TAXATION
E-Invoice
(PART 3: SYSTEMS, DATA SECURITY AND PRIVACY FREQUENTLY ASKED QUESTIONS)
22. Does Personal Data Protection Act 2010 govern the processing of e-Invoice?
Yes, it does. The Personal Data and Protection Act 2010 governs the processing of personal data concerning commercial transactions.
Personal information such as name, address and email address details are commonly collected and processed online. The collection and processing of personal data are permitted on the condition that consent is obtained from the data subject. This is supported by the General Principle as set out in Section 6(1) of the Personal Data and Protection Act 2010, which states that a data user shall not process personal data, that is other than sensitive personal data, regarding the owner of the data unless the owner has given his consent to the processing of the personal data. For the purposes of e-Invoice issuance, taxpayers are required to obtain consent from their customers accordingly.
23. Does the API solution offer security and encryption services?
Yes, through the necessary Network & Security monitoring tools to ensure data security and privacy.
Additionally, the API solution will utilise an industry-standard encryption protocol to ensure that information transmitted remains confidential and secure.
24. How would IRBM monitor and audit the e-Invoice data security and privacy?
IRBM adopts a high standard of data security in managing data of taxpayers. These are the steps that will be taken in monitoring and auditing the e-Invoice data security and privacy:
1. IRBM will assess the data protection needs – Before IRBM starts monitoring and auditing the e-Invoice data security and privacy, IRBM will identify what kind of data it collects, processes, stores, and shares through the e-Invoice system. With that process in place, IRBM will always understand the legal and contractual obligations that apply to the data, such as data privacy laws or specific industry standards. From the data protection needs, IRBM can define the data security and privacy policies and objectives.
2. Implementation of data protection controls – In order to protect the e-Invoice data from unauthorised access, modification, loss, or disclosure, IRBM will implement appropriate technical and organisational controls. These may include encryption, authentication, access control, backup, firewall, antivirus, and logging.
3. Monitoring and auditing data protection performance and incidents – This can be done by benchmarking the performance against the objectives and industry best practices and reporting, investigating, resolving, and learning from any data breaches, errors, complaints, or violations that may affect the e-Invoice data.
4. Review and improve the data protection practices – IRBM will use the results of the monitoring and auditing activities to identify any gaps, weaknesses, or opportunities for improvement in the data protection policies, controls, performance, or incidents.
25. Is there any specific application required to scan the QR code?
The QR code will only contain a link to the validated e-Invoice. Hence, any device (e.g., mobile camera, QR code scanner application) capable of scanning a QR code will be able to scan the QR code.
26. What are the measures taken by IRBM in protecting the confidentiality of e-Invoice submitted to IRBM?
No, the supplier would need to cancel the e-Invoice within 72 hours from time of validation and reissue a new e-Invoice.
Any changes after 72 hours from time of validation would require the supplier to issue a new e-Invoice (i.e., debit note, credit note, refund note e-Invoice) to adjust the original e-Invoice issued. Thereafter, a new e-Invoice would be required to be issued accordingly.
27. What is the file format sent to IRBM for validation purposes?
Suppliers must generate the e-Invoice in XML or JSON file format and send it to IRBM for validation purposes.
28. Can a company use a combination of transmission mechanisms (API and MyInvois Portal)?
Yes. Taxpayers are recommended to perform reconciliation to ensure no duplication of e-Invoices submitted to IRBM.
29. What is the workaround in the event that the MyInvois System is down?
The system will be available 99.97% of the time. However, in the event that IRBM’s system is down, suppliers are given 72 hours to issue an e-Invoice once the system is available. A retry mechanism shall be implemented in the supplier’s system to submit the e-Invoices once the system is available.
As for MyInvois Portal, supplier should periodically check the portal to determine if it is back online.
Refer to section 14.4 of the e-Invoice Specific Guideline for further details.
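A sketch of the supplier-side retry mechanism described in this answer, added here as an example and not taken from IRBM or the guideline. The `submit` callable, the `SystemUnavailable` signal, the backoff values and the invoice numbers are assumptions; the queue is keyed on invoice number so a retry never submits the same e-Invoice twice.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
WINDOW_SECONDS = 72 * 3600  # the 72-hour window stated in the answer above

class SystemUnavailable(Exception):
    """Assumed signal from the hypothetical submit callable that the system is down."""

@dataclass
class RetryOutbox:
    submit: Callable[[str, str], None]      # hypothetical transport, not a real API
    clock: Callable[[], float] = time.time
    base_delay: float = 60.0                # first backoff step in seconds (assumed)
    max_delay: float = 3600.0               # backoff ceiling in seconds (assumed)
    pending: dict = field(default_factory=dict)
    submitted: set = field(default_factory=set)
    failures: int = 0
    next_attempt: float = 0.0
    recovered_at: Optional[float] = None    # when the system was first seen back up

    def enqueue(self, invoice_no: str, payload: str) -> bool:
        # Accept each invoice number once, so retries cannot create duplicates.
        if invoice_no in self.submitted or invoice_no in self.pending:
            return False
        self.pending[invoice_no] = payload
        return True

    def flush(self) -> list:
        """Send everything pending; back off exponentially while the system is down."""
        now = self.clock()
        if now < self.next_attempt:
            return []
        sent = []
        for invoice_no, payload in list(self.pending.items()):
            try:
                self.submit(invoice_no, payload)
            except SystemUnavailable:
                self.failures, self.recovered_at = self.failures + 1, None
                step = self.base_delay * 2 ** (self.failures - 1)
                self.next_attempt = now + min(step, self.max_delay)
                break
            if self.failures:               # first success after an outage
                self.failures, self.recovered_at = 0, now
            self.submitted.add(invoice_no)
            del self.pending[invoice_no]
            sent.append(invoice_no)
        return sent

    def deadline(self) -> Optional[float]:  # 72 h counted from the observed recovery
        return None if self.recovered_at is None else self.recovered_at + WINDOW_SECONDS
```

Call `flush()` from a scheduler; anything still pending as `deadline()` approaches should be raised to an operator.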
30. Can taxpayer adopt the Peppol Network as the transmission mechanism for e-Invoice?
Taxpayers are allowed to select any transmission method that is most suited to their business nature and preference. Any access point in the market that can comply with IRBM’s API requirements is welcome. Refer to Section 2.2 of the e-Invoice Guideline for further details.
31. Is MyInvois Portal able to accept large volume of e-Invoices from taxpayers?
MyInvois Portal supports both individual and batch e-Invoice generation through spreadsheet upload for processing multiple transactions.
MyInvois System will undergo testing with actual estimated volume of e-Invoices before its go-live.
Additionally, it is designed to scale up additional computing resources as and when required.
For Education purposes, we make no representations or warranty (expressed or implied) about the accuracy, suitability, reliability, or completeness of the information for any purpose. Tee & Co (NF 2298) accepts no liability, and disclaims all responsibility, for the consequences of anyone acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. Recipients should not act upon it without seeking specific professional advice tailored to your circumstances, requirements, or needs.