Personal data leaks keep making headlines: from Cambridge Analytica’s alleged hijacking of 87 million Facebook users’ data, to something even closer to home, namely Lowyat’s news exposé of a local telco’s database of 46 million mobile phone numbers and Astro’s IPTV customer details being made available for sale online.
Setting aside the jaw-dropping scale of these leaks, this article examines the responsibilities and standards that Malaysia’s Personal Data Protection laws impose on businesses in Malaysia, both big and small, when it comes to protecting and securing customers’ personal data, and sets out some practical steps that such businesses are expected to take.
Security Principle
Section 9 of the Personal Data Protection Act 2010 of Malaysia (“PDPA”) establishes the Security Principle. The Security Principle is among the 7 major principles that businesses which are data users are obliged to comply with (Sections 6 to 12, PDPA). Failing to do so will attract fines and even jail terms.
The Security Principle requires data users to take practical steps, when processing personal data, to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction. In order to determine the steps needed and the lengths it should go to in ensuring such protection, the data user needs to take into account factors like the nature of the personal data (i.e., how sensitive it is), the potential harm resulting from loss or misuse, the place or location of storage, the security measures in any equipment used to store data, the measures taken for ensuring the reliability, integrity and competence of personnel having access, and the measures put in place to ensure the personal data is transferred securely (Section 9 PDPA).
Secondly, many businesses that are data users rely on third party service providers by ‘outsourcing’ the processing and storage of personal data on their behalf. In such instances, the Security Principle also dictates that the data user must obtain sufficient guarantees from the data processor that it (i) takes technical and organizational security measures governing the processing to be carried out AND (ii) takes reasonable steps to ensure compliance with those measures (Section 9 PDPA).
Practical Security Steps
Among the “practical steps” in the Security Principle is, as suggested by Rule 6 of the Personal Data Protection Regulations (“PDPR”), to implement a security policy which is compliant with the Personal Data Protection Standard 2015 (the “Security Standards”).
The Security Standards are divided into personal data stored electronically and personal data stored non-electronically.
The Security Standards for personal data stored electronically compel data users to implement measures like:
• registering all employees and personnel involved in processing personal data;
• providing a user ID and password for employees and personnel involved in the processing of personal data;
• storing data in a safe location;
• controlling movement into and out of the said location;
• setting up around-the-clock security monitoring like CCTVs in the aforesaid location;
• using back-up services and anti-virus software;
• not permitting transfer of personal data through removable media devices (like pen drives) and cloud computing services, unless written permission from an officer authorized by the top management of the data user is obtained; and
• if using a third party to process personal data, binding the said third party with an agreement to ensure their compliance with the PDPA.
The Security Standards for non-electronically processed personal data compel data users to establish physical security procedures like storing all personal data in an orderly manner in files and in a locked place, keeping all the related keys in a safe place, and keeping a record of key storage. Additionally, personal data shall be stored in an appropriate location which is unexposed and safe from physical or natural threats.
The list above is not exhaustive and each organization should undertake a risk assessment exercise to determine the sufficiency of its:
• security protocols,
• protection levels,
• access controls,
• staff responsibility, and
• disaster management plan
that are appropriate in the context of its own business.
Glossary
data user means a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorizes the processing of any personal data, but does not include a data processor;
data processor, in relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes;
personal data means any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010; and
processing, in relation to personal data, means collecting, recording, holding or storing the personal data or carrying out any operation or set of operations on the personal data, including (a) the organization, adaptation or alteration of personal data; (b) the retrieval, consultation or use of personal data; (c) the disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (d) the alignment, combination, correction, erasure or destruction of personal data.