Personal Data Protection a Key Concern for Human Resources (HR) Professionals

By: Sonny Zulhuda

More personally identifiable information (PII) is being captured in commercial activities across sectors and industries. The workplace today has become a battleground for protecting employees’ valuable personal data, which includes their personal records, financial status, medical information as well as the professional data relating to their jobs.


As a result, it is not too much to say that managing human resource (HR) data has now become a critical success factor for organisations both internally and externally. Internally, because effective and sustainable personal data management supports the work of everyone in the organisation who relies on those data. Externally, because personal data has now become a crucial issue closely linked with managing trust and competitiveness while trying to grab the best human capital in the industry.

Given this, a Human Resource (HR) manager plays a central role in ensuring that the personal data of the employees and anyone around them remain assets and do not turn into liabilities for commercial organisations. And for Malaysian employers, dealing with the personal data of their employees, customers as well as their service providers has transformed from largely a business and operational issue to a legal and compliance concern.

With the enforcement of the Personal Data Protection (PDP) Act 2010 (Act 709), the operational landscape for human resource management has changed tremendously. The Act tasks employers with a series of obligations relating to the collection, use, disclosure and retention of the personal data in their control, including data of employees, job applicants, former workers, outsourced service providers, vendors and customers.

Even though measures from industrial laws and guidelines are abundant and in place, employers are still in the dark about the multi-dimensional effect of the PDP Act 2010 on the employment relationship. Many practical issues arise in the workplace and throughout the employment lifecycle. These questions would likely arise:

  • Who is implicated by the PDP Act 2010?
  • What are the seven data protection principles in the Act and how do I (as an HR manager) implement them in my scope of work?
  • Are the personal data of job applicants protected even when they are not recruited?
  • Can I obtain an employee’s data from his former employer?
  • Can I retain the personal records of my former employees?
  • How do I handle employees’ data access requests (DAR)?
  • Is it allowed to install CCTV and other surveillance methods at the workplace?
  • What if the employees object to Internet monitoring?
  • I outsource some data processing, such as payroll and the attendance system, to a third party: am I still responsible under the Act?
  • My employees’ data has been abused and leaked by a certain officer: am I also liable?
  • What security measures are required by the PDPA to protect the employees’ data?
  • Is a privacy policy required in an employment relationship? Is a confidentiality rule sufficient?


Wow... now we see how critical an understanding of the PDPA is for HR professionals and managers. Choose to ignore these issues and soon you may find yourselves in trouble dealing with employees’ demands or the Authority’s inquiries during inspection (yes, they may knock on your door any time to inspect your compliance with the PDPA 2010).

How ready are you?

Note: In relation to this article, I would like to acknowledge my research project under the Fundamental Research Grant Scheme (FRGS 13-045-0286) commissioned by the Ministry of Higher Education, Malaysia.
