
Employers and employees face data breach liability under WFH

The shift to work-from-home arrangements does not absolve employers or employees of their legal responsibilities for protecting sensitive data.

Lawyer Datuk J. Shamesh emphasised that both parties retain full liability under the Personal Data Protection Act 2010 (PDPA). He stated that employees must uphold confidentiality and act in good faith towards their employer.

“Working remotely does not reduce an employee’s responsibility, as the obligation to protect confidential information remains firmly in place,” Shamesh told Bernama. Employers are equally responsible for providing secure systems and safeguards.

He warned that failing to protect company and client data could lead to criminal penalties, including imprisonment. The legal expert highlighted that using personal devices and unsecured home Wi-Fi can bypass office security controls.

This increases the risk of unauthorised access or accidental data disclosure. Shamesh cited the 2024 case of Norzuliyana Zulkefli v. Malayan Banking Berhad, where an employee was dismissed for storing customer data on a personal phone.

In that case, the data was later accessed by a third party. He also referred to the 2011 ruling in Equity Trust (Labuan) Limited v Mohammad Sofian Mohamad & Anor.

That case established that transferring proprietary data to personal devices constitutes a breach of confidentiality. On employer liability, Shamesh said companies can be held accountable under the doctrine of vicarious liability.

This is particularly true if proper internal checks and procedures are lacking. He cited Kumpulan Wang Persaraan (Diperbadankan) v Meridian Asset Management Sdn Bhd (2012).

In that ruling, the High Court stated an employer cannot hide behind an employee’s actions if internal procedures are inadequate. The court emphasised that professional organisations must protect client interests through strict operating protocols.

Shamesh outlined that Section 9(1) of the PDPA requires organisations to take practical security measures. These include using device encryption, strong authentication, and employee training.

Data should also be transferred via secure channels only. “Tools like virtual private networks (VPNs) and approved company systems help maintain data security,” he added.

Section 12B of the PDPA also mandates that companies report personal data breaches promptly to the Commissioner. Shamesh said these measures help build a culture of responsibility and trust in remote environments.

The WFH model gained significant traction during the COVID-19 pandemic movement restrictions. It accelerated digital adoption and reshaped workplace practices globally.

Prime Minister Datuk Seri Anwar Ibrahim recently said the government is refining flexible work arrangements. This includes WFH for civil servants to mitigate the impact of global oil supply disruptions.

Source – https://thesun.my/news/malaysia-news/people-issues/employers-and-employees-face-data-breach-liability-under-wfh/
