Strengthening Personal Data Protection in Healthcare: Reflections on the Personal Data Protection Act (PDPA) 2010 and the 2025 Personal Data Breach Simulation Conference

On 1 July 2025, Legal Officers from our Clinical Investigation Centre, Universiti Malaya Medical Centre, attended the Personal Data Breach Simulation Conference 2025, held by Malaysia's leading technology law firm, Messrs. Halim Hong & Quek (HHQ), and FIRMUS, an advanced cybersecurity services and solutions company, and presented by Ong Johnson and Lo Khai Yi.

The conference provided valuable insights into Malaysia's Personal Data Protection Act 2010 (PDPA) and its recent 2024 amendments, with a particular focus on the mandatory appointment of a Data Protection Officer (DPO) and data breach notification obligations. These topics are of critical importance to organizations involved in healthcare research, where data sensitivity and legal compliance are paramount.

The PDPA and Its 2024 Amendments: A Strengthened Legal Framework

Enacted in 2010, the PDPA is Malaysia’s primary legislation governing the processing of personal data in commercial transactions. It establishes core data protection principles for responsible and transparent data handling.

The 2024 amendments introduced significant updates, including:

1. Mandatory Appointment of a DPO

Organizations are now required to appoint a DPO if they:

○ Process personal data of more than 20,000 individuals,
○ Handle sensitive personal data (e.g., medical or financial) of more than 10,000 individuals, or
○ Conduct regular and systematic monitoring of individuals (e.g., in clinical trials).

The DPO is responsible for ensuring compliance with the PDPA, managing data subject access requests, coordinating breach responses, and overseeing internal privacy policies and audits.

2. Mandatory Data Breach Notification

Affected organizations must notify the Personal Data Protection Commissioner (PDPC) under the Department of Personal Data Protection (PDP) Malaysia and, where necessary, the affected individuals, if a data breach results in, or is likely to result in, significant harm (such as financial loss, identity theft, or exposure of sensitive information) or affects more than 1,000 individuals.

3. Expanded Enforcement Powers and Penalties

The PDPC now has broader powers to inspect, investigate, and issue enforcement actions, with increased penalties for non-compliance.

Implications for Healthcare and Research Institutions

As a research centre operating within a hospital setting, we routinely handle large volumes of sensitive health and research data. The updated PDPA framework directly applies to our operations, and the conference served as a valuable platform for our legal officers to gain clarity on our compliance obligations and the necessary operational changes.

Key takeaways relevant to our organization include:
● The appointment of a DPO is now a legal requirement based on the nature and scale of the data we process.
● Data breach notification must be carried out promptly and in accordance with PDPC guidelines.
● Internal systems, documentation, and third-party service providers must be reviewed to ensure end-to-end compliance.

Our Ongoing Commitment to Personal Data Protection

The insights gained by our legal officers at the conference will guide our next steps as we continue to strengthen our approach to personal data protection. Moving forward, our Clinical Investigation Centre will:
● Review and update its data governance framework in line with PDPA requirements,
● Appoint a qualified Data Protection Officer,
● Enhance data breach response procedures to ensure timely reporting and mitigation,
● Conduct staff training and third-party compliance reviews to build a culture of data accountability.

At the Clinical Investigation Centre, data integrity and participant trust are at the core of our research mission. Data protection is no longer just an IT or compliance matter: it is a legal, ethical, and institutional responsibility to the communities and research participants who entrust us with their data. We remain committed to upholding the highest standards of privacy, integrity, and transparency in healthcare research.

Article by Ms Ernis Erna Yahya, CIC Legal Officer
