Malaysia Personal Data Protection Commission Seeks Feedback on Security

Posted: July 20, 2015

The Malaysia Personal Data Protection Commission (PDPC) recently published Public Consultation Paper No. 1/2015 seeking feedback from data users and subjects regarding security, storage and data integrity standards. The deadline for submitting feedback is July 27, 2015.

Public Consultation Paper No. 1/2015 separates the three concepts – security, storage and data integrity – providing space for individuals to submit comments. The PDPC’s goal is to make a reference document that outlines the minimum standards by which data users and others regulated by the Personal Data Protection Act 2010 (PDPA) and the Regulations on Classification of Data Users 2013 must abide.

Security Standards
The security standards portion of the Paper addresses a variety of topics including data managed electronically and in hard copy. In particular, the Paper seeks feedback on various items such as: requirement to register company personnel that manage personal data, recording and monitoring data system use, and data storage and physical security requirements.

Storage Standards
In the storage standards section, the Paper seeks feedback on several important items including personal data retention. Under the PDPA’s “Retention Principle”, personal data should not be kept longer than is necessary for the fulfillment of the data processing. The Paper seeks comment whether further legislation and standards should be implemented to better manage this requirement. In particular, the Paper poses whether personal data should be disposed of within seven (7) days after the commercial transaction has been completed and whether different standards should apply to different sets of data.

Data Integrity Standards
The “Data Integrity Principle” under the PDPA requires data users to take reasonable steps to ensure personal data is accurate, complete and up-to-date. The Paper proposes strengthening this principle by outlining specific requirements such as ensuring that all personal data is updated within seven (7) days of receiving notice of correction and displaying a notice to consumers about how personal data may be updated.

Once the public consultation period ends, the PDPC will finalize and publish the new standards. Once effective, companies will need to ensure compliance or potentially face penalties.