The IASP Code general rules are as follows:-
- The IASP Code Guiding Principles
- Protection of Personal Information
- Provision of Information
- Provisioning of Services
- Anti-Spam Measures
- Policy on Information Network Security
- Content
- Billing
- Protection of Minor
- Handling of Customer Complaints and Disputes
- Principle of Compensation
1. The IASP Code Guiding Principles
1.1 The communications and multimedia industry will strive to achieve the following principles:
- The National Policy Objectives as set out in the CMA 1998;
- The Code objectives as set out in Clause 5, Part 1 of the GCC; and
- The Fundamental Principles for Service Providers as outlined in Clause 1(A), Part 2 of the GCC for the communications and multimedia industry of Malaysia.
2. Protection of Personal Information
2.1 The relevant provisions in the GCC on protection of consumer information (namely the provisions of Clause 2, Part 2 of the GCC) are applicable to the IASP Code.
3. Provision of Information
3.1 Service Providers shall comply with all the relevant provisions contained in the GCC on the provision of information regarding services, rates and performance.
3.2 Consumers shall be provided with an adequate description of the service offered prior to entering into the contract of sale. All material features of the services such as bandwidth, speed and availability (i.e. coverage) should be described in simple language that is easily understood.
3.3 The IASP Code should impose an obligation on all Service Providers to publish and adhere to an acceptable use policy, which in all cases would be a condition of sale. This policy shall, at the minimum, include:
- Information to Consumers about their legal obligations and liabilities in making use of the services provided by the Service Provider;
- Information to Consumers about the responsibilities of the Service Providers in ensuring that the Customers adhere to their legal obligations;
- Information on Internet use etiquette;
- A description of practices which are abusive and therefore prohibited; and
- Subject to the anti-spam measures herein provided, an indication of the type of remedial measures that may be taken by the Service Providers in respect of defaulting Customers.
3.4 Service Providers shall take reasonable steps to notify all Consumers of their policy on privacy prior to the entering into the contract of sale.
3.5 Any changes in policies developed by the Service Providers should also be communicated to the Consumers as soon as practicable.
4. Provisioning of Services
4.1 Service Providers will provide services and products in a responsible manner, ensuring that the services that they provide to their Customers meet the service levels as contractually agreed between the Service Providers and the Customers.
4.2 Service Providers shall endeavour to provide consistent and reliable access to the services.
4.3 Service Providers shall give adequate notice to their Customers of any planned interruptions of service.
4.4 Service Providers shall not discriminate unduly between persons or classes of persons in the provision of their services or any related matters and shall provide equal access to all Customers.
5. Anti-Spam Measures
5.1 The Service Providers should address concerns about Spam and consider methods of managing such issues in such a way as to ensure the protection of the Customers’ interest. The Service Provider may consider the following measures in dealing with these issues:-
- To articulate a specific definition for Spam so as to be clear what is being addressed.
- To include the following general principles as contractual conditions in agreements entered into between the Service Providers and Customers who may have the propensity to produce Spam:-
  - The Customer shall not engage in sending Spam messages;
  - Any breach of conditions shall result in the suspension and/or termination of the Customer account. Such Customer may appeal for reactivation of the said account in accordance with the Service Provider’s prevailing policies and procedures;
  - Service Providers should provide specific guidance (in the form of an Acceptable Use Policy (AUP)) on when sanctions or suspension and termination of account would be imposed. The Acceptable Use Policy should impose an obligation on the Customer to ensure that all commercial emails sent out by the Customer are accompanied by or include the following information:-
    - Header information that is not false, deceptive or misleading
    - A valid return e-mail address
    - Functional unsubscribe facility (i.e. “opt out” facility)
    - Identity of sender
    - Message to be clearly labeled as commercial communication (e.g. [ADVERTISEMENT] for advertisements, [COMMERCIALS] for commercials etc.)

    For the purpose of this provision, “commercial electronic message” shall mean any electronic message that can be concluded to be for the purpose of advertising, highlighting, promoting, selling and/or offering to supply any goods, property, service and/or business or investment opportunity.
  - The Service Providers should also provide their policies and procedures in reactivating the services suspended due to violation of the AUP.
5.2 In addition to the terms and conditions outlined above in the service contract with their Customers, Service Providers should also consider implementing some technical measures to assist in curbing Spam.
