SR
Uploaded bySuthaesh Ramash
PPTX, PDF58 views

Group 10 - PDPA II.pptx

The document discusses the roles of the security and retention principles under the Personal Data Protection Act (PDPA) in Malaysia. It outlines the obligations of data users to protect personal data and not retain it longer than necessary, along with practical steps for compliance and comparisons with regulations in other countries. Additionally, it provides specific guidelines on data handling, security measures, and examples of policies related to data retention and protection.

Embed presentation

Download to read offline
GROUP 10 GROUP MEMBERS • MARSYITAH AMIIRA BINTI MARZUKI (LIA190082 / 17204201/1) • JULIA MAISARAH BINTI ISMAIL (LIA190057 / 17204122/1) • NURUL HANA BINTI ABDUL HAKIM (LIA190123 / 17205554/1) • MUHAMMAD SYADAD BIN NOR AZMAN (LIA190095 / 17204109/1) • NURFARAHIN BINTI ZAINAL ABIDIN (LIA190113 / 17204127/1) PDPA 2 01 0: SECURITY & RETENTION PRINCIPLE
Question The Security Principle states that a data user shall take practicable steps to protect the personal data, whilst the Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the two variables in italics. In your answer, you are to refer to any cases (if any) and regulations/standards/code of practice that may be available relating to personal data protection.
Overview • SECURITY PRINCIPLE • RETENTION PRINCIPLE • REAL-LIFE EXAMPLES • COMPARISON OF OUR PDPA WITH OTHER COUNTRIES • THE WAY FORWARD
SECURITY PRINCIPLE The Security Principle imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
SECTION 9 OF THE PDPA
What are the practical steps? Personal Data Protection Code of Practice PDPA Standards 2015
Code of Practice • The Code of Practice was issued pursuant to Section 23 of the PDPA • Aims to further inculcate the spirit and practice of ethical business within the industry while providing a self-regulating mechanism for collection, maintenance, retention and disposal of personal data. • The views of data users, data subjects and the relevant regulatory authority are taken into consideration in preparing the respective of Code of Practice.
• Four codes of practice were finalised by the Commissioner in 2017 namely: • Code of Practice for the Banking and Financial Sector 2017, • Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017 • Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017 • Personal Data Protection Code of Practice for the Communications Class Data Users 2017 • These “practical steps” will vary from case to case, depending on the nature of personal data being processed by the Data User in question and the degree of sensitivity attached to the personal data or harm that the Data Subject might suffer due to its loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Code of Practice
Code of Practice (CMA) For Licensees Under The Communications And Multimedia Act 1998 Technical Security Measures Organizational Security Measures
Organizational Security Measures Data classification policy • Personal data being processed by each Data User should ideally be categorised based on the sensitivity of the personal data and the harm that could arise vis-à-vis the Data Subject should the personal data be mishandled. • The policy should identify the specific categories of personal data, the security measures associated with each of the said categories of personal data, both in physical and electronic Formats. Access control policy • Personal data should be accessed by personnel of the Data User based on a “need to know” basis. • Policy will indicate the various levels of personnel that are permitted access, modification and/or deletion rights in relation to different categories of personal data. • Access control policies should be supplemented with policies limiting access to technologies that allow personal data to be transferred out of the Data User’s organization (as detailed further under technical security measures), and the activation of audit logs which enable authorised and unauthorised access to personal data to be traced.
Confidentiality guidelines • Guidelines in respect of the confidentiality of Data Subject information be issued (either separately or as part of the employee handbook) to all personnel of Data Users in order to make clear the fundamental importance of confidentiality and the role that it plays in establishing confidence and market credibility in the branding of the Data User. • Data Users must explicitly state the obligation of maintaining the confidentiality of Data Subject information, and where there has been a breach of the same, Data Users need to be seen to have taken the necessary action in order that personnel are aware of how seriously Data Users take this issue.
Technical Security Measures (a) Physical document security • Physical documents need to be received, processed and stored securely. (b) Physical access to IT facilities • Access to IT facilities where the IT infrastructure and the telecommunications infrastructure of Data Users are located, needs to be controlled at all times. • This can be achieved through the use of security guards for perimeter and location security, and escorts. (c) Physical access to IT systems and communications equipment • Access to IT systems within Data Users’ offices or premises needs to be controlled at all times as personal data may be stored and/or displayed on them. • By restricting physical access to any non-authorised personnel, careful positioning of PCs in order to ensure that screens are not viewable by non-authorised personnel, the utilisation of screen savers for unattended PCs, and locked printer and/or fax rooms which are accessible only to authorised personnel.
(d) Back-ups • Data Users should back-up the personal data resident on their systems in order to guard against data loss. • The media on which the backups are resident should be stored off-site to prevent their loss together with the primary systems in the event of a major disaster. (e) Anti-virus and anti-malware software • Data Users would be required to install and regularly update their anti-virus software in order to avoid putting the personal data of Data Subjects at risk consequent to virus infections and other malware. • Personnel should be restricted from downloading and installing applications that have not been approved by the IT department of the Data User as it may introduce malware which may put personal data at risk. (f) Securing access • All personal data that is removed from the premises of the Data User with authorisation, whether on notebooks, tablets, smart phones, USB thumb drives, portable hard drives, are to be secured in order to prevent the personal data stored on the said devices being accessed without authorisation in the event the said devices being stolen or lost. • E-mails attaching personal data are also to be secured in order to prevent the personal data being accessed by unauthorised third parties.
PDPA Standards 2015 INTERPRETATION “standard” means a missued by the Commissioner, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, of order in a given context. APPLICATION 3.1 This Standard applies to a. any person who processes; and b. any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions. The Standards are considered the “minimum” standards to be observed by data users, as each and every requirement of the Standards must be implemented as part of the data user’s policy in its handling of the personal data of customers and employees.
Security Standards under PDPA Standards 2015 Data Security For Personal Data Processed Electronically Data Security For Personal Data Processed Non-Electronically
Data Security For Personal Data Processed Electronically • Register all employees involved in the processing of personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organisation. • Control and limit employees’ access to personal data system for the purpose of collecting, processing and storing of personal data. • Provide user ID and password for authorized employees to access personal data. • Terminate user ID and password immediately when an employee who is authorized access to personal data is no longer handling the data. • Establish physical security procedures as follow: i. control the movement in and out of the data storage site; ii. store personal data in an appropriate location which is unexposed and safe from physical or natural threats iii. provide a closed-circuit camera at the data storage site (if necessary), iv. provide a 24 hour security monitoring (if necessary).
• Update the Back up/Recovery System and anti-virus to prevent personal data intrusion and such. • Safeguard the computer systems from malware threats to prevent attacks on personal data. • The transfer of personal data through removable media device and cloud computing service is not permitted unless with written consent by an officer authorized by the top management of the data user organization. • Record any transfer of data through removable media device and cloud computing service. • Personal data transfer through cloud computing service must comply with the personal data protection principles in Malaysia, as well as with personal data protection laws of other countries. • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner. • Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Bind an appointed third party by the data user with a contract for operating and carrying out personal data processing activities. This is to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
Data Security For Personal Data Processed Non- Electronically • Register employees handling personal data into a system/registration book before being allowed access to personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization. • Control and limit employees’ access to personal data system for the purpose collecting, processing and storing of personal data. • Establish physical security procedures as follow: i. store all personal data orderly in files; ii. store all files containing personal data in a locked place; iii. keep all the related keys in a safe place; iv. provide record for keys storage; and v. store personal data in an appropriate location which is unexposed and safe from physical or natural threats • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
• Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Record personal data transferred conventionally such as through mail, delivery, fax and etc. • Ensure that all used papers, printed documents or other documents exhibiting personal data are destroyed thoroughly and efficiently by using shredding machine or other appropriate methods. • Conduct awareness programmes to all employees (if necessary) on the responsibility to protect personal data.
RETENTION PRINCIPLE The Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the variables in italics.
