Malaysia - Data Protection Overview
1. Governing Texts
Data protection in Malaysia is primarily governed by the Personal Data Protection Act 2010 ('PDPA') and subsidiary legislation as outlined below. The PDPA purports to safeguard personal data by requiring data users to comply with certain obligations and conferring certain rights to the data subject in relation to their personal data.
Prior to 2010, the regulation of personal data was governed mainly by industry-specific legislation. Industry-specific legislation with respect to data protection existed in the banking and finance, healthcare, and telecommunications industries, among others. In May 2010, the PDPA was passed by the Malaysian Parliament and received Royal Assent in June 2010. The PDPA came into force on 15 November 2013, with a three-month grace period ending on 14 February 2014.
Together with the PDPA, five pieces of subsidiary legislation were also enforced on 15 November 2013. These address issues such as the appointment of the Personal Data Protection Commissioner ('the Commissioner'), the registration of data users, and the fees that may be imposed under the PDPA. This subsidiary legislation was passed simultaneously in order to facilitate the enforcement of the PDPA.
The subsidiary legislation that has been passed to date includes:
- the Personal Data Protection Regulations 2013 ('the 2013 Regulations');
- the Personal Data Protection (Class of Data Users) Order 2013 ('the Order');
- the Personal Data Protection (Registration of Data User) Regulations 2013 ('the Registration Regulation');
- the Personal Data Protection (Fees) Regulations 2013;
- the Personal Data Protection (Compounding of Offences) Regulations 2016 ('the Compounding of Offences Regulations');
- the Personal Data Protection (Class of Data Users) (Amendment) Order 2016 ('the Order Amendment'); and
- the Personal Data Protection (Appeal Tribunal) Regulations 2021.
Other subsidiary legislation pertains to the appointment of the Commissioner.
The Commissioner has issued the Personal Data Protection Standard 2015 ('the 2015 Standards') which came into force on 23 December 2015. The 2015 Standards include security standards, retention standards, and data integrity standards, which apply to personal data that is processed electronically and non-electronically. The 2015 Standards are intended to be 'a minimum requirement' and will apply to all data users, meaning any person who processes, has control of, or allows the processing of, any personal data in connection with a commercial transaction.
Industry codes of practice
Data user forums were formed for specific industries, in particular the communications, banking and finance, insurance, hospitality, transport, direct sales, professional services, and utility sectors. Each data user forum was directed by the Commissioner to develop its own codes of practice for adherence by data users in the respective sectors.
To date, there are 6 codes of practice registered by the Commissioner, namely the Code of Practice for the Banking and Financial Sector 2017, the Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017, the Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017, the Personal Data Protection Code of Practice for the Communications Sector 2017, the Personal Data Protection Code of Practice for Private Hospitals in the Healthcare Industry 2022, the Personal Data Protection Code of Practice for the Utilities Sector (Water) 2022, and the General Code of Practice of Personal Data Protection.
The Department of Personal Data Protection ('PDP') has released a number of guidance documents and Frequently Asked Questions ('FAQs') on its website on various matters under the PDPA and its subsidiary legislation. There is also the Draft Guide for Data Users which was issued in March 2016.
In January 2022, the PDP issued the Guide to Prepare Personal Data Protection Notice ('Guide to prepare PDP notice'), which serves as a reference to data users in micro, small, and medium enterprises.
1.3. Case law
Provisions under the PDPA have been considered in Malaysian courts in several cases.
The majority of the reported cases considered the application of the general exemption of Section 45 of the PDPA. For example, in Newlake Development Sdn Bhd v Zenith Delight Sdn Bhd & Ors (No 2)  7 CLJ 88, it was held that if a court rules that the documents in question were relevant and admissible, the PDPA cannot be used as a shield to prevent such documents from being produced at trial under the guise of personal data protection.
Notably, in December 2021, the High Court held that the PDPA does not allow the Director-General of the Inland Revenue Board of Malaysia to make blanket demands for personal data in view of the protections afforded to data subjects under the PDPA (Genting Malaysia Berhad v Personal Data Protection Commissioner & Ors  MLJU 2847). Such requests for data must be made in accordance with the law, and it should be ensured that the request satisfies the test of necessity, in that "the interference with the rights of data subjects must be proportionate to the reality as well as to the potential gravity of the public interests involved", and "there must also be a specific instance as contemplated by the statute and not a general sweeping and inconsistent reasons for the disclosure to be given".
