The Malaysian Personal Data Protection Commissioner recently issued the Personal Data Protection Standards 2015, which came into force on 23 December 2015 (the “Standards”). To those who are affected, namely any person that “processes” and “has control over or authorizes the processing of any personal data in relation to commercial transactions” (in other words, any person or company that deals with personal data in the course of its business, also known as “data users”), the Standards stand to be a new compliance hurdle and would impose additional responsibilities on these data users, over and above those set by the Malaysia Personal Data Protection Act 2010 (“PDPA”).
Requirements above the Malaysia Personal Data Protection Act
The Standards are considered the “minimum” standards to be observed by data users, as each and every requirement of the Standards must be implemented as part of the data user’s policy in its handling of personal data of customers and employees. Any additional measures implemented to ensure proper security, retention and data integrity of personal data are of course optional and permitted by the Commissioner, if not encouraged.
It is also important to note that contravention of any of the Standards may attract a fine of up to RM250,000 or imprisonment for a term not exceeding 2 years or both, and therefore compliance with the Standards must be taken as seriously as the Malaysia Personal Data Protection Act by every data user.
While it is impractical to set out all the Standards in this Article, identified below are some of the Standards which are likely to impact a data user’s existing day-to-day business operations:
Security requirements of data users
In contrast with some of the security Standards, which are in fact reasonable security practices (e.g. the requirement for data users to provide their employees with user IDs and passwords and impose access control over personal data), other Standards may prove to be “challenging” for the data users to comply with.
For example, the Standards stipulate that transfers of personal data through removable media devices (e.g. USB thumb-drives) and cloud computing services (e.g. Dropbox, Gmail) are no longer permitted, unless authorised in writing by the “top management” of the company. Even if permitted, each transfer of personal data via such a removable media device must be recorded. Additionally, data users are required to record access to personal data, and to make such records available to the Commissioner upon request.
One of the Standards that will be useful to data users is the Standard requiring data users to execute a contract with any service provider appointed to process personal data on behalf of the data user. This Standard will greatly assist data users in their efforts to impose the Security Principle on their service providers as the latter have oftentimes proven to be reluctant to accept the imposition of specific security requirements by data users.
Retention of personal data
The Standards require personal data collection forms to be disposed of within a period of 14 days, unless such forms can be said to have some “legal value” in connection with the commercial transaction (for which the personal data was collected). This general requirement is questionable, considering that most data users will need to retain the forms beyond the mere 14-day period stipulated. In order to avoid having to dispose of all forms within the short period stipulated, it must be taken that ‘legal value’ can be widely construed and would include any purposes for complying with legal, tax, audit, and other compliance requirements.
Data users are also required by the Standards to have a schedule of disposal for personal data where it has been inactive for a period of 24 months. This would appear to be contrary to limitation periods set out in the law, e.g. the limitation period for commencement of legal proceedings, which is a minimum of 6 years, or the requirement to retain records and documents for a minimum of 7 years under revenue laws.
Integrity of personal data records
The Commissioner now requires data users to immediately update personal data in their records upon receiving a request for correction from any of the data user’s customers or any other persons identifiable from the personal data. However, this requirement would appear to conflict with the express provisions of the Malaysia Personal Data Protection Act, which allows data users to respond to such a request within 21 days of receipt of the request (and in fact provides data users a further extension of 14 days, should the data user be unable to comply with the request due to valid reasons). For the moment, and pending clarification from the Commissioner, it is reasonable to take the position that while data users are required under the Standards to respond promptly to such a request, they are nonetheless allowed under the Malaysia Personal Data Protection Act to respond within 21 days (plus 14 additional days where required) from the date of receipt of such a request.
On 15 March 2016, the Commissioner issued the Personal Data Protection (Compounding of Offences) Regulations 2016 (the “Compounding Regulations”). The Compounding Regulations provide a list of offences which are prescribed to be “compoundable offences”. For offences which are compoundable, the Commissioner may offer data users an opportunity to pay a monetary penalty (which penalty can be up to half of the maximum fine stipulated in the Malaysia Personal Data Protection Act) within the time period stipulated in the offer. If no payment is received within the stipulated period, prosecution for the offence will be instituted against the data user.
Under the First Schedule to the Compounding Regulations, the offences which are prescribed to be compoundable offences include:
non-compliance with any of the personal data protection principles;
processing personal data without certificate of registration for a class of data users requiring registration;
failure to cease processing personal data after the data subject withdraws consent to process personal data;
processing sensitive personal data without obtaining the explicit consent of the data subject or without fulfilling any other statutory exception; or
failure to comply with the requirement of the Commissioner to cease processing personal data when the data subject had notified the data user to cease processing for direct marketing.
It is important to note that not all offences under the Malaysia Personal Data Protection Act and its regulations are compoundable.
In respect of the Standards, non-compliance with the Standards is also a compoundable offence, as it amounts to non-compliance with regulations 6, 7 and 8 of the Personal Data Protection Regulations 2013, which require data users to comply with any personal data protection standards set out from time to time by the Commissioner. As mentioned earlier in this Article, contravention of any of the Standards may attract a penalty, whether in the form of a fine of up to RM250,000 or imprisonment for a term not exceeding 2 years or both.
As seen from the foregoing, while it is commendable that the Commissioner prescribes the minimum standards for complying with the personal data protection principles in the Malaysia Personal Data Protection Act and makes clear the measures to be taken by data users, some of the Standards are not clear enough, and may be impractical, costly, administratively difficult or even impossible for data users to comply with.
Notwithstanding the foregoing statement, data users must still comply with the prescribed Standards (or at the very least endeavour to comply with the Standards), as non-compliance with the Standards is an offence and may expose data users to enforcement actions being brought by the Commissioner and/or payment of compounds under the Compounding Regulations.