- Be Malas/ Be Lazee (“Be Malas”) places great importance on the security of the Customer’s personal information and ensures organizational security measures when processing the Customer’s personal information.
- Be Malas shall ensure that this security policy complies with Personal Data Protection Act 2010 ("the Act") and Personal Data Protection Regulations 2013 and is obliged to ensure the security of all personal data from retention and destruction stage.
Hardware & Hardcopy
All personal data stored whether in USB, CD, or other physical device (“Hardware”) or in manual records, printed documents, handwritten notes, or in any other hardcopies (“Hardcopy”) shall be kept in a secure environment with controlled access:-
- locked metal cabinets with access to keys limited to authorized personnel only;
- selected locked drawer in desk or other storage area for which the personal data is kept with access to keys limited to authorized personnel only; and
- filing room which is designated as prohibited/restricted area with access to keys limited to authorized personnel only.
The employees or/and authorized personnel shall take the following actions to ensure that the personal data is secured:-
- attend at all material times during the storage facility is unlocked;
- ensure that all Hardcopy containing personal data not to be left unattended when the same are removed from their designated storage area;
- access to, photocopy or otherwise use the Hardcopy as and when required only;
- clean the work place from remaining Hardcopy when out of the offices; and
- never remove all Hardcopy off from the office unless it is required for performance of the task or assignment whereupon such employee or authorized personnel shall ensure all reasonable precaution or measures are taken against theft or inappropriate access or use of the files, eg: locked in a secured briefcase.
- All personal data stored whether in USB, CD, or other physical device (“Hardware”) or in manual records, printed documents, handwritten notes, or in any other hardcopies (“Hardcopy”) shall be kept in a secure environment with controlled access:-
Software & Softcopy
- All personal data stored in a file, folder or otherwise electronically (“Softcopy”) shall be kept in a secured server accessible only by the designated IT manager.
The security features on the personal data stored electronically includes:-
- monitoring of network activity at reasonable times during operation hours;
- only limited numbers of authorized personnel accessible to the Softcopy;
access to application or other software (“Software”) in relation to the credit assessment of the data subject containing personal data is protected with password limited to authorized personnel:-
- password length is at least 5 characters long include numerical numbers;
- password shall not be shared with any personnel;
- password shall be changed every 6 months;
- recovery of password may only be done under automated operating system where proof of identity is required;
- password whenever required should not be “remembered" or stored in the Software;
- anti-virus, anti-spyware or other similar programs are installed in each computer;
- work related emails of all authorized personnel is filtered and separated from personal emails; and
- all personal data is backed up regularly and copies are kept in a separate secure location.
The obligation of the employees or/and authorized personnel shall take the following actions to ensure that the personal data is secured:-
- ensure all the computer and mobile phone is protected with the password known to the personnel only;
- log off, shut down, sleep or hibernate the computer whenever the computer is left unattended;
- allow the anti-virus, anti-spyware or other similar programs runs all data storage device includes USB, CD, DVD for virus or spyware scanning;
- ensure all junk emails are safe to be moved to “inbox” only after reading through the emails;
- copy & paste or otherwise use all the personal data as and when required only for the purpose of the particular assignment or task.
- never install any Software into the computer unless such Software has a valid license;
- never introduce any malicious applications or programs into the server, eg: viruses, worms, Trojan horse, email bombs, etc by any means;
- Level of security applied in Clause 2.1 and 2.2 shall be determined by the Personal Data Officer upon completion of Risk Assessment.
Hardware & Hardcopy
- Subject to the retention guidelines binding against Be Malas, all Hardcopy which is unused and/or unwanted shall be disposed by shredding the copies via shredder machine whilst all Hardware which is unused and/or unwanted shall be disposed by reformatting the contents and cut up with scissors.