This case is significant as it is the first formal challenge to the powers of law enforcement authorities to request the disclosure of personal data.
Apart from reported cases, it has also been reported on the PDP's website that enforcement actions in the form of penalties have been taken against entities in various sectors, namely tourism, education, and services sectors, for failure to register as data users and, in one case, for failure to obtain the requisite consent from the data subject.
2. Scope of Application
The PDPA applies to any person who processes or has control over the processing of personal data (referred to as 'data user'). It is pertinent to note that processing is defined widely under the PDPA to cover a wide range of activities, including using, disseminating, collecting, recording, and/or storing personal data.
Furthermore, only individuals are referred to as data subjects under the PDPA.
The PDPA also contains specific provisions for data processors. A data processor that processes personal data solely on behalf of a data user may not be bound directly by the provisions of the PDPA, but rather, it is the duty of the data user to ensure compliance by the data processor with the relevant provisions under the PDPA.
The PDPA does not apply to personal data processed outside Malaysia, unless the data is intended to be further processed in Malaysia, and it also does not apply to a data user who is not established in Malaysia unless that person uses equipment in Malaysia to process personal data, other than for the purpose of transit through Malaysia. The Government of Malaysia ('the Government') and state governments are also exempted from the application of the PDPA along with any information processed for the purposes of a credit reporting business under the Credit Reporting Agencies Act 2010.
The PDPA covers processing in relation to personal data defined as collecting, recording, holding, or storing of personal data, or carrying out of any operation or set of operations on personal data, including:
- the organization, adaptation, or alteration of personal data;
- the retrieval, consultation, or use of personal data;
- the disclosure of personal data by transmission, transfer, dissemination, or otherwise making available; or
- the alignment, combination, correction, erasure, or destruction of personal data.
Personal data processed only for the purposes of that individual's personal, family, or household affairs, including recreational purposes, is exempted from the PDPA.
However, the following are exempted from certain, but not all, data protection principles under the PDPA in some circumstances:
- processing for the prevention or detection of crime, for the purposes of investigations, apprehension, or prosecution of offenders, or assessment or collection of any tax or duty or other similar impositions;
- in relation to information relating to the physical or mental health of a data subject, of which the application of the provisions in the PDPA to the data subject would likely cause serious harm to the physical or mental health of the data subject or any other individual;
- solely for the purposes of preparing statistics or carrying out research, provided that the resulting statistics or research results are not in a form which identifies the data subject;
- for the purposes of, or in connection with, any court judgment or order;
- for the purpose of discharging regulatory functions if the application of those provisions would be likely to prejudice the proper discharge of those regulatory functions; and
- for journalistic, literary, or artistic purposes.
3.1. Main regulator for data protection
The PDP is an agency under the Ministry of Communications and Digital ('MCD'). It was officially launched by the Minister in Kuala Lumpur on 12 February 2012. The PDPA came into force on 15 December 2013.
3.2. Main powers, duties and responsibilities
The main responsibility of the PDP is to enforce and regulate the PDPA in Malaysia, and it focuses on the processing of personal data in commercial transactions and avoiding the misuse of personal data. In enforcing the PDPA, the Commissioner has also been mandated to register all classes of data users under the Order.
The Commissioner has the power to carry out inspections of data protection systems under the PDPA. Furthermore, the 2013 Regulations provide that the personal data system must, at all reasonable times, be open to the inspection of the Commissioner or any inspection officer. During this inspection, documents such as consent and notice forms may be requested, as well as the list of third-party disclosure or any other documentation evidencing compliance with standards issued by the Commissioner, or any other information that the Commissioner may request.
Other powers include, among other things, the power to designate data user forums, issue and register codes of practice, carry out investigations on receipt of complaints, serve enforcement notices, and authorize officers to take enforcement actions.
4. Key Definitions
Data controller: The PDPA defines 'data user', which is the equivalent of a 'data controller', as a person who either alone, jointly, or in common with other persons, processes any personal data or has control over, or authorizes the processing of, any personal data, but does not include a data processor.
