Guidance for Preparing Personal Data Protection Notice
InsiderTAPS May 2022
In January 2022, the Personal Data Protection Commissioner (“Commissioner”) issued a Guide to Prepare Personal Data Protection Notice (“Guidance Note”) for the purpose of the Notice and Choice Principle under the Personal Data Protection Act 2010 (“PDPA”) and the Personal Data Protection Regulations 2013 (“PDPR”). The Notice and Choice Principle requires a data user to give data subjects a written notice, in both English and Malay, that contains the prescribed information regarding the processing of their personal data as soon as practicable (i) when the data subject is first asked to provide his personal data; (ii) when the data user first collects the personal data from the data subject; or (iii) in any other case, before the data user uses the personal data for a new purpose or discloses the personal data to a third party other than that which was originally disclosed in the initial notice. Non-compliance amounts to an offence which may attract a fine not exceeding RM 300,000 or a term of imprisonment not exceeding 2 years, or both.
The level and type of information to be included in the written notice as prescribed under the Notice and Choice Principle are set out below:
- that the personal data of the data subject is being processed by or on behalf of the data user, and a description of the personal data;
- the purposes for which the personal data is being or is to be collected and further processed;
- any information available to the data user as to the source of the personal data;
- the data subject’s right to request access to and to request correction of the personal data and how to contact the data user with any inquiries or complaints in respect of the personal data (by providing the designation of the contact person, phone number, fax number (if any), email address (if any) and such other related information);
- the class of third parties to whom the data user discloses or may disclose the personal data;
- the choices and means the data user offers to the data subject for limiting the processing of personal data, including personal data relating to other persons who may be identified from that personal data;
- whether it is obligatory or voluntary for the data subject to supply the personal data; and
- where it is obligatory for the data subject to supply the personal data, the consequences of failing to do so.
The Guidance Note provides guidance and explanations to data users on how to prepare, formulate and implement a privacy notice for compliance with the requirements of the PDPA. In particular, it addresses several aspects concerning privacy notice such as the detailed information that must be included therein, language and placement requirements, presentation style as well as format, font and layout requirements, with an example of privacy notice template given for reference.
In addition to the existing requirements specified under the Notice and Choice Principle, the Guidance Note sets out several additional requirements imposed by the Commissioner as briefly summarized below.
- In addition to the name and type of personal data and sensitive personal data involved, the privacy notice must also state whether personal data of children under the age of 18 is processed.
- The privacy notice must stipulate whether there is any regulator’s requirement or regulatory purpose to collect certain personal data pursuant to which such data may be disclosed to the regulators.
- The privacy notice must state the duration for which personal data will be retained and when the personal data will be disposed of.
- The privacy notice must describe the security measures that will be taken or are in place to ensure the security of personal data processed and disclosed to third parties.
- The privacy notice must specify how data subjects may access, correct or update their personal data (for instance, by providing a link to the relevant form).
- Under the PDPR, the only mandatory contact details are the designation and contact number of the person responsible for handling queries and complaints with respect to personal data; the Guidance Note requires the privacy notice to also include the name of the contact person, fax number and email address.
- In addition to the class of third parties to whom personal data is or may be disclosed, the privacy notice must also state the corresponding purpose of the disclosure for each class of third party.
- The privacy notice must mention the effective date and last reviewed or amended date of the notice.
The imposition of the additional requirements under the Guidance Note appears to be outside the scope prescribed under the Notice and Choice Principle. However, given that the purpose of the Guidance Note is to serve as a reference and guide to data users, especially micro, small and medium enterprises, to produce a simple but comprehensive privacy notice that aligns with the business ecosystem and current data protection developments, adherence to the Guidance Note is recommended as a matter of best practice rather than being mandatory. The introduction of the additional requirements could also be perceived as anticipating the proposed amendments to the PDPA, which are aimed at strengthening the effectiveness and practical implementation of the PDPA and aligning it with international standards.
In view thereof, businesses and organizations should take this opportunity to review and revise their existing privacy notices, where necessary, to ensure adherence to the Guidance Note in addition to the Notice and Choice Principle. Data users are also encouraged to revisit their privacy notices at regular intervals so that the notices remain up-to-date and accurately reflect changes to their privacy practices, procedures and systems, and have all revisions and updates documented and recorded properly.
Lee Lin Li
T: +603 2050 1898
Chong Kah Yee
T: +603 2050 1831