Can you keep others' identity information? A guide to the Personal Data Protection Act (PDPA)

Introduction: The data you collected without thinking twice
Many people have stored someone else's IC number in their phone, kept a spreadsheet of customers, or posted a team list in a group chat. It feels harmless. You needed the information for a reason, you collected it, and now it is sitting somewhere on a device or platform you use. Under Malaysian law, however, holding on to someone else's identity information is not always as simple as it seems.
The Personal Data Protection Act 2010 (Act 709) sets out when it is permissible to collect, keep and use other people's personal data, and when it is not. The law has been in force since 15 November 2013, and the 2024 amendments introduced new duties for a broader range of organisations. Whether you are a small business manager, a community group leader or simply someone who processes data as part of your work, Act 709 probably affects you more than you think.
What counts as personal data, and why it matters
Before asking whether you may retain someone's information, it helps to know what the law actually covers. Personal data is information that relates directly or indirectly to a person and from which that person can be identified, either on its own or in combination with other information in the possession of whoever holds the data. That spans a wide range, including full names, IC numbers, home addresses, telephone numbers, email addresses, biometric data and location data (Department of Personal Data Protection, "Personal Data Protection Act 2010").
There is also a stricter category called sensitive personal data. This includes health and medical conditions, political opinions, religious beliefs, and records relating to offences. If you are collecting or storing any of these, the law requires explicit written consent from the person involved. A general tick-box in a form is unlikely to be enough.
The law applies to anyone processing personal data in connection with commercial transactions. That phrase is broad. It covers companies, small businesses, sole traders, and freelancers. What it does not cover is the Federal or State Government, and purely personal or domestic use. A community group administrator keeping a member list, or a political branch holding voter records, technically falls outside Act 709’s reach. That gap is one of the more significant limitations of the current framework compared to the European Union’s General Data Protection Regulation, Regulation (EU) 2016/679, which applies regardless of whether a transaction is commercial.
Seven rules every data holder needs to know
Part II of Act 709, covering Sections 5 to 11, contains the practical obligations. These are written as seven principles, and each one places a specific duty on whoever holds the data.
Under the General Principle in Section 5, personal data must not be processed without the consent of the data subject unless one of the exceptions listed in that section applies. The exceptions include processing that is necessary to perform a contract, required by a legal obligation, or required to protect another person's vital interests.
The Notice and Choice Principle (Section 6) requires that the data subject be told, before or at the time of collection, what data is being collected, the purposes for which it is collected, whether they have a right to access or correct the data, and the consequences of refusing to provide it. A consent form with no explanation is therefore not sufficient.
The Disclosure Principle (Section 7) states that data must not be used for purposes other than those originally disclosed, and must not be disclosed to any person other than those named at the time of collection. Selling a customer list to a third party would breach this section unless customers were told in advance and agreed to it.
The Security Principle (Section 8) requires practical steps to be taken to ensure that data is not lost, misused, modified or accessed by unauthorised users. The statute does not prescribe specific technical measures, so the Commissioner assesses what counts as practical steps case by case, taking into account the nature of the industry and the size of the organisation.
The principle most people skip is the Retention Principle (Section 9). Data must not be kept longer than is necessary for the purpose for which it was collected. Once that purpose has been served, the data should be deleted or anonymised. Holding a former customer's IC number in your system three years after the last transaction, with no continuing reason to do so, is a potential breach of this section.
Under Section 10, data must be accurate, complete and up to date. Section 11 gives data subjects the right to access their data and the right to have their records corrected. Where a data holder refuses without lawful ground, the data subject may complain to the Commissioner.
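The Retention Principle becomes concrete only when someone actually checks the records. The following is an added example, not code from the original article or from any regulator, of a retention check over a customer list: it flags identifiable records held past a fixed window and anonymises them. The two-year window, the record layout and the sample customers are constructed assumptions; a real policy has to be set per purpose and documented.

```python
"""Retention check for a customer list, added here to illustrate the
Retention Principle (Section 9): find records held longer than their
purpose requires and anonymise them. Example code, not from the Act or
any regulator; the 730-day window and the records are constructed."""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Tuple

# Assumed retention policy: identifiers are kept for at most two years
# (730 days) after the customer's last transaction. Placeholder value;
# a real policy is set per purpose and written down.
RETENTION_DAYS = 730


@dataclass(frozen=True)
class CustomerRecord:
    customer_id: str
    name: str
    ic_number: str
    phone: str
    last_transaction: date
    anonymised: bool = False


def is_expired(record: CustomerRecord, today: date,
               retention_days: int = RETENTION_DAYS) -> bool:
    """True when the record's retention window has run out."""
    return (today - record.last_transaction).days > retention_days


def anonymise(record: CustomerRecord) -> CustomerRecord:
    """Strip direct identifiers so the row no longer points at a person.

    Fields are blanked rather than hashed: an unsalted hash of an IC number
    can be reversed by enumerating the IC format, so hashing alone is not
    anonymisation. The transaction date is kept so aggregate history works.
    """
    return replace(record, name="", ic_number="", phone="", anonymised=True)


def find_retention_violations(records: List[CustomerRecord],
                              today: date) -> List[str]:
    """Audit view: IDs of still-identifiable records held past the window."""
    return [r.customer_id for r in records
            if is_expired(r, today) and not r.anonymised]


def apply_retention(records: List[CustomerRecord],
                    today: date) -> Tuple[List[CustomerRecord], int]:
    """Anonymise every expired record; return the new list and a count."""
    out, count = [], 0
    for r in records:
        if is_expired(r, today) and not r.anonymised:
            out.append(anonymise(r))
            count += 1
        else:
            out.append(r)
    return out, count


# Constructed sample data (fictional people and IC numbers), with
# "today" fixed so the example is reproducible.
TODAY = date(2025, 1, 15)
SAMPLE = [
    CustomerRecord("C-001", "A. Rahman", "900101-14-0001", "012-0000001",
                   date(2024, 12, 1)),    # recent: keep
    CustomerRecord("C-002", "B. Tan", "880202-10-0002", "012-0000002",
                   date(2021, 6, 30)),    # stale: anonymise
    CustomerRecord("C-003", "C. Kumar", "950303-08-0003", "012-0000003",
                   date(2023, 1, 16)),    # exactly 730 days: still inside
]

if __name__ == "__main__":
    print("violations:", find_retention_violations(SAMPLE, TODAY))
    cleaned, n = apply_retention(SAMPLE, TODAY)
    print(f"anonymised {n} record(s)")
    for r in cleaned:
        print(r)
```

Running `find_retention_violations` on its own, without `apply_retention`, gives the audit report a data user would want before the Commissioner asks: which records are being held with no purpose left. The boundary record (exactly 730 days) is deliberately included because off-by-one errors in retention code are the usual way a "delete after two years" policy silently becomes "delete after two years and a day".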
When the law was tested: three cases worth knowing
Malaysia’s enforcement record under Act 709 is mostly administrative rather than criminal. Most cases are resolved through directive letters, compliance audits, or compound payments rather than court prosecution. Three situations illustrate how the Act has been applied in practice.
In 2021, personal data linked to Universiti Teknologi Malaysia, including student and staff details, was reported to have circulated online. Because UTM is a public university, Act 709 did not apply. No criminal charge under the Act could be brought, exposing a direct consequence of the public sector exclusion: when a government body suffers or causes a data breach, affected individuals have no recourse under this law.
Telecommunications companies, including Celcom Axiata Berhad, have been investigated following customer data exposure incidents. These cases centred on the Disclosure Principle under Section 7 — specifically whether subscriber information was shared with third parties beyond what customers had been told at the time of collection. The outcomes were largely administrative, but the cases confirmed that the Commissioner does actively pursue complaints in the telecommunications sector.
Following a 2022 incident where customer data from a bank-linked service was reported to have appeared on a dark web forum, the Commissioner opened a compliance inquiry under the Security Principle. The data user had to show it had taken practical steps to protect customer records. This case reflects a pattern: financial institutions face a higher level of scrutiny because they are required to register with the Commissioner and operate under sector-specific codes of practice.
The 2024 amendments: what changed and what is still unclear
Act 709 was amended by the Personal Data Protection (Amendment) Act 2024. The most important change is a mandatory data breach notification requirement. A data user must now notify the Personal Data Protection Commissioner of any data breach that is likely to result in significant harm to the data subjects. Previously, notification was not required by law (Department of Personal Data Protection, "Personal Data Protection (Amendment) Act 2024").
The 2024 Act also created the position of Data Protection Officer. A DPO must be appointed by organisations that meet specified criteria. The classes of data users who must comply, however, depend on ministerial orders that have not yet been gazetted. This leaves many medium-sized organisations unsure whether the requirement applies to them.
Penalties were also raised. The general penalty under Section 130 of Act 709 is a fine of up to RM300,000, imprisonment of up to two years, or both. Operating without registration, where registration is required under Section 16, is punishable by a fine of up to RM500,000 or imprisonment of up to three years. Directors and officers of a company can face personal liability under Section 133 if an offence is committed with their knowledge or consent.
So, can you actually keep someone’s information?
Well, the short answer is – it depends!
If you collected the personal data with proper notice and consent, hold it only for as long as the purpose requires, and have reasonable security controls in place, you are complying with the Act. If any of those conditions is missing, your chances of being in breach of Act 709 are high: you collected the data without the person's knowledge, you are keeping it beyond its useful life, or you are sharing it with people the person was never told about.
If the data is used only by the individual concerned, with no connection to a commercial transaction, the Act does not apply. In practice, though, the line between personal and business use can be hard to draw. A data user may be anyone who collects and holds data in the course of business, such as a food delivery coordinator who maintains a customer list, or a property agent without a registered company who keeps records of past purchasers.
The Credit Reporting Agencies Act 2010, Act 710, adds a separate layer for organisations involved in credit reporting, which operates under its own regulatory framework through the Registrar Office of Credit Reporting Agencies under the Ministry of Finance.
Conclusion: Personal data is not yours to keep forever
The simple premise behind Act 709 is that if someone provides you with information, you don’t own it. You keep it under conditions — consent, purpose, security and time. Once those conditions are no longer fulfilled, you lose your right to keep data.
In 2024, those duties were extended with the introduction of breach reporting obligations and, in some cases, the requirement to appoint a compliance officer. The requirements are still being phased in, and implementation gaps will become evident as the ministerial orders are published.
The most significant point for an ordinary person is that Section 11 gives you direct rights. You can ask a company what data it holds about you. If the information is inaccurate, you can request that it be corrected. If the company refuses without reason, you can report it to the Commissioner. You do not need a lawyer or a formal complaints process to exercise these rights. They are written into the Act and available to everyone.
Whether Act 709 can keep up with the current methods of data collection such as apps, loyalty programmes, digital payments, and AI-powered platforms will rely on how quickly future amendments come into effect to fill the gaps. For the time being, the law provides a clear starting point: Personal data belongs to the person it describes, and anyone who holds it is responsible for treating it that way.
References
Department of Personal Data Protection (JPDP). "Personal Data Protection Act 2010 [Act 709]." Jabatan Perlindungan Data Peribadi, Ministry of Communications and Digital, Malaysia, www.pdp.gov.my/ppdpv1/en/akta/pdp-act-2010-en/.
Department of Personal Data Protection (JPDP). "Personal Data Protection (Amendment) Act 2024." Jabatan Perlindungan Data Peribadi, Ministry of Communications and Digital, Malaysia, www.pdp.gov.my/ppdpv1/en/akta/personal-data-protection-amendment-act-2024/.
European Parliament and Council of the European Union. General Data Protection Regulation, Regulation (EU) 2016/679. Official Journal of the European Union, 4 May 2016, eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.
Malaysia. Credit Reporting Agencies Act 2010, Act 710. Laws of Malaysia, 2010, www.mof.gov.my/portal/en/profile/divisions/registrar-office-of-credit-reporting-agencies.