

Survey Answer:

Section 9 of the PDPA sets out the Security Principle, one of the seven (7) data processing principles under the PDPA. Under it, a data user (i.e. a person who alone or jointly with other persons processes any personal data, or has control over or authorizes the processing of any personal data) that processes the personal data of a data subject (i.e. an individual who is the subject of the personal data) is required to take "practical steps" to protect that personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
The Personal Data Protection Standard 2015 (the "PDP Standards") sets out the minimum requirements pertaining to these "practical steps", which include the requirement to implement cybersecurity measures such as:
(a) providing user IDs and passwords to authorized employees for access to personal data;
(b) keeping the backup / recovery system and anti-virus software up to date to prevent intrusion into personal data; and
(c) safeguarding computer systems from malware threats to prevent attacks on personal data.
Failure to comply with section 9 of the PDPA is an offence liable on conviction to a fine not exceeding RM300,000 and/or imprisonment for up to two (2) years. Separately, failure to comply with any of the standards prescribed under the PDP Standards is an offence liable on conviction to a fine not exceeding RM250,000 and/or imprisonment for up to one year.
