Malaysia

LEG-01:

Legislation enacted specifically for data privacy?
– Personal Data Protection Act 2010.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Communications and Multimedia Act 1998
– Telemedicine Act 1997
– Computer Crimes Act 1997

LEG-03:

The Country is a member of an organisation that implements guidelines for data privacy.

LEG-04:

Local government has any Bills going through the legislative process.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.

LEG-06:

Has other state laws related to privacy. Note: these will not be identified, as they are too extensive.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– Personal Data Protection Act 2010 Section 70
Notes: establishes the Personal Data Protection Advisory Committee

PRI-02:

There is a requirement to establish a privacy commissioner.
– Personal Data Protection Act 2010 Section 47
Notes: establishes the Personal Data Protection Commissioner

PRI-03:

The functions of the authority are clearly set out.
– Personal Data Protection Act 2010 Section 71

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.
– Personal Data Protection Act 2010 Section 48(c)
Notes: the Personal Data Protection Commissioner is to encourage and promote this.

PRI-07:

An internal audit process is outlined for each company.
– Personal Data Protection Act 2010 Section 101
Notes: Personal Data Protection Commissioner may carry out an inspection of any personal data systems.

PCP-01:

“Personal Information” is defined, giving examples and a clear outline.
– Personal Data Protection Act 2010 Section 4
Notes: defined as “personal data”.

PCP-02:

“Sensitive Information” is defined, giving examples and a clear outline.
– Personal Data Protection Act 2010 Section 4
Notes: defined as “sensitive personal data”.

PCP-03:

Other types of information are defined that are viewed differently to personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Personal Data Protection Act 2010 Section 6
– Telemedicine Act 1997 Section 5

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent differs for different age groups.
– Personal Data Protection Act 2010 Section 4
Notes: “relevant person” – (a) in the case of a data subject who is below the age of eighteen years, the parent, guardian or person who has parental responsibility for the data subject.

PCP-08:

Consent may be withdrawn at any time.
– Personal Data Protection Act 2010 Section 38

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– Personal Data Protection Act 2010 Section 7

PRO-01:

Individual has the ability to access their data by request.
– Personal Data Protection Act 2010 Sections 12 and 30

PRO-02:

Individual has the ability to update or amend their data for accuracy.

PRO-03:

Data can be sent to a third party for processing.
– Personal Data Protection Act 2010 Sections 7 and 9(2)

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Personal Data Protection Act 2010 Section 7

PRO-05:

Encryption is used for processing of data to ensure anonymity.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Personal Data Protection Act 2010 Sections 8 and 130

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Personal Data Protection Act 2010 Sections 5(2), 29 and 133
Notes: Section 133 directly relates to offences by a body corporate

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– Personal Data Protection Act 2010 Section 104

STO-01:

All data is stored with at least a “reasonable” level of security.
– Personal Data Protection Act 2010 Section 9

STO-02:

Encryption techniques are used to store data.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– Personal Data Protection Act 2010 Sections 7 and 9(2)

STO-04:

Data can be stored offshore in a different Country.
– Personal Data Protection Act 2010 Sections 9(2) and 129
Notes: Although storage locations are not specified, this may be seen as a reasonable protection method.

STO-05:

Data can be stored off-site but in the same Country.

STO-06:

Information is only kept by the collection agency for the minimum time needed for the outlined purpose to be fulfilled.
– Personal Data Protection Act 2010 Section 10(1)

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.
– Personal Data Protection Act 2010 Section 10(2)

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Personal Data Protection Act 2010 Sections 5(2), 29 and 133
Notes: Does not specify storage.

STO-09:

Notification has to be given to individuals in case of a data breach.

STO-10:

A policy is in place in case the data collection agency ceases to operate.

STO-11:

A policy is in place in case the data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.

SPM-03:

Subject line to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– Communications and Multimedia Act 1998 Section 233(1)(b)
Notes: This provision is not specific to spam but could be applied to it.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.
– Communications and Multimedia Act 1998 Section 253

INT-03:

A warrant is needed to have the ability to intercept personal data.
– Communications and Multimedia Act 1998 Section 252
– Communications and Multimedia Act 1998 Section 234(4)
Notes: Section 234(4) gives the “officer, employee or agent of any network facilities provider, network service provider, applications service provider or content applications service provider ” the ability to intercept.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.
– Communications and Multimedia Act 1998 Section 265

INT-05:

External countries have the ability to intercept data with permission from the host country.
– Communications and Multimedia Act 1998 Section 269