PERSONAL DATA PROTECTION ACT 2010 ("PDPA 2010") Section 10 - Retention Principle (1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. (2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed. Data Users can retain personal data but it cannot be longer than is necessary to fulfil the processing purpose. PERSONAL DATA PROTECTION REGULATION 2013 ("PDPR 2013") Para 7 - Retention Standard For the purposes of section 10 of the Act, the personal data of a data subject shall be retained in accordance with the retention standard set out from time to time by the Commissioner. This standard can be seen in the 2015 Standard (Personal Data Protection Standard 2015). However, this section does not define what “is necessary” means. Hence, reference will be made to the 2013 Regulation.
Ensure that the retention period in all legislation relating to the processing and retention of personal data are fulfilled before destroying the data. 1. Not to retain personal data for longer than is necessary UNLESS there are other legal provisions that require personal data to be kept for a longer period. 2. Personal data collection forms used in commercial transactions should be disposed within the period not exceeding 14 days. EXCEPTION - If the forms carry legal values in relation to the commercial transaction, then it may be retained for more than 14 days. 4. Prepare and maintain a personal data disposal schedule for inactive data with a 24 month period. 6. A data user shall, take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed by having regard to the following descriptions - 6.1 RETENTION STANDARD The standard for retention of personal data which is processed electronically and non-electronically. 6.0 PERSONAL DATA PROTECTION STANDARD 2015 ("PDPA 2015")
5.0 RETENTION PRINCIPLE 5.1 The Act places a responsibility on Data Users to hold personal data only for as long as necessary for the fulfilment of the purpose. The Act also provides that upon the purpose being fulfilled, Data users are required to permanently destroy/delete the personal data. This requirement applies to both physical and electronic copies of documents containing personal data. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 3.1 The Code shall apply to all Data Users including all; • (i) Network Facilities Providers; • (ii) Network Services Providers; • (iii) Applications Service Providers; and • (iv) Content Applications Service Providers, As defined in the CMA 1998. However, there are certain statutory provisions that specify the minimum data retention periods. 5.3 This Code does not specify the applicable durations that personal data may be retained for but leaves it to the discretion of Data Users. 5.2 For the avoidance of doubt, the Act does not override other applicable statutory provisions that require the retention of data/records/information for a specified minimum duration, for instance, the Communications and Multimedia Act 1998, the Companies Act 1965, Income Tax Act 1967, Employment Act 1955 or the Limitation Act 1953. The Act and such other applicable legislation must be read together.
Other Applicable Legislations That require the retention of data/records/information for a specified minimum duration. Communications and Multimedia Act 1998 S 268. Minister may make rules on record- keeping The Minister can make rules to provide for recordkeeping, and to require one or more licensees or persons to keep and retain records. Companies Act 2016 S 245. Accounts to be kept. (1) A company, the directors and managers of a company shall - • a. Keep accounting and other records to sufficiently explain the transactions and financial position of the company; • b. Keep the accounting and other records in a manner as to enable the accounting to be conveniently and properly audited. (3) The company shall retain the records referred to in subsection (1) for seven years after the completion of the transactions or operations to which entries relate.
Other Applicable Legislations That require the retention of data/records/information for a specified minimum duration. Income Tax Act 1967 S 82. Duty to keep records and give receipts (1) Notwithstanding section 82A and subject to this section, every person carrying on a business - (a) shall keep and retain in safe custody sufficient records for a period of seven years from the end of the year to which any income from that business relates … Employment Act 199 S 61. Duty to keep registers. (1) Every employer shall prepare and keep one or more registers containing such information regarding each employee employed by him as may be prescribed by regulations made under this Act. (2) Every such register shall be preserved for such period that every particular recorded therein shall be available for inspection for not less than six years after the recording thereof.
5.5 There may be certain instances in which Data Users need to retain personal data beyond a specified statutory period. In these cases, Data Users should be able to demonstrate - (i) a reasonable need to retain personal data beyond the applicable statutory period; and (ii) (if available) provide evidence of their adherence to the same. The commencement of legal proceedings or investigations concerning the Data Subject would qualify as grounds for continuing to retain the personal data until the disposal/closure of the matter and the expiry of the retention period specific to the matter itself. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 5.4 In order to assist Data Users to keep track of the various retention periods as may be applicable to the various types of personal data processed by them, Data Users are required to consolidate all applicable retention periods into the Data User’s relevant retention policies which addresses the various categories of personal data, for example: (i) Application forms (ii) Unsuccessful applications (iii) Call records (iv) Customer audio recordings (v) Defaulting customers 5.6 For the avoidance of doubt, the Retention Principle does not apply to backup and electronic archival data subject to the Data User restricting access to the same to authorised personnel only and for backup or archival purposes respectively. 5.12 For the avoidance of doubt, in the event of a conflict between the Commissioner’s retention standard, this Code, any retention standard(s) (or their equivalent) set by the Malaysian Communications and Multimedia Commission or such other regulators of the Data User and/or any retention standard(s) (or their equivalent) prescribed by the law, the document setting the higher standard will prevail to the extent of the conflict.
The term “is necessary” under the Retention Principle is not defined in the PDPA. Generally, the retention period of personal data is at the discretion of Data Users. However, there are times where the minimum duration is specified in certaain applicable legislations. The retention periods may vary in accordance with the requirements set out by different laws. For those not specified by the laws, the appropriate retention period for personal data would therefore depend on the purpose for which it was collected. MEANING OF "IS NECESSARY" UNDER THE RETENTION PRINCIPLE
IRL Example LAZADA'S SECURITY & RETENTION POLICY
Security Principle LAZADA collects information of different degree of sensitivity so how do they protect said information? Identity data Contact data Technical data Technical data Transaction data ID verification data Account data IP address, browser type, IMEI billing address, email, phone number name, gender, DOB Govt issued documentation; IC, passport, etc details about orders & payments, product & service details bank acc details, credit card details, etc
Security Principle 7. Security of Your Personal Data 7.1. To safeguard your personal data from unauthorised access, collection, use, disclosure, processing, copying, modification, disposal, loss, misuse, modification or similar risks, we have introduced appropriate administrative, physical and technical measures such as: (a) Restricting access to personal data to individuals who require access; (b) Maintaining technology products to prevent unauthorised computer access; (c) Using 128-bit SSL (secure sockets layer) encryption technology when processing your financial details; and/or (d) implementing other security measures as required by applicable law. Incorporate safeguard system into equipment that stores data Securing data access to permitted personnel
Security Principle In regards to the transfer of data overseas, LAZADA assures that the receiving jurisdiction has a standard of protection comparable to the transferring jurisdiction (comparable to MY's standards)
Retention Principle 8. Retention of Personal Data 8.1. We will only retain your personal data for as long as we are either required or permitted to by law or as relevant for the purposes for which it was collected. 8.2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data was collected, and is no longer necessary for any legal or business purpose.
Retention Principle - Purposes Necessary to Retain Data Purposes for collecting data (i) Processing your order for products (whether sold by us or a third party seller) (ii) Providing Services (iii) Marketing and advertising (iv) Legal and operational purposes (v) Analytics, research, business and development (vi) Other
Retention Principle
Retention Principle If you withdraw consent from Lazada using your personal data or if you deactivate your acc, then Lazada would no longer have a purpose to retain your data and is required by PDPA to delete it.
How Different is Our PDPA Compared to Other Countries We look further by comparing Malaysia's PDPA on its Security and Retention Principle with South Korea's Personal Information Protection Act (PIPA)
Introduction to South Korea's PIPA and Malaysia's PDPA The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute and the Credit Information Use and Protection Act which regulates personal credit information. For the purpose of this assignment, we will look into details of its Security Principles and Retention Principles. Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which will be set out in the course of the comparison. .
Under South Korea PIPA act, as a part of their Security Principles, South Korea has an enforcement officer called the Data Protection Officer under Article 31 (Designation of Privacy Officers) Every personal data controller must designate a chief privacy officer (“CPO”) who must be an employee or executive of the company. The CPO’s obligations under the PIPA are as follows: • establishing and implementing plans for the protection of personal information • performing periodic investigations and improving the status and practices of the processing of personal information • handling complaints and dealing with damage pertaining to the processing of personal information • establishing internal control systems for preventing leakage, misuse and abuse of personal information • establishing and implementing training sessions for the protection of personal information • protecting, managing, and monitoring personal information files • establishing, amending, and implementing a personal information processing policy • managing materials concerning the protection of personal information, and • destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.