Data processor: A data processor under the PDPA means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user and does not process the personal data for any of their own purposes.
Personal data: For information to constitute 'personal data' under the PDPA, the following conditions must be satisfied:
- the data must be information in respect of commercial transactions;
- such information must be processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose, be recorded with the intention that it should be wholly or partly processed by such equipment or be recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; and
- the information must relate directly or indirectly to a data subject who is identified or identifiable from the information or other information in the possession of the data user.
In respect of the first condition, 'commercial transactions' are defined under the PDPA as transactions of a commercial nature and include any matter relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance. It is currently unclear whether an employment relationship is considered to be a commercial transaction and whether employment-related information would come under the scope of the PDPA. The definition of 'personal data' appears to be sufficiently wide to cover the usual types of personal information collected in day-to-day transactions, for example, name, address, telephone number, email address, banking details, and photographs.
Sensitive data: Sensitive personal data under the PDPA includes any personal data consisting of information as to the physical or mental health or condition of a data subject, their political opinions, their religious beliefs or other beliefs of a similar nature, the commission or alleged commission by them of any offense or any other personal data as the Minister may determine by order published in the Gazette. The obligations imposed by the PDPA in respect of sensitive personal data are more stringent.
Health data: 'Health data' is not specifically defined under the PDPA but such data would fall within the scope of 'sensitive personal data' as it consists of information as to the 'physical or mental health or condition of a data subject'.
Biometric data: There are currently no express provisions or guidance in the PDPA on 'biometric data'. However, such data could fall within the scope of 'sensitive personal data' as it consists of information regarding the 'physical condition of the data subject'.
Data subject: The PDPA defines 'data subject' as an individual who is the subject of the personal data.
5. Legal Bases
The 'General Principle' prohibits a data user from processing personal data without the consent of a data subject. However, a data user is not required to comply with this requirement where the processing is necessary for:
- the performance of a contract to which the data subject is a party;
- taking steps, at the data subject's request, with a view to entering into a contract;
- compliance with any legal obligation to which the data user is the subject, other than a contractual obligation;
- protecting the vital interests, namely matters relating to life, death, or security, of the data subject;
- the administration of justice; or
- the exercise of any functions conferred on any person under any law.
Please see above.
There are no exemptions from consent for the data processing carried out in public interests in general, but there are exemptions such as for public interest in freedom of expression, i.e. where the data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest.
The concept of 'legitimate interests' does not feature under Malaysian data protection laws.
A data user is required to comply with the seven personal data protection principles.
Further to the section on legal bases above, the General Principle also sets out certain parameters for the processing of personal data. It provides that personal data shall not be processed unless:
- it is for a lawful purpose directly related to the activity of the data user;
- it is necessary for, or directly related to, that purpose; and
- the data is adequate and not excessive for that purpose.
The 2013 Regulations stipulate that consent must be recorded and must be properly kept by data users. The requirement to record consent implies that consent should be sought expressly or by way of opt-in methods, as arguably consent cannot be recorded where it is implied or where an opt-out method is used. Further, it is pertinent to note that the 2013 Regulations stipulate that the onus to prove consent is on the data user. The 2013 Regulations also state that when consent is required, the requirement to obtain consent shall be presented as distinguishable in its appearance from other matters. Where personal data relates to a data subject under 18 years of age, consent must be sought from the parent, guardian, or person who has parental responsibility for the data subject.
Notice and choice principle
This principle requires a data user to inform a data subject of various matters relating to the information of the data subject, which is being processed by, or on behalf of that data user.
The PDPA requires a data user to inform a data subject by written notice of the following, in both the national language, Malay, and English:
- that the personal data of the data subject is being processed and a description of the data;
- the purposes for which the personal data is being collected and further processed;
- any information available to the data user as to the source of that personal data;
- the data subject's right to request access and correction of the personal data;
- the contact particulars of the data user in the event of any inquiries or complaints;
- the class of third parties to whom the data is or may be disclosed;
- the choices and means offered to a data subject to limit the processing of the data; and
- whether it is obligatory or voluntary for the data subject to supply data, and if obligatory, the consequences of not doing so.
