In more detail

Guide

The first in the series of documents issued by the PDPD was the publication of the Guide to Preparation of Personal Data Protection Notice – which aims to serve as a reference for data users in preparing simple, comprehensive and tailored privacy notices for compliance with the requirements of the Notice and Choice Principle under the Malaysian Personal Data Protection Act 2010 (PDPA).

It supplements obligations under the Notice and Choice Principle by requiring privacy notices to also state:

• if any sensitive personal data will be processed;
• if personal data of children below the age of 18 years will be processed;
• if there is any regulatory requirement to collect certain personal data;
• how long personal data will be retained in the processing;
• when will personal data be disposed of;
• what practical measures are taken to ensure personal data is secured;
• what security measures are taken to ensure any disclosure of personal data is safe and secure;
• the name of third parties to whom personal data is disclosed and for what purpose; and
• the effective and last revision dates of the privacy notice.

The guide also emphasises that a privacy notice serves to notify data subjects of how their personal data is being processed, and should therefore not be used as a platform to obtain consent (especially a blanket consent) for processing their personal data.

While the guide does not appear to have legal force, data users are nevertheless encouraged to abide by the requirements set out in the guide as best practice.

Codes of practice

In February 2022, the PDPD published two industry codes of practice:

• the Code of Practice for Private Hospitals in the Healthcare Industry which applies to all private hospitals that are licensed under the Private Healthcare Facilities & Services Act 1998; and
• the Code of Practice for Utilities Sector (Water) which applies to water supply entities that are listed under paragraph 11 of the Schedule of the Personal Data Protection (Class of Data Users) Order 2013 (as may be revised from time to time).

Data users falling within the prescribed sectors above should note that non-compliance with the code of practice is an offence under the PDPA, punishable with a fine up to MYR 100,000 (~ USD 24,000) and/or imprisonment up to one year.

Circulars

The Personal Data Protection Commissioner also released two circulars in February 2022, reminding prescribed classes of data users of their obligation under the PDPA to register with the PDPD and to renew their certificates of registration before expiry:

• Personal Data Protection Commissioner Circular No. 1/2022: Requirement to Register as Data User under the Personal Data Protection Act 2010 (Act 709)
• Personal Data Protection Commissioner Circular No. 3/2022: Obligation to Renew Certificate of Registration as Data User under the Personal Data Protection Act 2010 (Act 709)

A list of the 13 prescribed classes of data users can be found in the first of the aforementioned circulars (only available in the local Malay language).

Where a data user falls within the prescribed classes, processing personal data without a certificate of registration is an offence under the PDPA, which may attract liability to a fine up to MYR 500,000 (~ USD 120,000) and/or imprisonment up to three years. Failure of renewal may also result in a fine up to MYR 250,000 (~ USD 60,000) and/or imprisonment up to two years.

Looking ahead

These latest developments suggest an increasingly proactive stance being taken by the PDPD in enforcing and promoting compliance with the PDPA. Given the pace of data privacy reforms globally and in the region, businesses should continue to monitor developments under Malaysia's data privacy regime.

* * * * *

© 2022 Wong & Partners. All rights reserved. Wong & Partners, member of Baker & McKenzie International. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.