Introduction
Further to our previous News Alert on the release of the second tranche of the Personal Data Protection Guidelines under the Personal Data Protection Act 2010 (“PDPA”) by the Personal Data Protection Department (JPDP or Jabatan Perlindungan Data Peribadi), accessible here, this Update provides an overview of the key guidance under the Data Protection by Design (“DPbD”) Guideline.
By way of background, the PDPA requires data controllers to comply with the following Personal Data Protection Principles when processing personal data:
- The General Principle;
- Notice and Choice Principle;
- Disclosure Principle;
- Security Principle (which also applies to data processors);
- Retention Principle;
- Data Integrity Principle; and
- Access Principle,
(collectively, “PDP Principles”).
In line with this, the DPbD Guideline provides guidance on applying a DPbD approach to support compliance with the PDP Principles under the PDPA. The DPbD Guideline describes DPbD as an approach that embeds appropriate technical and organisational measures throughout the lifecycle of a data processing activity. In essence, data controllers and data processors are expected to incorporate personal data protection measures from the outset and adopt a proactive approach focused on anticipating and preventing privacy risks, rather than reacting only after data protection issues arise.
DPbD Elements
The DPbD Guideline outlines four DPbD elements, which are as follows:
- Proactiveness: anticipating and preventing privacy risks before they occur, including through appropriate governance, adequate resources and systems designed to minimise the collection, use and retention of personal data;
- End-to-end protection: ensuring that personal data is protected throughout its entire lifecycle, from collection and processing to storage and disposal, in accordance with the PDP Principles;
- Transparency: being open and honest about how personal data is handled, and being able to demonstrate compliance with stated practices; and
- User-centricity: designing projects, products, services, systems and processes around the interests and needs of data subjects, recognising their interest over their own personal data.
DPbD for General Principle
Under the General Principle of the PDPA, a data controller must: (i) have a valid legal basis for processing personal data; (ii) ensure that the processing is for a lawful purpose directly related to its activities; and (iii) only process personal data that is adequate and not excessive for that purpose.
A DPbD approach requires the data controller to embed these requirements into the design of the data processing operation from the outset, so that the processing is lawful, purpose-specific and necessary by default. Where the personal data of individuals under 18 years of age is involved, privacy considerations should also be built into the process, including ensuring that valid consent is obtained from the parent, guardian or person with parental responsibility.
The DPbD Guideline sets out various concepts and applications to guide the implementation of DPbD in compliance with each PDP Principle (“DPbD Implementation Concepts”). These concepts and applications are non-prescriptive and non-exhaustive, and should be adapted based on the relevant data controller’s specific risk profile and personal data processing operations.
The DPbD Implementation Concepts relating to the General Principle are summarised in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the General Principle |
|---|---|---|
| 1. | Pre-determination | The purpose and legal basis for processing should be identified before processing begins, and should guide the design and boundaries of the processing activity. |
| 2. | Specificity | The purposes of processing should be clearly specified and explicit. |
| 3. | Data minimisation | Personal data should only be collected and used where necessary for the intended purpose. Where the same purpose can be achieved with less data, aggregated data or without personal data, the processing should be designed accordingly. |
| 4. | Differentiation | The legal basis and purpose should be differentiated for each processing activity. |
| 5. | Relevance | The correct legal basis should be applied and clearly linked to the specific processing purpose. The personal data processed should also be relevant to that purpose. |
| 6. | Necessity | Each type of personal data should only be collected and used where necessary to achieve the intended purpose, and where that purpose cannot reasonably be achieved by other means. |
| 7. | Limitation | Collection and processing should be limited to the intended purpose. Appropriate technical and organisational measures, such as encryption, hashing, policies and contractual controls, should be implemented to reduce misuse or repurposing risks. |
| 8. | Review | Processing activities should be reviewed regularly to confirm whether the personal data remains necessary for the original purpose. |
| 9. | Cessation | Processing should stop immediately if the legal basis or purpose for processing no longer applies. |
| 10. | Adjustment | Where there is a valid change in the legal basis for processing, the actual processing should be adjusted accordingly. |
| 11. | Allocation of Responsibility | Where multiple parties are involved, their respective responsibilities towards data subjects should be clearly defined, and the processing measures should be designed according to their roles. |
| 12. | Privacy-enhancing technologies (PETs) | Data controllers are encouraged to use appropriate and up-to-date technologies to support data minimisation. |
| 13. | Consent | Where consent is relied on as the legal basis, the data controller should ensure that consent is properly obtained and that the processing operation allows consent to be withdrawn. |
DPbD for Notice and Choice Principle
Under the PDPA, the Notice and Choice Principle requires data controllers to be clear and transparent with data subjects on how their personal data is collected, used and shared.
