Understanding the Personal Data Protection Act and what you can do in case of personal data breach

KUALA LUMPUR, August 28 — In an age of phishing, spam bombardment and potential scams, protecting personal data has never been more crucial.

That’s why the Personal Data Protection Act 2010 (PDPA) exists — its function is to protect the public from the misuse of their personal data through a set of principles that data controllers (or organisations or businesses that process personal data) must follow.

But what exactly is personal data? According to Malaysian Bar Council Personal Data Protection Committee’s chairperson Sathish Ramajandran, any information that can identify a person is considered personal data.

“That includes things such as name, email address, phone number, age, address, date of birth, IC number, photographs — these are all considered personal data.

“It’s basically anything that can identify (an individual) directly or indirectly,” he said.

The PDPA also outlines seven principles that data controllers and data processors must abide by, including:

  1. General Principle: Personal data can only be processed with the data subject’s consent and for a lawful purpose. The data collected must not be excessive for that purpose.
  2. Notice and Choice Principle: Data subjects must be informed in writing (in both Bahasa Malaysia and English) about the purpose of data collection, the type of data being collected, and their rights to access and correct the data.
  3. Disclosure Principle: Personal data cannot be disclosed to a third party without the data subject’s consent.
  4. Security Principle: Data controllers must take reasonable steps to protect personal data from loss, misuse, modification, unauthorised access or disclosure.
  5. Retention Principle: Personal data should not be kept longer than necessary for the purpose for which it was collected. It must be securely destroyed or deleted when it is no longer needed.
  6. Data Integrity Principle: Data controllers must take reasonable steps to ensure that the personal data they hold is accurate, complete, not misleading and up-to-date.
  7. Access Principle: Data subjects have the right to request access to their personal data held by a data controller and to request correction of any inaccurate information.

The PDPA gives individuals rights as ‘data subjects,’ allowing them control over their information and how it is used.

The PDPA mandates that all data controllers register with the PDPC — a requirement that spans both public and private sectors.

Failure to comply carries serious consequences. Under the PDPA, all types of data controllers — whether in transportation, education, healthcare, finance, telecommunications, retail, or other industries handling personal data — who fail to register with the PDPC are committing a serious offence.

They are liable to a fine not exceeding RM500,000, imprisonment for up to three years, or both. This penalty is stipulated under Section 16(4) of the Personal Data Protection Act 2010.

In 2024, the Act underwent several amendments, which were officially implemented on April 1 and June 1 of this year.

What’s new with PDPA?

Driven by several key factors, the recent amendments to the PDPA aim to address the challenges of the modern digital landscape while aligning Malaysia’s data protection framework with international standards.

Among the changes that took effect on April 1 are the inclusion of biometric data such as fingerprints and facial scans, which are now considered sensitive personal data and must be handled with stricter security and consent requirements.

Another key change is the increase in maximum penalties for breaching PDPA principles — fines have risen from RM300,000 to RM1 million, and the maximum prison term has been extended from two to three years.

Other notable changes also include a new obligation for data processors — entities that process data on behalf of data controllers — who are now obligated to comply with the Security Principle of PDPA.

The second series of amendments, effective June 1, includes the mandatory appointment of a Data Protection Officer (DPO) by both data controllers and data processors to oversee compliance with the PDPA.

Data controllers are now required to promptly notify both the data subject and the Personal Data Protection Commissioner (PDPC) — the key enforcement authority under the PDPA — in the event of a personal data breach.

Data subjects now have the right to request that a data controller transfer their personal data directly to another controller of their choice, whenever technically feasible.

As prevention is better than cure, Vishnu recommends strengthening online security by using unique passwords for each account and enabling multi-factor authentication. — Reuters pic

Dealing with personal data breaches

Personal data breaches are especially concerning when they involve high volumes of personal data.

However, this does not mean that small breaches of personal data are totally harmless, as it could also lead to harmful consequences such as identity theft, monetary loss and even emotional distress.

According to lawyer Vishnu Vijandran of Aqran Vijandran A