In a nutshell, for both electronic and non-electronic data, the data user shall take practical steps to protect personal data from any loss, misuse, modification, unauthorised access or alteration. As for the retention standard, the data user shall take reasonable steps to ensure that all personal data is destroyed or permanently deleted once it is no longer required for the purpose for which it was processed. Finally, on the integrity standard, the data user needs to ensure that personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected.
1. Malaysia: Personal Data Protection Act (PDPA) 2010
Hairul Hafiz B Hasbullah
Data Protection (Part 3): Implementation of security to protect data
2. Where Are We? : Stage 2
• Awareness program on PDPA 2010
• Establish a data protection task force
• Conduct a Privacy Impact Assessment
• Obtain consent for use of personal data
• Prepare standard data protection notice and clause in agreements
3. Where Are We? : Stage 2 (After Briefing on 12-13 April 2017)
• Review plan established during Stage 1
• Establish procedures and forms to handle data protection complaints
• Establish processes for training of relevant staff
• Implementation of security to protect data
  (a) physical access
  (b) electronic access
4. Action Plan : Stage 3
• Implementation of security to protect data
(a) Electronic access
(b) Non-electronic access
(c) Retention standard
(d) Data Integrity standard
5. A. Establishment of the Security Standard for Personal Data Processed Electronically
NO | DESCRIPTION | Person in charge (PIC)/Department
1 | Register all employees involved in the processing of personal data | BE/MME/HR
2 | Terminate an employee's access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in MyCEB | HR/IT
3 | Control and limit employees' access to the personal data system for the purpose of collecting, processing and storing personal data | BE/MME/HR/IT
4 | Provide a user ID and password for authorised employees to access personal data | BE/MME/HR/IT
6. A. Establishment of the Security Standard for Personal Data Processed Electronically (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
5 | Terminate the user ID and password immediately when an employee who is authorised to access personal data is no longer handling the data | BE/MME/HR
6 | Establish physical security procedures as follows: (i) control movement in and out of the data storage site; (ii) store personal data in an appropriate location which is unexposed and safe from physical or natural threats | IT
7 | Update the backup/recovery system and anti-virus to prevent intrusion into personal data and similar threats | IT
7. A. Establishment of the Security Standard for Personal Data Processed Electronically (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
8 | Safeguard the computer system from malware threats to prevent attacks on personal data | IT
9 | The transfer of personal data through removable media devices and cloud computing services is not permitted without written consent from an officer authorised by the management of the MyCEB data user | BE/MME
10 | Record any transfer of data through removable media devices and cloud computing services | BE/MME/HR
8. A. Establishment of the Security Standard for Personal Data Processed Electronically (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
11 | Personal data transfer through cloud computing services must comply with the personal data protection principles in Malaysia, as well as with the personal data protection laws of other countries | LEGAL
12 | Ensure that all employees involved in processing personal data always protect the confidentiality of the data subject's personal data | BE/MME/HR
13 | Bind a third party appointed by the data user with a contract for operating and carrying out personal data processing activities, to ensure the safety of personal data from loss, misuse, modification, unauthorised access and disclosure | LEGAL
9. B. Establishment of the Security Standard for Personal Data Processed Non-electronically
NO | DESCRIPTION | Person in charge (PIC)/Department
1 | Register employees handling personal data in a system/registration book before they are allowed access to personal data | BE/MME/HR
2 | Terminate an employee's access rights to personal data after his/her resignation, termination, termination of contract or agreement, or adjustment in accordance with changes in MyCEB | BE/MME/HR/IT
3 | Control and limit employees' access to the personal data system for the purpose of collecting, processing and storing personal data | BE/MME/HR
10. B. Establishment of the Security Standard for Personal Data Processed Non-electronically (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
4 | Establish physical security procedures as follows: (i) store all personal data in an orderly manner in files; and (ii) store all files containing personal data in a locked place | BE/MME/HR
5 | Maintain a proper record of access to personal data periodically, and keep such records in a way that protects the confidentiality of the data subject's personal data | BE/MME/HR
6 | Record personal data transferred by conventional means such as mail, delivery, fax, etc. | BE/MME/HR
11. B. Establishment of the Security Standard for Personal Data Processed Non-electronically (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
7 | Ensure that all used papers, printed documents or other documents containing personal data are destroyed thoroughly and efficiently using a shredding machine or other appropriate methods | BE/MME/HR
8 | Conduct awareness programmes for all employees on the responsibility to protect personal data | LEGAL
12. C. Establishment of the Retention Standard
NO | DESCRIPTION | Person in charge (PIC)/Department
1 | Determine that the retention period relating to the processing and retention of personal data has been fulfilled before destroying the data (normal practice is within 6 years) | BE/MME/HR
2 | Keep personal data no longer than necessary unless required by other legal provisions | BE/MME/HR
3 | Maintain a proper record of personal data disposal periodically | BE/MME/HR
13. C. Establishment of the Retention Standard (cont.)
NO | DESCRIPTION | Person in charge (PIC)/Department
4 | Dispose of personal data collection forms used in commercial transactions within a period not exceeding 14 days, except where the forms carry legal value in relation to the commercial transaction | BE/MME/HR
5 | Review and dispose of all unwanted personal data in the database (e.g. MyCEB CRM) | BE/MME/HR
6 | Prepare a personal data disposal schedule for inactive data with a 24 month period | BE/MME/HR
7 | The use of removable media devices for storing personal data is not permitted without written approval from MyCEB management | BE/MME/HR/IT
14. D. Establishment of the Data Integrity Standard
NO | DESCRIPTION | Person in charge (PIC)/Department
1 | Provide a personal data update form for data subjects, either online or in conventional form | LEGAL
2 | Update personal data immediately once a data correction notice is received from the data subject | BE/MME/HR
3 | Ensure that all relevant legislation is fulfilled in determining the type of documents required to support the validity of the data subject's personal data | LEGAL
4 | Give notice of personal data updates either through the portal, by notice at the premises, or by other appropriate methods | MARCOM
15. CONGRATULATIONS!
You have just completed Privacy and Personal Data (Part 1) under MyCEB Personal Data Protection 2010.
THANK YOU