Notice of the above has to be given by the data user 'as soon as practicable', that is, when the data user first requests the personal data from the data subject, when the data user first collects the personal data of the data subject, or before the data user uses it for a purpose other than the original purpose or discloses it to a third party. The data subject must also be provided with a clear and readily accessible means to exercise their choice, where necessary, in both Malay and English.
The Guide to preparing a PDP notice provides that 'PDP Notice must be written in dual language; the national language and the English language. If there is any need to prepare the PDP Notice in other languages, you may do so'. 'Any need' is considered to be a general term indicating that if a data user has any other need to have the notice in other languages (i.e. if data subjects such as customers or employees are largely speakers of other languages), then they may offer the PDP Notice in those languages. Furthermore, the mention of 'other language' in the Guide to preparing a PDP notice refers to languages other than English and the national language (Malay).
This principle prohibits a data user from disclosing the personal data of a data subject:
- for any purpose other than the purpose disclosed to the data subject, or a purpose directly related to it; and
- to any party other than the class of third parties disclosed to the data subject.
However, disclosure of personal data is permitted where:
- consent has been given by the data subject;
- the disclosure is necessary to prevent or detect crime, or for the purpose of investigations;
- the disclosure is required or authorized by law or order of the court;
- the data user had acted under the reasonable belief that they have a legal right to disclose the data to another person;
- the data user had acted under the reasonable belief that they would have received the consent of the data subject if the data subject had known of the disclosure and the circumstances of such disclosure; or
- the disclosure was justified as being in the public interests in circumstances as determined by the Minister.
The 2013 Regulations stipulate that a list of third-party disclosures must also be kept by the data user, and such a list may be requested by the Commissioner or inspecting officer during an inspection.
This principle imposes an obligation on a data user to adopt specified measures to protect personal data from loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction, during its processing. Where the data processing is carried out by a data processor on behalf of a data user, the data user must ensure that the data processor provides sufficient guarantees in respect of the technical and organizational security measures governing the processing and takes reasonable steps to ensure compliance with those measures.
Under the PDPA, it is stipulated that the following factors must be taken into account:
- the nature of the personal data and the harm that would result from such loss, misuse, modification, or unauthorized or accidental access, disclosure, alteration, or destruction;
- the place or location where the personal data is stored;
- any security measures incorporated into any equipment in which the personal data is stored;
- the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and
- the measures taken for ensuring the secure transfer of the personal data.
According to the 2013 Regulations, a security policy has to be formulated by the data user. A brief overview of the security standards prescribed by the 2015 Standards is as follows:
- to ensure that personnel who manage personal data are registered under a registration system before being granted access to personal data;
- to ensure that all staff who are involved in the processing of personal data always protect the confidentiality of the personal data;
- to enforce access controls and limits;
- to implement physical security procedures such as entry and exit controls, storage of personal data in locations which are safe from physical or natural threats and not exposed, installation of CCTV around data storage areas, if required, and 24-hour security of facilities, if required;
- to implement backup and recovery systems. Data users should ensure that the latest antivirus software is deployed and that scheduled malware monitoring and scanning of operating systems is in place to prevent attacks on electronically stored data;
- the transfer of personal data using removable media devices and cloud computing services is not allowed except with the written approval of an authorized officer from the higher management of the data user's organization;
- to record any transfer of personal data using removable media devices and cloud computing services;
- the transfer of personal data using cloud computing services must follow the personal data protection principles in Malaysia and other countries which have personal data protection laws;
- to maintain proper access records to personal data periodically and those records must be presented when instructed by the Commissioner; and
- to enter into contracts with data processors, persons who process personal data on behalf of the data user, in respect of any data processing.
In respect of non-electronically processed personal data, a data user must:
- prescribe physical security procedures such as keeping all personal data properly in a file, keeping all files containing personal data in a locked area, keeping all relevant keys in a safe place, keeping a record of key storage, and storing personal data in an appropriate location;
- record any transfer of personal data using conventional methods such as post, by hand, fax, or otherwise;
- ensure that all used paper, printed documents, or other documents which clearly show personal data are properly destroyed; and
- conduct awareness programs on the responsibility to protect personal data for all relevant personnel, if necessary.
