We published a newsletter regarding Data Protection in Malaysia.
Data Protection in Malaysia:
The General Code of Practice – An Overview
August 2023
One Asia Lawyers Group
Yuki Hashimoto
Lawyer (Japan)
Clarence Chua Min Shieh
Lawyer (Malaysia)
As of late, new laws and regulations have been created in order to address modern concerns. In Malaysia, the Personal Data Protection Act 2010 (“PDPA”) is the core of that system, and it is supported by subsidiary legislation and regulations. For our discussion herein, we will look into one such regulation, the newly issued General Code of Practice or, in short, the “GCOP”.
Although the GCOP may appear to be merely a practical guideline, it is legally binding. Violations are subject to penalties under Section 29 of the PDPA. As such, it should not be taken lightly by the data users that it governs [1].
Firstly, data users are required to adhere to the PDPA in order to process and maintain personal data. Some data users are required to be registered as a “registered data user” with the Personal Data Protection Department prior to processing [2]. Currently, the list of classes of data users that require registration is as follows: communications, banking and financial institutions, insurance, health, tourism and hospitality, transportation, education, services (such as legal, audit and engineering, among others), real estate, utilities, and lastly pawnbrokers with an A-type licence [3].
In addition, the PDPA requires the issuance of Codes of Practice (“COP”) for the above classes, which have been issued from time to time [4]. The aim of such COPs is to provide specific regulations that address the unique conditions and business environment of particular classes of data users.
Despite the requirements of the PDPA, some classes of data users have, unfortunately, yet to develop their own COP or have one issued for them. The GCOP was built to address this and was issued on 15 December 2022. Its aim is to provide a COP for classes of data users who do not yet have a COP governing them. Please find below the table describing such classes of data users:
| No. | Class of Data User |
|---|---|
| 1 | licensees under the Postal Services Act 2012 |
| 2 | licensees under the Private Healthcare Facilities and Services Act 1998, apart from private healthcare facilities and services that have been licensed as private hospitals |
| 3 | licensees who carry on or operate tourism training institutions, licensed tour bus operators, travel agents, or tour guides under the Tourism Industry Act 1992 |
| 4 | licensees who are registered as private higher education institutions under the Private Higher Education Institutions Act 1996 or as private schools or private educational institutions under the Education Act 1996 |
| 5 | licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993 |
| 6 | companies or partnerships which provide the following services: audit, accountancy, engineering, or architecture |
| 7 | companies or partnerships that conduct retail dealing and wholesale dealing under the Control Supplies Act 1961 |
| 8 | companies or partnerships that carry on the business of a private employment agency under the Private Employment Agencies Act 1981 |
| 9 | licensed housing developers under the Housing Development (Control and Licensing) Act 1966, the Housing Development (Control and Licensing) Enactment 1978 (Sabah), or the Housing Developers (Control and Licensing) Ordinance 1993 (Sarawak) |
| 10 | pawnbrokers who are licensed under the Pawnbrokers Act 1972 |
| 11 | licensed moneylenders under the Moneylenders Act 1951 |
There are in total 12 paragraphs in the GCOP. For the sake of our discussion, the paragraphs under the GCOP will be split into four categories: regulations when collecting personal data, regulations when holding personal data, regulations on rights of data subjects, and lastly regulations on enforcement.
Before a data processor can process data, it needs to look at the requirements for consent by data subjects and provide the necessary information when seeking consent. Fundamentally, the GCOP does not change the mechanism of the principles. However, it provides clarity on how the responsibilities are to be discharged. Firstly, it states that consent should be recorded and maintained properly by the data user [5]. Said consent must also provide the clearest indication that the data subject has consented to the purposes of collection, processing, and/or disclosure of the personal data [6].
Data users may create their own consent forms, as long as the form makes the consent clear, is easily recorded, and provides the said notification. Data users may rely on the templates provided in the GCOP or use them as a guide in preparing such forms [7]. A useful aspect is that the GCOP also provides a list of actions by the data subject which shall be deemed consent by conduct, such as the data subject voluntarily providing personal data [8] or giving verbal consent that is recorded [9], among others. This provides guidance to data users where there is doubt as to the form of consent given.
With regard to the personal data protection notice, it should be provided to data subjects prior to, or as soon as practicable after, the collection of personal data [10]. The contents of the GCOP on this issue are almost entirely a repetition of Section 7 of the PDPA.
However, it does add more emphasis to certain particulars to be stated in the notice. For data users who do not have such a notice or would like a reference point, the GCOP provides a template which can be used as a reference [11]. The GCOP also provides additional guidance as to how the notice is to be communicated (by giving a physical copy, via email, via the website of the data user, among others) [12]. It should be noted that the most appropriate approach is to be determined by the data user itself [13].