- The employee or personnel who last use the Hardware or Hardcopy shall be responsible to ensure the full compliance of Clause 3.1(A). In the event such employee or personnel is not able to be identified, the employee or personnel who is in charge of the file producing the Hardware or Hardcopy shall be responsible on the same.
Software & Softcopy
- Subject to any retention guidelines binding against Be Malas, all Software or Softcopy which is unused and/or unwanted shall be disposed by permanently deletion from the computer and server, including deleting any back-up softcopy, record logs, cookies, if any.
- The employee or personnel tracked by the particular computer who last use the Softcopy or Software shall be responsible to ensure the full compliance of Clause 3.2(b).
- The “unused and/or unwanted” Softcopy shall be determined by the Personal Data Officer upon completion of Risk Assessment.
- Hardware & Hardcopy
- The Personal Data Officer shall carry out a personal data risk assessment against Be Malas on an annual basis or on such other periodical period as he think fit and necessary.
The risk assessment shall primarily consist of:-
- identifying and determining all the potential risks for unauthorized access to Hardcopy Hardware Softcopy and Software; and
- proposing appropriate actions to be taken in order to mitigate the risk, or unauthorized use of personal data.
Whenever Be Malas is disclosing the personal data to Third Parties (as stated in the Personal Data Notice), security measures shall be taken including:-
- all Hardcopy whenever addressed to a data subject (as defined in the Act) is marked strictly private and confidential and be enclosed in a covering envelope; and
- all Softcopy shall be encrypted with password before transferring to third parties except for the ease of performance of task or assignment or for other reasons the transferor thinks otherwise;
- Whenever Be Malas is disclosing the personal data to Third Parties (as stated in the Personal Data Notice), security measures shall be taken including:-
Security Incidents occur when there is a breach of, or compromise to, data security as a result of, among others:-
- Loss or theft of personal data held in Hardware or Software;
- Inappropriate or illegal access controls allowing unauthorized use;
- Equipment failure;
- Human error;
- Unforeseen circumstances such as fire or flood; or
Upon the occurrence of Security Incident known to any employee, the said employee shall immediately inform to the Personal Data Officer, thereafter, the Personal Data Officer shall assess the Security Incident based on the following factors before initiating the Data Recovery System in Clause 7:-
- nature of the breach;
- manner of the breach;
- consequence of the breach;
- number of individuals who have been affected by the breach; and
- appropriate steps to manage the consequences.
- Security Incidents occur when there is a breach of, or compromise to, data security as a result of, among others:-
Data Recover System
- The Personal Data Officer shall investigate the breach of data security within reasonable period of time and inform the IT officer to recover the personal data so breached, if necessary.
Upon completion of the investigation, the Personal Data Officer may take the following necessary actions:-
- report to the personnel designated from the management team;
- if he finds that the Security Incident is owed to the particular employee(s) of Be Malas, recommend to Be Malas a warning letter to be issued to the officer or if the Security Incident is serious, to convene a meeting with all relevant parties to decide on the appropriate disciplinary actions to be taken against the employee;
- if he finds that the Security Incident is not owed to the employee(s) of Be Malas and that the Security Incident is serious and illegal, lodge a police report on the same;
- issue a memorandum or brief report on the Security Incident to all the employees;
- update and revise this Security Policy if necessary taking into consideration of the Security Incident.
- Notwithstanding Clause 7.2, the Personal Data Officer may take any actions necessary in order to recover the personal data so lost and to prevent from future Security Incident.
Personal Data Officer
The details of the Personal Data Officer are:-
Name ***** Department Customer Service Department Telephone No. +60126431303 Email address email@example.com Office hours 9.00am to 6.00pm (Monday to Friday)
- This Security Policy issued by Be Malas shall be valid and binding against all the employee of Be Malas, including any updated Security Policy.
- Any amendments, variation, deletion or changes to this Security Policy shall be notified in writing by Be Malas to all employees.
- Unless the context herein requires otherwise, all words shall be interpreted and construed in accordance to the Act.