M ainland Ch in a
As it is most likely that the transfer of an employee’s personal data outside Mainland China will be regarded as ‘publicizing’, ideally the employer should obtain the employee’s written consent.
E. Can an employer lawfully transfer an employee’s personal data to a third party?
Under the Employment Services and Management
Regulations, the employer is obliged to keep the employee’s personal data confi dential, and it has to obtain the employee’s written consent if it will publicize any of such personal data. As it is most likely that the transfer of an employee’s personal data to a third party will be regarded as ‘publicizing’, ideally the employer should obtain the employee’s written consent. F. What are the consequences of breaching privacy laws in your
jurisdiction?
Due to lack of a dedicated privacy law, and the clear consequences of breaching the Employment Services and Management Regulations in relation to the privacy, we cannot see any serious consequences in this aspect at the moment. G. What are the main pitfalls or areas to watch out for in your jurisdiction
regarding the collection, use and/or handling of an employee’s personal data?
An employer should keep confi dential the employee’s personal data, and obtain the employee’s written consent if it will publicize any of such personal data.
M
ala
ysia
MALAYSIA
A. Is there a law/Code or other similar document regulating the collection, use and/or handling of an employee’s personal data in your jurisdiction? There are no specifi c law/code that regulates the collection, use or handling of an employee’s personal data.
At present only the Employment Act 1955 provides provisions relating to information with regards to employees. The provisions of the Employment Act provide that an employer is to maintain a register with certain information of employees regarding personal details, details of terms and conditions of employment and details of wages and allowances earned during the each wage period. Such information must be kept in the offi ce within the place of employment on which the employees are employed. Such information must be available for inspection by the relevant authorities and the employee. These requirements however are only applicable to employees covered under the Employment Act 1955.
A recent development in Malaysia is the passing of the Personal Data Protection Bill 2009 by Parliament. However, at present this Bill is not yet in force in the country. However, the Act applies only to personal data in respect of commercial transactions. On whether the Bill would apply in a employee/ employer relationship would largely depend on how wide the word ‘commercial transaction’ will be interpreted. In any event in the abundance of caution we shall deal with the provisions of the Bill as well.
B. Is there a legal requirement to have a document (e.g. privacy policy, personal information collection statement, agreement) to deal with the employee’s personal data?
At present, none.
However, the Personal Data Protection Bill provides that personal information cannot be collected, recorded, held or stored unless the individual who is providing such information gives consent.
MALAYSIA
M
ala
ysia
Furthermore, the data user is required to provide a written notice to inform the individual providing the information amongst others the purpose for which personal data is collected, recorded, held or stored and certain third parties who may have access to the personal information
C. For how long must an employer retain an employee’s personal data? What is best practice?
Section 61 (2) of the Employment Act 1955 provides that a register containing information in relation to an employee must be kept and be available for inspection for not less than six years after the recording thereof.
The Personal Data Protection Bill provides that personal data collected, recorded, held or stored for any purpose shall not be kept longer than is necessary for the fulfi lment of that purpose.
D. What are the legal restrictions on transferring employees’ personal data outside your jurisdiction?
At present there are none.
However, the Personal Data Protection Bill 2009 provides that the personal data cannot be transferred outside the jurisdiction. There are a few exceptions such as any jurisdictions that have been exempted by the Act, the consent of the individual providing the information has been obtained, and that it is necessary for the performance of a contract between the data user and the individual.
E. What are the legal restrictions on transferring employees’ personal data to a third party?
At present there are none.
The Personal Data Protection Bill provides that personal data can only be transferred to a third party if consent is obtained
M
ala
ysia
The Personal Data Protection Bill provide is that in the event the personal information is collected or disclosed without consent a person could be liable to a fi ne not exceeding fi ve hundred thousand ringgit or to imprisonment for a term not exceeding three years or both.
In the event there is contravention of the principles as set out by the Personal Data Protection Bill with regards to collecting, recording, holding or storing of personal information, a data user could be liable to a fi ne not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or both.
G. What are the main pitfalls or areas to watch out for in your jurisdiction regarding the collection, use and/or handling of an employee’s personal data?
Ensuring that the register containing information of the employees is kept up to date and ready for inspection pursuant to the Employment Act 1955.
MALAYSIA
M
ala
Ne
w
Z
ealand