Data Privacy

Malaysian Personal Data Protection Commissioner publishes draft Codes of Practice

The Malaysian Personal Data Protection Commissioner has published the draft Codes of Practice for the banking and finance industry and also for the communications sector. Members of the public are invited to provide their feedback before 22 September 2015 by sending their comments to:-

Aras 6, Kompleks KKMM, Lot 4G9,
Jabatan Perlindungan Data Peribadi
Kementerian Komunikasi dan Multimedia Malaysia
Persiaran Perdana, Presint 4,
Pusat Pentadbiran Kerajaan Persekutuan,
62100 Putrajaya.

or email or fax to and 603-89117959 respectively.


On 1 July 2015, the Personal Data Protection Commissioner published the Public Consultation Paper No. 1/2015. This consultation paper is intended to solicit feedback from data users and data subjects on their understanding of personal data protection.

In order to make the Standard for Personal Data Protection a reliable reference document, the Commissioner will merge three standards, namely the Safety Standard, Storage Standard and Data Integrity Standard, into one document.
According to the Commissioner, this step is in accordance with the requirements of the Personal Data Protection Regulations 2013 and the Personal Data Protection Act 2010. The feedback received through this public consultation paper will be analyzed and the results of this analysis will be used in the preparation of the final draft standard. The final draft will be presented to the 11 classes of data users before being registered by the Commissioner.

The feedback can be downloaded here (in Malay) and here (in English)


List of Data User Forums in Malaysia

The Personal Data Protection Commissioner has appointed the following associations as data user forums for the following sectors:-

1. Institut Akauntan Malaysia for the accounting and audit sectors;
2. Persatuan Jualan Langsung Malaysia for the direct selling sector;
3. Persatuan Bank-bank Dalam Malaysia for the banking and financial sectors;
4. Institut Jurutera Malaysia for the engineering services sector;
5. Institut Insurans Hayat Malaysia for the insurance sector;
6. Pertubuhan Akitek Malaysia for the architecture sector;
7. Maxis Berhad for the telecommunications sector;
8. Persatuan Hotel Malaysia for the travel and hospitality sector; and
9. Majlis Peguam, Persatuan Undang-Undang Sabah and Persatuan Peguambela Sarawak for the legal sector.

Last updated: 1 April 2015

Source: Personal Data Protection Department Registration Unit.

Meeting with the Personal Data Protection Department, Putrajaya (26 Nov 2014)

Article and photos contributed by Sarah Yong Li Hsien, Officer, Ad Hoc Committee on Personal Data Protection
Wednesday, 17 December 2014 09:43am

On 26 Nov 2014, the Bar Council Ad Hoc Committee on Personal Data Protection (“Committee”) visited the Personal Data Protection Department (“PDPD”) at the Ministry of Communication and Multimedia in Putrajaya. The delegation, led by Co-Chairpersons, Suaran Singh and Foong Cheng Leong, consisted of 11 persons, including committee officers, Sarah Yong Li Hsien and Anneliz Reina George.

Mazmalek b Mohamad, the newly-appointed Director General of PDPD and his Deputy, Dr Zainal Abidin b Sait were on hand to welcome the Committee. The purpose of the meeting was to introduce the Committee, and discuss various matters relating to the Personal Data Protection Act 2010 (“PDPA”).

The meeting started at 9:30 am and some of the matters discussed were whether the Malaysian Bar will be appointed as the data user forum for lawyers, and about the drafting of the code of practice for lawyers. The Committee informed PDPD that it has been working on the code and it may be ready by early next year.

PDPD informed the Committee that it is not necessary to obtain consent to process personal data of existing customers collected prior to the enforcement of the PDPA, and the privacy notice issued in accordance with the Notice and Choice Principle does not need to be sent via AR registered post, pursuant to section 136 of the PDPA.

It was also revealed during the discussion that investigations have been conducted on parties alleged to have breached the PDPA. However, none have been charged under the PDPA yet. Other technical and practical issues were also raised during the meeting.

