1. Introduction
As of late, new laws and regulations have been created in order to address modern concerns. In Malaysia, the Personal Data Protection Act 2010 ("PDPA") is the core of such system. The PDPA is then supported by sub-legislations and regulations. For our discussion herein, we will look into one such regulation, the newly issued General Code of Practice or, in short, "GCOP".
Although the GCOP seems to appear as a practical guideline, it is legally binding. Violations under the same are subject to penalties under Section 29 of the PDPA. As such, this should not be taken lightly by the data users that it governs1.
2. The basis behind the GCOP.
Firstly, data users are required to adhere to the PDPA in order to process and maintain personal data. Some data users are required to be registered as "registered data user" prior to processing2 with the Personal Data Protection Department. Currently, the list of classes of data users that would require registration are as follows: communications, banking and financial institution, insurance, health, tourism and hospitalities, transportation, education, services (such as legal, audit, engineering, among others), real estate, utilities, and lastly pawnbrokers with an A-type license3.
In addition, the PDPA requires the issuance of Codes of Practices ("COP") for the above classes, which have been issued from time to time4.The aim of such COPs is to provide specific regulations to address the unique conditions and business environment of certain classes of data users.
Despite the requirements of the PDPA, some information users have unfortunately, have yet developed their own COP or have them issued. As such, the GCOP was built to address this and was issued on 15 December 2022. Its aim is to provide a COP for classes of data users who have yet to have any COP to govern them. Please find below the table describing such classes of data users:
| No. | Class of Data User |
| 1 | licensees under the Postal Services Act 2012 |
| 2 | licensees under the Private Healthcare Facilities and Services Act 1998, apart from private healthcare facilities and services that have been licensed as private hospitals |
| 3 | licensees who carry or operate tourism training institutions, licensed tour bus operators, travel agents, or tour guides under the Tourism Industry Act 1992 |
| 4 | licensees who are registered as private higher education institutions under the Private Higher Education Institutions Act 1996 or private schools or private educational institutions under the Education Act 1996 |
| 5 | licensees under the Direct Sales and Anti-Pyramid Scheme Act 1993 |
| 6 | companies or partnerships which provide the following services: Audit, Accountancy, Engineering, or Architecture |
| 7 | companies or partnerships that conduct retail dealing and wholesale dealing under the Control Supplies Act 1961 |
| 8 | companies or partnerships that carry on business of a private employment agency under the Private Employment Agencies Act 1981; |
| 9 | licensed housing developers, under Housing Development (Control and Licensing) Act 1966, Housing Development (Control and Licensing) Enactment 1978 Sabah, or Housing Developers (Control and Licensing) Ordinance 1993, Sarawak |
| 10 | pawnbrokers who are licensed under the Pawnbrokers Act 1972 |
| 11 | licensed moneylenders under the Moneylenders Act 1951 |
There are in total 12 paragraphs in the GCOP. For the sake of our
discussion, the paragraphs under the GCOP will be split into four
categories: regulations when collecting personal data,
regulations when holding personal data, regulations on rights of
data subjects, and lastly regulations on enforcement.
3. Regulations when collecting personal data.
3.1. Obtaining Consent
Before a data processor can process data, they would need to look at the requirements for consent by data subjects and provide necessary information when seeking consent. Fundamentally, the GCOP does not change the mechanism of the principles. However, it provided clarity on how the responsibilities are executed. Firstly, it states that consent should be recorded and maintained properly by the data user5. Said consent must also provide the clearest indication that the data subject has consented to the purposes of collection, processing, and/or disclosure of said personal data6.
The forms for consent can be created by the data users as long as it makes the consent clear, it is easily recorded and provides the said notification. Data users may rely on the templates provided in the GCOP or use it as a guide in preparing such forms7. A useful aspect is that the GCOP also provides for a list of actions by the data subject which shall be deemed as consent via conduct, such as the action of the data subject voluntarily provide personal data8, verbal consent that is recorded, among others9. This provides guidance to data users if there are doubts on the forms of consent given.
3.2. Personal Data Protection Notices
With regard to the personal data protection notice, it should be provided to data subjects prior to or as soon as possible after the collection of personal data10. The contents of the GCOP on this issue is almost entirely a repetition of Section 7 of the PDPA.
However, it does add more emphasis to certain particulars to be stated in the notices. And for data users who do not have such a notice or would like to have a reference point, the GCOP provides a template which can used as a reference11. The GCOP also provides additional guidance as to how the notice is to be communicated (by giving a physical copy, via email, website of the data user, among others)12. It should be noted that what is the most appropriate approach shall be determined by the data user themselves13.
4. Regulations when holding data
Originally, the Personal Data Protection Standards 2015 ("2015 Standards") provided guidance in fulfilling the Security Principle, Retention Principle, and the Integrity Principle. What the GCOP has done under Paragraphs 6 to 8 is that it used the 2015 Standards as a base and has improved on it.