5.3 In addition to Section 5.1(b)(iv), the Service Providers shall have a written procedure for handling incidents of Spam. This procedure should be publicly available either in print and/or on a web site. Examples of such procedure may be as follows:-
- There shall be an ‘abuse’ account. Mail sent to this account shall be routed to a responsible person or those who have the ability to investigate and take action on such complaints;
- All complaints sent to the ‘abuse’ account shall be replied to. All complaints should be investigated within a certain period of time and proper and timely replies should be given to complainants;
- Complaints shall be investigated and action must be taken against users flouting the terms and conditions referring to Spam. Even if investigation reveals no fault on the part of the Service Provider or user, the Service Provider is encouraged to help the complainant to resolve their complaint.
5.4 The Service Provider shall make available on its website information on anti-spamming measures regarding its Customers. Such information may include IP addresses suspended and/or blocked by the Service Provider and/or any anti-spamming monitoring bodies such as Spamhaus and Spamcop. The said information shall be updated on a weekly basis.
6. Policy on Information Network Security
6.1 Service Providers should have a guideline on how to implement security in their network and there must be some level of standard procedures to be followed. The policy may cover the following areas:-
- Business Continuity Planning
  There must be a business continuity plan in place to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
- System Access Control
  Access Control System should be in place to ensure the following:-
  - to control access to information
  - to prevent unauthorised access to information systems
  - to ensure the protection of networked services
  - to prevent unauthorized computer access
  - to detect unauthorised activities.
- System Development and Maintenance
  Service Providers should also put in place policies on system development and maintenance so as to ensure the following:-
  - security is built into operational systems;
  - to prevent loss, modification or misuse of user data in application systems;
  - to protect the confidentiality, authenticity and integrity of information;
  - to ensure IT projects and support activities are conducted in a secure manner;
  - to maintain the security of application system software and data.
- Physical and Environmental Security
  Policies must be put in place to prevent:-
  - unauthorised access;
  - damage and interference to business premises and information;
  - loss, damage or compromise of assets and interruption to business activities; and
  - compromise or theft of information and information processing facilities.
- Compliance
  The policies in place must clearly set the following:-
  - to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
  - to ensure compliance of systems with organizational security policies and standards
  - to maximize the effectiveness of and to minimize interference to/from the system audit process.
- Security Organisation
  The policies in place must clearly set the following:
  - to manage information security within the Company;
  - to maintain the security of organizational information processing facilities and information assets accessed by third parties
  - to maintain the security of information when the responsibility for information processing has been outsourced to another organization.
- Computer & Network Management
  The policies in place must clearly set the following:
  - to ensure the correct and secure operation of information processing facilities;
  - to minimise the risk of systems failures;
  - to protect the integrity of software and information;
  - to maintain the integrity and availability of information processing and communication;
  - to ensure the safeguarding of information in networks and the protection of the supporting infrastructure;
  - to prevent damage to assets and interruptions to business activities;
  - to prevent loss, modification or misuse of information exchanged between organizations.
- Asset Classification and Control
  To maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
6.2 Service Providers are required to ensure that their policy on information and network security is in compliance with and subject to other general guidelines such as frameworks and determinations issued as well as frameworks and determinations to be issued by MCMC and Ministry of Energy, Water and Communications from time to time.
7. Content
Reference should be made to the relevant provisions of the Content Code in this regard.
8. Billing
Reference should be made to the relevant provisions of the GCC in this regard.
9. Protection of Minor
9.1 Service Providers will take reasonable steps to ensure that post-paid Internet access accounts are not provided to any child without the consent of a Guardian. For the avoidance of doubt this obligation shall not be applicable to the pre-paid Internet access services.
9.2 Service Providers should take reasonable steps to provide Customers with:-
- information on supervising and controlling a child’s access to Internet content;
- procedures which Guardians can implement to control a child’s access to Internet content, including the availability, use and appropriate application of Internet content filtering software;
- notifying the Consumers: “if you are below 18 years of age – prior consent of a guardian is required before you are allowed to subscribe to a post-paid Internet access account” prior to the sale of the service.
10. Handling of Customer Complaints and Disputes
Reference should be made to the relevant provisions in the GCC in this regard.
11. Principle of Compensation
Reference should be made to the relevant provisions of the GCC in this regard.