There are no nationality or residency requirements for the chief privacy officer. In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA. (equivalent to 35 146 RM)
Currently, Malaysian law does not require that data users appoint a data protection officer. However, pursuant to PC01/2020, the Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.
Security Principles Differences on PIPA and PDPA Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information: • establishment and implementation of an internal control plan for handling personal information in a safe way • installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information • measures for preventing fabrication and alteration of access/log records • measures for security including encryption technology and other methods for safe storage and transmission of personal information, and • measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.
This is then supported by South Korea Personal Information Safeguards and Security Standards which is similar to our Personal Data Protection Standards, but instead for it to be a guidelines for the PIPA (Korea’s Personal Data Act) they give out more detailed standards on its Security Standards.
Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards. In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Pursuant to PC01/2020, the Commissioner observed that there are many new technologies such as facial recognition and smart trackers being used as data collection endpoints, and thus is considering issuing a policy regarding the endpoint security which uses technologies such as encryption.
Differences Explained SOUTH KOREA The Security standards laid down in south korea are strict in which they gives out what is necessary to prevent any breach including laying out certain level of encryption necessary and also the sole use of biometrics and personal identifiers to control each of the processing of the personal data during, in the middle or after the processing including how to do it They also gives out notifications if or when there could be or there is a threat for a breach, which is highlighted in the act and also standards. The Korean PIPA also sets out that if a breach does occur, aside from giving out notification and the organisation trying to remedy it, the customer has a right to take matters to court if it is necessary for them to do so Malaysia In Malaysia, the standards and guidelines are somehow encouraged but not to be strictly adhered to, although there are still minimum standards that needs to be followed by each of the organisations, including the Security Principle and Retention Principle, every one of the standards listed are too general and this means that it is still up to the organization to interpret what it means. This will result in different interpretations for a security principle by each and every one of the organisations.
Retention Principle Differences on PIPA and PDPA In South Korea, under the PIPA, the retention standards necessary for the Act to retain are strictly to be adhered. In PIPA, the retention principles seems to be more direct and all data user must follow what has been laid down. The basic principles applicable to data retention include: • the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and • the principle that such personal data must be handled only to the extent necessary for the explicitly stated and consented purposes. In paragraph one (1) of Article 21 of the PIPA, if the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented by, data subjects, such personal data will need to be kept separate from any other personal data. This matters should also be read where pursuant to paragraph (1), paragraph (3) takes it when it is necessary for the personal information controller to retain the data of the personal information the relevant personal information or personal information files shall be stored and managed separately from other personal information.
In the Korean PIPA, if any of the privacy policies states that there is a need to safe keep personal information pursuant to legal documentation or any provision stating that the company needs to keep the data aside from discarding it, with the consent of the data subject, the personal information officer in charge needs to make a separate encrypted storage for the archive of the said information where access is only applicable to persons appointed by the relevant provisions.
Data retention principles laid down in Malaysia’s PDPA is a little bit different where there is discretion for the data user to lay down the retention period throughout the act, standards and also CMA. This is the only main difference as what is construed as necessary for both of the Acts as the retention principle that applies under other legislations still applies to both the Korean PIPA and the Malaysia’s PDPA. In Malaysia, the Act and both the standards and the CMA is silent on the application of data that needs to be safeguard under certain laws. There is no right or wrong way prescribed under the law and it is up to the interpretation of each of the organisation in the manner of safekeeping these personal information that needs to be retained. In Malaysia we see a lot of discretionary powers under the retention principle rather than having a very strict provision on how to deal with the retention of data.
Differences Summed Up Throughout the comparison, it seemed clear to us that South Korea’s Security Principle is more strict and adhered than Malaysia as we believe that this is because of South Korea’s advancements on its technological affairs and e-commerce and where everything is bound electronically due to their “smart-nation” age. This has led us to believe that it is important for them to adhere to these strict rules to protect the personal information of their customers. Although there seems to be quite a lack of rules and guidelines in Malaysia’s PDPA mainly to its Security and Retention Principle, we also believe that as of now, Malaysia’s PDPA seems to be competent in handling most cases of data breaches in Malaysia. This could be supported with minimum reported case on Malaysia’s online business security and data breaches that we believe that Malaysia, for now has sufficient implementation to its security and data retention principle.
THE WAY FORWARD Improvements that can be made to the Security & Retention Principle.
Implement the Data Breach Notification requirement. • Presently, the PDPA does not provide any requirement for a data user to notify or report any breach of personal data to the PDPD or the data subject. Security Principle
This, however, remains ungazetted law. However, the authorities did issue a Public Consultation Paper 1/2018: The Implementation of Data Breach Notification. It sets out among other things: • the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident • to provide details about the data at risk • actions that have been taken or will be taken to mitigate the risks to the data • details of notifications to affected individuals • details of the organization's training programs on data protection
While not mandatory, a data breach notification to the Commissioner can be done online at the SPDP website.
HEALTH SECTOR • Exists a general reporting obligation. • As per section 37(1) of the Private Healthcare and Facilities Act 1998 states that a private healthcare facility or service must report to the Director General such unforeseeable and unanticipated incidents as may be prescribed. • Insufficient, this may/may not amount to data breach. • Reports to the Director General only and not the data subject. Existance of reporting obligations imposed by different authorities. FINANCIAL SECTOR • BNM has set out guidelines and regulations to report to BNM regarding material security breaches, system downtime and degradation in system performance that critically affects the insurer. • Capital markets to report to SC. • The BNM also issued a Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorised access, modification, or disclosure by whatever means of customer information.
• 'Data processor' means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for his or her own purposes. • A data processor who processes personal data solely on behalf of a data user is not bound directly by the provisions of the PDPA. • Section 9(2) of the PDPA puts the obligations on the data user instead to ensure that the processor acts in line with the PDPA. Ensure that data processors are directly obligated towards the PDPA. Security Principle
Provide a more comprehensive guideline when it comes to data user's discretion. Retention Principle • The Code of Practice does not specify the applicable durations that personal data may be retained. • In the event where there are no statutory provisions that provide the minimum period specified, it is up to the discretion of Data Users. • While it is acknowledged that the discretion is given due to the different nature of data types, it is submitted that the discretion given to the data user to make use of the data as they see fit is too wide. • Hence, a comprehensive guideline on how long should the data user should store the data is pertinent.
Provide a data retention taxonomy according to data types, degree of risk, etc. Retention Principle • A data taxonomy is the classification of data into categories and sub-categories. • It provides a cohesive view on data and introduces common terminology across multiple systems • Data can be categorized based of its degree of sensitivity, risk assessment, etc • Once it is categorised, the 'necessity' for data retention can be evaluated more closely • Hence there can be a more systematically specified period of retention that can be implemented.
PROVIDE FOR A MANDATORY INSPECTION OVER A STATED PERIOD • Section 101(1)(a): The Commissioner may carry out an inspection . . . relating to the promotion of compliance with the provisions of the Act. • Act does not specify a period in which the inspection can be carried out. It is entirely up to the discretion of the Commissioner. • There is a need for a periodical inspection to ensure the principles laid out in the PDPA are complied with. EXPAND THE USAGE OF PDPA TO THE FEDERAL AND STATE GOVERNMENTS • Section 3(1): This Act shall not apply to the Federal Government and State Government. • The National Registration Department (NRD) / Jabatan Pendaftaran Negara (JPN) has access holds the personal data of nearly every citizen in Malaysia and our income tax returns which contain detailed records of our financial affairs and sources of income are well within the knowledge of the Inland Revenue Board. • They are not subjected to this Act but has access to it, reasons given to justify broad government access and use include national security, law enforcement and the combating of terrorism. Security & Retention Principle
Conclusion Malaysia's current practice of the Security and Retention Principle is sufficient for the purpose of commercial transaction, for now. However, there is room for improvement to heighten the threshold of cybersecurity in Malaysia; in order to keep up with the fast- paced landscape of cybersecurity worldwide