With regards to the security of personal data, the GCOP mentions that practical steps may vary from case to case, depending on the nature of personal data and the degree of sensitivity14. With that in mind, it has proposed steps in the management of staff access like having a register, termination of access due to determination of employment, creating of limits, and a system of access are recommended therein, for both electronic15 and physical copies16 as some of the possible steps to take. If data processors are appointed, they are required to adhere to the similar security standards as the data users they were appointed by17. The GCOP provides for a system of disposal as well. Namely, if personal data is to be deleted or destroyed, such deletion and/or destruction must be permanent and needs to be recorded accordingly18.
5. Regulations on the Rights of Data Subjects
This is governed under Paragraphs 9 and 10 of the GCOP which is mainly based on Division 4 of the PDPA. As such, the responsibility in ensuring that requests for access and correct data, such as complying within 21 days19 and the exceptions to comply, also remained unchanged20. However, the GCOP has improved on the "opt-out" option for direct marketing21.
In particular, Paragraph 10.6.4 provides clarity for instances as to when a data user can process data for direct marketing. Besides providing consent, such processing can take place if the data subject is informed of the identity of direct marketing organizations and the purpose of collection and disclosure or in the event the data user is committed to providing an opt-out option for the data subject during the collection of personal data, among others22. Namely, a data subject can apply for an opt-out of the processing of data via a request form.23 In light of those requests mentioned, data users are then encouraged to use the template provided24 in the event that they do not have such forms.
6. Regulations on Enforcement
This is governed under paragraphs 11 and 12 of the GCOP. Paragraph 11 provides that the personal data system of a data user has to be open for inspection at all times.
This was originally provided under Personal Data Protection Regulations 2013. However, for those who are unfamiliar, the said Regulations, and now the GCOP as well, would require the data user to maintain records on consents of data subjects and other relevant information related to consent, such as the list of third parties for disclosure, a copy of the personal data protection notice, among others25. And such information would need to be accessible for inspection during reasonable times.
Also, data users are obliged to have an internal system in terms of data protection management. In particular, they would need to have an internal audit system, provide necessary training to its employees, and to be on the look out for any developments on the laws and regulations26.
Lastly, Paragraph 12 provides a glimpse of the future as the Personal Data Protection Commissioner is empowered to designate a body to prepare a COP for the specific class of data users within two (2) years from the date of the designation. It should be noted that once a COP has been issued for a specific class of data users, the GCOP will no longer apply.
7. Conclusion
Based on a general perspective, the GCOP technically does not change much when it comes to the principles of data protection. However, it has provided practical guidance in doing so and enhanced what is already there. Despite focusing on practical steps and not policy-based issues like the PDPA, data users would need to take this seriously. As mentioned in the beginning, it has the force of law and any data user who fails to comply with any provision that is applicable to the data user commits an offence, and shall, on conviction, be liable to a fine not exceeding RM 100,000.00 or to imprisonment for a term not exceeding one year or both27.
As such, it is strongly recommended that affected classes of data subjects adhere to the GCOP the best they can. In the event you would like tailor-made support on the compliance of the GCOP, or have any questions on the topics discussed, please do not hesitate in contacting us.
Footnotes
1. Para 1.2.1 GCOP
2. Section 14, 15 and 16 PDPA
3. Schedule of Personal Data Protection (Class of Data Users) Order 2013 and Section 29 PDPA
4. The classes for which COPs have been established include the following: private hospitals under the healthcare sector, the utilities sector (such as waterworks and electricity), the financial sector, the communications sector, the insurance sector, and the aviation sector.
5. Para 3.3.1 GCOP
6. Para 3.3.2 GCOP
7. Para 3.3.3(a) GCOP
8. Para 3.3.3(b) GCOP
9. Para 3.3.3(c) GCOP
10. Para 4.1 GCOP, Section 7(2) PDPA
11. Appendix 1 GCOP
12. Para 4.6.1 GCOP
13. Para 4.6.2 GCOP
14. Para 6.2 GCOP
15. Para 6.3 GCOP
16. Para 4 GCOP
17. Para 6.5 GCOP
18. Para 7.4 GCOP
19. Para 10.2.3(c) and (d), Para 10.3.4 GCOP, Section 31(1) and 35(1) PDPA
20. Para 10.2.4 and Para 10.3.5 GCOP, Section 32 and 36 PDPA
21. Section 43 PDPA
22. Para 10.6.4 GCOP
23. Section 43(1) PDPA, Para 10.6.1 GCOP
24. Appendix 2,3 , and 4 GCOP
25. Para 11.2 GCOP
26. Para 11.3, 11.4, 11.5 and 11.6 GCOP
27. Para 1.2.1 GCOP
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
