Your Guide to Education Cybersecurity Compliance in Malaysia

In the digital age, where sensitive information flows seamlessly through the internet, cybersecurity has become a paramount concern for just about every industry around the globe. Educational institutions are no exception. In fact, the Microsoft Global Threat Tool has reported education to be the industry most affected by enterprise malware in the last 30 days. The high volume of personal information and research data stored by higher education institutions, coupled with limited security budgets and headcount, makes this industry a prime target for cybercrime.

While Malaysia does not have cybersecurity laws specific to educational institutions, it does have a number of separate laws that counter cybercrime. In this blog, we will be covering the frameworks and legislation that educational institutions need to be aware of.

Personal Data Protection Act 2010

The Personal Data Protection Act 2010 (PDPA) aims to protect personal data and ensure privacy. The PDPA applies to anyone who processes and has control over the processing of any personal data with respect to commercial transactions, such as educational institutions holding students’ personal data.

The PDPA sets out seven personal data protection principles that institutions must comply with. These are as follows:

  1. General Principle
  2. Notice and Choice Principle
  3. Disclosure Principle
  4. Security Principle
  5. Retention Principle
  6. Data Integrity Principle
  7. Access Principle

General Principle

The general principle sets out parameters for the processing of personal data by a data user, providing that personal data shall not be processed unless:

  • it is for a lawful purpose directly related to an activity of the data user
  • it is necessary for, or directly related to, that purpose
  • the data is adequate but not excessive in relation to that purpose

The principle stipulates that personal data may only be processed if the data subject has given consent, or if processing the personal data is otherwise necessary.

Notice and Choice Principle

The Notice and Choice Principle requires a data user to inform a data subject, by written notice, of matters relating to the data subject's personal data that is being processed by, or on behalf of, that data user.

Disclosure Principle

The Disclosure Principle prohibits a data user from disclosing the personal data of a data subject:

  • for any purpose other than the purpose disclosed at the time of the collection of the personal data or any directly related purpose
  • to any party other than a class of third parties the data user may disclose the personal data to as stated in the written notice

Security Principle

The Security Principle stipulates that appropriate steps be taken to protect personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, or alteration or destruction. Where a data processor handles the data on behalf of the data user, the data user must still put appropriate security measures in place to govern the data processing and take reasonable steps to ensure compliance with those measures.

Retention Principle

The Retention Principle provides that personal data must not be retained longer than is necessary for the fulfilment of the purpose for which it is processed, requiring the data user to destroy or permanently delete all personal data that is no longer required for that purpose.

Data Integrity Principle

The Data Integrity Principle requires a data user to take reasonable steps to ensure that the personal data is accurate, complete, not misleading, and kept up to date. This can be done by preparing a form for updating personal data or by updating personal data immediately upon receiving a personal data correction notice.

Access Principle

The Access Principle states that a data subject will be given access to their personal data held by the data user and be able to correct that personal data where it is inaccurate, misleading, or not up to date.

ISO 27001

While not a national regulation, ISO 27001 is an international standard for implementing an enterprise-wide Information Security Management System (ISMS). It is a framework that organizations can comply with to protect their information assets from malicious actors. The global standard provides complete guidance on building, implementing, maintaining, and continually improving the ISMS.

The process of getting an ISO 27001 certification involves:

  1. Conducting a gap analysis
  2. Conducting an information security risk assessment of the current ISMS controls
  3. Developing written security policies/controls, ISMS procedures, and policy improvement
  4. Providing training for staff
  5. Establishing ISO 27001 best practices if security improvements are necessary
  6. Obtaining ISO 27001 third-party certification

Educational institutions may choose to align their cybersecurity practices with ISO 27001 to enhance their security posture.

Other Legislation to Keep in Mind

Computer Crimes Act 1997

The Computer Crimes Act 1997 (CCA) is a crucial piece of legislation enacted to counter cybercrime. It addresses offences such as unauthorized access to computer material, unauthorized access with intent to commit other offences, and unauthorized modification of the contents of any computer.

Copyright (Amendment) Act

The Copyright (Amendment) Act aims to protect copyrighted works, including literary work such as computer programs and online materials. It outlines the applicable licensing principles and technological protection measures in relation to copyrighted work. Institutions should keep this in mind when distributing materials to staff and students and ensure that they abide by this act.

In conclusion, as educational institutions embrace technology to enhance learning experiences, the importance of cybersecurity cannot be overstated. Complying with Malaysian cybersecurity regulations and staying aware of the relevant legislation is a crucial step toward fostering a secure digital environment.

By understanding and adhering to the regulations, educational institutions can ensure the resilience of their digital infrastructure in the face of evolving cyber threats.