More Related Content

PPTX
3A – DATA PROTECTION: ADVICE
byCFG
 
PDF
Personal Data Protection Singapore - Pdpc corporate-brochure
byJean Luc Creppy
 
PPT
Personal privacy and computer technologies
bysidra batool
 
PPT
Data protection act new 13 12-11
bymrmwood
 
PPTX
PRIVACY_SPI-Subject_3rdyear-BSITWeb.pptx
byinaresangelique
 
PPTX
Ley protección de datos personales
byJuan Carlos Carrillo
 
PDF
Niche Konsult Limited Section By Section Analysis Of Cyber Security And Infor...
byNiche Konsult Ltd
 
PPT
2014 dpa training february nn
byLawrence Serewicz
 
3A – DATA PROTECTION: ADVICE
byCFG
 
Personal Data Protection Singapore - Pdpc corporate-brochure
byJean Luc Creppy
 
Personal privacy and computer technologies
bysidra batool
 
Data protection act new 13 12-11
bymrmwood
 
PRIVACY_SPI-Subject_3rdyear-BSITWeb.pptx
byinaresangelique
 
Ley protección de datos personales
byJuan Carlos Carrillo
 
Niche Konsult Limited Section By Section Analysis Of Cyber Security And Infor...
byNiche Konsult Ltd
 
2014 dpa training february nn
byLawrence Serewicz
 

Similar to Group 10 - PDPA II.pptx

PDF
Personal Data Protection in Indonesia
byEryk Budi Pratama
 
PPT
Merit Event - Understanding and Managing Data Protection
bymeritnorthwest
 
PPTX
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
PDF
Blake lapthorn In House Lawyer forum - 11 Sept 2012
byBlake Morgan
 
PDF
An introduction to data protection - Edinburgh
byRachel Aldighieri
 
PPT
Kawser Hamid : ICO and Data Protection in the Cloud
byGurbir Singh
 
PPT
Data Protection Act
bymrmwood
 
PPT
Data Protection Act
bymrmwood
 
PDF
Data Privacy - Security of Personal Information
byJDP Consulting
 
PPSX
What All Organisations Need to Know About Data Protection and Cloud Computing...
byBrian Miller, Solicitor
 
PPTX
Introduction to data protection - Edinburgh - 29/04/15
byRachel Aldighieri
 
PPTX
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
PPT
3e - Data Protection
byMISY
 
PDF
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
byAnastasiya Lemysh
 
PPT
Data protection act
byIqbal Bocus
 
PPTX
Domain 2 - Asset Security
byMaganathin Veeraragaloo
 
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
PPS
Introduction to Data Protection and Information Security
byJisc Scotland
 
PPSX
Data Protection Act presentation
byIan Clive Oultram
 
PPTX
Data Privacy Introduction
byPrachi Gulihar
 
Personal Data Protection in Indonesia
byEryk Budi Pratama
 
Merit Event - Understanding and Managing Data Protection
bymeritnorthwest
 
Safeguarding Information: An Overview of Data Protection
bytudokimberlyann
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
byBlake Morgan
 
An introduction to data protection - Edinburgh
byRachel Aldighieri
 
Kawser Hamid : ICO and Data Protection in the Cloud
byGurbir Singh
 
Data Protection Act
bymrmwood
 
Data Protection Act
bymrmwood
 
Data Privacy - Security of Personal Information
byJDP Consulting
 
What All Organisations Need to Know About Data Protection and Cloud Computing...
byBrian Miller, Solicitor
 
Introduction to data protection - Edinburgh - 29/04/15
byRachel Aldighieri
 
Privacy (1).pptx
byEng. Ala' Zayadeen- MBA,CEH,ISO Lead Implementer, MCP
 
3e - Data Protection
byMISY
 
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
byAnastasiya Lemysh
 
Data protection act
byIqbal Bocus
 
Domain 2 - Asset Security
byMaganathin Veeraragaloo
 
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
byUpekha Vandebona
 
Introduction to Data Protection and Information Security
byJisc Scotland
 
Data Protection Act presentation
byIan Clive Oultram
 
Data Privacy Introduction
byPrachi Gulihar
 

Recently uploaded

PPTX
Electricity Bill.pptxasdddddddddddddddddddddddddddddddddddddddddddddd
byoctaforce898
 
PDF
1080830_范素玲_國際合約範本案例分享檔案12345678911121314
byeachydhw
 
PPTX
Fetal skull 1 consists of vault and.pptx
byAdefaratiBusolami
 
PPTX
Oil Revenues Economic Growth NOTES 2026
byMUSOKESAMUEL1
 
PPTX
Top_3_Trending_Computer_Technologies_Designed.pptx
bynatrajbhai2301
 
PPT
NUCLEOTIDE &NUCLEOSIDE - Copy FOR THE.ppt
byadeoyopeyemi
 
PDF
2021 MBB Casebook.pdf jssssssssssssss
byjanasmusic33
 
PDF
Troubleshooting 5 : Operating system by Naiyan Noor.pdf
byNaiyan Noor
 
PPTX
Lecture 2 8086 microprocessor Architecture.pptx
byabhireddy3573
 
DOCX
Top Trusted Platforms for Buying Verified Wise Accounts Safely.docx
bynmd866761
 
