The Personal Data Protection Commissioner (“Commissioner”) recently issued the new General Code of Practice of Personal Data Protection (“General CoP”) on its website, which came into effect on 15 December 2022. The General CoP is issued pursuant to section 24(1) of the Personal Data Protection Act 2010 (“PDPA”). Below is a brief summary of the General CoP with some key points.
Application of the General CoP
The General CoP sets out new legal requirements as well as best practices applicable to classes of data users for which no code of practice has yet been registered with the Commissioner. To date, only the following sectors have codes of practice registered with the Commissioner:
- the utilities sector (water);
- the utilities sector (electricity);
- the aviation sector;
- the insurance and takaful industry;
- the banking and financial sector;
- the licensees under the Communications and Multimedia Act 1998; and
- the private hospitals in the healthcare industry.
Accordingly, the General CoP applies to the following classes of data users:
- Communications sector
Licensees under the Postal Services Act 2012.
- Health sector
Licensees under the Private Healthcare Facilities and Services Act 1998 (other than licensees who are private hospitals), holders of the certificates of registration of private medical clinics/dental clinics and bodies corporate registered under the Registration of Pharmacists Act 1951.
- Tourism and Hospitality industry
Licensed persons who carry on or operate tourism training institutions, licensed tour operators, licensed travel agents, licensed tourist guides and persons who carry on or operate registered tourist accommodation premises under the Tourism Industry Act 1992.
- Education sector
Private higher educational institutions registered under the Private Higher Educational Institutions Act 1996 and private schools or private educational institutions registered under the Education Act 1996.
- Direct Selling industry
Licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993.
- Services industry
Companies registered under the Companies Act 2016 (or Companies Act 1965) and persons who have entered into partnership under the Partnership Act 1961 who:
  - carry on businesses in these sectors: legal, audit, accountancy, engineering, or architecture;
  - conduct retail dealing and wholesale dealing as defined under the Control of Supplies Act 1961; and
  - carry on the business of a private employment agency under the Private Employment Agencies Act 1981.
- Real Estate sector
Licensed housing developers under the Housing Development (Control and Licensing) Act 1966, the Housing Development (Control and Licensing) Enactment 1978, Sabah, and the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak.
- Pawn broking industry
Licensees under the Pawnbrokers Act 1972.
- Moneylending industry
Licensees under the Moneylenders Act 1951.
Key provisions of the General CoP
- Additional Information for Personal Data Protection Notices
In addition to the requirements prescribed under Section 7 of the PDPA, the General CoP requires additional information to be stipulated in the personal data protection notices, including but not limited to the following:
  - where applicable, information regarding any sensitive personal data being processed;
  - where applicable, information regarding personal data of children under 18 years old being processed;
  - where applicable, regulatory requirements to collect certain personal data;
  - retention period of personal data;
  - when the personal data will be disposed of; and
  - the practical and security measures taken to ensure that personal data is safe and secured.
- Implementation of a compliance framework
Pursuant to the General CoP, the relevant data users are required to develop and implement appropriate compliance policies and procedures (compliance framework) to ensure compliance with the General CoP and the PDPA. The General CoP further recommends that the relevant data users continuously monitor their compliance with the General CoP, the PDPA, and regulations and standards thereunder by implementing an internal monitoring framework and conducting self-audits.
- Recommended provisions for data processor agreements
Where processing of personal data is carried out by a data processor on the relevant data user’s behalf, it is recommended that the relevant data user include in the agreement with the data processor certain provisions to bind such data processor including (a) provisions in relation to confidentiality, non-disclosure and technical and/or organizational security measures; (b) conditions under which personal data may be processed; and (c) representations, undertakings, warranties and/or indemnities which are to be provided by the data processor.
- Direct Marketing
The PDPA requires data users to cease, or not begin, the processing of personal data for direct marketing purposes upon the data subject’s written request. The General CoP now requires the relevant data users to comply with such a written request within a “reasonable time frame”, although the General CoP does not specify how long a “reasonable time frame” would be.
Penalty for non-compliance with the General CoP
Non-compliance by a relevant data user with the mandatory provisions of the General CoP is an offence and upon conviction, may render such data user liable to a fine not exceeding RM100,000 or imprisonment for a term not exceeding one year, or both.
Key Contributors:
Tong Lai Ling
Partner – Technology, Multimedia & Telecommunications
Direct line: +603-2632 9878
Email: tonglailing@rdl.com.my
Karen Ting Shi Chien
Associate – Technology, Multimedia & Telecommunications
Direct line: +603-2632 9953
Email: karenting@rdl.com.my