This principle provides that personal data must not be retained longer than is necessary for the fulfillment of the purpose for which it is processed and requires the data user to destroy or permanently delete all personal data which is no longer required for the purpose for which it was processed. However, under other laws, there may be minimum data retention periods, which may be specified, for example, under certain tax laws. It would appear unlikely that the retention of data in compliance with retention periods stipulated under other laws would be considered a contravention of this principle, though this has not yet been tested.
A brief overview of the retention standards prescribed by the 2015 Standards is as follows:
- to ensure that all legislation relating to the processing and storing of personal data is complied with before disposing of any personal data;
- not to retain the personal data for longer than is required unless there are other legislative requirements that require personal data to be kept for a longer period;
- to prepare and maintain records of the disposal of personal data and these records should be submitted when directed by the Commissioner;
- to dispose of any personal data collection forms used for commercial transactions within 14 days, unless the form has legislative value in connection with the commercial transaction;
- to review and dispose of all personal data that is no longer needed in the database;
- to have a personal data disposal schedule, for a period of 24 months, for any inactive personal data; and
- the use of removable media devices for purposes of personal data storage is not allowed without the written consent of higher management of the data user's organization.
Data integrity principle
This principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected and further processed.
A brief overview of the data integrity standards prescribed by the 2015 Standards is as follows:
- to prepare a form for updating personal data, available online or in a physical copy;
- to update personal data immediately upon receiving a personal data correction notice from the data subject;
- to ensure that all relevant legislation is fulfilled by identifying the type of data or documents that are required to support the authenticity of the personal data of the data subject; and
- to inform the data subject about the updating of personal data either through a portal, by displaying an announcement on the data user's premises, or by other appropriate methods.
7. Controller and Processor Obligations
The provisions under the PDPA generally concern data users directly and not data processors. However, data users are in certain cases required to contractually bind data processors to ensure compliance with the PDPA.
The Order and the Order Amendment set out the classes of data users who have to be registered with the Commissioner.
The sectors which have been specified are:
- banking and financial institutions;
- tourism and hospitality;
- direct selling;
- services, namely organizations carrying on the following businesses: legal, audit, accountancy, engineering or architecture, retail or wholesale dealing as defined under the Control of Supplies Act 1961, and private employment agencies;
- real estate;
- pawnbrokers; and
It appears that, for the most part, licensees in the relevant sectors are the data users who have to be registered. Under the PDPA, a data user who falls within the prescribed classes is required to register itself within three months of the coming into force of the PDPA, although in practice, late registrations are still being accepted provided they are accompanied by a letter of explanation outlining the reason for late registration. The registration of data users can be completed on the PDP's website. The Minister may also require data user forums to be established and codes of practice to be prepared.
A data user who belongs to two or more classes of data users must make an application for registration separately for each class in which the data user belongs (Section 3(2) of the Registration Regulation).
The Commissioner will consider applications and then either issue a certificate of registration, refuse the application or issue a certificate subject to conditions and/or restrictions on data processing (Section 16(1) and (2) of the PDPA).
An application for registration by a data user under Section 15 of the PDPA must be accompanied with a registration fee ranging from MYR 100 to MYR 400 (approx. €22 to €90), as specified in the Schedule of the Registration Regulation, as well as the following documents (Section 3(1) of the Registration Regulation):
- a copy of the memorandum of association and articles of association, if the data user is a private or public company; or
- a copy of the constituent document under which the data user is established, if the data user is not a private or a public company.
Once issued, the certificate of registration is valid for a period of not less than 12 months from the date on which the certificate of registration is issued, unless it is revoked earlier (Section 4 of the Registration Regulation).
A data user should also notify the PDP of any changes to the particulars in its certificate of registration, which include the documents relating to the applicable classes of data users and the company's status as a public or private entity (Sections 3 and 6 of the Registration Regulation).
An application for renewal of a certificate of registration must be accompanied by the fee for renewal as specified in the Schedule of the Registration Regulation, which ranges from MYR 100 to MYR 400 (approx. €20 to €80) (Section 5 of the Registration Regulation).