The Committee will organise another meeting at a later date to discuss issues such as the data user forum and the issue of consent.


Survey Relating to Compounding Regulations

The Malaysia Personal Data Protection Commissioner Office wishes to enforce compounding regulations pursuant to the Personal Data Protection Act 2010. They have now issued a survey for the members of the public and organisations.

Any response to the survey should be submitted before 14 November 2014. For more details, go to

Download: Survey Form (in Malay language only)

Retirement of Haji Abu Hassan Ismail

With the retirement of Haji Abu Hassan Ismail as the Director General of the Personal Data Protection Department, Encik Mazmalek bin Mohamad has been appointed as the new Director General of the Personal Data Protection Department effective from 1st October 2014.

Malaysian Bar releases feedback to Personal Data Protection Commissioner’s Proposal Papers

At the behest of the Malaysian Bar Ad Hoc Committee for the Personal Data Protection Act, the Malaysian Bar has published the feedback by the Ad Hoc Committee on Personal Data Protection on the following proposal papers of the Personal Data Protection Commissioner:

1) Guideline on Compliance of Personal Data Protection Act 2010;
2) Guide on the Management of Employee Act Data under Personal Data Protection Act 2010;
3) Advisory Guideline related to Consent requirement under the Personal Data Protection Act 2010; and
4) Guide on Management of CCTV under Personal Data Protection Act 2010.

Download the feedback.

BFM Podcast: Revenge Porn

I was interviewed by BFM Radio to talk about revenge porn on 22 July 2014.

The availability of affordable smartphones and cheap mobile data are contributing to the rise of sextortion, the non-consensual publication online of explicit images, often by a former spouse or partner after a relationship turned sour. Does ownership of an image lie with the sender or receiver? And what legal framework is in place to address this growing concern?

Related Link: The Perils of “Revenge Porn” – Part 2

Bread & Kaya: Cyberstalking, harassment … and road rage

Foong Cheng Leong
Jul 17, 2014

– No specific Malaysian law that criminalises stalking or harassment
– Singapore has enacted such laws, and Malaysia should follow suit

THE recent case of a blogger complaining that she had been harassed and stalked by a fan got me thinking about the law in Malaysia with regards to stalking and harassment.

I think this would depend on the acts of the stalker. There is no specific Malaysian law that criminalises stalking and harassment, but there are provisions of law that prohibit certain actions that border on stalking and harassment.

For example:

– Hacking into someone’s computer or mobile device or online account, or installing any trojan or tracking device is a crime under the Computer Crimes Act 1997;
– Sending messages threatening to harm a person – depending on the content, this may amount to a criminal offence under the Communications and Multimedia Act 1998 or Section 503 of the Penal Code (criminal intimidation); and
– Breaking into someone’s home amounts to trespass (installing a closed-circuit TV as in the Nasha Aziz case).

There are many forms of stalking and harassment. I’ve heard of cases where a person would call someone numerous times a day – and in some such cases, keep silent or even make heavy breathing sounds.

Other cases include following a person from time to time; loitering outside a person’s home (which is a public venue, for example a road); downloading someone’s picture off Facebook and publishing it on blogs or online forums with degrading messages; and even frequently posting annoying or insulting comments on a person’s Facebook page, blog or Instagram account.

A police report would be useful to ward off these people but not all reports will be acted on. Sometimes no threat is made, and there’s ‘only’ persistent annoyance.

One blogger showed me some persistent emails from an alleged stalker, who also contacted the blogger through phone calls and SMS.

However, the nature of the contact was not a threat but merely invitations to go out, despite the fact that the blogger had expressly asked him to stop contacting her. Such contact would stop for a short period, but return thereafter.

One email from the alleged stalker was just a reproduction of chat messages between the alleged stalker and his friend.

A police report was made but the police could not take any action as there was no threat involved.

In such cases, I think that the police should take proactive action by contacting the alleged stalker and warning him against pursuing the matter further. A lawyer’s letter of demand may be useful too.

