Minimum Standards Prescribed for Handling Personal Data
Although more than a year has passed since the Personal Data Protection Standard 2015 (“PDPS”) was enacted, non-compliance with the PDPS continues to be a major problem. It may be timely to recall the minimum statutory requirements laid down by the PDPS. Following the appointment of a new Personal Data Protection Commissioner, Khalidah binti Mohd Darus, with effect from 23 January 2017, it is likely that the Personal Data Protection Commission will take a more proactive role in enforcing the Personal Data Protection Act 2010 (“the Act”).
The PDPS was issued pursuant to the Personal Data Protection Regulations 2013 (“Regulations”). In particular, it is intended to set out the minimum requirements of Article 6 (Security policy), Article 7 (Retention standard) and Article 8 (Data integrity standard) of the Regulations. In brief, a data user, namely a person who processes, has control over or authorizes the processing of any personal data in respect of commercial transactions, shall ensure that it complies with these standards. “Standard” has been defined as “a minimum requirement issued by the Commissioner that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”. This article seeks to highlight some of the minimum requirements prescribed under the PDPS.
Security breaches have always been the main issue when it comes to personal data protection. In a technological era where data is often processed electronically, data security should never be taken lightly. The PDPS draws a distinction between the protection of personal data that is processed electronically and personal data that is processed non-electronically.
In particular, the PDPS has laid out what needs to be done when it comes to access to personal data by employees in the course of their employment. This is understandable, as the majority of security breaches arise from the actions or inactions of an organisation's employees. The standard procedures required of employees include the following:
- To register the employees involved in the processing of personal data;
- To terminate an employee’s access rights to personal data upon resignation, termination or any adjustment made in accordance with changes in the organisation;
- To control and limit employees’ access to personal data;
- To provide user ID and password for authorised employees to access personal data that are processed electronically;
- To ensure that employees involved in processing personal data always protect the confidentiality of such data;
- To maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner; and
- To conduct awareness programmes for all employees (if necessary) on the responsibility to protect personal data that are processed non-electronically.
Specific procedures have also been laid out where personal data is processed electronically, namely:
- written consent by an officer authorized by the top management is required for any transfer of personal data through removable media devices and cloud computing services;
- any transfer of data through removable media devices and cloud computing services must be recorded; and
- personal data transfers through cloud computing services must comply with the personal data protection principles in Malaysia, as well as with the personal data protection laws of other countries.
Personal data that is processed for any purpose must not be kept longer than is necessary for the fulfilment of that purpose. The PDPS has laid down the standard that a data user must take all reasonable steps to ensure that all personal data is destroyed or permanently deleted once it is no longer required. The prescribed standards are as follows:
- To ensure that the retention periods set out in all legislation relating to the processing and retention of personal data have been fulfilled before destroying the data;
- To keep personal data no longer than necessary unless there are requirements by other legal provisions;
- To maintain a proper record of personal data disposal periodically and make such record available for submission when directed by the Commissioner;
- To dispose of personal data collection forms used in commercial transactions within a period not exceeding 14 days, unless the forms carry legal value in relation to the commercial transaction;
- To review and dispose of all unwanted personal data in the database;
- To prepare a personal data disposal schedule for inactive data within a 24-month period, which should also be maintained properly; and
- Not to use removable media devices for storing personal data without written approval from the top management of the organisation.
It is thus important to take stock of the inventory of personal data held within one's organisation and to have a system in place to ensure that personal data is destroyed or deleted when it is no longer required.
Data Integrity Standard
The following standards have been prescribed to ensure that personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it is processed:
- To provide personal data update forms for data subjects, either online or through conventional methods;
- To update personal data immediately once a data correction notice is received from the data subject;
- To ensure that all relevant legislation is fulfilled in determining the type of documents required to support the validity of the data subject’s personal data; and
- To give notice of personal data updates, either through a portal, a notice at the premises or other appropriate methods.
While there does not appear to be any reported enforcement action by the Commissioner to date, it is worth noting that there are serious consequences for failure to comply with the prescribed standards. The possible penalty for any contravention is a fine not exceeding RM250,000 or imprisonment for a term not exceeding 2 years, or both. Companies are advised to conduct periodic reviews and due diligence on the procedures or steps taken in processing personal data.