Top 5 Things To Know About The Personal Data Protection Act 2010
by Jason Yong Kok Yew and Aqila Zulaiqha Zulkifli ~ 1 November 2021
The Personal Data Protection Act 2010 (“PDPA”) came into force on 15 November 2013 as Malaysia’s comprehensive data protection legislation. The PDPA was enacted to regulate the processing of personal data by businesses in commercial transactions.
Here is a list of the top 5 things to know about the PDPA:
1. Scope of Application
The PDPA applies to any person who processes and who has control over or authorises the processing of ‘any personal data in respect of commercial transactions’[1].
In this context, the person who processes personal data, or who has control over or authorises its processing, is known as the ‘data user’, whereas the individual in respect of whom the personal data is processed is known as the ‘data subject’.
The word ‘processing’ is widely defined under the PDPA and covers activities such as collecting, recording, holding or storing personal data, as well as carrying out any operation on it, including its retrieval, use, disclosure, correction, erasure or destruction.[2]
Further, the term ‘personal data’ refers to any information relating, directly or indirectly, to a data subject who is ‘identified or identifiable’ from that information, or from that information together with other information in the possession of the data user.[3]
Examples of personal data include, but are not limited to, the following:
(a) data subject’s name;
(b) national registration identity card (NRIC) or passport number;
(c) address; and
(d) contact details.
The definition is also wide enough to cover data that is not conventionally thought of as personal data, such as a vehicle registration number, which, when combined with other data in the possession of the data user, can be used to identify the data subject.
However, the PDPA does not apply to the Federal Government and the State Governments, or to any personal data processed outside Malaysia, unless that personal data is intended to be further processed in Malaysia.[4] Information processed for the purpose of a credit reporting business (such as CTOS, FIS and CBM) is also excluded from the definition of personal data[5], as such businesses are regulated by the Credit Reporting Agencies Act 2010 instead.
2. Principles
A data user is required to comply with the following seven personal data protection principles under the PDPA:
a) General Principle
This sets out the general parameters for processing personal data: a data subject’s consent is required before her personal data is processed, and that consent must be obtained in a form that the data user can record and maintain.[6] The processing must also be for a lawful purpose directly related to an activity of the data user, be necessary for or directly related to that purpose, and involve personal data that is adequate but not excessive in relation to it.
b) Notice and Choice Principle
The Notice and Choice Principle requires a data user to inform the data subject, by way of a written notice in both the national language and English, of various matters relating to the processing of her personal data, including but not limited to:
-that her personal data is being processed;
-the purposes for which the personal data is collected or further processed;
-her right to request access to and correction of the personal data;
-the class of third parties to whom the personal data may be disclosed; and
-the choices and means the data user offers her for limiting the processing of her personal data
(the “Privacy Notice”).[7]
c) Disclosure Principle
This principle prohibits a data user from disclosing a data subject’s personal data for any purpose other than the purpose disclosed at the time of collection (or a purpose directly related to it), or to any party other than the class of third parties specified in the Privacy Notice.
However, disclosure of personal data is permitted where consent has been given by the data subject or when the disclosure is required or authorised by law.
d) Security Principle
The Security Principle obliges a data user, when processing personal data, to take practical steps to protect it from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, having regard to, among other things, the nature of the data and the harm that would result from a breach, where the data is stored, the security measures built into the equipment used, the reliability and competence of personnel with access to it, and the measures taken for its secure transfer.
e) Retention Principle
The Retention Principle provides that personal data must not be kept longer than is necessary for the fulfilment of the purpose stated in the Privacy Notice. The data user must take all reasonable steps to ensure that personal data is destroyed or permanently deleted once it is no longer required for that purpose.
f) Data Integrity Principle
This principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up-to-date.
g) Access Principle
Under the Access Principle, a data user must allow a data subject to access her personal data and to correct it where it is inaccurate, incomplete, misleading or not up to date.
3. Subsidiary Legislation
In addition to the PDPA itself, data users must comply with the subsidiary legislation made under it, which facilitates its enforcement, including:
a) Personal Data Protection Regulations 2013 (“PDPR”);
b) Personal Data Protection (Class of Data Users) Order 2013;
c) Personal Data Protection (Registration of Data User) Regulations 2013;
d) Personal Data Protection (Fees) Regulations 2013;
e) Personal Data Protection (Compounding of Offences) Regulations 2016; and
f) Personal Data Protection (Class of Data Users) (Amendment) Order 2016.
Further to the above list, data users must comply with the Personal Data Protection Standard 2015 (the “Standard”) issued by the Personal Data Protection Commissioner (the “Commissioner”).[8] The Standard is the ‘minimum requirement’[9] that data users must meet in their handling of personal data. It covers three areas: the Security Standard, the Retention Standard and the Data Integrity Standard.[10] For example, the Security Standard lists practical steps that data users must take to protect personal data from loss, misuse or accidental access or disclosure, such as ensuring that all documents containing personal data are destroyed thoroughly and safeguarding the data user’s computer systems against malware.
4. Industry Codes of Practice
Data users in specific industries must also conform to the Codes of Practice issued by the Commissioner. The Codes of Practice can be found on the official portal of the Department of Personal Data Protection Malaysia.[11]
The Commissioner has issued five Codes of Practice for the industries listed as follows:
a) Personal Data Protection Code of Practice for the Banking and Financial Sector;
b) Personal Data Protection Code of Practice for the Utilities Sector (Electricity);
c) Personal Data Protection Code of Practice for the Malaysia Aviation Sector;
d) Personal Data Protection Code of Practice for the Insurance and Takaful Industry in Malaysia; and
e) Personal Data Protection Code of Practice for Communications Sector.
5. Registration as Data Users
Pursuant to the Personal Data Protection (Class of Data Users) Order 2013 and Section 15 of the PDPA, a data user who falls within any of the following sectors is required to register with the Commissioner before processing personal data:
a) Communications;
b) Banking and financial institution;
c) Insurance;
d) Health;
e) Tourism and hospitalities;
f) Transportation;
g) Education;
h) Direct selling;
i) Services;
j) Real estate;
k) Utilities;
l) Pawnbroker[12]; and
m) Moneylender.
Finally, for any matter not addressed in the PDPA, the subsidiary legislation or the Standard, data users may refer to the FAQs and leaflets on the official portal of the Department of Personal Data Protection Malaysia for further clarification.
Compliance with the PDPA matters because a breach carries heavy fines and/or imprisonment. For example, a data user who contravenes any of the seven Principles commits an offence and is liable on conviction to a fine not exceeding RM300,000, imprisonment for a term not exceeding two years, or both.[13]
[1] Section 2(1) PDPA
[2] Section 4 PDPA
[3] Section 4 PDPA
[4] Section 3 PDPA
[5] Section 4 PDPA
[6] Regulation 3 PDPR
[7] “A Quick Guide to Privacy Notice” (2017) issued by Personal Data Protection Commissioner Malaysia
[8] Pursuant to Regulations 6, 7, and 8 PDPR
[9] Standard 2 of the Standard
[10] Standards 4, 6, and 7 of the Standard
[11] http://www.pdp.gov.my/
[12] Paragraph 2(c) of Personal Data Protection (Class of Data Users) (Amendment) Order 2016
[13] Section 5(2) PDPA