MALAYSIA Law and Practice Contributed by: Janet Toh, Irene Yong, Krystle Lui and Boo Cheng Xuan, Shearn Delamore & Co.
data transfer, storage and processing across distributed networks. Particular attention must be given to the requirements to protect per - sonal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, and to not keep per - sonal data longer than is necessary. The Security Standard for personal data pro - cessed electronically, as contained in the Per - sonal Data Protection Standard 2015 (PDPS), is of especial relevance to cloud computing: • the transfer of data through cloud computing services requires the written consent of an officer authorised by the top management of the data user organisation; • any transfer of data through cloud computing services must be recorded; and • the transfer of data through cloud computing services must comply with the personal data protection principles in Malaysia and the per - sonal data protection laws of other countries. According to the Public Consultation Paper No 04/2024 (Personal Data Protection Standards), in an effort to bring the PDPS in line with interna - tional best practices, a revised set of standards is being developed by the Personal Data Protec - tion Commissioner. In light of the PDP Amend - ment Act, both providers and users of cloud and edge computing shall monitor the implementa - tion of the PDPA amendments, and the regu - lations, standards and guidelines that may be introduced, to ensure ongoing compliance. Other Data Sharing Laws It is crucial that other laws and regulations are also considered, such as the Strategic Trade Act 2010 pursuant to which information and data have the potential of being considered as stra - tegic technology controlled by the legislation.
The use by public sector agencies of cloud and edge computing solutions may also have to take into account the upcoming requirements under the Data Sharing Act 2025, which aims to regu - late data sharing between public sector agen - cies, once it comes into force. CSA As the “information, communication and digital” sector is among the NCII sectors under the CSA, providers of cloud and edge computing may potentially be designated as NCII Entities which will be subject to the CSA obligations applicable to NCII Entities. On the other hand, entities designated as NICC Entities (whether from the information, commu - nication and digital sector or any of the ten other listed sectors) that adopt cloud and edge com - puting shall also ensure that their use of cloud and edge computing is in a manner compatible with the requirements of the CSA, including any code of practice issued thereunder. Sectoral Requirements The provision and use of cloud and edge com - puting shall also have regard to sector-specific laws. For example, the use of technology includ - ing the use of cloud and edge computing by financial institutions is subject to stricter require - ments imposed by BNM mainly through various policy documents, including the following. Policy Document on Risk Management in Technology The Policy Document on Risk Management in Technology, issued 1 June 2023 (RMiT PD), requires risk assessment to be conducted prior to cloud adoption (including risks associated with migration of existing systems, location of cloud infrastructure, exposure to cyber-attacks, termination of cloud service providers), consulta -
224 CHAMBERS.COM
Powered by FlippingBook