Originally, the Personal Data Protection Standards 2015 (“2015 Standards”) provided guidance on fulfilling the Security Principle, the Retention Principle, and the Integrity Principle. Under Paragraphs 6 to 8, the GCOP uses the 2015 Standards as a base and improves on them.
With regard to the security of personal data, the GCOP states that the practical steps may vary from case to case, depending on the nature of the personal data and its degree of sensitivity [14]. With that in mind, it proposes steps for the management of staff access, such as keeping an access register, terminating access when employment ends, setting limits on access, and maintaining a system of access control, for both electronic [15] and physical copies [16], as some of the possible steps to take. If data processors are appointed, they are required to adhere to similar security standards as the data users that appointed them [17]. The GCOP provides for a system of disposal as well: if personal data is to be deleted or destroyed, such deletion and/or destruction must be permanent and must be recorded accordingly [18].
The rights of data subjects are governed by Paragraphs 9 and 10 of the GCOP, which are mainly based on Division 4 of the PDPA. As such, the responsibilities relating to requests for access to and correction of data, such as the 21-day period for compliance [19] and the exceptions to compliance [20], remain unchanged. However, the GCOP has improved on the “opt-out” option for direct marketing [21].
In particular, Paragraph 10.6.4 provides clarity on the instances in which a data user can process data for direct marketing. Besides where consent has been given, such processing can take place if the data subject is informed of the identity of the direct marketing organisations and the purpose of collection and disclosure, or if the data user commits to providing an opt-out option for the data subject during the collection of personal data, among others [22]. A data subject can apply to opt out of the processing of data via a request form [23]. For such requests, data users that do not have their own forms are encouraged to use the templates provided [24].
Enforcement is governed by Paragraphs 11 and 12 of the GCOP. Paragraph 11 provides that the personal data system of a data user has to be open for inspection at all times.
This was originally provided for under the Personal Data Protection Regulations 2013. For those who are unfamiliar, the said Regulations, and now the GCOP as well, require the data user to maintain records of the consents of data subjects and other relevant information relating to consent, such as the list of third parties to whom data is disclosed and a copy of the personal data protection notice, among others [25]. Such information must be accessible for inspection at reasonable times.
Also, data users are obliged to have an internal system for data protection management. In particular, they need to have an internal audit system, provide the necessary training to their employees, and be on the lookout for any developments in the laws and regulations [26].
Lastly, Paragraph 12 provides a glimpse of the future: the Personal Data Protection Commissioner is empowered to designate a body to prepare a COP for a specific class of data users within two (2) years from the date of the designation. It should be noted that once a COP has been issued for a specific class of data users, the GCOP will no longer apply to that class.
From a general perspective, the GCOP technically does not change much when it comes to the principles of data protection. However, it provides practical guidance on applying them and enhances what is already there. Despite its focus on practical steps rather than the policy-based issues addressed by the PDPA, data users need to take it seriously. As mentioned at the beginning, it has the force of law, and any data user who fails to comply with any provision applicable to it commits an offence and shall, on conviction, be liable to a fine not exceeding RM 100,000.00 or to imprisonment for a term not exceeding one year, or both [27].
As such, it is strongly recommended that the affected classes of data users adhere to the GCOP as best they can. In the event you would like tailor-made support on compliance with the GCOP, or have any questions on the topics discussed, please do not hesitate to contact us.
[1] Para 1.2.1 GCOP
[2] Sections 14, 15 and 16 PDPA
[3] Schedule of Personal Data Protection (Class of Data Users) Order 2013 and Section 29 PDPA
[4] The classes for which COPs have been established include the following: private hospitals under the healthcare sector, the utilities sector (such as waterworks and electricity), the financial sector, the communications sector, the insurance sector, and the aviation sector.
[5] Para 3.3.1 GCOP
[6] Para 3.3.2 GCOP
[7] Para 3.3.3(a) GCOP
[8] Para 3.3.3(b) GCOP
[9] Para 3.3.3(c) GCOP
[10] Para 4.1 GCOP, Section 7(2) PDPA
[11] Appendix 1 GCOP
[12] Para 4.6.1 GCOP
[13] Para 4.6.2 GCOP
[14] Para 6.2 GCOP
[15] Para 6.3 GCOP
[16] Para 4 GCOP
[17] Para 6.5 GCOP
[18] Para 7.4 GCOP
[19] Para 10.2.3(c) and (d), Para 10.3.4 GCOP, Sections 31(1) and 35(1) PDPA
[20] Para 10.2.4 and Para 10.3.5 GCOP, Sections 32 and 36 PDPA
[21] Section 43 PDPA
[22] Para 10.6.4 GCOP
[23] Section 43(1) PDPA, Para 10.6.1 GCOP
[24] Appendices 2, 3 and 4 GCOP
[25] Para 11.2 GCOP
[26] Para 11.3, 11.4, 11.5 and 11.6 GCOP
[27] Para 1.2.1 GCOP