In addition, Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 ('the Public Consultation Paper') issued by the PDP contains points for consultation regarding registration requirements with the PDP. Specifically, the Public Consultation Paper considers:
- the introduction of a mandatory obligation for data processors to register with the PDP Commissioner;
- the amending of data users' classes to be based on business activities rather than sectoral law and the laws that govern the respective industries;
- the voluntary registration of data users that do not fall within the 13 classes of data users; and
- the obligatory registration of all data users.
Furthermore, the data user is obliged to display a copy of the certificate of registration and any amendment to the same at the principal place of business, as well as a certified copy of the certificate of registration for each branch, where applicable (Section 8 of the PDPA).
The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country which has been specified and recorded in the Official Gazette by the Minister.
Currently, no countries have been specified officially. Notwithstanding the prohibition on transfers of personal data out of the country, the PDPA sets out a number of exceptions to the prohibition, such as where the consent of the data subject has been obtained for such transfer and where the transfer is necessary for the performance of a contract between the parties. When in doubt as to whether the exemptions on data transfer apply, the prudent approach would be to obtain consent from the data subject for the transfer out of Malaysia. In relation to outsourcing, a data user is not allowed to share data with third parties unless the consent of the individual has been obtained.
A data user must keep and maintain a record of any application, notice, request, or any other information relating to personal data processed by them in the form and manner that may be determined by the Commissioner.
The personal data system must also be open for inspection and the Commissioner or inspection officer may require certain documents to be produced, including inter alia records of consent and notice, lists of disclosures to third parties, and the security policy. Other laws may also prescribe record-keeping requirements, e.g. tax law.
There is no requirement to conduct a Data Protection Impact Assessment ('DPIA') under the PDPA.
The PDPA does not mandate the appointment of a data protection officer ('DPO'), but the application form for registration of data users requires a 'compliance person' to be named, indicated as the individual who will 'supervise the application of the PDPA' in the data user's organization. A proposal paper titled 'Guidelines on Compliance with Personal Data Protection 2010' seeking to introduce the designation of such an officer was issued in 2014, but until it is gazetted as law, its status remains unclear.
In addition, the PDP outlined in Section 3 of the Public Consultation Paper that it is considering the addition of a new provision in the Act to make it obligatory for a data user to appoint a DPO, and to issue a guideline on the mechanism of having a DPO.
The PDPA does not currently provide for mandatory data breach notification, but the authorities have issued Public Consultation Paper 1/2018: The Implementation of Data Breach Notification, which seeks to introduce a data breach notification regime under which data users would be required to notify regulators and affected individuals in the event of a data breach. The consultation paper sets out, among other things, a requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident and to provide details about the data at risk, actions that have been taken or will be taken to mitigate the risks to the data, details of notifications to affected individuals, and details of the organization's training programs on data protection. However, the consultation paper has yet to be gazetted as law.
While it is not a mandatory requirement under the PDPA, a data breach notification to the Commissioner can be submitted online. The information required includes particulars of the data user and of the person giving the notification, details of the data breach, containment and recovery, and notifications made to other parties (regulators and law enforcement agencies, affected parties, data processors, or overseas data protection authorities).
While there is no general obligation to report a personal data breach to either individuals or the PDP under the PDPA, there appear to be various reporting obligations imposed by different regulators and authorities that have jurisdiction depending on the specific facts of each case.
As such, whether there is a requirement to notify a data breach is largely fact-specific and may depend on various factors, including the types of services carried out, the entity concerned, and the severity of the breach. It is also not uncommon for regulators and authorities to have directives or guidelines that are internal or issued directly to the industry, meaning that the public does not have access to them.
In the health sector, there are general reporting obligations which are not specific to the notification of data breaches but may be relevant. For instance, Section 37(1) of the Private Healthcare and Facilities Act 1998 states that a private healthcare facility or service must report to the Director-General or any person authorized on that behalf, such unforeseeable and unanticipated incidents as may be prescribed.
In the financial sector, depending on the facts of the case, various reporting obligations imposed by regulators and authorities may be triggered which may or may not relate to data breaches. For instance, under the Guidelines on Internet Insurance published by the Central Bank of Malaysia ('BNM'), licensed insurers that carry out internet insurance activities are required to report material security breaches, system downtime, and degradation in system performance that critically affects the insurer to the BNM.
