Group 10 - PDPA II.pptx
1. GROUP 10
GROUP MEMBERS
• MARSYITAH AMIIRA BINTI MARZUKI (LIA190082 / 17204201/1)
• JULIA MAISARAH BINTI ISMAIL (LIA190057 / 17204122/1)
• NURUL HANA BINTI ABDUL HAKIM (LIA190123 / 17205554/1)
• MUHAMMAD SYADAD BIN NOR AZMAN (LIA190095 / 17204109/1)
• NURFARAHIN BINTI ZAINAL ABIDIN (LIA190113 / 17204127/1)
PDPA 2010: SECURITY & RETENTION PRINCIPLE
2. Question
The Security Principle states that a data user shall take practicable steps to
protect the personal data, whilst the Retention Principle laid down the rule that
the personal data shall not be kept longer than is necessary.
Elaborate on the meaning of the two variables in italics. In your answer, you are to
refer to any cases (if any) and regulations/standards/code of practice that may be
available relating to personal data protection.
3. Overview
• SECURITY PRINCIPLE
• RETENTION PRINCIPLE
• REAL-LIFE EXAMPLES
• COMPARISON OF OUR PDPA WITH OTHER COUNTRIES
• THE WAY FORWARD
4. SECURITY PRINCIPLE
The Security Principle imposes
obligations on the data user to take
steps to protect the personal data
during its processing from any loss,
misuse, modification, unauthorised or
accidental access or disclosure,
alteration or destruction.
6. What are the practical steps?
Personal Data Protection Code of Practice
PDPA Standards 2015
7. Code of Practice
• The Code of Practice was issued pursuant to Section
23 of the PDPA
• Aims to further inculcate the spirit and practice of
ethical business within the industry while providing a
self-regulating mechanism for collection,
maintenance, retention and disposal of personal data.
• The views of data users, data subjects and the
relevant regulatory authority are taken into
consideration in preparing the respective Code of
Practice.
8. • Four codes of practice were finalised by the Commissioner in
2017 namely:
• Code of Practice for the Banking and Financial Sector 2017,
• Personal Data Protection Code of Practice for the Utilities
Sector (Electricity) 2017
• Code of Practice on Personal Data Protection for the
Insurance and Takaful Industries in Malaysia 2017
• Personal Data Protection Code of Practice for the
Communications Class Data Users 2017
• These “practical steps” will vary from case to case,
depending on the nature of personal data being processed
by the Data User in question and the degree of sensitivity
attached to the personal data or harm that the Data Subject
might suffer due to its loss, misuse, modification,
unauthorized or accidental access or disclosure, alteration or
destruction.
9. Code of Practice (CMA)
For Licensees Under The
Communications And Multimedia Act
1998
Technical Security
Measures
Organizational Security
Measures
10. Organizational Security Measures
Data classification policy
• Personal data being processed by each Data User should ideally be categorised based on the sensitivity
of the personal data and the harm that could arise vis-à-vis the Data Subject should the personal data be
mishandled.
• The policy should identify the specific categories of personal data and the security measures associated with
each of the said categories of personal data, in both physical and electronic formats.
Access control policy
• Personal data should be accessed by personnel of the Data User based on a “need to know” basis.
• Policy will indicate the various levels of personnel that are permitted access, modification and/or
deletion rights in relation to different categories of personal data.
• Access control policies should be supplemented with policies limiting access to technologies that allow
personal data to be transferred out of the Data User’s organization (as detailed further under technical
security measures), and the activation of audit logs which enable authorised and unauthorised access to
personal data to be traced.
11. Confidentiality guidelines
• Guidelines in respect of the confidentiality of Data Subject information be issued (either
separately or as part of the employee handbook) to all personnel of Data Users in order to
make clear the fundamental importance of confidentiality and the role that it plays in
establishing confidence and market credibility in the branding of the Data User.
• Data Users must explicitly state the obligation of maintaining the confidentiality of Data
Subject information, and where there has been a breach of the same, Data Users need to be
seen to have taken the necessary action in order that personnel are aware of how seriously
Data Users take this issue.
12. Technical Security Measures
(a) Physical document security
• Physical documents need to be received, processed and stored securely.
(b) Physical access to IT facilities
• Access to IT facilities where the IT infrastructure and the telecommunications infrastructure of Data
Users are located, needs to be controlled at all times.
• This can be achieved through the use of security guards for perimeter and location security, and
escorts.
(c) Physical access to IT systems and communications equipment
• Access to IT systems within Data Users’ offices or premises needs to be controlled at all times as
personal data may be stored and/or displayed on them.
• This can be achieved by restricting physical access to non-authorised personnel, careful positioning of PCs in order to
ensure that screens are not viewable by non-authorised personnel, the use of screen savers for
unattended PCs, and locked printer and/or fax rooms which are accessible only to authorised
personnel.
13. (d) Back-ups
• Data Users should back-up the personal data resident on their systems in order to guard against data
loss.
• The media on which the backups are resident should be stored off-site to prevent their loss together
with the primary systems in the event of a major disaster.
(e) Anti-virus and anti-malware software
• Data Users would be required to install and regularly update their anti-virus software in order to avoid
putting the personal data of Data Subjects at risk consequent to virus infections and other malware.
• Personnel should be restricted from downloading and installing applications that have not been
approved by the IT department of the Data User as it may introduce malware which may put personal
data at risk.
(f) Securing access
• All personal data that is removed from the premises of the Data User with authorisation, whether on
notebooks, tablets, smart phones, USB thumb drives, portable hard drives, are to be secured in order to
prevent the personal data stored on the said devices being accessed without authorisation in the event
the said devices being stolen or lost.
• E-mails attaching personal data are also to be secured in order to prevent the personal data being
accessed by unauthorised third parties.
14. PDPA Standards
2015
INTERPRETATION
“standard” means a document issued by the Commissioner, that
provides, for common and repeated use, rules, guidelines or
characteristics for activities or their results, aimed at the
achievement of the optimum degree of order in a given context.
APPLICATION
3.1 This Standard applies to
a. any person who processes; and
b. any person who has control over or authorizes the processing of,
any personal data in respect of commercial transactions.
The Standards are considered the
“minimum” standards to be observed by
data users, as each and every requirement
of the Standards must be implemented as
part of the data user’s policy in its handling
of the personal data of customers and
employees.
15. Security Standards
under PDPA Standards
2015
Data Security For Personal Data
Processed Electronically
Data Security For Personal Data
Processed Non-Electronically
16. Data Security For Personal Data Processed Electronically
• Register all employees involved in the processing of personal data.
• Terminate an employee’s access rights to personal data after his/her resignation, termination,
termination of contract or agreement, or adjustment in accordance with changes in the
organisation.
• Control and limit employees’ access to personal data system for the purpose of collecting,
processing and storing of personal data.
• Provide user ID and password for authorized employees to access personal data.
• Terminate user ID and password immediately when an employee who is authorized access to
personal data is no longer handling the data.
• Establish physical security procedures as follows:
i. control the movement in and out of the data storage site;
ii. store personal data in an appropriate location which is unexposed and safe from physical or
natural threats;
iii. provide a closed-circuit camera at the data storage site (if necessary);
iv. provide 24-hour security monitoring (if necessary).
17. • Update the Back up/Recovery System and anti-virus to prevent personal data intrusion and
such.
• Safeguard the computer systems from malware threats to prevent attacks on personal data.
• The transfer of personal data through removable media device and cloud computing service is not
permitted unless with written consent by an officer authorized by the top management of the
data user organization.
• Record any transfer of data through removable media device and cloud computing service.
• Personal data transfer through cloud computing service must comply with the personal data
protection principles in Malaysia, as well as with personal data protection laws of other countries.
• Maintain a proper record of access to personal data periodically and make such record available
for submission when directed by the Commissioner.
• Ensure that all employees involved in processing personal data always protect the
confidentiality of the data subject’s personal data.
• Bind an appointed third party by the data user with a contract for operating and carrying out
personal data processing activities. This is to ensure the safety of personal data from loss, misuse,
modification, unauthorized access and disclosure.
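The register/grant/terminate/record measures listed above are easiest to reason about as one small system. The following is an added example, not code from the slides, the PDPA Standard 2015 or any Code of Practice: it registers employees with need-to-know rights per data category (following the Code of Practice's advice to classify data by sensitivity), revokes those rights immediately on termination, and logs every authorised and unauthorised attempt so the periodic access record the Standard asks for can be produced. All names, categories and events are constructed.

```python
"""Added example (not from the slides or any regulator): a minimal model of
the access-control and access-logging measures for personal data processed
electronically. All names, categories and events are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed data classification: category -> sensitivity (1 low .. 3 high),
# in the spirit of the Code's data classification policy.
SENSITIVITY = {"contact": 1, "identity": 2, "financial": 3, "health": 3}


@dataclass
class AccessRecord:
    when: datetime
    employee_id: str
    category: str
    action: str
    allowed: bool


@dataclass
class PersonalDataRegistry:
    # employee id -> {category: set of permitted actions}
    rights: dict = field(default_factory=dict)
    active: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def register(self, employee_id: str, rights: dict) -> None:
        """Register an employee involved in processing, with need-to-know rights."""
        for category in rights:
            if category not in SENSITIVITY:
                raise ValueError(f"unclassified category: {category}")
        self.rights[employee_id] = {c: set(a) for c, a in rights.items()}
        self.active.add(employee_id)

    def terminate(self, employee_id: str) -> None:
        """Revoke all access immediately (resignation, termination, role change).
        The registration itself is kept so earlier log entries stay attributable."""
        self.active.discard(employee_id)
        self.rights[employee_id] = {}

    def access(self, employee_id: str, category: str, action: str = "read",
               when: Optional[datetime] = None) -> bool:
        """Check a request against the rights table and log the outcome either way,
        so both authorised and unauthorised access can be traced."""
        when = when or datetime.now(timezone.utc)
        allowed = (employee_id in self.active
                   and action in self.rights.get(employee_id, {}).get(category, set()))
        self.log.append(AccessRecord(when, employee_id, category, action, allowed))
        return allowed

    def unauthorised_attempts(self) -> list:
        return [r for r in self.log if not r.allowed]

    def access_report(self) -> dict:
        """Per-employee counts for the periodic access record the Standard requires."""
        report = {}
        for r in self.log:
            entry = report.setdefault(
                r.employee_id, {"allowed": 0, "denied": 0, "max_sensitivity": 0})
            entry["allowed" if r.allowed else "denied"] += 1
            if r.allowed:
                entry["max_sensitivity"] = max(entry["max_sensitivity"],
                                               SENSITIVITY[r.category])
        return report


def demo() -> PersonalDataRegistry:
    """Constructed sequence: a clerk with contact/identity rights who later leaves."""
    reg = PersonalDataRegistry()
    reg.register("clerk-01", {"contact": {"read", "modify"}, "identity": {"read"}})
    reg.access("clerk-01", "contact", "modify")     # permitted
    reg.access("clerk-01", "identity", "delete")    # no delete right on identity
    reg.access("clerk-01", "financial")             # no need to know
    reg.terminate("clerk-01")
    reg.access("clerk-01", "contact")               # revoked after leaving
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.access_report())
    for rec in r.unauthorised_attempts():
        print("DENIED", rec.employee_id, rec.category, rec.action)
```

The point of logging denied attempts as well as granted ones is the Code's requirement that unauthorised access be traceable; a registry that only records successes cannot show the Commissioner who tried to reach data they had no need to know.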
18. Data Security For Personal Data Processed Non-
Electronically
• Register employees handling personal data into a system/registration book before being
allowed access to personal data.
• Terminate an employee’s access rights to personal data after his/her resignation,
termination, termination of contract or agreement, or adjustment in accordance with changes
in the organization.
• Control and limit employees’ access to the personal data system for the purpose of collecting,
processing and storing of personal data.
• Establish physical security procedures as follows:
i. store all personal data orderly in files;
ii. store all files containing personal data in a locked place;
iii. keep all the related keys in a safe place;
iv. provide a record for key storage; and
v. store personal data in an appropriate location which is unexposed and safe from physical
or natural threats.
• Maintain a proper record of access to personal data periodically and make such record
available for submission when directed by the Commissioner.
19. • Ensure that all employees involved in processing personal data always protect the
confidentiality of the data subject’s personal data.
• Record personal data transferred conventionally, such as through mail, delivery, fax,
etc.
• Ensure that all used papers, printed documents or other documents exhibiting personal
data are destroyed thoroughly and efficiently by using shredding machine or other
appropriate methods.
• Conduct awareness programmes to all employees (if necessary) on the responsibility
to protect personal data.
20. RETENTION PRINCIPLE
The Retention Principle laid down
the rule that the personal data shall
not be kept longer than is
necessary.
Elaborate on the meaning of the
variables in italics.
21. PERSONAL DATA PROTECTION ACT 2010
("PDPA 2010")
Section 10 - Retention Principle
(1) The personal data processed for any purpose
shall not be kept longer than is necessary for the
fulfilment of that purpose.
(2) It shall be the duty of a data user to take all
reasonable steps to ensure that all personal data is
destroyed or permanently deleted if it is no longer
required for the purpose for which it was
processed.
Data Users can retain personal data but it cannot
be longer than is necessary to fulfil the processing
purpose.
PERSONAL DATA PROTECTION
REGULATION 2013 ("PDPR 2013")
Para 7 - Retention Standard
For the purposes of section 10 of the
Act, the personal data of a data subject
shall be retained in accordance with
the retention standard set out from
time to time by the Commissioner.
This standard can be seen in the 2015
Standard (Personal Data Protection
Standard 2015).
However, this section does not define what “is
necessary” means. Hence, reference will be made
to the 2013 Regulation.
22. PERSONAL DATA PROTECTION STANDARD 2015 ("PDPA 2015")
6.0 RETENTION STANDARD
The standard for retention of personal data which is processed
electronically and non-electronically.
6.1 A data user shall take all reasonable steps to ensure that all personal
data is destroyed or permanently deleted if it is no longer required for
the purpose for which it was to be processed, by having regard to the
following descriptions -
• Ensure that the retention period in all legislation relating to the
processing and retention of personal data is fulfilled before
destroying the data.
• Not to retain personal data for longer than is necessary UNLESS there
are other legal provisions that require personal data to be kept for a
longer period.
• Personal data collection forms used in commercial transactions should
be disposed of within a period not exceeding 14 days.
EXCEPTION - If the forms carry legal value in relation to the
commercial transaction, they may be retained for more than 14 days.
• Prepare and maintain a personal data disposal schedule for inactive
data with a 24 month period.
23. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998
3.1 The Code shall apply to all Data Users including all:
• (i) Network Facilities Providers;
• (ii) Network Services Providers;
• (iii) Applications Service Providers; and
• (iv) Content Applications Service Providers,
as defined in the CMA 1998.
5.0 RETENTION PRINCIPLE
5.1 The Act places a responsibility on Data Users to hold personal data
only for as long as necessary for the fulfilment of the purpose. The Act
also provides that upon the purpose being fulfilled, Data Users are
required to permanently destroy/delete the personal data. This
requirement applies to both physical and electronic copies of
documents containing personal data.
5.2 For the avoidance of doubt, the Act does not override other
applicable statutory provisions that require the retention of
data/records/information for a specified minimum duration, for
instance, the Communications and Multimedia Act 1998, the Companies
Act 1965, Income Tax Act 1967, Employment Act 1955 or the Limitation
Act 1953. The Act and such other applicable legislation must be read
together.
5.3 This Code does not specify the applicable durations that personal
data may be retained for but leaves it to the discretion of Data Users.
However, there are certain statutory provisions that specify
the minimum data retention periods.
24. Other Applicable Legislations
That require the retention of data/records/information for a specified minimum duration.
Communications and
Multimedia Act 1998
S 268. Minister may make rules on record-
keeping
The Minister can make rules to provide for
recordkeeping, and to require one or more
licensees or persons to keep and retain
records.
Companies Act 2016
S 245. Accounts to be kept.
(1) A company, the directors and managers of a company
shall -
• a. Keep accounting and other records to sufficiently
explain the transactions and financial position of the
company;
• b. Keep the accounting and other records in a manner
as to enable the accounting to be conveniently and
properly audited.
(3) The company shall retain the records referred to in
subsection (1) for seven years after the completion of the
transactions or operations to which entries relate.
25. Other Applicable Legislations
That require the retention of data/records/information for a specified minimum duration.
Income Tax Act 1967
S 82. Duty to keep records and give
receipts
(1) Notwithstanding section 82A and
subject to this section, every person
carrying on a business -
(a) shall keep and retain in safe custody
sufficient records for a period of seven
years from the end of the year to which
any income from that business relates …
Employment Act 1955
S 61. Duty to keep registers.
(1) Every employer shall prepare and keep
one or more registers containing such
information regarding each employee
employed by him as may be prescribed by
regulations made under this Act.
(2) Every such register shall be preserved for
such period that every particular recorded
therein shall be available for inspection for
not less than six years after the recording
thereof.
26. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998
5.4 In order to assist Data Users to keep track of the various retention
periods as may be applicable to the various types of personal data
processed by them, Data Users are required to consolidate all applicable
retention periods into the Data User’s relevant retention policies, which
address the various categories of personal data, for example:
(i) Application forms
(ii) Unsuccessful applications
(iii) Call records
(iv) Customer audio recordings
(v) Defaulting customers
5.5 There may be certain instances in which Data Users need to retain
personal data beyond a specified statutory period.
In these cases, Data Users should be able to demonstrate -
(i) a reasonable need to retain personal data beyond the applicable
statutory period; and
(ii) (if available) provide evidence of their adherence to the same.
The commencement of legal proceedings or investigations concerning the
Data Subject would qualify as grounds for continuing to retain the personal
data until the disposal/closure of the matter and the expiry of the retention
period specific to the matter itself.
5.6 For the avoidance of doubt, the Retention Principle does not apply to
backup and electronic archival data subject to the Data User restricting
access to the same to authorised personnel only and for backup or archival
purposes respectively.
5.12 For the avoidance of doubt, in the event of a conflict between the
Commissioner’s retention standard, this Code, any retention standard(s)
(or their equivalent) set by the Malaysian Communications and Multimedia
Commission or such other regulators of the Data User and/or any retention
standard(s) (or their equivalent) prescribed by the law, the document
setting the higher standard will prevail to the extent of the conflict.
27. MEANING OF "IS NECESSARY" UNDER THE RETENTION PRINCIPLE
The term “is necessary” under the Retention Principle is not defined in
the PDPA. Generally, the retention period of personal data is at the
discretion of Data Users. However, there are times where the minimum
duration is specified in certain applicable legislation.
The retention periods may vary in accordance with the requirements
set out by different laws. For those not specified by the laws, the
appropriate retention period for personal data would therefore depend
on the purpose for which it was collected.
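The rules gathered on the preceding slides (the "no longer than necessary" rule in s.10, the statutory minimums in the Companies Act, Income Tax Act and Employment Act, the 14-day rule for collection forms and the 24-month disposal schedule in the 2015 Standard, the legal-hold ground in 5.5 of the CMA Code, and the "higher standard prevails" rule in 5.12) can be consolidated into one retention policy, which is what 5.4 asks Data Users to do. The following is an added example and not code from the slides, the Standard or the Code: the periods are the ones cited on the slides, while the record types, the dates, and the simplification of counting statutory periods from the collection date are constructed assumptions.

```python
"""Added example (not from the slides or any regulator): deciding when a
record may be disposed of by combining purpose-based necessity with the
statutory minimums, the 14-day form rule, the 24-month inactive schedule,
legal holds and the rule that the longer period prevails. Record types,
dates and the 'count from collection date' simplification are constructed."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Statutory minimum retention periods cited on the slides (in years).
STATUTORY_MINIMUM_YEARS = {
    "accounting_record": 7,   # Companies Act 2016 s.245(3)
    "business_record": 7,     # Income Tax Act 1967 s.82(1)(a)
    "employee_register": 6,   # Employment Act 1955 s.61(2)
}
FORM_DISPOSAL_DAYS = 14        # collection forms without legal value
INACTIVE_DISPOSAL_MONTHS = 24  # disposal schedule for inactive data


def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic (clamps 31st -> 30th, Feb 29 -> 28)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class RetentionDecision:
    dispose_on: Optional[date]   # None: keep for now and re-evaluate later
    basis: str                   # which rule produced the date


def retention_decision(record_type: str, collected_on: date,
                       purpose_fulfilled_on: Optional[date] = None,
                       last_active_on: Optional[date] = None,
                       has_legal_value: bool = False,
                       legal_hold: bool = False) -> RetentionDecision:
    # CoP 5.5: pending proceedings or investigations justify continued retention.
    if legal_hold:
        return RetentionDecision(None, "legal proceedings/investigation pending (CoP 5.5)")
    # Standard 2015: collection forms go within 14 days unless they carry legal value.
    if record_type == "collection_form" and not has_legal_value:
        return RetentionDecision(collected_on + timedelta(days=FORM_DISPOSAL_DAYS),
                                 "collection form without legal value: 14-day rule")
    # When does the processing purpose stop needing the data? The earlier of
    # the purpose being fulfilled and 24 months of inactivity.
    candidates = []
    if purpose_fulfilled_on is not None:
        candidates.append((purpose_fulfilled_on, "purpose fulfilled (PDPA s.10)"))
    if last_active_on is not None:
        candidates.append((add_months(last_active_on, INACTIVE_DISPOSAL_MONTHS),
                           "24-month inactive data disposal schedule"))
    if not candidates:
        return RetentionDecision(None, "purpose ongoing and data active: retain")
    necessity_end, basis = min(candidates, key=lambda c: c[0])
    # Other legislation requiring a longer period prevails (CoP 5.2 and 5.12).
    years = STATUTORY_MINIMUM_YEARS.get(record_type)
    if years is not None:
        statutory_end = add_months(collected_on, 12 * years)
        if statutory_end > necessity_end:
            return RetentionDecision(statutory_end,
                                     f"statutory minimum of {years} years prevails")
    return RetentionDecision(necessity_end, basis)


def disposal_schedule(records: list, today: date) -> list:
    """Return (record id, disposal date, basis) for records already due today.
    `records` is a list of (record id, keyword arguments for retention_decision)."""
    due = []
    for rid, kwargs in records:
        d = retention_decision(**kwargs)
        if d.dispose_on is not None and d.dispose_on <= today:
            due.append((rid, d.dispose_on, d.basis))
    return due


if __name__ == "__main__":
    # Constructed sample catalogue.
    catalogue = [
        ("form-7", dict(record_type="collection_form", collected_on=date(2020, 1, 1))),
        ("ledger-3", dict(record_type="accounting_record", collected_on=date(2019, 3, 1),
                          purpose_fulfilled_on=date(2020, 6, 1))),
        ("profile-9", dict(record_type="marketing_profile", collected_on=date(2019, 1, 1),
                           last_active_on=date(2019, 5, 10))),
    ]
    for rid, when, why in disposal_schedule(catalogue, date(2021, 6, 1)):
        print(rid, when, why)
```

Two design points follow directly from the slides: the purpose-based end date is the earliest applicable one (the data must not be kept longer than needed), whereas a statutory minimum is applied as a floor that overrides it (the longer requirement prevails), and a legal hold returns no date at all rather than a far-future one, so the record is re-evaluated when the matter closes.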
29. Security Principle
LAZADA collects information of different degrees of sensitivity,
so how do they protect said information?
• Identity data: name, gender, DOB
• Contact data: billing address, email, phone number
• Technical data: IP address, browser type, IMEI
• ID verification data: Govt issued documentation; IC, passport, etc.
• Transaction data: details about orders & payments, product & service details
• Account data: bank acc details, credit card details, etc.
30. Security Principle
7. Security of Your Personal Data
7.1. To safeguard your personal data from unauthorised access, collection, use,
disclosure, processing, copying, modification, disposal, loss, misuse, modification or
similar risks, we have introduced appropriate administrative, physical and
technical measures such as:
(a) Restricting access to personal data to individuals who require access;
(b) Maintaining technology products to prevent unauthorised computer access;
(c) Using 128-bit SSL (secure sockets layer) encryption technology when processing
your financial details; and/or
(d) implementing other security measures as required by applicable law.
Incorporate safeguard system into equipment that stores data
Securing data access to permitted personnel
31. Security Principle
In regards to the transfer of data overseas,
LAZADA assures that the receiving jurisdiction has a standard of protection
comparable to the transferring jurisdiction (comparable to MY's standards)
32. Retention Principle
8. Retention of Personal Data
8.1. We will only retain your personal data for as long as we are either
required or permitted to by law or as relevant for the purposes for which
it was collected.
8.2. We will cease to retain your personal data, or remove the means by
which the data can be associated with you, as soon as it is reasonable to
assume that such retention no longer serves the purposes for which the
personal data was collected, and is no longer necessary for any legal or
business purpose.
33. Retention Principle - Purposes Necessary to Retain Data
Purposes for collecting data
(i) Processing your order for products
(whether sold by us or a third party
seller)
(ii) Providing Services
(iii) Marketing and advertising
(iv) Legal and operational purposes
(v) Analytics, research, business and
development
(vi) Other
35. Retention Principle
If you withdraw consent for Lazada to use your personal data, or if you deactivate
your account, then Lazada would no longer have a purpose to retain your data and is
required by the PDPA to delete it.
36. How Different is Our PDPA
Compared to Other
Countries
We look further by comparing Malaysia's
PDPA on its Security and Retention
Principle with South Korea's Personal
Information Protection Act (PIPA)
37. Introduction to South Korea's PIPA and
Malaysia's PDPA
The Korean legislative system for personal information protection is composed of the Personal
Information Protection Act (“PIPA”), a general, comprehensive statute and the Credit Information
Use and Protection Act which regulates personal credit information. For the purpose of this
assignment, we will look into details of its Security Principles and Retention Principles.
Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection
Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force
on November 15, 2013. As part of an ongoing review of the PDPA, the Personal Data Protection
Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public
Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020)
dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in
PC01/2020, some of which will be set out in the course of the comparison.
38. Under South Korea's PIPA, as part of its Security Principles,
South Korea has an enforcement officer called the Data Protection
Officer under Article 31 (Designation of Privacy Officers).
Every personal data controller must designate a chief privacy
officer (“CPO”) who must be an employee or executive of the company.
The CPO’s obligations under the PIPA are as follows:
• establishing and implementing plans for the protection of
personal information
• performing periodic investigations and improving the
status and practices of the processing of personal
information
• handling complaints and dealing with damage pertaining
to the processing of personal information
• establishing internal control systems for preventing
leakage, misuse and abuse of personal information
• establishing and implementing training sessions for the
protection of personal information
• protecting, managing, and monitoring personal
information files
• establishing, amending, and implementing a personal
information processing policy
• managing materials concerning the protection of
personal information, and
• destroying personal information for which the purpose of
processing has been achieved or for which the retention
period has expired.
39. There are no nationality or residency requirements for the
chief privacy officer.
In the event that a CPO is not designated, the personal
information processing entity may be subject to a
maximum administrative fine of KRW 10 million under the
PIPA (equivalent to RM 35,146).
40. Currently, Malaysian law does not require that
data users appoint a data protection officer.
However, pursuant to PC01/2020, the
Commissioner is considering introducing an
obligation in the PDPA for a data user to
appoint a data protection officer and to
introduce a guideline pertaining to such
appointments.
41. Security Principles
Differences on PIPA and PDPA
Under the PIPA, every personal data controller must, when it processes personal information or
sensitive personal information of a data subject, take the following technical and administrative
measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss,
theft, leakage, alteration, or destruction of personal information:
• establishment and implementation of an internal control plan for handling personal information in a
safe way
• installation and operation of an access control device, such as a system for blocking intrusion to cut
off illegal access to personal information
• measures for preventing fabrication and alteration of access/log records
• measures for security including encryption technology and other methods for safe storage and
transmission of personal information, and
• measures for preventing intrusion of computer viruses, including installation and operation of
vaccine software, and other protective measures necessary for securing the safety of personal
information.
42. This is then supported by South Korea's Personal
Information Safeguards and Security Standards, which are
similar to our Personal Data Protection Standards; but, as
guidelines for the PIPA (Korea's personal data act), they
set out more detailed security standards.
43. Under the PDPA, data users have an obligation to take ‘practical’ steps to protect
personal data, and in doing so, must develop and implement a security policy.
The Commissioner may also, from time to time, set out security standards with
which the data user must comply, and the data user is required to ensure that its
data processors comply with these security standards.
In addition, the Standards provide separate security standards for personal data
processed electronically and for personal data processed non-electronically
(among others) and require data users to have regard to the Standards in taking
practical steps to protect the personal data from any loss, misuse, modification,
unauthorized or accidental access or disclosure, alteration or destruction.
Pursuant to PC01/2020, the Commissioner observed that there are many new
technologies such as facial recognition and smart trackers being used as data
collection endpoints, and thus is considering issuing a policy regarding the
endpoint security which uses technologies such as encryption.
44. Differences Explained
SOUTH KOREA
The security standards laid down in South Korea are strict: they set out
what is necessary to prevent a breach, including the level of encryption
required and the sole use of biometrics and personal identifiers to
control each stage of the processing of personal data, before, during
and after processing, including how it is to be done.
They also provide for notifications if or when there could be or there
is a threat of a breach, which is highlighted in the Act and the
standards. The Korean PIPA also sets out that if a breach does occur,
aside from giving notification and the organisation trying to remedy
it, the customer has a right to take the matter to court if it is
necessary for them to do so.
Malaysia
In Malaysia, the standards and guidelines are encouraged rather than
strictly adhered to. Although there are still minimum standards that
need to be followed by each organisation, including the Security
Principle and Retention Principle, the standards listed are too
general, which means it is still up to the organisation to interpret
what they mean. This results in different interpretations of the
Security Principle by each and every organisation.
45. Retention Principle
Differences on PIPA and PDPA
In South Korea, under the PIPA, the retention standards are strictly to be adhered to. In the PIPA, the
retention principles seem to be more direct, and all data users must follow what has been laid down. The basic
principles applicable to data retention include:
• the principle of fair and legitimate collection of the minimum necessary personal data to the extent
necessary for the explicitly stated and consented purposes; and
• the principle that such personal data must be handled only to the extent necessary for the explicitly stated
and consented purposes.
Under paragraph (1) of Article 21 of the PIPA, if the retention of personal data is required by South Korean law
or regulations beyond the retention period notified to, and consented to by, data subjects, such personal data will
need to be kept separate from any other personal data. This should be read together with paragraph (3), which
provides that where it is necessary for the personal information controller to retain the personal information,
the relevant personal information or personal information files shall be stored and managed separately from
other personal information.
46. Under the Korean PIPA, if a privacy policy states that there is a
need to safe-keep personal information pursuant to legal documentation,
or any provision requires the company to keep the data rather than
discard it, then, with the consent of the data subject, the personal
information officer in charge needs to set up separate encrypted
storage for the archive of that information, to which access is
available only to persons appointed under the relevant provisions.
47. The data retention principle laid down in Malaysia’s PDPA is a little
different, in that the data user has discretion to lay down the
retention period throughout the Act, the Standards and the CMA Code. This is
the only main difference as to what is construed as necessary under the two
Acts, as retention periods that apply under other legislation still apply
under both the Korean PIPA and Malaysia’s PDPA.
In Malaysia, the Act, the Standards and the CMA Code are silent on the
handling of data that needs to be safeguarded under certain laws. There is
no right or wrong way prescribed under the law, and it is up to each
organisation to interpret how personal information that needs to be retained
is to be kept safe. In Malaysia we see a lot of discretionary powers under
the retention principle rather than a very strict provision on how to deal
with the retention of data.
48. Differences Summed Up
Throughout the comparison, it seemed clear to us that South Korea’s Security Principle is stricter
and more closely adhered to than Malaysia’s. We believe this is because of South Korea’s advances in
technology and e-commerce, where everything is bound electronically in their “smart-nation” age.
This has led us to believe that it is important for them to adhere to these strict rules to protect
the personal information of their customers.
Although there seems to be a lack of rules and guidelines in Malaysia’s PDPA, mainly in its
Security and Retention Principles, we also believe that, as of now, Malaysia’s PDPA seems
competent in handling most cases of data breaches in Malaysia. This is supported by the minimal
number of reported cases involving Malaysian online business security and data breaches, which
leads us to believe that Malaysia, for now, has sufficient implementation of its security and data
retention principles.
50. Implement the Data Breach Notification
requirement.
• Presently, the PDPA does not provide any requirement for
a data user to notify or report any breach of personal data
to the PDPD or the data subject.
Security Principle
51. Breach notification, however, remains ungazetted law.
The authorities did issue Public
Consultation Paper 1/2018: The
Implementation of Data Breach
Notification.
It sets out, among other things:
• the requirement to notify the
Commissioner within 72 hours of
becoming aware of the data breach
incident
• to provide details about the data at
risk
• actions that have been taken or will be
taken to mitigate the risks to the data
• details of notifications to affected
individuals
• details of the organization's training
programs on data protection
52. While not mandatory, a data breach notification to the
Commissioner can be done online at the SPDP website.
54. HEALTH SECTOR
• A general reporting obligation
exists.
• Section 37(1) of the Private
Healthcare Facilities and Services
Act 1998 states that a private
healthcare facility or service
must report to the Director
General such unforeseeable and
unanticipated incidents as may
be prescribed.
• This is insufficient: such an
incident may or may not amount
to a data breach.
• Reports go to the Director General
only and not to the data subject.
Existence of reporting obligations
imposed by different authorities.
FINANCIAL SECTOR
• BNM has set out guidelines and regulations
to report to BNM regarding material security
breaches, system downtime and
degradation in system performance that
critically affects the insurer.
• Capital markets to report to SC.
• BNM has also issued a policy document on
Management of Customer Information and
Permitted Disclosures, which states that
financial service providers must have in
place a customer information breach
handling and response plan for the event
of theft, loss, misuse, or unauthorised
access, modification, or disclosure by
whatever means of customer information.
55. • 'Data processor' means any person, other than an employee of the data
user, who processes the personal data solely on behalf of the data user,
and does not process the personal data for his or her own purposes.
• A data processor who processes personal data solely on behalf of a data
user is not bound directly by the provisions of the PDPA.
• Section 9(2) of the PDPA puts the obligations on the data user instead to
ensure that the processor acts in line with the PDPA.
Ensure that data processors are
directly obligated under the
PDPA.
Security Principle
56. Provide a more comprehensive guideline
when it comes to data user's discretion.
Retention Principle
• The Code of Practice does not specify the applicable durations
that personal data may be retained.
• Where no statutory provision prescribes a minimum
retention period, the period is left to the discretion of
data users.
• While it is acknowledged that the discretion is given because
of the differing nature of data types, it is submitted that the
discretion given to the data user to keep and use the data as it
sees fit is too wide.
• Hence, a comprehensive guideline on how long the data user
should store the data is pertinent.
57. Provide a data retention taxonomy
according to data types, degree of
risk, etc.
Retention Principle
• A data taxonomy is the classification of data into categories and
sub-categories.
• It provides a cohesive view of data and introduces common
terminology across multiple systems.
• Data can be categorised based on its degree of sensitivity, risk
assessment, etc.
• Once it is categorised, the "necessity" for data retention can be
evaluated more closely.
• Hence a more systematically specified period of retention can
be implemented.
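The following is an added illustration of how such a taxonomy turns the abstract "necessary" test of the retention principle into a checkable schedule; it is example code written for this page, not part of the original presentation, the PDPA, the Standards or any Code of Practice. The categories, sensitivity levels, retention periods, record fields and the "statutory" flag are all assumptions chosen for the example. It also covers the previous recommendation's point that a statutory minimum period, where one exists, must take precedence over the data user's own schedule, and that uncatalogued data should be flagged for review rather than silently retained.

```python
"""Retention taxonomy sweep (illustrative example, not from the PDPA or any Code of Practice).

Each record is classified by category; the taxonomy maps a category to a sensitivity
level and a retention period counted from the date the purpose of processing ended.
All categories, periods and sample records below are assumed values for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RetentionRule:
    sensitivity: Sensitivity
    keep_days: int           # days the data remains "necessary" after the purpose ends
    statutory: bool = False  # True when another law fixes the minimum period (assumed here)


# Hypothetical taxonomy: category -> rule. The periods are illustrative only.
TAXONOMY: Dict[str, RetentionRule] = {
    "contact":      RetentionRule(Sensitivity.LOW, keep_days=365),
    "payment_card": RetentionRule(Sensitivity.HIGH, keep_days=0),
    "health":       RetentionRule(Sensitivity.HIGH, keep_days=30),
    "tax_record":   RetentionRule(Sensitivity.MEDIUM, keep_days=7 * 365, statutory=True),
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    purpose_ended_at: Optional[datetime] = None  # None while the purpose is still live
    legal_hold: bool = False                     # hold for litigation or a regulator


def retention_deadline(rec: Record) -> Optional[datetime]:
    """Date from which the record is no longer 'necessary'; None while the purpose is live.

    The clock starts when the purpose ends, not when the data was collected,
    which is what 'not kept longer than necessary' turns on.
    """
    if rec.purpose_ended_at is None:
        return None
    return rec.purpose_ended_at + timedelta(days=TAXONOMY[rec.category].keep_days)


def decide(rec: Record, now: datetime) -> str:
    """Return one of: retain, delete, review, hold."""
    if rec.category not in TAXONOMY:
        return "review"          # uncatalogued data never silently earns indefinite retention
    if rec.legal_hold:
        return "hold"            # a hold overrides the schedule but is reported, not hidden
    deadline = retention_deadline(rec)
    if deadline is None or now < deadline:
        return "retain"
    return "delete"


def sweep(records: List[Record], now: datetime) -> Dict[str, List[str]]:
    """Group record ids by the action the schedule requires at time `now`."""
    out: Dict[str, List[str]] = {"retain": [], "delete": [], "review": [], "hold": []}
    for rec in records:
        out[decide(rec, now)].append(rec.record_id)
    return out


UTC = timezone.utc
NOW = datetime(2021, 6, 1, tzinfo=UTC)  # fixed clock so the example is reproducible

# Constructed sample records (not real data).
SAMPLE_RECORDS: List[Record] = [
    Record("r1", "contact", datetime(2019, 3, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC)),
    Record("r2", "payment_card", datetime(2021, 5, 31, tzinfo=UTC), datetime(2021, 5, 31, tzinfo=UTC)),
    Record("r3", "health", datetime(2021, 1, 10, tzinfo=UTC)),                 # purpose still live
    Record("r4", "tax_record", datetime(2015, 6, 1, tzinfo=UTC), datetime(2016, 1, 1, tzinfo=UTC)),
    Record("r5", "contact", datetime(2018, 1, 1, tzinfo=UTC), datetime(2019, 1, 1, tzinfo=UTC),
           legal_hold=True),
    Record("r6", "biometric", datetime(2021, 2, 1, tzinfo=UTC)),               # not in the taxonomy
]

if __name__ == "__main__":
    for action, ids in sweep(SAMPLE_RECORDS, NOW).items():
        print(f"{action:7s} {ids}")
```

Running the sweep at the fixed clock puts r1 (a year past the end of its purpose) and r2 (card data with no retention after the purpose ends) in the delete list, keeps r3 (purpose live) and r4 (inside its assumed seven-year statutory period), reports r5 as held, and sends the uncatalogued r6 for review. The point of the taxonomy is that none of these decisions depends on an individual officer's judgement once the category and the purpose-end date are recorded.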
58. PROVIDE FOR A MANDATORY
INSPECTION OVER A STATED PERIOD
• Section 101(1)(a): The Commissioner
may carry out an inspection . . .
relating to the promotion of
compliance with the provisions of the
Act.
• The Act does not specify a period within
which an inspection must be carried out;
it is entirely at the discretion of the
Commissioner.
• Periodic inspection is needed to ensure
that the principles laid out in the PDPA
are complied with.
EXPAND THE USAGE OF PDPA TO
THE FEDERAL AND STATE
GOVERNMENTS
• Section 3(1): This Act shall not apply to
the Federal Government and State
Government.
• The National Registration Department
(NRD) / Jabatan Pendaftaran Negara (JPN)
holds the personal data of nearly every
citizen in Malaysia, and our income tax
returns, which contain detailed records
of our financial affairs and sources of
income, are well within the knowledge of
the Inland Revenue Board.
• These bodies are not subject to the Act
yet hold such data; the reasons given to
justify broad government access and use
include national security, law
enforcement and the combating of
terrorism.
Security & Retention Principle
59. Conclusion
Malaysia's current practice of the Security
and Retention Principle is sufficient for the
purpose of commercial transaction, for now.
However, there is room for improvement to
raise the threshold of cybersecurity in
Malaysia, in order to keep up with the fast-paced
landscape of cybersecurity worldwide.