Abstract

Private higher education institutions, as data users, are subject to the requirements of the Personal Data Protection Act 2010 (PDPA). These institutions process employee data as well as data of potential students, active students and alumni. They also deal with data of third parties such as vendors, visitors and contractors. Ten years after the PDPA came into effect in 2013, the education sector has yet to develop its personal data protection code of practice as required by the Act. The General Code of Practice (CoP) of Personal Data Protection was introduced in December 2022 with the objective of providing guidelines to any Class of Data Users that has not prepared a Code of Practice and for which there is no data user forum to develop the relevant Code of Practice. As the General CoP is legally binding, failure by any data user to comply with any provision of the General CoP is an offence punishable under the Act. As data users, private higher education institutions need to introduce certain mechanisms, such as a privacy policy and procedure, to adhere to the requirements. This paper aims to compare the data privacy practices of private higher education institutions in Malaysia in order to determine to what extent the law has been complied with. Being a qualitative study, this paper applies the content analysis technique. The data privacy policies of four private higher education institutions in Malaysia were examined to attain the objective. The four private higher education institutions are Universiti Tenaga Nasional (UNITEN), Universiti Teknologi PETRONAS (UTP), Taylor’s University and University of Nottingham Malaysia. The data privacy policies of the four institutions are accessible on the official websites of the institutions. The study indicates that, in the absence of a personal data protection code of practice for the education sector as a guideline, the data privacy practices of the institutions vary from one to another. While some of the privacy policies contain provisions that are general in nature and may lead to confusion among data subjects, the data privacy policies show that the four institutions have, to a certain extent, complied with the requirements of the PDPA in general.
