance with retention periods stipulated under other laws would be considered a contravention of the Retention Principle, though this has not yet been tested.
A brief overview of the retention standards prescribed by the 2015 Standards is as follows:
- to ensure that all legislation relating to the processing and storing of personal data is complied with before disposing of any personal data;
- not to retain the personal data for longer than is required unless there are other legislative requirements that require personal data to be kept for a longer period;
- to prepare and maintain records of disposal of personal data and these records should be submitted when directed by the Commissioner;
- to dispose of any personal data collection forms used for commercial transactions within 14 days, unless the form has legislative value in connection with the commercial transaction;
- to review and dispose of all personal data that is no longer needed in the database;
- to have a personal data disposal schedule, for a period of 24 months, for any inactive personal data; and
- the use of removable media device for purposes of personal data storage is not allowed without the written consent of higher management of the data user's organisation.
Data Integrity Principle
This principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
A brief overview of the data integrity standards prescribed by the 2015 Standards are as follows:
- to prepare a form for updating personal data, available online or in a physical copy;
- to update personal data immediately upon receiving a personal data correction notice from the data subject;
- to ensure that all relevant legislation is fulfilled by identifying the type of data or documents that are required to support the authenticity of the personal data of the data subject; and
- to inform the data subject about the updating of personal data either through a portal or by displaying an announcement on the data user's premise, or by other appropriate methods.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
The provisions under the PDPA generally concern data users directly and not data processors. However, data users are in certain cases required to contractually bind data processors to ensure compliance with the PDPA.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
Where the processing of personal data is carried out by a data processor on behalf of a data user, the PDPA for the purpose of protecting the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, requires the data user to ensure that the data processor:
- provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
- takes reasonable steps to ensure compliance with those measures.
Additionally, the security principle requires data users enter into contracts with data processors in respect of any data processing.
9. DATA SUBJECT RIGHTS
In addition to the obligations placed on a data user, the PDPA also confers the following rights on a data subject:
- the right of access to personal data;
- the right to require a data user to correct personal data;
- the right to withdraw consent to the processing of personal data;
- the right to prevent processing likely to cause damage or distress; and
- the right to prevent processing for direct marketing purposes.
Some of the rights mentioned above are further qualified by the provisions in the PDPA. In respect of the right of a data subject to prevent processing for direct marketing purposes, the PDPA stipulates that a data subject may, at any time by notice in writing to a data user, require the data user to cease or not to begin processing his/her personal data for purposes of direct marketing. Direct marketing is defined under the PDPA as 'communication by whatever means of any advertising or marketing material, which is directed to particular individuals.'
In the event the data subject is dissatisfied with the data user's failure to comply with the notice to cease processing for direct marketing, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. It is pertinent to note that if a data user fails to comply with the requirements of the Commissioner they would be committing an offence under the PDPA, which attracts a fine of up to MYR 200,000 (approx. €41,000) or to imprisonment for a term not exceeding two years, or both.
As of 11 January 2015, a data subject who believes that there has been a misuse of his/her data by an individual or an organisation may lodge a complaint online on the Commissioner's website (accessible here) in order for the necessary investigation to be carried out.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
The PDPA does not mandate the appointment of a data protection officer ('DPO') but the application form for registration of data users requires a 'compliance person' to be named which is indicated as the individual who will 'supervise the application of the PDPA' in the data user's organisation. A proposal paper entitled 'Guidelines on Compliance with Personal Data Protection 2010' seeking to introduce the designation of such officer was issued in 2014 but until it is gazetted as law, its status remains unclear.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
The PDPA does not currently provide for this but the authorities issued a public consultation paper entitled 'The Implementation of Data Breach Notification' which seeks to introduce a data breach notification regime, where data users will be required to notify regulators and affected individuals in the event of a data breach. The consultation paper sets out, among others, the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident and to provide details about the data at risk, actions that have been taken or will be taken to mitigate the risks to the data, details of notifications to affected individuals, and details of the organisation's training programs on data protection. However, the consultation paper has yet to be gazetted as law.
11.2. Sectoral obligations
While there is no general obligation to report a personal data breach to either individuals or the PDP under the PDPA, there appears to be various reporting obligations imposed by different regulators and authorities that have jurisdiction depending on the specific facts of each case.
As such, whether there is a requirement for notification of data breaches is largely fact specific and may depend on various factors including the types of services carried out, the entity concerned, and the level of severity of the breach. It is also not uncommon for regulators and authorities to have directives or guidelines which are internal or issued directly to industry meaning that the public does not have access to them.
In the health sector, there are general reporting obligations which are not specific to the notification of data breaches but may be relevant. For instance, section 37(1) of the Private Healthcare and Facilities Act 1998 states that a private healthcare facility or service must report to the Director General or any person authorised by him in that behalf, such unforeseeable and unanticipated incidents as may be prescribed.
In the financial sector, depending on the facts of the case, various reporting obligations imposed by regulators and authorities may be triggered which may or may not relate to data breaches. For instance, under the Guidelines on Internet Insurance published by the Central Bank of Malaysia ('BNM'), licensed insurers that carry out internet insurance activities are required to report material security breaches, system downtime and degradation in system performance that critically affects the insurer to the BNM.
The BNM has also issued the Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorised access, modification or disclosure by whatever means of customer information. There is also a template attached to the guidance document for reporting a customer information breach.