PPTX
payall.12345678.pptx......................
bySaiGuptesh
 
PDF
Process customer transaction.pdfvcbcxbcbcxcx
byandudereje249
 
PPT
4. cardiac markers.pptfhvxdhajdgrheygyudgyg
bysanjanah077
 
PPTX
MPP Assignment (High Value, Low Uniqueness)-Group 3.pptx
byindranilduttaa25
 
PPTX
tiếng 9 lớp 9 bài ? bài tập luyện tập học sinh giỏi
byHongHaVu3
 
PDF
Navigating the Market for LinkedIn Accounts_ A Comprehensive Overview.pdf
byusatophub
 
PPTX
PRESENTATION for future educator that will help you
byDianaHeartEspejo
 
PPT
NUCLEIC ACID METABOLISM DESIGNED FOR .ppt
byadeoyopeyemi
 
PPTX
2ND-PRESENTER_A-Feasibility-Study-of-SmoothSmile-DualCare-Manufacturer-in-Pob...
byPhilip98409
 
PPTX
Road_Safety.pptx in delhi very dangerous
bypabloahir3000
 
Electricity Bill.pptxasdddddddddddddddddddddddddddddddddddddddddddddd
byoctaforce898
 
1080830_范素玲_國際合約範本案例分享檔案12345678911121314
byeachydhw
 
Fetal skull 1 consists of vault and.pptx
byAdefaratiBusolami
 
Oil Revenues Economic Growth NOTES 2026
byMUSOKESAMUEL1
 
Top_3_Trending_Computer_Technologies_Designed.pptx
bynatrajbhai2301
 
NUCLEOTIDE &NUCLEOSIDE - Copy FOR THE.ppt
byadeoyopeyemi
 
2021 MBB Casebook.pdf jssssssssssssss
byjanasmusic33
 
Troubleshooting 5 : Operating system by Naiyan Noor.pdf
byNaiyan Noor
 
Lecture 2 8086 microprocessor Architecture.pptx
byabhireddy3573
 
Top Trusted Platforms for Buying Verified Wise Accounts Safely.docx
bynmd866761
 
payall.12345678.pptx......................
bySaiGuptesh
 
Process customer transaction.pdfvcbcxbcbcxcx
byandudereje249
 
4. cardiac markers.pptfhvxdhajdgrheygyudgyg
bysanjanah077
 
MPP Assignment (High Value, Low Uniqueness)-Group 3.pptx
byindranilduttaa25
 
tiếng 9 lớp 9 bài ? bài tập luyện tập học sinh giỏi
byHongHaVu3
 
Navigating the Market for LinkedIn Accounts_ A Comprehensive Overview.pdf
byusatophub
 
PRESENTATION for future educator that will help you
byDianaHeartEspejo
 
NUCLEIC ACID METABOLISM DESIGNED FOR .ppt
byadeoyopeyemi
 
2ND-PRESENTER_A-Feasibility-Study-of-SmoothSmile-DualCare-Manufacturer-in-Pob...
byPhilip98409
 