The DPbD Implementation Concepts relating to the Notice and Choice Principle are summarised in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Notice and Choice Principle |
|---|---|---|
| 1. | Clarity | Information should be provided in clear, plain, concise and intelligible language. |
| 2. | Semantics | Communications should be meaningful and easily understood by the relevant data subject. |
| 3. | Accessibility | Information should be easily accessible to data subjects. |
| 4. | Contextual | Information should be provided at the relevant time and in an appropriate form. |
| 5. | Relevance | Information should be relevant and applicable to the specific data subject. |
| 6. | Universal design | Information should be accessible, including through machine-readable formats, where appropriate, to improve readability and clarity. |
| 7. | Comprehensibility | Data subjects should have a fair understanding of what to expect in relation to the processing of their personal data. |
| 8. | Multi-channel | Information should be provided through various channels and media, and should not be limited to text, to increase the likelihood that it effectively reaches data subjects. |
| 9. | Layered | Information should be presented in layers to balance completeness and understanding, taking into account the data subject's reasonable expectations. |
| 10. | Avoidance of deceptive design patterns | Interfaces should avoid designs that may mislead or pressure data subjects into making unintended or potentially harmful choices, particularly where such choices benefit the data controller rather than protect the data subject's interests. |
DPbD for Disclosure Principle
The Disclosure Principle requires data controllers to ensure that personal data is only disclosed where there is consent or another valid legal basis, and only for the purposes and to the classes of third parties specified in the privacy notice provided to the data subject.
The DPbD Implementation Concepts relating to the Disclosure Principle are summarised in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Disclosure Principle |
|---|---|---|
| 1. | Predetermination | The legal basis for disclosure should be established before any disclosure takes place. This should guide the design of the disclosure process and set the boundaries for disclosure. |
| 2. | Data avoidance | Data controllers should avoid disclosing personal data where possible. Where feasible, pseudonymised or aggregated data should be used instead. |
| 3. | Differentiation | The legal basis and purpose for each disclosure activity should be clearly differentiated. |
| 4. | Relevance | A valid legal basis should be applied to each disclosure and clearly connected to the specific purpose of disclosure. The data controller should be able to demonstrate that the personal data disclosed is relevant to that disclosure. |
| 5. | Necessity | Personal data should only be disclosed where necessary for the specified purpose, and where that purpose cannot reasonably be fulfilled by other means. |
| 6. | Review | Regular reviews should be conducted to verify whether the disclosure remains necessary for the purpose for which the personal data was disclosed. |
| 7. | Cessation | Personal data should no longer be disclosed if the legal basis or purpose for disclosure no longer applies. Appropriate safeguards should also ensure that the relevant third party ceases processing and permanently deletes or destroys the personal data. |
| 8. | Adjustment | Where there is a valid change in the legal basis for disclosure, the disclosure should be adjusted accordingly. |
| 9. | Security | Appropriate technical and organisational measures, such as hashing, encryption, policies and contractual obligations, should be implemented to ensure that personal data is disclosed securely. |
DPbD for Security Principle
Under the PDPA, the Security Principle requires data controllers and data processors to take practical steps to protect personal data from loss, misuse, modification, unauthorised or accidental access, disclosure, alteration or destruction.
