Earlier this year, the Malaysian Personal Data Protection Department (PDPD) released several documents to aid data users in their compliance with the Malaysian Personal Data Protection Act 2010 (PDPA) – these include a guide on privacy notices, new codes of practice applicable to the private healthcare industry and the water utilities industry, as well as circulars reminding prescribed classes of data users of their registration obligations.
In more detail
The first in the series of documents issued by the PDPD was the publication of the Guide to Preparation of Personal Data Protection Notice – which aims to serve as a reference for data users in preparing simple, comprehensive and tailored privacy notices for compliance with the requirements of the Notice and Choice Principle under the Malaysian Personal Data Protection Act 2010 (PDPA).
It supplements obligations under the Notice and Choice Principle by requiring privacy notices to also state:
- if any sensitive personal data will be processed;
- if personal data of children below the age of 18 years will be processed;
- if there is any regulatory requirement to collect certain personal data;
- how long personal data will be retained in the processing;
- when will personal data be disposed of;
- what practical measures are taken to ensure personal data is secured;
- what security measures are taken to ensure any disclosure of personal data is safe and secure;
- the name of third parties to whom personal data is disclosed and for what purpose; and
- the effective and last revision dates of the privacy notice.
The guide also emphasises that a privacy notice serves to notify data subjects of how their personal data is being processed, and should therefore not be used as a platform to obtain consent (especially a blanket consent) for processing their personal data.
While the guide does not appear to have legal force, data users are nevertheless encouraged to abide by the requirements set out in the guide as best practice.
Codes of practice
In February 2022, the PDPD published two industry codes of practice:
- the Code of Practice for Private Hospitals in the Healthcare Industry which applies to all private hospitals that are licensed under the Private Healthcare Facilities & Services Act 1998; and
- the Code of Practice for Utilities Sector (Water) which applies to water supply entities that are listed under paragraph 11 of the Schedule of the Personal Data Protection (Class of Data Users) Order 2013 (as may be revised from time to time).
Data users falling within the prescribed sectors above should note that non-compliance with the code of practice is an offence under the PDPA, punishable with a fine up to MYR 100,000 (~ USD 24,000) and/or imprisonment up to one year.
The Personal Data Protection Commissioner also released two circulars in February 2022, reminding prescribed classes of data users of their obligation under the PDPA to register with the PDPD and to renew their certificates of registration before expiry:
- Personal Data Protection Commissioner Circular No. 1/2022: Requirement to Register as Data User under the Personal Data Protection Act 2010 (Act 709)
- Personal Data Protection Commissioner Circular No. 3/2022: Obligation to Renew Certificate of Registration as Data User under the Personal Data Protection Act 2010 (Act 709)
A list of the 13 prescribed classes of data users can be found in the first of the aforementioned circulars (only available in the local Malay language).
Where a data user falls within the prescribed classes, processing personal data without a certificate of registration is an offence under the PDPA, which may attract liability to a fine up to MYR 500,000 (~ USD 120,000) and/or imprisonment up to three years. Failure of renewal may also result in a fine up to MYR 250,000 (~ USD 60,000) and/or imprisonment up to two years.
These latest developments suggest an increasingly proactive stance being taken by the PDPD in enforcing and promoting compliance with the PDPA. Given the pace of data privacy reforms globally and in the region, businesses should continue to monitor developments under Malaysia’s data privacy regime.
* * * * *
This client alert was issued by Wong & Partners, a member firm of Baker McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.