Road_Safety.pptx in delhi very dangerous
bypabloahir3000
 

Group 10 - PDPA II.pptx

  • 1.
    GROUP 10 GROUP MEMBERS •MARSYITAH AMIIRA BINTI MARZUKI (LIA190082 / 17204201/1) • JULIA MAISARAH BINTI ISMAIL (LIA190057 / 17204122/1) • NURUL HANA BINTI ABDUL HAKIM (LIA190123 / 17205554/1) • MUHAMMAD SYADAD BIN NOR AZMAN (LIA190095 / 17204109/1) • NURFARAHIN BINTI ZAINAL ABIDIN (LIA190113 / 17204127/1) PDPA 2 01 0: SECURITY & RETENTION PRINCIPLE
  • 2.
    Question The Security Principlestates that a data user shall take practicable steps to protect the personal data, whilst the Retention Principle laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the two variables in italics. In your answer, you are to refer to any cases (if any) and regulations/standards/code of practice that may be available relating to personal data protection.
  • 3.
    Overview • SECURITY PRINCIPLE •RETENTION PRINCIPLE • REAL-LIFE EXAMPLES • COMPARISON OF OUR PDPA WITH OTHER COUNTRIES • THE WAY FORWARD
  • 4.
    SECURITY PRINCIPLE The SecurityPrinciple imposes obligations on the data user to take steps to protect the personal data during its processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.
  • 5.
    SECTION 9 OFTHE PDPA
  • 6.
    What are thepractical steps? Personal Data Protection Code of Practice PDPA Standards 2015
  • 7.
    Code of Practice •The Code of Practice was issued pursuant to Section 23 of the PDPA • Aims to further inculcate the spirit and practice of ethical business within the industry while providing a self-regulating mechanism for collection, maintenance, retention and disposal of personal data. • The views of data users, data subjects and the relevant regulatory authority are taken into consideration in preparing the respective of Code of Practice.
  • 8.
    • Four codesof practice were finalised by the Commissioner in 2017 namely: • Code of Practice for the Banking and Financial Sector 2017, • Personal Data Protection Code of Practice for the Utilities Sector (Electricity) 2017 • Code of Practice on Personal Data Protection for the Insurance and Takaful Industries in Malaysia 2017 • Personal Data Protection Code of Practice for the Communications Class Data Users 2017 • These “practical steps” will vary from case to case, depending on the nature of personal data being processed by the Data User in question and the degree of sensitivity attached to the personal data or harm that the Data Subject might suffer due to its loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Code of Practice
  • 9.
    Code of Practice(CMA) For Licensees Under The Communications And Multimedia Act 1998 Technical Security Measures Organizational Security Measures
  • 10.
    Organizational Security Measures Dataclassification policy • Personal data being processed by each Data User should ideally be categorised based on the sensitivity of the personal data and the harm that could arise vis-à-vis the Data Subject should the personal data be mishandled. • The policy should identify the specific categories of personal data, the security measures associated with each of the said categories of personal data, both in physical and electronic Formats. Access control policy • Personal data should be accessed by personnel of the Data User based on a “need to know” basis. • Policy will indicate the various levels of personnel that are permitted access, modification and/or deletion rights in relation to different categories of personal data. • Access control policies should be supplemented with policies limiting access to technologies that allow personal data to be transferred out of the Data User’s organization (as detailed further under technical security measures), and the activation of audit logs which enable authorised and unauthorised access to personal data to be traced.
  • 11.
    Confidentiality guidelines • Guidelinesin respect of the confidentiality of Data Subject information be issued (either separately or as part of the employee handbook) to all personnel of Data Users in order to make clear the fundamental importance of confidentiality and the role that it plays in establishing confidence and market credibility in the branding of the Data User. • Data Users must explicitly state the obligation of maintaining the confidentiality of Data Subject information, and where there has been a breach of the same, Data Users need to be seen to have taken the necessary action in order that personnel are aware of how seriously Data Users take this issue.
  • 12.
    Technical Security Measures (a)Physical document security • Physical documents need to be received, processed and stored securely. (b) Physical access to IT facilities • Access to IT facilities where the IT infrastructure and the telecommunications infrastructure of Data Users are located, needs to be controlled at all times. • This can be achieved through the use of security guards for perimeter and location security, and escorts. (c) Physical access to IT systems and communications equipment • Access to IT systems within Data Users’ offices or premises needs to be controlled at all times as personal data may be stored and/or displayed on them. • By restricting physical access to any non-authorised personnel, careful positioning of PCs in order to ensure that screens are not viewable by non-authorised personnel, the utilisation of screen savers for unattended PCs, and locked printer and/or fax rooms which are accessible only to authorised personnel.
  • 13.
    (d) Back-ups • DataUsers should back-up the personal data resident on their systems in order to guard against data loss. • The media on which the backups are resident should be stored off-site to prevent their loss together with the primary systems in the event of a major disaster. (e) Anti-virus and anti-malware software • Data Users would be required to install and regularly update their anti-virus software in order to avoid putting the personal data of Data Subjects at risk consequent to virus infections and other malware. • Personnel should be restricted from downloading and installing applications that have not been approved by the IT department of the Data User as it may introduce malware which may put personal data at risk. (f) Securing access • All personal data that is removed from the premises of the Data User with authorisation, whether on notebooks, tablets, smart phones, USB thumb drives, portable hard drives, are to be secured in order to prevent the personal data stored on the said devices being accessed without authorisation in the event the said devices being stolen or lost. • E-mails attaching personal data are also to be secured in order to prevent the personal data being accessed by unauthorised third parties.
  • 14.
    PDPA Standards 2015 INTERPRETATION “standard” meansa missued by the Commissioner, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, of order in a given context. APPLICATION 3.1 This Standard applies to a. any person who processes; and b. any person who has control over or authorizes the processing of, any personal data in respect of commercial transactions. The Standards are considered the “minimum” standards to be observed by data users, as each and every requirement of the Standards must be implemented as part of the data user’s policy in its handling of the personal data of customers and employees.
  • 15.
    Security Standards under PDPAStandards 2015 Data Security For Personal Data Processed Electronically Data Security For Personal Data Processed Non-Electronically
  • 16.
    Data Security ForPersonal Data Processed Electronically • Register all employees involved in the processing of personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organisation. • Control and limit employees’ access to personal data system for the purpose of collecting, processing and storing of personal data. • Provide user ID and password for authorized employees to access personal data. • Terminate user ID and password immediately when an employee who is authorized access to personal data is no longer handling the data. • Establish physical security procedures as follow: i. control the movement in and out of the data storage site; ii. store personal data in an appropriate location which is unexposed and safe from physical or natural threats iii. provide a closed-circuit camera at the data storage site (if necessary), iv. provide a 24 hour security monitoring (if necessary).
  • 17.
    • Update theBack up/Recovery System and anti-virus to prevent personal data intrusion and such. • Safeguard the computer systems from malware threats to prevent attacks on personal data. • The transfer of personal data through removable media device and cloud computing service is not permitted unless with written consent by an officer authorized by the top management of the data user organization. • Record any transfer of data through removable media device and cloud computing service. • Personal data transfer through cloud computing service must comply with the personal data protection principles in Malaysia, as well as with personal data protection laws of other countries. • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner. • Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Bind an appointed third party by the data user with a contract for operating and carrying out personal data processing activities. This is to ensure the safety of personal data from loss, misuse, modification, unauthorized access and disclosure.
  • 18.
    Data Security ForPersonal Data Processed Non- Electronically • Register employees handling personal data into a system/registration book before being allowed access to personal data. • Terminate an employee’s access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in the organization. • Control and limit employees’ access to personal data system for the purpose collecting, processing and storing of personal data. • Establish physical security procedures as follow: i. store all personal data orderly in files; ii. store all files containing personal data in a locked place; iii. keep all the related keys in a safe place; iv. provide record for keys storage; and v. store personal data in an appropriate location which is unexposed and safe from physical or natural threats • Maintain a proper record of access to personal data periodically and make such record available for submission when directed by the Commissioner.
  • 19.
    • Ensure thatall employees involved in processing personal data always protect the confidentiality of the data subject’s personal data. • Record personal data transferred conventionally such as through mail, delivery, fax and etc. • Ensure that all used papers, printed documents or other documents exhibiting personal data are destroyed thoroughly and efficiently by using shredding machine or other appropriate methods. • Conduct awareness programmes to all employees (if necessary) on the responsibility to protect personal data.
  • 20.
    RETENTION PRINCIPLE The RetentionPrinciple laid down the rule that the personal data shall not be kept longer than is necessary. Elaborate on the meaning of the variables in italics.
  • 21.