The DPbD Implementation Concepts relating to the Security Principle are summarised in the table below. These should be adapted based on the specific risk profile and personal data processing operations of the data controller and/or data processor.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Security Principle |
|---|---|---|
| 1. | Information security management system | Implement and maintain appropriate policies and procedures for managing information security. |
| 2. | Risk analysis | Assess security risks to personal data, taking into account the potential impact on data subjects, and implement measures to address identified risks. This may include threat modelling and attack surface analysis to reduce vulnerabilities. |
| 3. | Security by design | Consider security requirements from the earliest stages of system design and development, and continuously integrate relevant testing. |
| 4. | Maintenance | Regularly review and test software, hardware, systems and services to identify and address vulnerabilities affecting the processing of personal data. |
| 5. | Access control management | Ensure that only authorised personnel who require access to personal data for their processing tasks are granted access, with access privileges differentiated based on roles. |
| 6. | Access limitation | Design processing activities so that only the minimum number of personnel required to perform their duties have access to personal data. |
| 7. | Access limitation by content | Limit access for each processing operation to only the personal data attributes required for that operation, and only in respect of data subjects within the relevant personnel’s remit. |
| 8. | Access segregation | Segregate personal data so that no single authorised person has comprehensive access to all personal data unless there is a legitimate need. |
| 9. | Secure transfer | Protect personal data transfers against unauthorised access or unintended changes. |
| 10. | Secure storage | Ensure that personal data is stored securely against unauthorised access or alteration, with appropriate safeguards depending on the storage model and category of personal data involved. |
| 11. | Pseudonymisation | Pseudonymise personal data as soon as direct identification is no longer necessary, and store identification keys separately from the pseudonymised data. |
| 12. | Backups and logs | Maintain backups, logs, audit trails and event monitoring where necessary for information security, and protect these records against unauthorised or accidental access or alteration. |
| 13. | Disaster recovery and business continuity | Establish disaster recovery and business continuity requirements to ensure timely restoration and availability of personal data. |
| 14. | Protection according to risk | Protect each category of personal data based on its specific risk profile, rather than relying only on the overall processing risk. |
| 15. | Security incident response management | Establish routines, procedures and resources to detect, contain, handle, report and review personal data breaches systematically. |
| 16. | Incident management | Establish breach management processes to strengthen the processing system, including notification procedures for the Commissioner and affected data subjects. |
DPbD for Retention Principle
The Retention Principle requires that the data controller not keep the personal data for longer than is necessary for the fulfilment of the purpose for which it was processed.
The DPbD Implementation Concepts relating to the Retention Principle are summarised in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Retention Principle |
|---|---|---|
| 1. | Data minimisation | Periodically assess whether the personal data processed remains adequate, relevant and necessary. Where identification is no longer required, such as after aggregation for statistical purposes, the personal data should be permanently deleted. |
| 2. | Deletion and/or anonymisation | Personal data that is no longer necessary for the relevant purpose should be anonymised and/or permanently deleted. Clear internal procedures and functionalities should be put in place to support this. |
| 3. | Effectiveness of anonymisation/deletion | Ensure that anonymised data cannot be re-identified and deleted data cannot be recovered. The effectiveness of anonymisation and deletion measures should be tested. |
| 4. | Automation | Automate the deletion of certain personal data where appropriate. |
| 5. | Retention criteria | Determine what personal data needs to be retained and the appropriate retention period for such data. |
| 6. | Justification | Be able to justify why the identified retention period is necessary, including the legal basis or rationale for retaining the personal data. |
| 7. | Enforcement of retention policies | Enforce internal retention policies and conduct testing to ensure that such policies are properly implemented. |
| 8. | Backups and logs | Determine what personal data needs to be retained in backups and logs, and the appropriate retention period for such records. |
| 9. | Data flow | Understand the flow of personal data and the storage of any copies, and limit temporary storage or unnecessary duplication where possible. |
DPbD for Data Integrity Principle
Under the PDPA, the Data Integrity Principle requires data controllers to take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date, having regard to the purpose for which it was collected and further processed.
Where the personal data relates to data subjects under the age of 18, a DPbD approach further requires data controllers to make the sourcing and rectification of such personal data easily accessible to the parent, guardian or person with parental responsibility.
The DPbD Implementation Concepts relating to the Data Integrity Principle are summarised in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Data Integrity Principle |
|---|---|---|
| 1. | Data source | Ensure that personal data is obtained from reliable sources to support data accuracy. |
| 2. | Degree of accuracy | Ensure that each personal data element is accurate to the extent necessary for the specified purpose. |
| 3. | Attributable recording | Maintain identifiable records of when and why personal data is inserted by personnel or systems during the sourcing stage. |
| 4. | Verification | Verify the correctness of personal data with the data subject before and during processing, where appropriate, taking into account the nature of the data and how often it may change. |
| 5. | Rectification | Facilitate the rectification of inaccurate personal data without delay upon the data subject's request. |
| 6. | Error-propagation avoidance | Mitigate the impact of accumulated errors across the processing chain. |
| 7. | Access | Provide data subjects with information and effective access to their personal data, in accordance with the Access Principle, to support accuracy and rectification. |
| 8. | Continued accuracy | Ensure that personal data remains accurate at all stages of processing, including by testing accuracy at critical processing steps. |
| 9. | Up-to-date | Update personal data where necessary for the purpose of processing. |
| 10. | Data design | Use technological and organisational design features to minimise inaccuracies, such as predetermined options instead of free-text fields where appropriate. |
DPbD for Access Principle
Data controllers are required under the Access Principle of the PDPA to allow data subjects to access their personal data and request correction of any data that is inaccurate, incomplete, misleading or not up to date. Data subjects should also be informed of the designated point of contact for such requests, with contact information made easily accessible through appropriate channels.
