PERSONAL DATA PROTECTION – The 2015 Standard
Following the enforcement of the Personal Data Protection Act 2010 (“PDPA”) on 15 November 2013, many questions were raised regarding the practical implementation of the PDPA’s requirements and what the benchmark for compliance is.
In response to such queries, the Ministry of Communications and Multimedia of Malaysia (“MCM”) has recently issued the Personal Data Protection Standard 2015 (“2015 Standard”) to provide the public with better clarity on the minimum standards imposed.
The 2015 Standard is a very short document and covers only two areas:
- Safety standards for personal data processed electronically; and
- Safety standards for personal data processed non-electronically.
Electronic Processing
The safety standards for electronic processing of personal data can be broken down into the following categories:
- Employee access
The MCM has introduced a number of practical guidelines for managing employees’ access to and processing of personal data. These include registering all employees involved in personal data processing, providing tiered access and different security levels for different employees, terminating access for employees who have left the organisation or no longer require access to personal data, and implementing user IDs for employees.
Organisations should also ensure that their employees uphold their duty of confidentiality owed to the data subjects.
- Safety procedures
Safety procedures such as monitoring the inflow and outflow of personal data, using secured locations to store personal data, incorporating CCTV and 24-hour surveillance (if necessary), using back-up and recovery systems, and putting malware protection in place are among the methods set as minimum standards.
Movement of personal data via removable media devices or cloud computing services must be authorised by the organisation’s management and recorded.
- Third party processing
If a data user engages a third party to process personal data on its behalf, the engagement must be governed by a contract that secures the personal data against loss, abuse, alteration, access and unauthorised disclosure.
Non-electronic Processing
As for non-electronic processing of personal data, the standards can be classified under two general principles:
- Employee access
The guidelines for employee access in non-electronic processing of personal data are similar to those for electronic processing, except that security measures such as registration and restriction of access are implemented physically.
- Safety procedures
The safety procedures highlighted in the 2015 Standard include physical steps to be taken, such as having an organised filing system, keeping files containing personal data locked, and keeping a record of storage keys.
Transfer of personal data via conventional means like post, hand delivery and facsimile must be recorded.
Any documentation that contains personal data must be destroyed carefully and efficiently by utilising methods such as shredding.
If necessary, organisations should also run awareness programmes on personal data protection for their employees.
Concluding Remarks
One of the criticisms of the PDPA when it was first rolled out was the lack of practical guidelines. Although the 2015 Standard does not cover all seven principles of personal data protection found in the PDPA, it is a good start in helping data users to better understand and carry out what is expected of them.