    PERSONAL DATA PROTECTIONACT 2010 ("PDPA 2010") Section 10 - Retention Principle (1) The personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose. (2) It shall be the duty of a data user to take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed. Data Users can retain personal data but it cannot be longer than is necessary to fulfil the processing purpose. PERSONAL DATA PROTECTION REGULATION 2013 ("PDPR 2013") Para 7 - Retention Standard For the purposes of section 10 of the Act, the personal data of a data subject shall be retained in accordance with the retention standard set out from time to time by the Commissioner. This standard can be seen in the 2015 Standard (Personal Data Protection Standard 2015). However, this section does not define what “is necessary” means. Hence, reference will be made to the 2013 Regulation.
  • 22.
    Ensure that theretention period in all legislation relating to the processing and retention of personal data are fulfilled before destroying the data. 1. Not to retain personal data for longer than is necessary UNLESS there are other legal provisions that require personal data to be kept for a longer period. 2. Personal data collection forms used in commercial transactions should be disposed within the period not exceeding 14 days. EXCEPTION - If the forms carry legal values in relation to the commercial transaction, then it may be retained for more than 14 days. 4. Prepare and maintain a personal data disposal schedule for inactive data with a 24 month period. 6. A data user shall, take all reasonable steps to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was to be processed by having regard to the following descriptions - 6.1 RETENTION STANDARD The standard for retention of personal data which is processed electronically and non-electronically. 6.0 PERSONAL DATA PROTECTION STANDARD 2015 ("PDPA 2015")
  • 23.
    5.0 RETENTION PRINCIPLE 5.1The Act places a responsibility on Data Users to hold personal data only for as long as necessary for the fulfilment of the purpose. The Act also provides that upon the purpose being fulfilled, Data users are required to permanently destroy/delete the personal data. This requirement applies to both physical and electronic copies of documents containing personal data. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 3.1 The Code shall apply to all Data Users including all; • (i) Network Facilities Providers; • (ii) Network Services Providers; • (iii) Applications Service Providers; and • (iv) Content Applications Service Providers, As defined in the CMA 1998. However, there are certain statutory provisions that specify the minimum data retention periods. 5.3 This Code does not specify the applicable durations that personal data may be retained for but leaves it to the discretion of Data Users. 5.2 For the avoidance of doubt, the Act does not override other applicable statutory provisions that require the retention of data/records/information for a specified minimum duration, for instance, the Communications and Multimedia Act 1998, the Companies Act 1965, Income Tax Act 1967, Employment Act 1955 or the Limitation Act 1953. The Act and such other applicable legislation must be read together.
  • 24.
    Other Applicable Legislations Thatrequire the retention of data/records/information for a specified minimum duration. Communications and Multimedia Act 1998 S 268. Minister may make rules on record- keeping The Minister can make rules to provide for recordkeeping, and to require one or more licensees or persons to keep and retain records. Companies Act 2016 S 245. Accounts to be kept. (1) A company, the directors and managers of a company shall - • a. Keep accounting and other records to sufficiently explain the transactions and financial position of the company; • b. Keep the accounting and other records in a manner as to enable the accounting to be conveniently and properly audited. (3) The company shall retain the records referred to in subsection (1) for seven years after the completion of the transactions or operations to which entries relate.
  • 25.
    Other Applicable Legislations Thatrequire the retention of data/records/information for a specified minimum duration. Income Tax Act 1967 S 82. Duty to keep records and give receipts (1) Notwithstanding section 82A and subject to this section, every person carrying on a business - (a) shall keep and retain in safe custody sufficient records for a period of seven years from the end of the year to which any income from that business relates … Employment Act 199 S 61. Duty to keep registers. (1) Every employer shall prepare and keep one or more registers containing such information regarding each employee employed by him as may be prescribed by regulations made under this Act. (2) Every such register shall be preserved for such period that every particular recorded therein shall be available for inspection for not less than six years after the recording thereof.
  • 26.
    5.5 There maybe certain instances in which Data Users need to retain personal data beyond a specified statutory period. In these cases, Data Users should be able to demonstrate - (i) a reasonable need to retain personal data beyond the applicable statutory period; and (ii) (if available) provide evidence of their adherence to the same. The commencement of legal proceedings or investigations concerning the Data Subject would qualify as grounds for continuing to retain the personal data until the disposal/closure of the matter and the expiry of the retention period specific to the matter itself. CODE OF PRACTICE FOR LICENSEES UNDER THE CMA 1998 5.4 In order to assist Data Users to keep track of the various retention periods as may be applicable to the various types of personal data processed by them, Data Users are required to consolidate all applicable retention periods into the Data User’s relevant retention policies which addresses the various categories of personal data, for example: (i) Application forms (ii) Unsuccessful applications (iii) Call records (iv) Customer audio recordings (v) Defaulting customers 5.6 For the avoidance of doubt, the Retention Principle does not apply to backup and electronic archival data subject to the Data User restricting access to the same to authorised personnel only and for backup or archival purposes respectively. 5.12 For the avoidance of doubt, in the event of a conflict between the Commissioner’s retention standard, this Code, any retention standard(s) (or their equivalent) set by the Malaysian Communications and Multimedia Commission or such other regulators of the Data User and/or any retention standard(s) (or their equivalent) prescribed by the law, the document setting the higher standard will prevail to the extent of the conflict.
  • 27.
    The term “isnecessary” under the Retention Principle is not defined in the PDPA. Generally, the retention period of personal data is at the discretion of Data Users. However, there are times where the minimum duration is specified in certaain applicable legislations. The retention periods may vary in accordance with the requirements set out by different laws. For those not specified by the laws, the appropriate retention period for personal data would therefore depend on the purpose for which it was collected. MEANING OF "IS NECESSARY" UNDER THE RETENTION PRINCIPLE
  • 28.
  • 29.
    Security Principle LAZADA collectsinformation of different degree of sensitivity so how do they protect said information? Identity data Contact data Technical data Technical data Transaction data ID verification data Account data IP address, browser type, IMEI billing address, email, phone number name, gender, DOB Govt issued documentation; IC, passport, etc details about orders & payments, product & service details bank acc details, credit card details, etc
  • 30.
    Security Principle 7. Securityof Your Personal Data 7.1. To safeguard your personal data from unauthorised access, collection, use, disclosure, processing, copying, modification, disposal, loss, misuse, modification or similar risks, we have introduced appropriate administrative, physical and technical measures such as: (a) Restricting access to personal data to individuals who require access; (b) Maintaining technology products to prevent unauthorised computer access; (c) Using 128-bit SSL (secure sockets layer) encryption technology when processing your financial details; and/or (d) implementing other security measures as required by applicable law. Incorporate safeguard system into equipment that stores data Securing data access to permitted personnel
  • 31.
    Security Principle In regardsto the transfer of data overseas, LAZADA assures that the receiving jurisdiction has a standard of protection comparable to the transferring jurisdiction (comparable to MY's standards)
  • 32.
    Retention Principle 8. Retentionof Personal Data 8.1. We will only retain your personal data for as long as we are either required or permitted to by law or as relevant for the purposes for which it was collected. 8.2. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data was collected, and is no longer necessary for any legal or business purpose.
  • 33.
    Retention Principle -Purposes Necessary to Retain Data Purposes for collecting data (i) Processing your order for products (whether sold by us or a third party seller) (ii) Providing Services (iii) Marketing and advertising (iv) Legal and operational purposes (v) Analytics, research, business and development (vi) Other
  • 34.
  • 35.
    Retention Principle If youwithdraw consent from Lazada using your personal data or if you deactivate your acc, then Lazada would no longer have a purpose to retain your data and is required by PDPA to delete it.
  • 36.
    How Different isOur PDPA Compared to Other Countries We look further by comparing Malaysia's PDPA on its Security and Retention Principle with South Korea's Personal Information Protection Act (PIPA)
  • 37.
    Introduction to SouthKorea's PIPA and Malaysia's PDPA The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute and the Credit Information Use and Protection Act which regulates personal credit information. For the purpose of this assignment, we will look into details of its Security Principles and Retention Principles. Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013. As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which will be set out in the course of the comparison. .
  • 38.
    Under South KoreaPIPA act, as a part of their Security Principles, South Korea has an enforcement officer called the Data Protection Officer under Article 31 (Designation of Privacy Officers) Every personal data controller must designate a chief privacy officer (“CPO”) who must be an employee or executive of the company. The CPO’s obligations under the PIPA are as follows: • establishing and implementing plans for the protection of personal information • performing periodic investigations and improving the status and practices of the processing of personal information • handling complaints and dealing with damage pertaining to the processing of personal information • establishing internal control systems for preventing leakage, misuse and abuse of personal information • establishing and implementing training sessions for the protection of personal information • protecting, managing, and monitoring personal information files • establishing, amending, and implementing a personal information processing policy • managing materials concerning the protection of personal information, and • destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.
  • 39.
    There are nonationality or residency requirements for the chief privacy officer. In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA. (equivalent to 35 146 RM)
  • 40.
    Currently, Malaysian lawdoes not require that data users appoint a data protection officer. However, pursuant to PC01/2020, the Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.
