Companies, as employers, collect personal data from their employees for purposes such as benefits, entitlements and regulatory reporting. Over the past few years there have been numerous data breaches, and many outfits selling stolen personal data have been exposed. While Europe and the US have stringent laws on personal data protection, many countries in Asia still lag behind. Japan, Korea, Hong Kong, Taiwan, the Philippines, Thailand and, more recently, Singapore and Malaysia have enacted personal data protection laws. Countries with large employee bases such as Indonesia, India and China are in the midst of finalizing such laws.
Malaysia’s Personal Data Protection Act 2010 (PDPA) is based on seven principles: General, Notice and Choice, Disclosure, Security, Retention, Data Integrity and Access. Personal data includes information such as employee name, identity card (IC) number, passport number, driving licence number, bank account number, home address and personal phone number. Sensitive personal data includes information on race, religion, health and the like.
In accordance with the principles of the Act, an employer must obtain consent from employees to collect and maintain their personal data, and explicit consent is required for sensitive personal data. In practice this means that employers must present online consent forms, in both English and Bahasa Malaysia, to employees accessing the company’s HRIS self-service functions, with the sensitive personal data items highlighted for explicit consent. The consent form should explain the nature of the data being collected and its purpose. If the data is shared with external agencies, e.g. insurance companies, training providers or payroll outsourcing agencies, the consent form should say so. The employer is not allowed to retain personal data records indefinitely after the cessation of employment and must destroy them securely once the minimum retention period defined under the Employment Act 1955 has passed.
Another important aspect is the security of the employee’s personal data. While cloud HCM solutions are gaining popularity, it is important to choose hosting providers, such as Amazon Web Services and Rackspace, that follow stringent security procedures to store and protect their clients’ data. Hosting security alone, however, does not stop an HR user from downloading a report on employee data to a company computer, which may later be compromised. To limit the exposure from such a disclosure, HR technology providers should store personal data fields in encrypted form in the database, so that a copy of the database or of a backup does not yield the identifiers in clear. Reports should include personal data only where it is necessary, and the user should be given the choice to generate the report with personal data masked. When producing HR analytics on demographic profiles, individual employees’ personal data should be protected and only aggregated results displayed to the user; a group so small that its count identifies an individual should be suppressed rather than shown.
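The controls described above, as an added example that is not from the original article or from any HCM vendor, in Go using only the standard library: the IC number column is held as AES-GCM ciphertext, the report renders it masked unless the user explicitly opts out, and the demographic aggregate suppresses small cells. The Employee type, the function names, the minimum cell size and the sample row are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Employee is a hypothetical HRIS row. The IC number, which the PDPA lists as
// personal data, is stored as AES-GCM ciphertext (nonce || ciphertext || tag).
type Employee struct {
	Name  string
	Dept  string
	Race  string // sensitive personal data: only ever aggregated
	ICEnc []byte
}

// newAEAD wraps a 16/24/32-byte key in AES-GCM. In a real deployment the key
// lives in a KMS or HSM, not in the database that holds the ciphertext.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt uses a fresh random nonce per field, so two employees with the same
// value get different ciphertexts and the column cannot be used for matching.
func Encrypt(aead cipher.AEAD, plaintext string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// Decrypt reverses Encrypt; GCM's tag check fails on a wrong key or tampering.
func Decrypt(aead cipher.AEAD, enc []byte) (string, error) {
	n := aead.NonceSize()
	if len(enc) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := aead.Open(nil, enc[:n], enc[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskID stars all but the last four characters: enough to match a row, not to reuse it.
func MaskID(id string) string {
	if len(id) <= 4 {
		return strings.Repeat("*", len(id))
	}
	return strings.Repeat("*", len(id)-4) + id[len(id)-4:]
}

// ReportRow renders one CSV line. Masking is the default; the IC number is
// decrypted only for as long as it takes to mask it.
func ReportRow(aead cipher.AEAD, e Employee, unmask bool) (string, error) {
	ic, err := Decrypt(aead, e.ICEnc)
	if err != nil {
		return "", err
	}
	if !unmask {
		ic = MaskID(ic)
	}
	return fmt.Sprintf("%s,%s,%s", e.Name, e.Dept, ic), nil
}

// RaceBreakdown is the aggregate a demographic dashboard shows. Cells below
// minCell are dropped and counted as suppressed, since a cell of one or two identifies people.
func RaceBreakdown(emps []Employee, minCell int) (map[string]int, int) {
	counts := map[string]int{}
	for _, e := range emps {
		counts[e.Race]++
	}
	suppressed := 0
	for race, n := range counts {
		if n < minCell {
			delete(counts, race)
			suppressed++
		}
	}
	return counts, suppressed
}

func main() {
	key := make([]byte, 32) // stand-in for a KMS-held key
	rand.Read(key)
	aead, _ := newAEAD(key)
	e := Employee{Name: "Ali", Dept: "Finance", Race: "Malay"}
	e.ICEnc, _ = Encrypt(aead, "900101-14-5678") // constructed, made-up value
	row, _ := ReportRow(aead, e, false)
	fmt.Printf("stored: %x\nreport: %s\n", e.ICEnc, row) // report: Ali,Finance,**********5678
}
```

Running the block prints the stored ciphertext as hex followed by the masked CSV row. The key is generated in memory only to keep the example self-contained; in a deployment it would be fetched from a key management service, and the unmask path would be gated on the caller's role and logged.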
To ensure the integrity of personal data, employees should be able to view and update their own personal data periodically. Some HR technology providers, such as Ramco Systems, let employees view and update their personal information from their mobile phones.
With non-compliant companies running the risk of reputational damage, penalties of up to RM 500,000 and imprisonment of up to three years, data privacy has become a serious matter in Malaysia.