The BNM has also issued the Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorized access, modification, or disclosure by whatever means of customer information. There is also a template attached to the guidance document for reporting a customer information breach.
Under the Guidelines on Data Management and Management Information System ('MIS') Framework published by the BNM, boards of licensed financial institutions are required to inform the BNM of any developments that may have a material bearing on the institution's operations, risk profile, or financial condition. Public listed companies are also subject to the Listing Requirements issued by Bursa Malaysia where listed issuers are required to disclose to the public immediately all material information necessary for informed investing.
Where capital market entities are concerned, the Guidelines on Management of Cyber Risk published by the Securities Commission of Malaysia ('SC') require all such entities to report to the SC any detection of a cyber incident that may have, or has had, an impact on the information assets or systems of the entity, on the day of the occurrence of the incident. Therefore, whether data breach notification requirements apply largely depends on the specific facts and circumstances of each case. However, under the Financial Services Act 2013 ('FSA'), protection is conferred upon those who disclose in good faith to the BNM their knowledge, belief, or any document or information that a breach or contravention has been committed or is about to be committed under the FSA.
In addition to the retention principle under the PDPA, as highlighted in the section on principles above, the 2015 Standards outline three main standards (security, retention, and data integrity), which apply to personal data that is processed either electronically or non-electronically.
A brief overview of the measures prescribed by the 2015 Standards is as follows:
- to ensure that all legislation relating to the processing and storing of personal data is complied with before disposing of personal data;
- not to retain personal data for longer than is required, unless other legislative requirements require the personal data to be kept for a longer period;
- to prepare and maintain records on the disposal of personal data and to submit these records when directed by the Commissioner;
- to dispose of any personal data collection forms used for commercial transactions within 14 days, unless the form has legislative value in connection with the commercial transaction;
- to review and dispose of all personal data that is no longer needed in the database;
- to have a personal data disposal schedule for a period of 24 months for any inactive personal data; and
- to obtain written consent from the higher management of the data user's organization if using removable media devices for the purposes of personal data storage.
Under the PDPA, children (minors under the age of 18) cannot provide consent to the processing of their personal data. Where a minor's personal data is involved, the 2013 Regulations require that consent be obtained from the parent, guardian, or person who has parental responsibility for the minor.
'Criminal conviction data' is considered as 'sensitive personal data' under the PDPA.
Processing 'sensitive personal data' requires explicit consent unless an exemption applies. Some examples are where the processing relates to information that has been made public as a result of steps deliberately taken by the data subject or where the processing is necessary:
- for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
- to protect the vital interests of the data subject or another person, where consent cannot be given by or on behalf of the data subject or the data user cannot reasonably be expected to obtain the consent of the data subject;
- to protect the vital interests of another person, where consent by or on behalf of the data subject has been unreasonably withheld; or
- for the purposes of obtaining legal advice, or the establishment, exercise, and defense of legal claims.
Where the processing of personal data is carried out by a data processor on behalf of a data user, the PDPA requires the data user, for the purpose of protecting the personal data from any loss, misuse, modification, unauthorized or accidental access, disclosure, alteration, or destruction, to ensure that the data processor:
- provides sufficient guarantees in respect of the technical and organizational security measures governing the processing to be carried out; and
- takes reasonable steps to ensure compliance with those measures.
Additionally, the security principle requires data users to enter into contracts with data processors with respect to any data processing.
8. Data Subject Rights
In addition to the obligations placed on a data user, the PDPA also confers the following rights on a data subject (which are further explained below):
- the right of access to personal data;
- the right to require a data user to correct personal data;
- the right to withdraw consent to the processing of personal data;
- the right to prevent processing likely to cause damage or distress; and
- the right to prevent processing for direct marketing purposes.
Some of the rights mentioned above are further qualified by the provisions in the PDPA. In respect of the right of a data subject to prevent processing for direct marketing purposes, the PDPA stipulates that a data subject may, at any time by notice in writing to a data user, require the data user to cease or not to begin processing their personal data for purposes of direct marketing. Direct marketing is defined under the PDPA as 'communication by whatever means of any advertising or marketing material, which is directed to particular individuals'.