Where the personal data relates to data subjects under the age of 18, a DPbD approach further requires data controllers to design systems that allow the parent, guardian or person with parental responsibility to easily access such personal data.
A summary of the DPbD Implementation Concepts relating to the Access Principle can be found in the table below.
| No. | Concepts/Application | Interpretation for DPbD compliance with the Access Principle |
|---|---|---|
| 1. | Clarity | Information on how data subjects may exercise their rights should be provided in clear, plain, concise and intelligible language. |
| 2. | Accessibility | Mechanisms for exercising data subject rights should be easily accessible. |
| 3. | Contextual | Mechanisms for exercising data subject rights should be provided at the relevant time and in an appropriate form. |
| 4. | Universal design | Mechanisms for exercising data subject rights should be accessible, including through machine-readable formats where appropriate to improve readability and clarity. |
| 5. | Comprehensibility | Data subjects should have a fair understanding of what to expect when exercising their personal data rights. |
| 6. | Multi-channel | Mechanisms for exercising data subject rights should be provided through various channels and media, and should not be limited to text, to increase the likelihood that they effectively reach data subjects. |
| 7. | Cessation | Personal data should no longer be disclosed if the legal basis or purpose for disclosure no longer applies. Appropriate safeguards should also ensure that the relevant third party ceases processing and permanently deletes or destroys the personal data. |
Best Practices for DPbD Governance
The DPbD Guideline outlines non-mandatory best practices for DPbD governance. These are intended to help organisations embed DPbD into their culture, governance and operations, and should be applied on a risk-based basis. Key best practices include:
- Senior leadership commitment: ensuring board and senior management support, adequate resources, clear accountability and regular engagement with the Data Protection Officer (DPO), where applicable;
- Periodic audits: reviewing personal data protection policies to assess their effectiveness and operational compliance;
- Risk assessments and Data Protection Impact Assessments (DPIAs): identifying and mitigating privacy risks before they materialise; and
- Continuous improvement: encouraging stakeholders to suggest improvements to data protection practices and reviewing such suggestions where appropriate.
Comment
The DPbD Guideline marks an important shift towards embedding personal data protection considerations into the design of systems, processes, products and services from the outset, rather than treating compliance as a post-implementation exercise. While the DPbD Implementation Concepts and governance best practices are framed as non-prescriptive and risk-based, they provide useful guidance on the practical measures that data controllers and data processors may be expected to consider when operationalising the PDP Principles.
In light of the DPbD Guideline, organisations should review their existing data processing activities, privacy notices, retention practices, access controls, security measures and data subject rights mechanisms to assess whether personal data protection safeguards are sufficiently embedded into their systems and processes.
Organisations should also view early adoption of the DPbD Guideline not only as a matter of good practice, but also as a practical step towards aligning with the anticipated amendments to the Personal Data Protection Standards 2015 (“Standards”). Under the proposed amendments, the current prescriptive Standards would be replaced with an outcome-based framework, under which the measures implemented by organisations would be expected to be proportionate to the risks presented by their processing activities. Should the amended Standards adopt this approach, organisations that have already embedded the concept of DPbD into their systems and processes are likely to be well-positioned to comply with the amended Standards once they come into force.
We trust the above provides a helpful overview of the key guidance under the DPbD Guideline. Should you require any assistance or clarification on the above, or any other matter relating to personal data protection, please feel free to contact us.
Further Information
For more information on the other two Guidelines issued concurrently with the DPbD Guideline, please click on the following links to read our Legal Updates:
- Launch of Personal Data Protection Guideline for Data Protection Impact Assessment
- Launch of Personal Data Protection Guideline for Automated Decision-Making and Profiling
For regional Technology, Media and Telecommunications & Data Protection matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice and Regional Data & Digital Economy Practice for more information.
Contribution Note
This Legal Update is contributed by the listed Contact Partners, with the assistance of Paralegal Leslie Bong.
Please feel free to also contact Knowledge Management at [email protected].
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.