  • 41.
    Security Principles Differences onPIPA and PDPA Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information: • establishment and implementation of an internal control plan for handling personal information in a safe way • installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information • measures for preventing fabrication and alteration of access/log records • measures for security including encryption technology and other methods for safe storage and transmission of personal information, and • measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.
  • 42.
    This is thensupported by South Korea Personal Information Safeguards and Security Standards which is similar to our Personal Data Protection Standards, but instead for it to be a guidelines for the PIPA (Korea’s Personal Data Act) they give out more detailed standards on its Security Standards.
  • 43.
    Under the PDPA,data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards. In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. Pursuant to PC01/2020, the Commissioner observed that there are many new technologies such as facial recognition and smart trackers being used as data collection endpoints, and thus is considering issuing a policy regarding the endpoint security which uses technologies such as encryption.
  • 44.
    Differences Explained SOUTH KOREA TheSecurity standards laid down in south korea are strict in which they gives out what is necessary to prevent any breach including laying out certain level of encryption necessary and also the sole use of biometrics and personal identifiers to control each of the processing of the personal data during, in the middle or after the processing including how to do it They also gives out notifications if or when there could be or there is a threat for a breach, which is highlighted in the act and also standards. The Korean PIPA also sets out that if a breach does occur, aside from giving out notification and the organisation trying to remedy it, the customer has a right to take matters to court if it is necessary for them to do so Malaysia In Malaysia, the standards and guidelines are somehow encouraged but not to be strictly adhered to, although there are still minimum standards that needs to be followed by each of the organisations, including the Security Principle and Retention Principle, every one of the standards listed are too general and this means that it is still up to the organization to interpret what it means. This will result in different interpretations for a security principle by each and every one of the organisations.
  • 45.
    Retention Principle Differences onPIPA and PDPA In South Korea, under the PIPA, the retention standards necessary for the Act to retain are strictly to be adhered. In PIPA, the retention principles seems to be more direct and all data user must follow what has been laid down. The basic principles applicable to data retention include: • the principle of fair and legitimate collection of the minimum necessary personal data to the extent necessary for the explicitly stated and consented purposes; and • the principle that such personal data must be handled only to the extent necessary for the explicitly stated and consented purposes. In paragraph one (1) of Article 21 of the PIPA, if the retention of personal data is required by South Korean law or regulations beyond the retention period notified to, and consented by, data subjects, such personal data will need to be kept separate from any other personal data. This matters should also be read where pursuant to paragraph (1), paragraph (3) takes it when it is necessary for the personal information controller to retain the data of the personal information the relevant personal information or personal information files shall be stored and managed separately from other personal information.
  • 46.
    In the KoreanPIPA, if any of the privacy policies states that there is a need to safe keep personal information pursuant to legal documentation or any provision stating that the company needs to keep the data aside from discarding it, with the consent of the data subject, the personal information officer in charge needs to make a separate encrypted storage for the archive of the said information where access is only applicable to persons appointed by the relevant provisions.
  • 47.
    Data retention principleslaid down in Malaysia’s PDPA is a little bit different where there is discretion for the data user to lay down the retention period throughout the act, standards and also CMA. This is the only main difference as what is construed as necessary for both of the Acts as the retention principle that applies under other legislations still applies to both the Korean PIPA and the Malaysia’s PDPA. In Malaysia, the Act and both the standards and the CMA is silent on the application of data that needs to be safeguard under certain laws. There is no right or wrong way prescribed under the law and it is up to the interpretation of each of the organisation in the manner of safekeeping these personal information that needs to be retained. In Malaysia we see a lot of discretionary powers under the retention principle rather than having a very strict provision on how to deal with the retention of data.
  • 48.
    Differences Summed Up Throughout thecomparison, it seemed clear to us that South Korea’s Security Principle is more strict and adhered than Malaysia as we believe that this is because of South Korea’s advancements on its technological affairs and e-commerce and where everything is bound electronically due to their “smart-nation” age. This has led us to believe that it is important for them to adhere to these strict rules to protect the personal information of their customers. Although there seems to be quite a lack of rules and guidelines in Malaysia’s PDPA mainly to its Security and Retention Principle, we also believe that as of now, Malaysia’s PDPA seems to be competent in handling most cases of data breaches in Malaysia. This could be supported with minimum reported case on Malaysia’s online business security and data breaches that we believe that Malaysia, for now has sufficient implementation to its security and data retention principle.
  • 49.
    THE WAY FORWARD Improvements thatcan be made to the Security & Retention Principle.
  • 50.
    Implement the DataBreach Notification requirement. • Presently, the PDPA does not provide any requirement for a data user to notify or report any breach of personal data to the PDPD or the data subject. Security Principle
  • 51.
    This, however, remainsungazetted law. However, the authorities did issue a Public Consultation Paper 1/2018: The Implementation of Data Breach Notification. It sets out among other things: • the requirement to notify the Commissioner within 72 hours of becoming aware of the data breach incident • to provide details about the data at risk • actions that have been taken or will be taken to mitigate the risks to the data • details of notifications to affected individuals • details of the organization's training programs on data protection
  • 52.
    While not mandatory,a data breach notification to the Commissioner can be done online at the SPDP website.
  • 54.
    HEALTH SECTOR • Existsa general reporting obligation. • As per section 37(1) of the Private Healthcare and Facilities Act 1998 states that a private healthcare facility or service must report to the Director General such unforeseeable and unanticipated incidents as may be prescribed. • Insufficient, this may/may not amount to data breach. • Reports to the Director General only and not the data subject. Existance of reporting obligations imposed by different authorities. FINANCIAL SECTOR • BNM has set out guidelines and regulations to report to BNM regarding material security breaches, system downtime and degradation in system performance that critically affects the insurer. • Capital markets to report to SC. • The BNM also issued a Management of Customer Information and Permitted Disclosures, which states that financial service providers must have in place a customer information breach handling and response plan in the event of theft, loss, misuse, or unauthorised access, modification, or disclosure by whatever means of customer information.
  • 55.
    • 'Data processor'means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for his or her own purposes. • A data processor who processes personal data solely on behalf of a data user is not bound directly by the provisions of the PDPA. • Section 9(2) of the PDPA puts the obligations on the data user instead to ensure that the processor acts in line with the PDPA. Ensure that data processors are directly obligated towards the PDPA. Security Principle
  • 56.
    Provide a morecomprehensive guideline when it comes to data user's discretion. Retention Principle • The Code of Practice does not specify the applicable durations that personal data may be retained. • In the event where there are no statutory provisions that provide the minimum period specified, it is up to the discretion of Data Users. • While it is acknowledged that the discretion is given due to the different nature of data types, it is submitted that the discretion given to the data user to make use of the data as they see fit is too wide. • Hence, a comprehensive guideline on how long should the data user should store the data is pertinent.
  • 57.
    Provide a dataretention taxonomy according to data types, degree of risk, etc. Retention Principle • A data taxonomy is the classification of data into categories and sub-categories. • It provides a cohesive view on data and introduces common terminology across multiple systems • Data can be categorized based of its degree of sensitivity, risk assessment, etc • Once it is categorised, the 'necessity' for data retention can be evaluated more closely • Hence there can be a more systematically specified period of retention that can be implemented.
  • 58.
    PROVIDE FOR AMANDATORY INSPECTION OVER A STATED PERIOD • Section 101(1)(a): The Commissioner may carry out an inspection . . . relating to the promotion of compliance with the provisions of the Act. • Act does not specify a period in which the inspection can be carried out. It is entirely up to the discretion of the Commissioner. • There is a need for a periodical inspection to ensure the principles laid out in the PDPA are complied with. EXPAND THE USAGE OF PDPA TO THE FEDERAL AND STATE GOVERNMENTS • Section 3(1): This Act shall not apply to the Federal Government and State Government. • The National Registration Department (NRD) / Jabatan Pendaftaran Negara (JPN) has access holds the personal data of nearly every citizen in Malaysia and our income tax returns which contain detailed records of our financial affairs and sources of income are well within the knowledge of the Inland Revenue Board. • They are not subjected to this Act but has access to it, reasons given to justify broad government access and use include national security, law enforcement and the combating of terrorism. Security & Retention Principle
  • 59.
    Conclusion Malaysia's current practiceof the Security and Retention Principle is sufficient for the purpose of commercial transaction, for now. However, there is room for improvement to heighten the threshold of cybersecurity in Malaysia; in order to keep up with the fast- paced landscape of cybersecurity worldwide