In the event that the data subject is dissatisfied with the data user's failure to comply with the notice to cease processing for direct marketing, the data subject may submit an application to the Commissioner to require the data user to comply with the notice. It is pertinent to note that a data user who fails to comply with the requirements of the Commissioner commits an offence under the PDPA, which attracts a fine of up to MYR 200,000 (approx. €44,840), imprisonment for a term not exceeding two years, or both.
As of 11 January 2015, a data subject who believes that there has been a misuse of their data by an individual or an organization may lodge a complaint online on the Commissioner's website in order for the necessary investigation to be carried out.
Please see the explanation under the notice and choice principle above.
A data subject has a right of access to their own data and to correct it if it is inaccurate, incomplete, misleading, or outdated, subject to certain conditions. Certain prescribed procedures apply where access or correction is requested by the data subject (e.g., whether the data subject requires a copy of the personal data; the data user must acknowledge receipt of the request). The 2013 Regulations also set out the information that may be requested by a data user when processing an access request.
The terminology under the PDPA is 'right to correction', which has been addressed under the section on right of access above.
There are no express rights of erasure under the PDPA.
Under the PDPA, a data subject has the following rights to object/opt-out:
Right to withdraw consent: A data subject can withdraw consent for the processing of their personal data at any time by way of written notice.
Right to prevent processing where likely to cause damage or distress: A data subject may by written notice require a data user to cease or not begin processing personal data for a specified purpose or in a specified manner if:
- the processing of that personal data or the processing of personal data for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to them or to another person; and
- the damage or distress is or would be unwarranted.
There are no express rights to data portability under the PDPA.
This right does not feature under Malaysian data protection laws.
Failure to comply with the provisions of the PDPA may amount to a criminal offense. A breach of any of the seven data protection principles attracts a fine of up to MYR 300,000 (approx. $65,840) and/or up to two years' imprisonment. The unlawful collection, disclosure, and sale of personal data attracts a fine of up to MYR 500,000 (approx. $109,730) and/or up to three years' imprisonment.
If a corporate body is found to have committed an offense, the officers of such corporate bodies are deemed to have committed the offense personally. However, the officer(s) of such corporate body may not be found to have committed the offense if they can prove the offense was committed without their knowledge or consent and they had taken all reasonable precautions and exercised due diligence to prevent the commission of the offense.
The Compounding of Offences Regulations came into operation on 15 March 2016 and provide that certain offenses may be compounded with the consent of the Public Prosecutor in the form and manner prescribed. The compoundable offenses prescribed thus far are certain offenses under the PDPA, the 2013 Regulations, and the Registration Regulation.
The Annual Report 2020 released by the PDP (only available in Malay) provides statistics on inspections carried out pursuant to Sections 101 and 48 of the PDPA. The report shows that inspections were carried out across various sectors, including the communications, education, health, property, and tourism sectors. The report also shows that inspections were carried out on organizations that do not fall within the classes of data users under the Order.
Apart from inspections and audits, as noted above, the PDP has been taking enforcement actions against non-compliance, and it is expected that the PDP will continue to increase efforts in respect of such enforcement actions.
On 18 March 2019, the then MCM Minister announced that the Government is currently reviewing the PDPA to ensure it is in line with global developments. The MCD is keen to incorporate key points of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') into the PDPA. Among the areas being looked at by the MCD are cross-border data transfers, data breach notifications, and whether the Government should be exempted from the PDPA.
As part of an ongoing review of the PDPA, the Commissioner has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 dated 14 February 2020 to seek the views and comments of the public on 22 issues. Some of the issues for which feedback is sought include an extension of obligations to data processors, data portability, the appointment of a DPO, the reporting of data breaches, and the establishment of a right to commence civil litigation against data users.
Further to the above, based on statements made by the MCD Minister, we understand that the five key areas that are the focus of the amendments are as follows:
- the appointment of a data protection officer (DPO);
- mandatory data breach notification;
- direct obligation on data processors to comply with the Security Principle;
- the right to data portability; and
- the removal of white-list regime for cross-border transfer of personal data.