In Part 2 of the series, we discussed the seven key principles under the Malaysian PDPA 2010. The final article focuses on data controller contracts, data subject rights, data transfers and how breach reporting can be done in the Health and Financial sector.
Data Processor / Controller and Contracts
It should be noted that the provisions under PDPA 2010 for the most part concern data users and not data processors. However, under specific circumstances, data users may be required to contractually bind data processors/controllers in order to ensure PDPA compliance.
Now, this brings us to data controller/processor agreements or contracts;
Whenever any personal data processing is carried out by a data processor or controller on behalf of a data user – for the purpose of protecting that personal data from loss, modification, misuse, accidental/unauthorized disclosure or access or destruction – the PDPA requires the data user to ensure that the data controller/processor meets the following criteria:
- Offers reasonable guarantees and/or assurance around the technical and organizational security measures which have been taken in regards to the process which must be carried out
- Takes the appropriate steps to ensure compliance with the above measures.
In addition, as per the Security Principle, which was discussed in detail in part 2, data users can enter into contracts with data controllers/processors with regard to any kind of data processing which may be required.
Data Subject Rights
Apart from the obligations placed by the PDPA on a data user, it also offers these rights to a data subject:
- The right to access personal data
- The right to request a data user to correct/update personal data
- The right to withdraw the consent given for personal data processing
- The right to object to processing which may cause any damage or distress
- The right to object to processing done for direct marketing campaigns
Some of the above rights are subject to further PDPA provisions. For example, with respect to the last one, a data subject can, through written notice, require the data user to immediately stop or not begin processing the personal data for direct marketing purposes. If the data subject is not satisfied with the data user’s response, he/she may forward a formal application to the Commissioner to enforce compliance with the notice.
If a data subject believes that his/her personal data has been misused or used in a way against his/her wishes or consent, then they may register a complaint with the Commissioner here.
The PDPA does not permit the transfer of personal data out of Malaysia unless the transfer is to a country which has been recorded by the Minister in the Official Gazette. As it stands, no countries have been officially specified or recorded as yet.
However, the PDPA has outlined certain exceptions to this prohibition such as, for instance, where the data subject’s consent has been obtained for the transfer – where that transfer is deemed necessary to maintain the performance of the contract between the concerned parties.
If in doubt so as to whether any such exemptions apply on data transfer, the best course of action is to obtain the data subject’s consent with respect to transfers out of Malaysia.
Breach Reporting in the Health and Financial sector
There appears to be no general obligation on either individual to report a breach of personal data under the PDPA – however, there are a number of reporting obligations levied by authorities and regulators that have jurisdiction based on the individual facts of each case.
Here’s how breach reporting can be done in these two sectors:
In this sector, while there are general breach reporting obligations not specific to data breach notifications, they are still relevant.
For example, Section 37(1) from the Private Healthcare and Facilities Act 1998 outlines that a private healthcare service or facility must report breaches to the Director-General or any individual authorized on his behalf.
In the financial sector, things are a bit more nuanced. Various breach reporting obligations which are imposed by authorities and regulators may be triggered which may nor may not be coherent with data breaches.
For example, the Central Bank of Malaysia (BNM) has published Guidelines on Internet Insurance – where it states that licensed insurers responsible for carrying out internet-based insurance activities must report any material security breaches, and system performance degradation as well as downtime, if these critically affect the insurer with regard to the BNM.
Additionally, the BNM has also published the Management of Customer Information & Permitted Disclosure which explains that financial service providers need to have a customer information breach handing and response mechanism in place, should there be any loss, misuse, theft, modification, or disclosure of customer information that they hold. In fact, the guidance document is accompanied by a template which guides complainants on how to report a customer information breach.
Under separate Guidelines on Data Management and MIS Framework also published by the BNM, boards of registered financial companies must inform the Malay bank of any development whatsoever which may have a material effect on the company’s risk profile, financial condition or day-to-day operations.
Furthermore, public listed companies must abide by the Listing Requirements laid forth by Bursa Malaysia – listed issuers must disclose to the public without any delays all material information which may be deemed important and necessary for informed investing decisions.
In regards to capital markets, Securities Commission of Malaysia (SC) has published the Guidelines on Management of Cyber Risk, requiring all concerned entities to file a report to the SC, in case a cyber incident occurs with an adverse effect on the systems or information assets of the entity in question. Furthermore, this must be reported on the day the incident occurs.
To conclude, specific circumstances and facts of each case are the two underlying factors which decide whether a notification of data breach is required by a financial institution. With that said, the Financial Services Act 2013 (FSA) offers protection to those financial companies that voluntarily disclose information, knowledge or document(s) to the BNM which clearly indicates that a breach of contravention has occurred or is about to occur under the FSA guidelines.
Hopefully, this series has proven useful to help you understand what PDPA in Malaysia is and what you can and cannot do as a data user or a data subject.
Formiti deliver Global data privacy services and projects across a wide portfolio of industries contact us to discuss your next data privacy requirements