Malaysia: New Personal Data Protection Act

The Personal Data Protection Act 2010 (PDPA) came into force on 15 November 2013.

The PDPA applies to personal data which relates to a ‘commercial transaction’. The definition of commercial transaction in the Act is ‘any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010’.

Consequently, there is a question mark over whether the PDPA applies to information gathered in the employment context. In the absence of any official guidance, employers should take a conservative approach to applicability, and ensure compliance.

The PDPA establishes seven basic principles as follows:

General Principle: Employers must obtain consent from employees whose personal information is collected. There are certain exceptions to this rule which include where the collection of data is necessary to perform a contract that exists between the parties. To invoke the exception, employers must consider whether it is necessary to collect such data to perform their contractual obligations. Where the data collected is sensitive (e.g. it relates to physical or mental health, political or religious opinions or the commission of an offence) express consent must be obtained.

Notice and Choice Principle: Employers must also inform employees in writing of the data that is being collected, its purpose, the source of the data, the right to request access to and correction of the data, the class of third parties with whom the data is being shared, any choice/means the employee may have to limit the processing of the data, whether the supply of data by the employee is voluntary or obligatory and any consequences the employee will face if he does not supply the data. This written notice must be in both English and Malay.

Disclosure Principle: Disclosure of data, even to group companies, is covered by this principle, which requires consent from the employee. The written notice given to employees should clearly state the class of third parties the data is to be shared with.

Security Principle: Employers must ensure that data collected is securely protected and that access is carefully controlled. The data should be secured against loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

Retention Principle: Where data is no longer required for the purpose for which it was collected, it must be securely destroyed.

Data Integrity Principle: Under this principle, all data collected should be accurate, complete, not misleading and kept up to date. In order to comply with this principle, employers will be required to obtain updates from employees.

Access Principle: Employees must be able to access the data that is collected about them, and to correct it where it is inaccurate, incomplete, misleading or out-of-date.

Actions for employers

Employers should be aware that data collected before 15 November 2013 is subject to a three-month grace period, but the requirements of the PDPA apply to any data collected after that date with immediate effect.

Care should be taken to ensure compliance with other record retention requirements (e.g. section 61 of the Employment Act which requires that registers of employees are kept for six years), as well as the principles set out in the PDPA.

Article written by Fatim Jumabhoy, Senior Associate and Georgia Leonhardt, Associate.