If all else fails, a restraining order may be obtained from the courts.

The victims are not only women. Vancouver teacher Lee David Clayworth was ‘cyberstalked’ by his Malaysian ex-girlfriend. She posted nude pictures of him and labelled him all sorts of names, according to a CNET report.

A warrant of arrest was issued in Malaysia against his ex-girlfriend but she had reportedly left the country.

Many victims suffer in silence. They try to ignore their stalkers and hope that they go away. Sometimes this works, sometimes it does not.

It is noted that s. 233 of the Communications and Multimedia Act 1998 criminalises harassment, but such harassment must be in the form of electronic harassment which is obscene, indecent, false, menacing or offensive in character.

Our Parliament should introduce a new law to criminalise stalking and harassment. Singapore recently introduced the Protection from Harassment Bill 2014. This new law will provide protection from harassment and anti-social behaviour, such as stalking, through a range of civil remedies and criminal sanctions.

It’s time for our Parliament to look into this before it’s too late.

Regarding the recent Kuantan road rage case, I was asked whether doxing or document tracing by netizens amounts to harassment.

From what I read, some netizens had posted her name, company name and pictures on the Internet, created Facebook pages about her, and also created all sorts of memes featuring her. Some even started bombarding her mobile phone with SMSes and left numerous comments on her company’s Facebook page.

As mentioned, we have no specific law to govern harassment, thus it is difficult to determine whether such acts amount to harassment without a legal definition here.

In my personal opinion, I think there is nothing wrong in exposing the identity of the driver to the public. The lady had posted her own personal information online, thus there is no expectation of privacy with respect to that posted information.

The Personal Data Protection Act 2010 only applies to commercial transactions. But the extraction of her personal information through her licence plate number may be an issue if someone had unlawfully extracted it from a company’s database.

Some messages that were posted may also be subject to the Communications and Multimedia Act 1998 provisions on criminal defamation. Tracking her home address and taking photographs of it may be considered a form of harassment.

She also has rights (that is, copyright) to the pictures that she has taken (selfies especially), but she will not have rights to her modelling pictures if those were taken by a photographer – in that case, the photographer usually has rights to the photographs.

First published on Digital News Asia on 17 July 2014.

[No. 5/2014] Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010

The Malaysia Personal Data Protection Commissioner (Commissioner) has published a proposal paper entitled, “Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010”.

This proposal paper aims to provide guidelines for an individual or organization in the management of CCTV under Personal Data Protection Act 2010 (PDPA). Any comments on the Proposal Paper may be submitted to the Commissioner before the prescribed deadline.

I am of the view that this Proposal Paper is not clear as to what kind of CCTV recording is subject to the PDPA. At the last paragraph of page 2, it states that an individual’s image is subject to PDPA when it is involved in a commercial transaction such as for promotion or sale of products and services either by contract or otherwise. Does this mean that all CCTV recordings at business premises and commercial areas such as banks, shopping centres and supermarkets as well as in offices and airports are subject to the PDPA? If so, how would a data user obtain the “recordable consent” (as required by the Personal Data Protection Regulations 2013) from the individuals who are captured through the CCTV?

My personal view of the use of CCTV and the PDPA is that it is not subject to the PDPA if it is used for security purposes and is not used for commercial transaction purposes (e.g. to be sold). It would be impracticable for the data user to obtain the “recordable consent” and to provide the individual with a Privacy Notice, which is mandated to be in writing, to fulfil eight (8) requirements, and to be in two (2) languages.

If the Commissioner is keen to apply PDPA on CCTV recordings, it should make some adjustments to the application of the seven (7) principles. For example, no recordable consent is required, no requirement to fully comply with the Notice and Choice Principle but merely provide a notice to say CCTV is in operation etc.

Further views on this Proposal Paper will be addressed in the Malaysian Bar Council’s Ad Hoc Committee for Personal Data Protection.

Download: Guide On The Management Of CCTV Under Personal Data Protection Act (PDPA) 2010
