Recent updates to the PDPA framework in Malaysia

The Personal Data Protection Commissioner has issued the Personal Data Protection Standard 2015 recently. Appended below are some of the recent PDPA updates for your reference.

1. Standards For Security, Retention and Data Integrity
========================================================
Standards in relation to the Security, Retention and Data Integrity principles were issued by the Commissioner on 30 December 2015 and are binding on all data users with immediate effect. The Standards detail specific actions which need to be taken by data users in respect of the Security, Retention and Data Integrity principles and apply to both physical and electronic personal data.

Highlights extracted from the Standards include the following:-

• All staff involved in the processing of personal data need to be registered;
• The extent of authority of staff accessing personal data for purposes of collecting, processing and retaining personal data should be controlled and limited;
• The transfer of personal data through removable media devices (e.g. USB thumb drives) and cloud computing services is not allowed unless permitted in writing by officers authorised by the top management of the data user;
• Any transfer of personal data through removable media devices and cloud computing services will need to be recorded;
• Contracts must be executed between data users and parties appointed by the data user (data processors) to handle and carry out personal data processing activities;
• All transfers of personal data via conventional methods, for example by post, by hand, fax etc., must be recorded;
• Records of disposal of personal data must be maintained and produced upon request by the Commissioner;
• Personal data collection forms must be disposed within a period of 14 days, unless such forms have legal value (‘nilai perundangan’) to the commercial transaction;
• Data users are required to prepare a schedule for the disposal of personal data which have not been active for a period of 24 months;
• Data subjects may be informed about exercises to update personal data, via the data user’s portal or by way of notice displayed on the premises or any other appropriate means.

2. Data User Forums
====================
Four Codes of Practice are in the final stages of gaining approval of the Commissioner, i.e. the Codes of Practice of the insurance, banking and finance, communications and energy sectors.

The Code of Practice of the insurance sector will likely be approved first, followed by that of the banking and finance as well as communication sectors. We have been informed that upon approval of the said Codes of Practice, the Commissioner will register the relevant Codes of Practice, with the date of formal registration being backdated to the end of December 2015.

Data users within the respective sectors will need to ensure that the Codes of Practice are fully operationalised and the necessary training is provided to their relevant personnel within the first quarter of 2016 (i.e. by the end of March 2016), with enforcement anticipated to commence from April 2016 onwards.

3. Compounding Regulations
===========================
The Compounding Regulations are a vital tool of the Commissioner as the said Regulations permit the Commissioner to issue compounds for offences under the PDPA instead of having to establish the data user’s breach of the PDPA in proceedings brought by the Commissioner against the data user.

We were informed by the Commissioner that the Compounding Regulations (which has been in the works for more than a year) are near finalisation and should be issued sooner rather than later. With the registration of the Codes of Practice in relation to specific sectors, and the issuance of the Compounding Regulations, data users can expect a very “active” 2016 from a personal data protection perspective.

4. On-line Registration
========================
Effective 11th January 2016, the JPDP has made available an online portal for the registration of data users. The online portal may be accessed at http://daftar.pdp.gov.my/login.php

5. JPDP Registration Renewal
=============================
It is coming to close to two years since the first certificates of registration were issued by the Commissioner. As such, the JPDP has been issuing renewal notices to data users whose certificates of registration are several months away from expiry.

We wish to suggest that while data users are preparing to renew their certificates of registration, data users also conduct a review of their filings with the JPDP and update any information which has changed since the first registration (e.g. the personal data collected, the parties that personal data is disclosed to, the overseas jurisdictions that personal data is sent to). Do note that this is an obligation that needs to be fulfilled by data users.