Under the Guidelines on Data Management and Management Information System ('MIS') Framework published by the BNM, boards of licensed financial institutions are required to inform the BNM of any developments that may have a material bearing on the institution's operations, risk profile, or financial condition. Public listed companies are also subject to the Listing Requirements issued by Bursa Malaysia where listed issuers are required to disclose to the public immediately all material information necessary for informed investing.
Where capital market entities are concerned, the Guidelines on Management of Cyber Risk published by the Securities Commission of Malaysia ('SC') requires all such entities to report to the SC any detection of a cyber incident which may or has had an impact on the information assets or systems of the entity, on the day of the occurrence of the incident. Therefore, whether there are notification of data breach requirements largely depends on the specific facts and circumstances of each case. However, under the Financial Services Act 2013 ('FSA'), protection is conferred upon those that disclose in good faith to the BNM their knowledge, belief, or any document or information that a breach of contravention has been committed or is about to be committed under the FSA.
Failure to comply with the provisions in the PDPA may amount to a criminal offence. Breaching of any of the seven data protection principles attracts a fine of up to MYR 300,000 (approx. €61,520) and/or to two years imprisonment. The unlawful collection, disclosure, and sale of personal data attracts a fine of up to MYR 500,000 (approx. €102,530) and/or up to three years imprisonment.
If a corporate body is found to have committed an offence, the officers of such corporate bodies are deemed to have committed the offence personally. However, the officer/s of such corporate body may not be found to have committed the offence if he/she/they can prove the offence was committed without his/her/their knowledge or consent and he/she/they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
The Compounding of Offences Regulations came into operation on 15 March 2016, and provides that certain offences may be compounded with the consent of the Public Prosecutor in the form and manner prescribed. The offences prescribed thus far relates to certain offences under the PDPA, the 2013 Regulations, and the Registration Regulation.
13. ADDITIONAL RELEVANT TOPICS
The PDP has released its Annual Report 2016 (only available in Malay here) based on inspections carried out pursuant to Section 101 of the PDPA. The report shows that inspection was carried out across various sectors including direct sales, education, health, banking and financial, property, and tourism sectors. The report also shows that there have been several non-compliances with the PDPA following such inspection, particularly the security principle as well as notice and choice principle.
Apart from inspections and audits, as noted above, the PDP has been taking enforcement actions against non-compliance, and it is expected that the PDP will continue to increase efforts in respect of such enforcement actions.
On 18 March 2019, the MCM Minister announced that the government is currently reviewing the PDPA to ensure it is in line with global developments. The MCM is keen to incorporate key points of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into the PDPA. Among the areas being looked at by the MCM are cross-border data transfers, data breach notifications, and whether the government should be exempted from the PDPA.
As part of an ongoing review of the PDPA, the Commissioner has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 ('PC01/2020') dated 14 February 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020. Some of the issues for which feedback is sought include extension of obligations to data processors, data portability, appointment of DPO, reporting of data breaches, and providing the right to commence civil litigation against data users.
13.1. Data Transfers and Outsourcing
The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country, which has been specified and recorded in the Official Gazette by the Minister. Currently, no countries have been specified officially. Notwithstanding the prohibition on transfers of personal data out of the country, the PDPA sets out a number of exceptions to the prohibition, such as, where the consent of the data subject has been obtained for such transfer and where the transfer is necessary for the performance of a contract between the parties. When in doubt as to whether the exemptions on data transfer apply, the prudent approach would be to obtain consent from the data subject in respect of such out of Malaysia transfers. In relation to outsourcing, a data user is not allowed to share data with third parties unless the consent of the individual has been obtained.
The PDP had issued a proposal paper to act as a guide on the management of employee data under the PDPA ('the Proposal Paper'). The Proposal Paper was introduced to clarify whether the PDPA would apply to an employer-employee relationship. The PDPA applies to any person who processes and has control over the processing of personal data in respect of commercial transactions. Commercial transactions are defined in the PDPA as 'any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services.' By this definition, the Proposal Paper clarified that an employer-employee relationship is treated as a commercial transaction since it arises from a contract of service in exchange for remuneration. This means that employers are required to comply with the PDPA in respect of the processing of their employees' personal data, not just the personal data of their customers and suppliers. However, the proposal paper has not matured into law or official guidelines.
13.3. Data Retention
In addition to the retention principle under the PDPA, as highlighted section 6 above, the 2015 Standards outline three main standards: security, retention, and data integrity standards which have application to personal data which is processed either electronically and non-electronically.
A brief overview of the measures prescribed by the 2015 Standards are as follows:
- to ensure that all legislation relating to the processing and storing of personal data is complied with before disposing of the said personal data;
- not retaining personal data for longer than is required unless there are other legislative requirements that require personal data to be kept for a longer period;
- to prepare and maintain records on the disposal of personal data and to submit these records when directed by the Commissioner;
- to dispose of any personal data collection forms used for commercial transactions within 14 days, unless the form has legislative value in connection with the commercial transaction;
- to review and dispose of all personal data that is no longer needed in the database;
- to have a personal data disposal schedule for a period of 24 months for any inactive personal data; and
- to obtain written consent from the higher management of the data user's organisation if using removable media devices for the purposes of personal data storage.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES