GROUP 10
GROUP MEMBERS
• MARSYITAH AMIIRA BINTI MARZUKI (LIA190082 / 17204201/1)
• JULIA MAISARAH BINTI ISMAIL (LIA190057 / 17204122/1)
• NURUL HANA BINTI ABDUL HAKIM (LIA190123 / 17205554/1)
• MUHAMMAD SYADAD BIN NOR AZMAN (LIA190095 / 17204109/1)
• NURFARAHIN BINTI ZAINAL ABIDIN (LIA190113 / 17204127/1)
PDPA 2010: SECURITY & RETENTION PRINCIPLE
Question
The Security Principle states that a data user shall take practicable steps to
protect the personal data, whilst the Retention Principle laid down the rule that
the personal data shall not be kept longer than is necessary.
Elaborate on the meaning of the two variables in italics. In your answer, you are to
refer to any cases (if any) and regulations/standards/code of practice that may be
available relating to personal data protection.
Overview
• SECURITY PRINCIPLE
• RETENTION PRINCIPLE
• REAL-LIFE EXAMPLES
• COMPARISON OF OUR PDPA WITH OTHER COUNTRIES
• THE WAY FORWARD
SECURITY PRINCIPLE
The Security Principle imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
SECTION 9 OF THE PDPA
What are the practical steps?
Personal Data Protection Code of Practice
PDPA Standards 2015
Code of Practice
• The Code of Practice was issued pursuant to Section 23 of the PDPA.
• It aims to further inculcate the spirit and practice of ethical business within the industry while providing a self-regulating mechanism for the collection, maintenance, retention and disposal of personal data.
• The views of data users, data subjects and the relevant regulatory authority are taken into consideration in preparing the respective Code of Practice.
• Four codes of practice were finalised by the Commissioner in 2017, namely:
• Code of Practice for the Banking and Financial Sector 2017
• Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017
• Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017
• Personal Data Protection Code of Practice for the Communications Class Data Users 2017
• These “practical steps” will vary from case to case, depending on the nature of the personal data being processed by the Data User in question and the degree of sensitivity attached to the personal data, or the harm that the Data Subject might suffer due to its loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Code of Practice (CMA)
For Licensees Under The Communications And Multimedia Act 1998
Technical Security Measures
Organizational Security Measures
Organizational Security Measures
Data classification policy
• Personal data being processed by each Data User should ideally be categorised based on the sensitivity of the personal data and the harm that could arise vis-à-vis the Data Subject should the personal data be mishandled.
• The policy should identify the specific categories of personal data and the security measures associated with each of the said categories of personal data, in both physical and electronic formats.
Access control policy
• Personal data should be accessed by personnel of the Data User on a “need to know” basis.
• The policy will indicate the various levels of personnel that are permitted access, modification and/or deletion rights in relation to different categories of personal data.
• Access control policies should be supplemented with policies limiting access to technologies that allow personal data to be transferred out of the Data User’s organization (as detailed further under technical security measures), and the activation of audit logs which enable authorised and unauthorised access to personal data to be traced.
Confidentiality guidelines
• Guidelines in respect of the confidentiality of Data Subject information should be issued (either separately or as part of the employee handbook) to all personnel of Data Users in order to make clear the fundamental importance of confidentiality and the role that it plays in establishing confidence and market credibility in the branding of the Data User.
• Data Users must explicitly state the obligation of maintaining the confidentiality of Data Subject information, and where there has been a breach of the same, Data Users need to be seen to have taken the necessary action so that personnel are aware of how seriously Data Users take this issue.
Technical Security Measures
(a) Physical document security
• Physical documents need to be received, processed and stored securely.
(b) Physical access to IT facilities
• Access to IT facilities where the IT infrastructure and the telecommunications infrastructure of Data Users are located needs to be controlled at all times.
• This can be achieved through the use of security guards for perimeter and location security, and escorts.
(c) Physical access to IT systems and communications equipment
• Access to IT systems within Data Users’ offices or premises needs to be controlled at all times as personal data may be stored and/or displayed on them.
• This can be achieved by restricting physical access to any non-authorised personnel, careful positioning of PCs to ensure that screens are not viewable by non-authorised personnel, the use of screen savers for unattended PCs, and locked printer and/or fax rooms which are accessible only to authorised personnel.
(d) Back-ups
• Data Users should back up the personal data resident on their systems in order to guard against data loss.
• The media on which the backups reside should be stored off-site to prevent their loss together with the primary systems in the event of a major disaster.
(e) Anti-virus and anti-malware software
• Data Users would be required to install and regularly update their anti-virus software in order to avoid putting the personal data of Data Subjects at risk consequent to virus infections and other malware.
• Personnel should be restricted from downloading and installing applications that have not been approved by the IT department of the Data User, as these may introduce malware which may put personal data at risk.
(f) Securing access
• All personal data that is removed from the premises of the Data User with authorisation, whether on notebooks, tablets, smart phones, USB thumb drives or portable hard drives, is to be secured in order to prevent the personal data stored on the said devices being accessed without authorisation in the event that the said devices are stolen or lost.
• E-mails attaching personal data are also to be secured in order to prevent the personal data being accessed by unauthorised third parties.
PDPA Standards 2015
INTERPRETATION
“standard” means a document issued by the Commissioner, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
APPLICATION
3.1 This Standard applies to
a. any person who processes; and
b. any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions.
The Standards are considered the “minimum” standards to be observed by data users, as each and every requirement of the Standards must be implemented as part of the data user’s policy in its handling of the personal data of customers and employees.
Security Standards under PDPA Standards 2015
Data Security For Personal Data Processed Electronically
Data Security For Personal Data Processed Non-Electronically
Data Security For Personal Data Processed Electronically
• Register all employees involved in the processing of personal data.
• Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organisation.
• Control and limit employees’ access to the personal data system for the purpose of collecting, processing and storing personal data.
• Provide a user ID and password for authorized employees to access personal data.
• Terminate the user ID and password immediately when an employee who is authorized to access personal data is no longer handling the data.
• Establish physical security procedures as follows:
i. control the movement in and out of the data storage site;
ii. store personal data in an appropriate location which is unexposed and safe from physical or natural threats;
iii. provide a closed-circuit camera at the data storage site (if necessary); and
iv. provide 24-hour security monitoring (if necessary).
• Update the back-up/recovery system and anti-virus to prevent intrusion into personal data.
• Safeguard the computer systems from malware threats to prevent attacks on personal data.
• The transfer of personal data through removable media devices and cloud computing services is not permitted unless with written consent by an officer authorized by the top management of the data user organization.
• Record any transfer of data through removable media devices and cloud computing services.
• Personal data transfer through cloud computing services must comply with the personal data protection principles in Malaysia, as well as with the personal data protection laws of other countries.
• Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
• Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data.
• Bind any third party appointed by the data user with a contract for operating and carrying out personal data processing activities. This is to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
Data Security For Personal Data Processed Non-Electronically
• Register employees handling personal data in a system/registration book before they are allowed access to personal data.
• Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization.
• Control and limit employees’ access to the personal data system for the purpose of collecting, processing and storing personal data.
• Establish physical security procedures as follows:
i. store all personal data orderly in files;
ii. store all files containing personal data in a locked place;
iii. keep all the related keys in a safe place;
iv. provide a record of key storage; and
v. store personal data in an appropriate location which is unexposed and safe from physical or natural threats.
• Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
• Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data.
• Record personal data transferred conventionally, such as through mail, delivery, fax, etc.
• Ensure that all used papers, printed documents or other documents exhibiting personal data are destroyed thoroughly and efficiently by using a shredding machine or other appropriate methods.
• Conduct awareness programmes for all employees (if necessary) on the responsibility to protect personal data.
RETENTION PRINCIPLE
The Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary.
Elaborate on the meaning of the variables in italics.
PERSONAL DATA PROTECTION ACT 2010 ("PDPA 2010")
Section 10 - Retention Principle
(1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose.
(2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed.
Data Users can retain personal data but it cannot be longer than is necessary to fulfil the processing purpose.
However, this section does not define what “is necessary” means. Hence, reference will be made to the 2013 Regulation.
PERSONAL DATA PROTECTION REGULATION 2013 ("PDPR 2013")
Para 7 - Retention Standard
For the purposes of section 10 of the Act, the personal data of a data subject shall be retained in accordance with the retention standard set out from time to time by the Commissioner.
This standard can be seen in the 2015 Standard (Personal Data Protection Standard 2015).
PERSONAL DATA PROTECTION STANDARD 2015 ("PDPA 2015")
6.0 RETENTION STANDARD
The standard for retention of personal data which is processed electronically and non-electronically.
6.1 A data user shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed by having regard to the following descriptions -
1. Ensure that the retention periods in all legislation relating to the processing and retention of personal data are fulfilled before destroying the data.
2. Not to retain personal data for longer than is necessary UNLESS there are other legal provisions that require personal data to be kept for a longer period.
4. Personal data collection forms used in commercial transactions should be disposed of within a period not exceeding 14 days.
EXCEPTION - If the forms carry legal value in relation to the commercial transaction, then they may be retained for more than 14 days.
6. Prepare and maintain a personal data disposal schedule for inactive data with a 24 month period.
5.0 RETENTION PRINCIPLE
5.1 The Act places a responsibility on Data Users to hold personal data only for as long as necessary for the fulfilment of the purpose. The Act also provides that upon the purpose being fulfilled, Data Users are required to permanently destroy/delete the personal data. This requirement applies to both physical and electronic copies of documents containing personal data.
CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998
3.1 The Code shall apply to all Data Users including all:
• (i) Network Facilities Providers;
• (ii) Network Services Providers;
• (iii) Applications Service Providers; and
• (iv) Content Applications Service Providers,
as defined in the CMA 1998.
5.3 This Code does not specify the applicable durations that personal data may be retained for but leaves it to the discretion of Data Users.
However, there are certain statutory provisions that specify the minimum data retention periods.
5.2 For the avoidance of doubt, the Act does not override other applicable statutory provisions that require the retention of data/records/information for a specified minimum duration, for instance, the Communications and Multimedia Act 1998, the Companies Act 1965, Income Tax Act 1967, Employment Act 1955 or the Limitation Act 1953. The Act and such other applicable legislation must be read together.
Other Applicable Legislation
That requires the retention of data/records/information for a specified minimum duration.
Communications and Multimedia Act 1998
S 268. Minister may make rules on record-keeping
The Minister can make rules to provide for record-keeping, and to require one or more licensees or persons to keep and retain records.
Companies Act 2016
S 245. Accounts to be kept.
(1) A company, the directors and managers of a company shall -
• a. keep accounting and other records to sufficiently explain the transactions and financial position of the company;
• b. keep the accounting and other records in a manner as to enable the accounting to be conveniently and properly audited.
(3) The company shall retain the records referred to in subsection (1) for seven years after the completion of the transactions or operations to which the entries relate.
Income Tax Act 1967
S 82. Duty to keep records and give receipts
(1) Notwithstanding section 82A and subject to this section, every person carrying on a business -
(a) shall keep and retain in safe custody sufficient records for a period of seven years from the end of the year to which any income from that business relates …
Employment Act 1955
S 61. Duty to keep registers.
(1) Every employer shall prepare and keep one or more registers containing such information regarding each employee employed by him as may be prescribed by regulations made under this Act.
(2) Every such register shall be preserved for such period that every particular recorded therein shall be available for inspection for not less than six years after the recording thereof.
5.5 There may be certain instances in which Data Users need to retain personal data beyond a specified statutory period.
In these cases, Data Users should be able to demonstrate -
(i) a reasonable need to retain personal data beyond the applicable statutory period; and
(ii) (if available) provide evidence of their adherence to the same.
The commencement of legal proceedings or investigations concerning the Data Subject would qualify as grounds for continuing to retain the personal data until the disposal/closure of the matter and the expiry of the retention period specific to the matter itself.
5.4 In order to assist Data Users to keep track of the various retention periods as may be applicable to the various types of personal data processed by them, Data Users are required to consolidate all applicable retention periods into the Data User’s relevant retention policies which address the various categories of personal data, for example:
(i) Application forms
(ii) Unsuccessful applications
(iii) Call records
(iv) Customer audio recordings
(v) Defaulting customers
5.6 For the avoidance of doubt, the Retention Principle does not apply to backup and electronic archival data, subject to the Data User restricting access to the same to authorised personnel only and for backup or archival purposes respectively.
5.12 For the avoidance of doubt, in the event of a conflict between the Commissioner’s retention standard, this Code, any retention standard(s) (or their equivalent) set by the Malaysian Communications and Multimedia Commission or such other regulators of the Data User and/or any retention standard(s) (or their equivalent) prescribed by the law, the document setting the higher standard will prevail to the extent of the conflict.
MEANING OF "IS NECESSARY" UNDER THE RETENTION PRINCIPLE
The term “is necessary” under the Retention Principle is not defined in the PDPA. Generally, the retention period of personal data is at the discretion of Data Users. However, there are times where the minimum duration is specified in certain applicable legislation.
The retention periods may vary in accordance with the requirements set out by different laws. For those not specified by the laws, the appropriate retention period for personal data would therefore depend on the purpose for which it was collected.
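As an added illustration (not part of the original deck or of any regulator's material), the retention rules quoted above can be consolidated into a per-category retention schedule of the kind para 5.4 asks Data Users to maintain: the 14-day rule for collection forms and its legal-value exception, the 24-month disposal schedule for inactive data, the statutory minimums under the Companies Act 2016, Income Tax Act 1967 and Employment Act 1955 with the longest period prevailing (para 5.12), the legal-hold ground in para 5.5, and the backup/archive exemption in para 5.6. How the 24-month schedule is triggered and when the statutory clock starts are assumptions of this example, and all records below are constructed sample data.

```python
"""Retention-schedule evaluator modelled on the PDPA retention rules quoted above.

Assumptions (not taken from the PDPA text): the 24-month inactive-data schedule is
triggered from the last activity date, statutory clocks start when the purpose is
fulfilled, and all record values below are constructed sample data.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Statutory minimum retention periods (years) cited in the deck.
STATUTORY_MINIMUM_YEARS = {
    "companies_act_2016_s245": 7,   # 7 years after completion of the transaction
    "income_tax_act_1967_s82": 7,   # 7 years from the end of the year of income
    "employment_act_1955_s61": 6,   # registers available for not less than 6 years
}
FORM_DISPOSAL_DAYS = 14            # PDP Standard 2015: collection forms within 14 days
INACTIVE_REVIEW_MONTHS = 24        # PDP Standard 2015: disposal schedule for inactive data


def add_months(d: date, months: int) -> date:
    """Calendar-safe month arithmetic (31 Jan + 1 month clamps to 28/29 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Record:
    category: str
    collected_on: date
    last_activity_on: date
    purpose_fulfilled_on: Optional[date] = None    # None: still needed for its purpose
    statutory_bases: Tuple[str, ...] = ()          # keys of STATUTORY_MINIMUM_YEARS
    is_collection_form: bool = False
    form_has_legal_value: bool = False             # exception to the 14-day rule
    legal_hold: bool = False                       # proceedings/investigation (Code para 5.5)
    is_backup_or_archive: bool = False
    access_restricted: bool = False                # condition for the para 5.6 exemption


def statutory_retain_until(rec: Record) -> Optional[date]:
    """Longest applicable statutory minimum wins (Code para 5.12: higher standard prevails).
    Assumption: the clock starts when the purpose is fulfilled (transaction completed)."""
    if rec.purpose_fulfilled_on is None or not rec.statutory_bases:
        return None
    years = max(STATUTORY_MINIMUM_YEARS[b] for b in rec.statutory_bases)
    return add_months(rec.purpose_fulfilled_on, 12 * years)


def retention_decision(rec: Record, today: date) -> Tuple[str, Optional[date]]:
    """Return (decision, relevant date). The order of checks mirrors the rules' precedence."""
    # Para 5.6: backups/archives sit outside the Retention Principle only while access is
    # restricted to authorised personnel; an unrestricted copy is treated as live data.
    if rec.is_backup_or_archive and rec.access_restricted:
        return "EXEMPT_BACKUP_ARCHIVE", None
    # Para 5.5: open proceedings or investigations justify retention past any period.
    if rec.legal_hold:
        return "RETAIN_LEGAL_HOLD", None
    # Standard 2015: collection forms go within 14 days unless they carry legal value.
    if rec.is_collection_form and not rec.form_has_legal_value:
        due = rec.collected_on + timedelta(days=FORM_DISPOSAL_DAYS)
        return ("DISPOSE_DUE" if today >= due else "RETAIN_PENDING_DISPOSAL"), due
    # Purpose still live: keep, but surface data idle for 24 months to the disposal schedule.
    if rec.purpose_fulfilled_on is None:
        review = add_months(rec.last_activity_on, INACTIVE_REVIEW_MONTHS)
        return ("REVIEW_INACTIVE" if today >= review else "RETAIN_PURPOSE_ACTIVE"), review
    # Purpose fulfilled: s.10(2) requires deletion unless a statutory minimum still runs.
    until = statutory_retain_until(rec)
    if until is not None and today < until:
        return "RETAIN_STATUTORY", until
    return "DISPOSE_DUE", until or rec.purpose_fulfilled_on


# Constructed sample records (not real data), one per branch of the decision.
TODAY = date(2021, 6, 1)
SAMPLE_RECORDS = [
    Record("application_form", date(2021, 5, 1), date(2021, 5, 1), is_collection_form=True),
    Record("signed_contract_form", date(2021, 5, 1), date(2021, 5, 1),
           purpose_fulfilled_on=date(2021, 5, 1), is_collection_form=True,
           form_has_legal_value=True, statutory_bases=("companies_act_2016_s245",)),
    Record("employee_register", date(2010, 1, 4), date(2014, 3, 1),
           purpose_fulfilled_on=date(2014, 3, 1),
           statutory_bases=("employment_act_1955_s61", "income_tax_act_1967_s82")),
    Record("defaulting_customer", date(2018, 2, 1), date(2020, 9, 1),
           purpose_fulfilled_on=date(2020, 9, 1), legal_hold=True),
    Record("nightly_backup", date(2021, 5, 31), date(2021, 5, 31),
           is_backup_or_archive=True, access_restricted=True),
    Record("dormant_account", date(2017, 6, 1), date(2019, 1, 15)),
]


def schedule(records, today=TODAY):
    """Consolidated per-category view, as Code para 5.4 asks Data Users to maintain."""
    return {r.category: retention_decision(r, today) for r in records}


if __name__ == "__main__":
    for cat, (decision, when) in schedule(SAMPLE_RECORDS).items():
        print(f"{cat:22} {decision:24} {when or ''}")
```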
IRL Example
LAZADA'S SECURITY & RETENTION POLICY
Security Principle
LAZADA collects information of different degrees of sensitivity, so how do they protect said information?
• Identity data: name, gender, DOB
• Contact data: billing address, email, phone number
• Technical data: IP address, browser type, IMEI
• Transaction data: details about orders & payments, product & service details
• ID verification data: government-issued documentation; IC, passport, etc.
• Account data: bank account details, credit card details, etc.
Security Principle
7. Security of Your Personal Data
7.1. To safeguard your personal data from unauthorised access, collection, use,
disclosure, processing, copying, modification, disposal, loss, misuse, modification or
similar risks, we have introduced appropriate administrative, physical and
technical measures such as:
(a) Restricting access to personal data to individuals who require access;
(b) Maintaining technology products to prevent unauthorised computer access;
(c) Using 128-bit SSL (secure sockets layer) encryption technology when processing
your financial details; and/or
(d) implementing other security measures as required by applicable law.
Incorporate a safeguard system into equipment that stores data
Secure data access to permitted personnel
Security Principle
In regards to the transfer of data overseas, LAZADA assures that the receiving jurisdiction has a standard of protection comparable to the transferring jurisdiction (comparable to MY's standards).
Retention Principle
8. Retention of Personal Data
8.1. We will only retain your personal data for as long as we are either required or permitted to by law or as relevant for the purposes for which it was collected.
8.2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data was collected, and is no longer necessary for any legal or business purpose.
Retention Principle - Purposes Necessary to Retain Data
Purposes for collecting data
(i) Processing your order for products (whether sold by us or a third party seller)
(ii) Providing Services
(iii) Marketing and advertising
(iv) Legal and operational purposes
(v) Analytics, research, business and development
(vi) Other
Retention Principle
If you withdraw consent for Lazada to use your personal data, or if you deactivate your account, then Lazada would no longer have a purpose to retain your data and is required by the PDPA to delete it.
How Different is Our PDPA Compared to Other Countries
We look further by comparing Malaysia's PDPA on its Security and Retention Principle with South Korea's Personal Information Protection Act (PIPA).
Introduction to South Korea's PIPA and Malaysia's PDPA
The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute, and the Credit Information Use and Protection Act, which regulates personal credit information. For the purpose of this assignment, we will look into the details of its Security Principles and Retention Principles.
Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which will be set out in the course of the comparison.
Under South Korea's PIPA, as a part of their Security Principles, South Korea has an enforcement officer called the Data Protection Officer under Article 31 (Designation of Privacy Officers).
Every personal data controller must designate a chief privacy officer (“CPO”) who must be an employee or executive of the company.
The CPO’s obligations under the PIPA are as follows:
• establishing and implementing plans for the protection of personal information
• performing periodic investigations and improving the status and practices of the processing of personal information
• handling complaints and dealing with damage pertaining to the processing of personal information
• establishing internal control systems for preventing leakage, misuse and abuse of personal information
• establishing and implementing training sessions for the protection of personal information
• protecting, managing, and monitoring personal information files
• establishing, amending, and implementing a personal information processing policy
• managing materials concerning the protection of personal information, and
• destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.
There are no nationality or residency requirements for the chief privacy officer.
In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA (equivalent to RM 35,146).
Currently, Malaysian law does not require that data users appoint a data protection officer. However, pursuant to PC01/2020, the Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.
Security Principles
Differences on PIPA and PDPA
Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information:
• establishment and implementation of an internal control plan for handling personal information in a safe way
• installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information
• measures for preventing fabrication and alteration of access/log records
• measures for security including encryption technology and other methods for safe storage and transmission of personal information, and
• measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.
This is then supported by South Korea's Personal Information Safeguards and Security Standards, which are similar to our Personal Data Protection Standards; however, as guidelines for the PIPA (Korea's personal data act), they set out more detailed requirements in their Security Standards.
Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.
In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
Pursuant to PC01/2020, the Commissioner observed that many new technologies such as facial recognition and smart trackers are being used as data collection endpoints, and is thus considering issuing a policy regarding endpoint security which uses technologies such as encryption.
Differences Explained
SOUTH KOREA
The security standards laid down in South Korea are strict: they set out what is necessary to prevent any breach, including the level of encryption required and the use of biometrics and personal identifiers to control each stage of the processing of personal data (before, during and after processing), including how to do it.
They also require notifications if or when there could be, or there is, a threat of a breach, which is highlighted in both the Act and the standards. The Korean PIPA also sets out that if a breach does occur, aside from the notification and the organisation's attempts to remedy it, the customer has a right to take the matter to court if it is necessary for them to do so.
Malaysia
In Malaysia, the standards and guidelines are encouraged but not strictly adhered to. Although there are still minimum standards that need to be followed by each organisation, including the Security Principle and Retention Principle, every one of the standards listed is too general, and it is still up to the organisation to interpret what it means. This will result in different interpretations of the Security Principle by each and every organisation.
Retention Principle
Differences on PIPA and PDPA
In South Korea, under the PIPA, the retention standards laid down by the Act are to be strictly adhered to. In the PIPA, the retention principles seem more direct and all data users must follow what has been laid down. The basic principles applicable to data retention include:
• the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and
• the principle that such personal data must be handled only to the extent necessary for the explicitly stated and consented purposes.
Under paragraph (1) of Article 21 of the PIPA, if the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented to by, data subjects, such personal data will need to be kept separate from any other personal data. This should be read together with paragraph (3), which provides that where it is necessary for the personal information controller to retain the personal information, the relevant personal information or personal information files shall be stored and managed separately from other personal information.
In the Korean PIPA, if any privacy policy states that there is a need to safe-keep personal information pursuant to legal documentation, or any provision states that the company needs to keep the data rather than discard it, then, with the consent of the data subject, the personal information officer in charge needs to create separate encrypted storage for the archive of the said information, where access is limited to persons appointed under the relevant provisions.
The data retention principles laid down in Malaysia’s PDPA are a little different, as the data user has discretion to set the retention period throughout the Act, the Standards and the CMA Code. This is the only main difference in what is construed as necessary under the two Acts, since retention periods that apply under other legislation still apply under both the Korean PIPA and Malaysia’s PDPA.
In Malaysia, the Act, the Standards and the CMA Code are silent on how data that needs to be safeguarded under certain laws is to be handled. There is no right or wrong way prescribed under the law, and the manner of safekeeping personal information that needs to be retained is left to the interpretation of each organisation. In Malaysia we see a lot of discretionary powers under the Retention Principle rather than a very strict provision on how to deal with the retention of data.
Differences Summed Up
Throughout the comparison, it seemed clear to us that South Korea’s Security Principle is stricter and more closely adhered to than Malaysia's. We believe this is because of South Korea’s advancement in technological affairs and e-commerce, where everything is bound electronically in their “smart-nation” age. This has led us to believe that it is important for them to adhere to these strict rules to protect the personal information of their customers.
Although there seems to be a lack of rules and guidelines in Malaysia’s PDPA, mainly in its Security and Retention Principles, we also believe that, as of now, Malaysia’s PDPA seems competent in handling most cases of data breaches in Malaysia. This is supported by the small number of reported cases concerning Malaysia’s online business security and data breaches, which leads us to believe that Malaysia, for now, has sufficient implementation of its Security and Retention Principles.
THE WAY FORWARD
Improvements that can be made to the Security &
Retention Principle.
Implement the Data Breach Notification requirement.
• Presently, the PDPA does not provide any requirement for
a data user to notify or report any breach of personal data
to the PDPD or the data subject.
Security Principle
Data breach notification therefore remains ungazetted law.
The authorities did, however, issue Public
Consultation Paper 1/2018: The
Implementation of Data Breach
Notification.
It sets out among other things:
• the requirement to notify the
Commissioner within 72 hours of
becoming aware of the data breach
incident
• to provide details about the data at
risk
• actions that have been taken or will be
taken to mitigate the risks to the data
• details of notifications to affected
individuals
• details of the organization's training
programs on data protection
While not mandatory, a data breach notification to the
Commissioner can be done online at the SPDP website.
Existence of reporting obligations
imposed by different authorities.
HEALTH SECTOR
• A general reporting obligation exists.
• Section 37(1) of the Private Healthcare
and Facilities Act 1998 states that a private
healthcare facility or service must report
to the Director General such unforeseeable
and unanticipated incidents as may be
prescribed.
• This is insufficient: such incidents may or
may not amount to a data breach.
• Reports go to the Director General only,
not to the data subject.
FINANCIAL SECTOR
• BNM has set out guidelines and regulations
to report to BNM regarding material security
breaches, system downtime and
degradation in system performance that
critically affects the insurer.
• Capital markets to report to SC.
• The BNM also issued the Management of
Customer Information and Permitted
Disclosures policy document, which states that
financial service providers must have in place
a customer information breach handling and
response plan in the event of theft, loss,
misuse, or unauthorised access,
modification, or disclosure by whatever
means of customer information.
Security Principle
Ensure that data processors are
directly obligated towards the
PDPA.
• 'Data processor' means any person, other than an employee of the data
user, who processes the personal data solely on behalf of the data user,
and does not process the personal data for his or her own purposes.
• A data processor who processes personal data solely on behalf of a data
user is not bound directly by the provisions of the PDPA.
• Section 9(2) of the PDPA puts the obligation on the data user instead to
ensure that the processor acts in line with the PDPA.
Provide a more comprehensive guideline
when it comes to data user's discretion.
Retention Principle
• The Code of Practice does not specify the applicable durations
for which personal data may be retained.
• Where no statutory provision specifies a minimum period, the
retention period is left to the discretion of Data Users.
• While it is acknowledged that the discretion is given due to the
different nature of data types, it is submitted that the discretion
given to the data user to make use of the data as they see fit is too
wide.
• Hence, a comprehensive guideline on how long the data user
should store the data is pertinent.
Provide a data retention taxonomy
according to data types, degree of
risk, etc.
Retention Principle
• A data taxonomy is the classification of data into categories and
sub-categories.
• It provides a cohesive view of data and introduces common
terminology across multiple systems.
• Data can be categorised based on its degree of sensitivity, risk
assessment, etc.
• Once it is categorised, the 'necessity' for data retention can be
evaluated more closely.
• Hence, a more systematically specified period of retention can
be implemented.
PROVIDE FOR A MANDATORY
INSPECTION OVER A STATED PERIOD
• Section 101(1)(a): The Commissioner
may carry out an inspection . . .
relating to the promotion of
compliance with the provisions of the
Act.
• Act does not specify a period in which
the inspection can be carried out. It is
entirely up to the discretion of the
Commissioner.
• There is a need for a periodical
inspection to ensure the principles
laid out in the PDPA are complied
with.
EXPAND THE USAGE OF PDPA TO
THE FEDERAL AND STATE
GOVERNMENTS
• Section 3(1): This Act shall not apply to
the Federal Government and State
Government.
• The National Registration Department
(NRD) / Jabatan Pendaftaran Negara (JPN)
holds the personal data of nearly every
citizen in Malaysia, and our income tax
returns, which contain detailed records of
our financial affairs and sources of income,
are well within the knowledge of the
Inland Revenue Board.
• They are not subject to this Act but have
access to such data; the reasons given to
justify broad government access and use
include national security, law enforcement
and the combating of terrorism.
Security & Retention Principle
Conclusion
Malaysia's current practice of the Security
and Retention Principles is sufficient for the
purpose of commercial transactions, for now.
However, there is room for improvement to
raise the threshold of cybersecurity in
Malaysia, in order to keep up with the fast-paced
landscape of cybersecurity worldwide.

More Related Content

Similar to Group 10 - PDPA II.pptx

DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesNapier University
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
 
Capstone Finished Presentation.doc
Capstone Finished Presentation.docCapstone Finished Presentation.doc
Capstone Finished Presentation.docKapricia Morris
 
security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatanceKudzi Chikwatu
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your DataUlf Mattsson
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataUlf Mattsson
 
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docx
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docxSectionxIS Security Policiesmmddyy-Effectivemmddyy-.docx
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docxkenjordan97598
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development   oss18 v20...Toreon adding privacy by design in secure application development   oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...Sebastien Deleersnyder
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016centralohioissa
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxTikdiPatel
 
Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...Benoît H. Dicaire
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network designnephtalie
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework- Mark - Fullbright
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management Black Duck by Synopsys
 

Similar to Group 10 - PDPA II.pptx (20)

DLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The ChallengesDLP: Monitoring Legal Obligations, Managing The Challenges
DLP: Monitoring Legal Obligations, Managing The Challenges
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
Capstone Finished Presentation.doc
Capstone Finished Presentation.docCapstone Finished Presentation.doc
Capstone Finished Presentation.doc
 
security and system mainatance
security and system mainatancesecurity and system mainatance
security and system mainatance
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
Information security
Information securityInformation security
Information security
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docx
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docxSectionxIS Security Policiesmmddyy-Effectivemmddyy-.docx
SectionxIS Security Policiesmmddyy-Effectivemmddyy-.docx
 
Toreon adding privacy by design in secure application development oss18 v20...
Toreon adding privacy by design in secure application development   oss18 v20...Toreon adding privacy by design in secure application development   oss18 v20...
Toreon adding privacy by design in secure application development oss18 v20...
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
Cyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptxCyber-Security-Unit-1.pptx
Cyber-Security-Unit-1.pptx
 
Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...Découvrez comment mettre en place un programme de protection des données effi...
Découvrez comment mettre en place un programme de protection des données effi...
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network design
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
 
Data security
Data securityData security
Data security
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management
 

Recently uploaded

VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackVIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackSuhani Kapoor
 
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...shivangimorya083
 
PM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterPM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterHector Del Castillo, CPM, CPMM
 
Final Completion Certificate of Marketing Management Internship
Final Completion Certificate of Marketing Management InternshipFinal Completion Certificate of Marketing Management Internship
Final Completion Certificate of Marketing Management InternshipSoham Mondal
 
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home MadeDubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Madekojalkojal131
 
Preventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxPreventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxGry Tina Tinde
 
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...Suhani Kapoor
 
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...Suhani Kapoor
 
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service Bhiwandi
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service BhiwandiVIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service Bhiwandi
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service BhiwandiSuhani Kapoor
 
Resumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineResumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineBruce Bennett
 
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...Suhani Kapoor
 
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Internshala Student Partner 6.0 Jadavpur University Certificate
Internshala Student Partner 6.0 Jadavpur University CertificateInternshala Student Partner 6.0 Jadavpur University Certificate
Internshala Student Partner 6.0 Jadavpur University CertificateSoham Mondal
 
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceanilsa9823
 
The Impact of Socioeconomic Status on Education.pdf
The Impact of Socioeconomic Status on Education.pdfThe Impact of Socioeconomic Status on Education.pdf
The Impact of Socioeconomic Status on Education.pdftheknowledgereview1
 
CFO_SB_Career History_Multi Sector Experience
CFO_SB_Career History_Multi Sector ExperienceCFO_SB_Career History_Multi Sector Experience
CFO_SB_Career History_Multi Sector ExperienceSanjay Bokadia
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理cowagem
 
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Niya Khan
 
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boody
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big BoodyDubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boody
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boodykojalkojal131
 

Recently uploaded (20)

VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service CuttackVIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
VIP Call Girl Cuttack Aashi 8250192130 Independent Escort Service Cuttack
 
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...Vip  Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
Vip Modals Call Girls (Delhi) Rohini 9711199171✔️ Full night Service for one...
 
PM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring ChapterPM Job Search Council Info Session - PMI Silver Spring Chapter
PM Job Search Council Info Session - PMI Silver Spring Chapter
 
Final Completion Certificate of Marketing Management Internship
Final Completion Certificate of Marketing Management InternshipFinal Completion Certificate of Marketing Management Internship
Final Completion Certificate of Marketing Management Internship
 
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home MadeDubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
Dubai Call Girls Naija O525547819 Call Girls In Dubai Home Made
 
Preventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptxPreventing and ending sexual harassment in the workplace.pptx
Preventing and ending sexual harassment in the workplace.pptx
 
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
VIP Call Girls in Jamshedpur Aarohi 8250192130 Independent Escort Service Jam...
 
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Jamshedpur Aishwarya 8250192130 Independent Escort Ser...
 
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service Bhiwandi
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service BhiwandiVIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service Bhiwandi
VIP Call Girl Bhiwandi Aashi 8250192130 Independent Escort Service Bhiwandi
 
Resumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying OnlineResumes, Cover Letters, and Applying Online
Resumes, Cover Letters, and Applying Online
 
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
 
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Internshala Student Partner 6.0 Jadavpur University Certificate
Internshala Student Partner 6.0 Jadavpur University CertificateInternshala Student Partner 6.0 Jadavpur University Certificate
Internshala Student Partner 6.0 Jadavpur University Certificate
 
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Greater Noida 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
 
The Impact of Socioeconomic Status on Education.pdf
The Impact of Socioeconomic Status on Education.pdfThe Impact of Socioeconomic Status on Education.pdf
The Impact of Socioeconomic Status on Education.pdf
 
CFO_SB_Career History_Multi Sector Experience
CFO_SB_Career History_Multi Sector ExperienceCFO_SB_Career History_Multi Sector Experience
CFO_SB_Career History_Multi Sector Experience
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理
 
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
 
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boody
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big BoodyDubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boody
Dubai Call Girls Demons O525547819 Call Girls IN DUbai Natural Big Boody
 

Group 10 - PDPA II.pptx

  • 1. GROUP 10 GROUP MEMBERS • MARSYITAH AMIIRA BINTI MARZUKI (LIA190082 / 17204201/1) • JULIA MAISARAH BINTI ISMAIL (LIA190057 / 17204122/1) • NURUL HANA BINTI ABDUL HAKIM (LIA190123 / 17205554/1) • MUHAMMAD SYADAD BIN NOR AZMAN (LIA190095 / 17204109/1) • NURFARAHIN BINTI ZAINAL ABIDIN (LIA190113 / 17204127/1) PDPA 2 01 0: SECURITY & RETENTION PRINCIPLE
  • 2. Question The Security Principle states that a data user shall take practicable steps to protect the personal data, whilst the Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the two variables in italics. In your answer, you are to refer to any cases (if any) and regulations/standards/code of practice that may be available relating to personal data protection.
  • 3. Overview • SECURITY PRINCIPLE • RETENTION PRINCIPLE • REAL-LIFE EXAMPLES • COMPARISON OF OUR PDPA WITH OTHER COUNTRIES • THE WAY FORWARD
  • 4. SECURITY PRINCIPLE The Security Principle imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
  • 5. SECTION 9 OF THE PDPA
  • 6. What are the practical steps? Personal Data Protection Code of Practice PDPA Standards 2015
  • 7. Code of Practice • The Code of Practice was issued pursuant to Section 23 of the PDPA • Aims to further inculcate the spirit and practice of ethical business within the industry while providing a self-regulating mechanism for collection, maintenance, retention and disposal of personal data. • The views of data users, data subjects and the relevant regulatory authority are taken into consideration in preparing the respective of Code of Practice.
  • 8. • Four codes of practice were finalised by the Commissioner in 2017 namely: • Code of Practice for the Banking and Financial Sector 2017, • Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017 • Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017 • Personal Data Protection Code of Practice for the Communications Class Data Users 2017 • These “practical steps” will vary from case to case, depending on the nature of personal data being processed by the Data User in question and the degree of sensitivity attached to the personal data or harm that the Data Subject might suffer due to its loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Code of Practice
  • 9. Code of Practice (CMA) For Licensees Under The Communications And Multimedia Act 1998 Technical Security Measures Organizational Security Measures
  • 10. Organizational Security Measures Data classification policy • Personal data being processed by each Data User should ideally be categorised based on the sensitivity of the personal data and the harm that could arise vis-à-vis the Data Subject should the personal data be mishandled. • The policy should identify the specific categories of personal data, the security measures associated with each of the said categories of personal data, both in physical and electronic Formats. Access control policy • Personal data should be accessed by personnel of the Data User based on a “need to know” basis. • Policy will indicate the various levels of personnel that are permitted access, modification and/or deletion rights in relation to different categories of personal data. • Access control policies should be supplemented with policies limiting access to technologies that allow personal data to be transferred out of the Data User’s organization (as detailed further under technical security measures), and the activation of audit logs which enable authorised and unauthorised access to personal data to be traced.
  • 11. Confidentiality guidelines • Guidelines in respect of the confidentiality of Data Subject information be issued (either separately or as part of the employee handbook) to all personnel of Data Users in order to make clear the fundamental importance of confidentiality and the role that it plays in establishing confidence and market credibility in the branding of the Data User. • Data Users must explicitly state the obligation of maintaining the confidentiality of Data Subject information, and where there has been a breach of the same, Data Users need to be seen to have taken the necessary action in order that personnel are aware of how seriously Data Users take this issue.
  • 12. Technical Security Measures (a) Physical document security • Physical documents need to be received, processed and stored securely. (b) Physical access to IT facilities • Access to IT facilities where the IT infrastructure and the telecommunications infrastructure of Data Users are located, needs to be controlled at all times. • This can be achieved through the use of security guards for perimeter and location security, and escorts. (c) Physical access to IT systems and communications equipment • Access to IT systems within Data Users’ offices or premises needs to be controlled at all times as personal data may be stored and/or displayed on them. • By restricting physical access to any non-authorised personnel, careful positioning of PCs in order to ensure that screens are not viewable by non-authorised personnel, the utilisation of screen savers for unattended PCs, and locked printer and/or fax rooms which are accessible only to authorised personnel.
  • 13. (d) Back-ups • Data Users should back-up the personal data resident on their systems in order to guard against data loss. • The media on which the backups are resident should be stored off-site to prevent their loss together with the primary systems in the event of a major disaster. (e) Anti-virus and anti-malware software • Data Users would be required to install and regularly update their anti-virus software in order to avoid putting the personal data of Data Subjects at risk consequent to virus infections and other malware. • Personnel should be restricted from downloading and installing applications that have not been approved by the IT department of the Data User as it may introduce malware which may put personal data at risk. (f) Securing access • All personal data that is removed from the premises of the Data User with authorisation, whether on notebooks, tablets, smart phones, USB thumb drives, portable hard drives, are to be secured in order to prevent the personal data stored on the said devices being accessed without authorisation in the event the said devices being stolen or lost. • E-mails attaching personal data are also to be secured in order to prevent the personal data being accessed by unauthorised third parties.
  • 14. PDPA Standards 2015 INTERPRETATION “standard” means a missued by the Commissioner, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, of order in a given context. APPLICATION 3.1 This Standard applies to a. any person who processes; and b. any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions. The Standards are considered the “minimum” standards to be observed by data users, as each and every requirement of the Standards must be implemented as part of the data user’s policy in its handling of the personal data of customers and employees.
  • 15. Security Standards under PDPA Standards 2015 Data Security For Personal Data Processed Electronically Data Security For Personal Data Processed Non-Electronically
  • 16. Data Security For Personal Data Processed Electronically • Register all employees involved in the processing of personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organisation. • Control and limit employees’ access to personal data system for the purpose of collecting, processing and storing of personal data. • Provide user ID and password for authorized employees to access personal data. • Terminate user ID and password immediately when an employee who is authorized access to personal data is no longer handling the data. • Establish physical security procedures as follow: i. control the movement in and out of the data storage site; ii. store personal data in an appropriate location which is unexposed and safe from physical or natural threats iii. provide a closed-circuit camera at the data storage site (if necessary), iv. provide a 24 hour security monitoring (if necessary).
• 17. • Keep the back-up/recovery system and anti-virus software up to date to prevent intrusion into personal data. • Safeguard the computer systems from malware threats to prevent attacks on personal data. • The transfer of personal data through removable media devices and cloud computing services is not permitted unless with the written consent of an officer authorized by the top management of the data user organization. • Record any transfer of data through removable media devices and cloud computing services. • Personal data transferred through a cloud computing service must comply with the personal data protection principles in Malaysia, as well as with the personal data protection laws of other countries involved. • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner. • Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Bind any third party appointed by the data user to operate and carry out personal data processing activities by contract. This is to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
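The access-control items above (register the employees who process personal data, terminate their access when they leave, record every access, and allow removable-media or cloud transfers only with written consent) are the kind of thing a data user can check mechanically against its own records. The following is an added example, not code from the slides or from the PDPA Standards 2015: it reconciles a constructed employee register, account list and access log and reports the gaps. Every field name and all of the sample data are assumptions made for the illustration.

```python
"""Added example, not from the slides or the PDPA Standards 2015: a check that
reconciles the employee register, the live account list and the access log
against the access-control items of the electronic-data standard. All data
below is constructed sample data and every field name is an assumption."""
from dataclasses import dataclass
from datetime import date

# Register of employees authorised to process personal data ("Register all
# employees involved in the processing of personal data"). `left` is the date
# the person resigned, was terminated, or moved to a role without access.
REGISTER = {
    "amira": {"left": None},
    "julia": {"left": date(2021, 3, 31)},   # resigned 31 Mar 2021
    "hana":  {"left": None},
}

# Accounts still enabled on the personal-data system ("Terminate user ID and
# password immediately when ... no longer handling the data").
ACCOUNTS = {"amira", "julia", "syadad"}   # julia has left; syadad is not registered

# Access record ("Maintain a proper record of access"): (date, user, action, detail).
ACCESS_LOG = [
    (date(2021, 4, 2), "amira",  "read",     "customer/1042"),
    (date(2021, 4, 3), "julia",  "read",     "customer/1043"),    # after leaving
    (date(2021, 4, 3), "syadad", "read",     "customer/1044"),    # never registered
    (date(2021, 4, 5), "amira",  "transfer", "usb:serial-9f21"),  # no written consent
    (date(2021, 4, 6), "hana",   "transfer", "cloud:bucket-a"),   # consent on file
]

# Written consents for removable-media / cloud transfers, issued by an officer
# authorised by top management ("not permitted unless with written consent").
TRANSFER_CONSENTS = {("hana", "cloud:bucket-a")}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def authorised_on(user, when, register=REGISTER):
    """True if `user` was registered and had not left as of `when`."""
    entry = register.get(user)
    if entry is None:
        return False
    return entry["left"] is None or when <= entry["left"]


def check_accounts(accounts=ACCOUNTS, register=REGISTER, today=date(2021, 4, 30)):
    """Accounts that should already have been terminated."""
    return [
        Finding("account-not-terminated", u, "enabled account, no current authorisation")
        for u in sorted(accounts)
        if not authorised_on(u, today, register)
    ]


def check_access_log(log=ACCESS_LOG, register=REGISTER, consents=TRANSFER_CONSENTS):
    """Access by unauthorised users, and transfers lacking written consent."""
    findings = []
    for when, user, action, detail in log:
        if not authorised_on(user, when, register):
            findings.append(Finding("unauthorised-access", user, f"{when} {action} {detail}"))
        if action == "transfer" and (user, detail) not in consents:
            findings.append(Finding("transfer-without-written-consent", user, f"{when} {detail}"))
    return findings


def run_all():
    return check_accounts() + check_access_log()


if __name__ == "__main__":
    for f in run_all():
        print(f"{f.rule:34} {f.user:7} {f.detail}")
```

Run as a script, the check lists the two accounts that should have been terminated (the employee who resigned and the account with no register entry), the two log entries made by people who were not authorised on that date, and the removable-media transfer for which no written consent was recorded. The same three inputs are what the Commissioner would expect to see when directing a data user to produce its access records.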
• 18. Data Security For Personal Data Processed Non-Electronically • Register employees handling personal data in a system/registration book before they are allowed access to personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization. • Control and limit employees’ access to the personal data system for the purpose of collecting, processing and storing personal data. • Establish physical security procedures as follows: i. store all personal data orderly in files; ii. store all files containing personal data in a locked place; iii. keep all the related keys in a safe place; iv. keep a record of key storage; and v. store personal data in an appropriate location which is unexposed and safe from physical or natural threats. • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
• 19. • Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Record personal data transferred conventionally, such as by mail, courier, fax, etc. • Ensure that all used papers, printed documents or other documents exhibiting personal data are destroyed thoroughly and effectively by using a shredding machine or other appropriate methods. • Conduct awareness programmes for all employees (if necessary) on the responsibility to protect personal data.
  • 20. RETENTION PRINCIPLE The Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the variables in italics.
• 21. PERSONAL DATA PROTECTION ACT 2010 ("PDPA 2010") Section 10 - Retention Principle (1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. (2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed. Data Users can retain personal data, but not for longer than is necessary to fulfil the processing purpose. However, this section does not define what “is necessary” means, so reference must be made to the 2013 Regulation. PERSONAL DATA PROTECTION REGULATIONS 2013 ("PDPR 2013") Para 7 - Retention Standard For the purposes of section 10 of the Act, the personal data of a data subject shall be retained in accordance with the retention standard set out from time to time by the Commissioner. That standard is the one set out in the Personal Data Protection Standard 2015.
• 22. 6.0 PERSONAL DATA PROTECTION STANDARD 2015 ("Standard 2015") 6.1 RETENTION STANDARD The standard for retention of personal data which is processed electronically and non-electronically. A data user shall take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed, having regard to the following: 1. Not to retain personal data for longer than is necessary UNLESS there are other legal provisions that require personal data to be kept for a longer period. 2. Personal data collection forms used in commercial transactions should be disposed of within a period not exceeding 14 days. EXCEPTION: if the forms carry legal value in relation to the commercial transaction, they may be retained for more than 14 days. 3. Ensure that the retention periods in all legislation relating to the processing and retention of personal data are fulfilled before destroying the data. 4. Prepare and maintain a personal data disposal schedule for inactive data with a 24-month period.
• 23. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 3.1 The Code shall apply to all Data Users including all; • (i) Network Facilities Providers; • (ii) Network Services Providers; • (iii) Applications Service Providers; and • (iv) Content Applications Service Providers, as defined in the CMA 1998. 5.0 RETENTION PRINCIPLE 5.1 The Act places a responsibility on Data Users to hold personal data only for as long as necessary for the fulfilment of the purpose. The Act also provides that upon the purpose being fulfilled, Data Users are required to permanently destroy/delete the personal data. This requirement applies to both physical and electronic copies of documents containing personal data. However, there are certain statutory provisions that specify minimum data retention periods. 5.2 For the avoidance of doubt, the Act does not override other applicable statutory provisions that require the retention of data/records/information for a specified minimum duration, for instance, the Communications and Multimedia Act 1998, the Companies Act 1965, Income Tax Act 1967, Employment Act 1955 or the Limitation Act 1953. The Act and such other applicable legislation must be read together. 5.3 This Code does not specify the applicable durations that personal data may be retained for but leaves it to the discretion of Data Users.
• 24. Other Applicable Legislation That requires the retention of data/records/information for a specified minimum duration. Communications and Multimedia Act 1998 S 268. Minister may make rules on record-keeping The Minister can make rules to provide for record-keeping, and to require one or more licensees or persons to keep and retain records. Companies Act 2016 S 245. Accounts to be kept. (1) A company, the directors and managers of a company shall - • a. keep accounting and other records to sufficiently explain the transactions and financial position of the company; • b. keep the accounting and other records in a manner as to enable the accounts to be conveniently and properly audited. (3) The company shall retain the records referred to in subsection (1) for seven years after the completion of the transactions or operations to which the entries relate.
• 25. Other Applicable Legislation That requires the retention of data/records/information for a specified minimum duration. Income Tax Act 1967 S 82. Duty to keep records and give receipts (1) Notwithstanding section 82A and subject to this section, every person carrying on a business - (a) shall keep and retain in safe custody sufficient records for a period of seven years from the end of the year to which any income from that business relates … Employment Act 1955 S 61. Duty to keep registers. (1) Every employer shall prepare and keep one or more registers containing such information regarding each employee employed by him as may be prescribed by regulations made under this Act. (2) Every such register shall be preserved for such period that every particular recorded therein shall be available for inspection for not less than six years after the recording thereof.
• 26. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 5.4 In order to assist Data Users to keep track of the various retention periods as may be applicable to the various types of personal data processed by them, Data Users are required to consolidate all applicable retention periods into the Data User’s relevant retention policies which address the various categories of personal data, for example: (i) Application forms (ii) Unsuccessful applications (iii) Call records (iv) Customer audio recordings (v) Defaulting customers 5.5 There may be certain instances in which Data Users need to retain personal data beyond a specified statutory period. In these cases, Data Users should be able to demonstrate - (i) a reasonable need to retain personal data beyond the applicable statutory period; and (ii) (if available) provide evidence of their adherence to the same. The commencement of legal proceedings or investigations concerning the Data Subject would qualify as grounds for continuing to retain the personal data until the disposal/closure of the matter and the expiry of the retention period specific to the matter itself. 5.6 For the avoidance of doubt, the Retention Principle does not apply to backup and electronic archival data subject to the Data User restricting access to the same to authorised personnel only and for backup or archival purposes respectively. (This exemption is from the Retention Principle only; backups and archives still hold personal data and remain subject to the Security Principle.) 5.12 For the avoidance of doubt, in the event of a conflict between the Commissioner’s retention standard, this Code, any retention standard(s) (or their equivalent) set by the Malaysian Communications and Multimedia Commission or such other regulators of the Data User and/or any retention standard(s) (or their equivalent) prescribed by the law, the document setting the higher standard will prevail to the extent of the conflict.
• 27. MEANING OF "IS NECESSARY" UNDER THE RETENTION PRINCIPLE The term “is necessary” under the Retention Principle is not defined in the PDPA. Generally, the retention period of personal data is at the discretion of Data Users. However, there are cases where a minimum duration is specified in certain applicable legislation, and the retention periods may vary in accordance with the requirements set out by different laws. Where no period is specified by law, the appropriate retention period for personal data therefore depends on the purpose for which it was collected.
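Para 5.4 of the CMA Code asks data users to consolidate every applicable retention period into one policy per category of personal data, and the slides above supply the pieces of such a policy: the Standard 2015 rules (14 days for collection forms, a 24-month schedule for inactive data), the statutory minima (seven years under the Companies Act 2016 and the Income Tax Act 1967, six years under the Employment Act 1955), the legal-hold ground in para 5.5, and the rule in para 5.12 that the higher standard prevails. The following is an added example, not code from the slides or from any regulator, showing how those pieces combine into a single disposal decision per record. The statutory figures are those quoted on the page; the category names, the purpose-based periods and all dates are assumptions for the illustration.

```python
"""Added example, not from the slides, the Standard 2015 or the CMA Code: a
retention schedule that consolidates the periods quoted on this page into one
policy, as para 5.4 of the CMA Code asks data users to do. The statutory
periods are the ones quoted on the page; the category names, purpose-based
periods and all dates are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Sequence


def add_years(d: date, n: int) -> date:
    """Calendar-year arithmetic; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


# Statutory minimum retention periods quoted on the page, keyed by the record
# type they attach to.  The clock starts where the statute says it does:
# completion of the transaction, end of the tax year, or date of recording.
STATUTORY_MINIMA = {
    "accounting-record": ("Companies Act 2016 s245(3)", 7),
    "tax-record": ("Income Tax Act 1967 s82(1)(a)", 7),
    "employee-register": ("Employment Act 1955 s61(2)", 6),
}

# Purpose-based periods are at the data user's discretion (no statutory figure);
# these values are assumptions for the example.
PURPOSE_YEARS = {"order": 1, "account": 5, "accounting-record": 1, "employee-register": 1}

FORM_DISPOSAL = timedelta(days=14)  # Standard 2015: collection forms, 14 days
INACTIVE_YEARS = 2                  # Standard 2015: 24-month inactive-data schedule


@dataclass
class Record:
    ref: str
    category: str
    clock_start: date               # purpose fulfilled / transaction completed / recorded
    last_activity: date
    is_collection_form: bool = False
    form_has_legal_value: bool = False
    legal_hold: bool = False        # proceedings or investigation open (CMA Code 5.5)
    statutory_keys: tuple = ()      # which STATUTORY_MINIMA apply to this record


@dataclass
class Decision:
    ref: str
    dispose_on: Optional[date]      # None: retain until the hold is lifted
    basis: str


def decide(rec: Record) -> Decision:
    if rec.legal_hold:
        return Decision(rec.ref, None, "legal hold: retain until matter closed")
    if rec.is_collection_form and not rec.form_has_legal_value:
        return Decision(rec.ref, rec.clock_start + FORM_DISPOSAL, "collection form: 14 days")
    # "not longer than is necessary": the earlier of the purpose period and the
    # inactive-data schedule
    purpose_end = add_years(rec.clock_start, PURPOSE_YEARS[rec.category])
    inactive_end = add_years(rec.last_activity, INACTIVE_YEARS)
    dispose_on, basis = min((purpose_end, "purpose fulfilled"),
                            (inactive_end, "24-month inactive schedule"))
    # ... but never before a statutory minimum: the higher standard prevails
    for key in rec.statutory_keys:
        name, yrs = STATUTORY_MINIMA[key]
        floor = add_years(rec.clock_start, yrs)
        if floor > dispose_on:
            dispose_on, basis = floor, name
    return Decision(rec.ref, dispose_on, basis)


def due_for_disposal(records: Sequence[Record], today: date):
    """Refs whose disposal date has passed and that are not under legal hold."""
    return [d.ref for d in map(decide, records)
            if d.dispose_on is not None and d.dispose_on <= today]


# Constructed sample records
SAMPLE = [
    Record("R1", "order", date(2021, 1, 10), date(2021, 1, 10)),
    Record("R2", "accounting-record", date(2020, 6, 30), date(2020, 6, 30),
           statutory_keys=("accounting-record",)),
    Record("R3", "order", date(2021, 3, 1), date(2021, 3, 1), is_collection_form=True),
    Record("R4", "account", date(2018, 1, 1), date(2019, 2, 1)),
    Record("R5", "order", date(2019, 1, 1), date(2019, 1, 1), legal_hold=True),
]
TODAY = date(2021, 6, 1)

if __name__ == "__main__":
    for d in map(decide, SAMPLE):
        print(f"{d.ref}: {d.dispose_on}  ({d.basis})")
    print("due for disposal on", TODAY, "->", due_for_disposal(SAMPLE, TODAY))
```

The ordering of the checks is the point: the purpose period and the inactive-data schedule can only shorten retention, a statutory minimum can only lengthen it, and a legal hold overrides both. Note that `clock_start` must be set per statute (for the Income Tax Act it is the end of the year the income relates to, not the transaction date), and that the disposal itself still has to be carried out by an appropriate method and recorded, which this schedule does not do.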
• 29. Security Principle LAZADA collects information of differing degrees of sensitivity, so how does it protect that information? • Identity data: name, gender, DOB • Contact data: billing address, email, phone number • Technical data: IP address, browser type, IMEI • Transaction data: details about orders & payments, product & service details • ID verification data: government-issued documentation (IC, passport, etc.) • Account data: bank account details, credit card details, etc.
• 30. Security Principle 7. Security of Your Personal Data 7.1. To safeguard your personal data from unauthorised access, collection, use, disclosure, processing, copying, modification, disposal, loss, misuse, modification or similar risks, we have introduced appropriate administrative, physical and technical measures such as: (a) Restricting access to personal data to individuals who require access; (b) Maintaining technology products to prevent unauthorised computer access; (c) Using 128-bit SSL (secure sockets layer) encryption technology when processing your financial details; and/or (d) implementing other security measures as required by applicable law. In PDPA terms: incorporate safeguards into the equipment that stores the data, and limit data access to permitted personnel. (Note that the SSL protocol versions are deprecated; what such a clause describes today is TLS-encrypted transport, and transport encryption alone says nothing about how financial details are protected once stored.)
• 31. Security Principle With regard to the transfer of data overseas, LAZADA assures that the receiving jurisdiction has a standard of protection comparable to that of the transferring jurisdiction (i.e. comparable to Malaysia's standards).
  • 32. Retention Principle 8. Retention of Personal Data 8.1. We will only retain your personal data for as long as we are either required or permitted to by law or as relevant for the purposes for which it was collected. 8.2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data was collected, and is no longer necessary for any legal or business purpose.
  • 33. Retention Principle - Purposes Necessary to Retain Data Purposes for collecting data (i) Processing your order for products (whether sold by us or a third party seller) (ii) Providing Services (iii) Marketing and advertising (iv) Legal and operational purposes (v) Analytics, research, business and development (vi) Other
• 35. Retention Principle If you withdraw consent for Lazada to use your personal data, or if you deactivate your account, Lazada no longer has a purpose for retaining your data and is required by the PDPA to delete it.
  • 36. How Different is Our PDPA Compared to Other Countries We look further by comparing Malaysia's PDPA on its Security and Retention Principle with South Korea's Personal Information Protection Act (PIPA)
• 37. Introduction to South Korea's PIPA and Malaysia's PDPA The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute, and the Credit Information Use and Protection Act, which regulates personal credit information. For the purpose of this assignment, we will look at the details of its Security Principles and Retention Principles. Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020), dated February 14, 2020, to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which will be discussed in the course of the comparison.
• 38. Under South Korea's PIPA, as part of its security requirements, every personal data controller must designate a chief privacy officer (“CPO”) under Article 31 (Designation of Privacy Officers), who must be an employee or executive of the company. The CPO’s obligations under the PIPA are as follows: • establishing and implementing plans for the protection of personal information • performing periodic investigations and improving the status and practices of the processing of personal information • handling complaints and dealing with damage pertaining to the processing of personal information • establishing internal control systems for preventing leakage, misuse and abuse of personal information • establishing and implementing training sessions for the protection of personal information • protecting, managing, and monitoring personal information files • establishing, amending, and implementing a personal information processing policy • managing materials concerning the protection of personal information, and • destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.
• 39. There are no nationality or residency requirements for the chief privacy officer. If a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA (equivalent to about RM 35,146).
  • 40. Currently, Malaysian law does not require that data users appoint a data protection officer. However, pursuant to PC01/2020, the Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.
• 41. Security Principles Differences on PIPA and PDPA Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information: • establishment and implementation of an internal control plan for handling personal information in a safe way • installation and operation of an access control device, such as a system for blocking intrusion, to cut off illegal access to personal information • measures for preventing fabrication and alteration of access/log records • measures for security including encryption technology and other methods for safe storage and transmission of personal information, and • measures for preventing intrusion of computer viruses, including installation and operation of vaccine (anti-virus) software, and other protective measures necessary for securing the safety of personal information.
• 42. This is supported by South Korea's Personal Information Safeguards and Security Standards, which play a role similar to Malaysia's Personal Data Protection Standards but, as guidelines under the PIPA, set out considerably more detailed security requirements.
• 43. Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards. In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Pursuant to PC01/2020, the Commissioner observed that many new technologies, such as facial recognition and smart trackers, are being used as data collection endpoints, and is therefore considering issuing a policy on endpoint security using technologies such as encryption.
• 44. Differences Explained SOUTH KOREA The security standards laid down in South Korea are strict: they set out what is necessary to prevent a breach, including the level of encryption required and the use of biometrics and personal identifiers to control each stage of the processing of personal data (before, during and after), and how this is to be done. The Act and the standards also provide for notification where a breach is threatened or has occurred. The Korean PIPA further provides that if a breach does occur, beyond notification and the organisation's attempts to remedy it, the customer has a right to take the matter to court if necessary. MALAYSIA In Malaysia, the standards and guidelines are encouraged rather than strictly adhered to. Although there are minimum standards that every organisation must follow, including under the Security Principle and Retention Principle, the standards listed are too general, so it is still up to each organisation to interpret what they mean. The result is a different interpretation of the Security Principle by each organisation.
• 45. Retention Principle Differences on PIPA and PDPA In South Korea, under the PIPA, the retention standards are mandatory and must be strictly adhered to. The PIPA's retention principles are more direct, and every data user must follow what has been laid down. The basic principles applicable to data retention include: • the principle of fair and legitimate collection of the minimum personal data necessary for the explicitly stated and consented purposes; and • the principle that such personal data must be handled only to the extent necessary for the explicitly stated and consented purposes. Under paragraph (1) of Article 21 of the PIPA, if South Korean law or regulations require personal data to be retained beyond the retention period notified to, and consented to by, data subjects, such personal data must be kept separate from other personal data. This is to be read together with paragraph (3), which provides that where the personal information controller must retain the data under paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.
• 46. Under the Korean PIPA, if a privacy policy states that personal information must be kept pursuant to a legal requirement, or any provision requires the company to keep the data rather than discard it, then, with the consent of the data subject, the personal information officer in charge must maintain a separate encrypted archive for that information, with access limited to the persons designated under the relevant provisions.
• 47. The data retention principles laid down in Malaysia’s PDPA are somewhat different, in that the Act, the Standards and the CMA Code all leave the data user discretion to set the retention period. This is the main difference in what is construed as "necessary" under the two Acts, since retention requirements imposed by other legislation apply equally under the Korean PIPA and under Malaysia’s PDPA. In Malaysia, the Act, the Standards and the CMA Code are silent on how data that must be safeguarded under other laws is to be kept. No right or wrong method is prescribed by law, and it is left to each organisation to decide how to keep the personal information it is required to retain. In Malaysia we therefore see broad discretionary powers under the Retention Principle rather than strict provisions on how to deal with the retention of data.
• 48. Differences Summed Up Throughout the comparison, it seems clear to us that South Korea’s Security Principle is stricter and more closely adhered to than Malaysia’s. We believe this is because of South Korea’s advances in technology and e-commerce, where everything is conducted electronically in its “smart-nation” age, which makes it important for South Korea to adhere to strict rules to protect the personal information of its customers. Although there appears to be a lack of rules and guidelines in Malaysia’s PDPA, mainly in its Security and Retention Principles, we also believe that, as of now, Malaysia’s PDPA is competent to handle most cases of data breach in Malaysia. This is supported by the small number of reported cases involving Malaysian online business security and data breaches, which leads us to believe that Malaysia, for now, has sufficient implementation of its Security and Retention Principles.
  • 49. THE WAY FORWARD Improvements that can be made to the Security & Retention Principle.
• 50. Security Principle Implement the Data Breach Notification requirement. • Presently, the PDPA does not provide any requirement for a data user to notify or report a breach of personal data to the Personal Data Protection Department (PDPD) or to the data subject.
• 51. This, however, remains ungazetted law. The authorities did issue Public Consultation Paper No. 1/2018: The Implementation of Data Breach Notification. It sets out, among other things: • the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident • the details to be provided about the data at risk • the actions that have been taken or will be taken to mitigate the risks to the data • details of notifications to affected individuals • details of the organization's training programmes on data protection
• 52. While not mandatory, a data breach notification to the Commissioner can be submitted online through the SPDP website.
• 54. Existence of reporting obligations imposed by different authorities. HEALTH SECTOR • A general reporting obligation exists. • Section 37(1) of the Private Healthcare Facilities and Services Act 1998 states that a private healthcare facility or service must report to the Director General such unforeseeable and unanticipated incidents as may be prescribed. • This is insufficient: such an incident may or may not amount to a data breach. • Reports go to the Director General only, and not to the data subject. FINANCIAL SECTOR • BNM has set out guidelines and regulations requiring reports to BNM of material security breaches, system downtime and degradation in system performance that critically affects the insurer. • Capital markets participants report to the SC. • BNM also issued the Management of Customer Information and Permitted Disclosures policy, which states that financial service providers must have in place a customer information breach handling and response plan for the theft, loss, misuse, or unauthorised access, modification, or disclosure, by whatever means, of customer information.
• 55. Security Principle Ensure that data processors are directly obligated under the PDPA. • 'Data processor' means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for his or her own purposes. • A data processor who processes personal data solely on behalf of a data user is not bound directly by the provisions of the PDPA. • Section 9(2) of the PDPA instead puts the obligation on the data user to ensure that the processor acts in line with the PDPA.
• 56. Retention Principle Provide a more comprehensive guideline where the data user is given discretion. • The Code of Practice does not specify the applicable durations for which personal data may be retained. • Where no statutory provision specifies a minimum period, the period is left to the discretion of Data Users. • While it is acknowledged that this discretion is given because of the differing nature of data types, it is submitted that the discretion given to the data user to use the data as it sees fit is too wide. • Hence, a comprehensive guideline on how long a data user should store the data is pertinent.
• 57. Retention Principle Provide a data retention taxonomy according to data type, degree of risk, etc. • A data taxonomy is the classification of data into categories and sub-categories. • It provides a cohesive view of data and introduces common terminology across multiple systems. • Data can be categorised based on its degree of sensitivity, risk assessment, etc. • Once it is categorised, the 'necessity' for retaining each category can be evaluated more closely. • Hence a more systematically specified retention period can be implemented for each category.
• 58. Security & Retention Principle PROVIDE FOR A MANDATORY INSPECTION OVER A STATED PERIOD • Section 101(1)(a): The Commissioner may carry out an inspection . . . relating to the promotion of compliance with the provisions of the Act. • The Act does not specify a period within which an inspection must be carried out; it is entirely at the discretion of the Commissioner. • There is a need for periodic inspection to ensure that the principles laid out in the PDPA are complied with. EXPAND THE APPLICATION OF THE PDPA TO THE FEDERAL AND STATE GOVERNMENTS • Section 3(1): This Act shall not apply to the Federal Government and State Governments. • The National Registration Department (NRD) / Jabatan Pendaftaran Negara (JPN) holds the personal data of nearly every citizen in Malaysia, and our income tax returns, which contain detailed records of our financial affairs and sources of income, are held by the Inland Revenue Board. • These bodies are not subject to the Act yet hold this data; the reasons given to justify broad government access and use include national security, law enforcement and the combating of terrorism.
• 59. Conclusion Malaysia's current practice of the Security and Retention Principles is sufficient for the purpose of commercial transactions, for now. However, there is room for improvement to raise the threshold of cybersecurity in Malaysia, in order to keep up with the fast-paced landscape of cybersecurity worldwide.