The authority is investigating a website, namely the MYS PPL, which claims that it can help members of the public to look for a long lost friend by selling personal data.
However, at the time of writing, the website is inaccessible, but it is not clear whether it was taken down by the host or blocked by the authorities.
When the website was still accessible at the end of August, members of the public could key in a full name and it would display some related personal profiles, such as name, age and in which state the person possibly lives.
Some personal data, such as IC numbers and mobile phone numbers were locked, but the site would state how many emails, mobile numbers, addresses and companies’ information were available for purchase. In some cases, it would also state that it has no related information.
The purchase price was not displayed on the website, the people needed to contact the website to buy the profile report.
The Department of Personal Data Protection (JPDP) explained that displaying the personal data of a Data Subject (an individual who is the subject of personal data) is an offence under Personal Data Protection Act (PDPA) 2010.
“Upon conviction, the Data User is liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding two years or to both,” it states.
However, the Act shall not apply to any personal data processed outside Malaysia, unless that personal data is intended to be further processed in Malaysia, the department said in an email to Malaysiakini.
“For the said report (MYS PPL website), JPDP is liaising with the relevant agencies within Malaysia and other related agencies in other countries.
“As not to impede the investigation process, we are not allowed to disclose further details on the extent of investigation activities,” it said.
The department explained that if the website is confirmed to be doing activities that breach the PDPA, the site will be blocked from Malaysia Public Access. The relevant parties, such as the website owner or operator will be taken into custody and punished.
RM500k fine for unlawful collection of personal data
It added that unlawful collecting of personal data is an offence under the PDPA. Upon conviction, the Data User is liable to a fine not exceeding RM500,000 or to imprisonment for a term not exceeding three years or to both.
The website has stated that if anyone wishes to remove their personal information from the website, they may contact the website through the contact form
The associate professor of Ahmad Ibrahim Kulliyyah of Laws at the International Islamic University Malaysia, Sonny Zulhuda, said: “It is improper in the first place because their processing of our personal data is already done without our consent or any other reasons under Section 6 of the PDPA.
“If anyone knows that his/her personal data exists in their system, these individuals should have a right to withdraw from the processing at any time.”
JPDP added that removing personal data from the MYS PPL website does not mean that it has been permanently deleted from its database.
“The statement may just be an indication to remove from displaying the records to public view,” it noted.
It explained that under the Retention Principle in the PDPA, personal data is not to be retained longer than is necessary for the fulfilment of the purpose for which it was processed.
“Once the purpose has been fulfilled, it is the duty of the Data User to take reasonable steps to ensure that the data is destroyed or permanently deleted,” it explained.
It added that Data Subject also has the right to prevent processing likely to cause damage or distress, the right to withdraw consent and the right to prevent processing for the purposes of direct marketing.
“If any member of the public finds that personal data has been misused by certain individuals or organisations, in the adversary of or breaching the rights to personal data, a complaint can be submitted to JPDP through our website for further investigation,” it said.
As for Sonny Zulhuda, in general, displaying personal data in public does not automatically offend the PDPA.
“What we are concerned with is whether the data processed is collected or obtained unlawfully, for example, from other entities' ownership or data users such as from telcos, banks, universities or hospitals. If yes, this will amount to the offence of unlawful collecting and disclosing of personal data,” he stressed.
Sonny Zulhuda said the provider of such services may want to ensure that the whole processing is being done in conformity with the legal requirements. All the processes, starting from collection to storage, from using to disclosure, and from securing to disposal must be done in accordance with the PDPA 2010.
“I would also advise a service provider like this to avoid or minimise public disclosure of the data.
“Even if the service is found to be legitimate, unnecessary disclosure of personal data online may amount to a breach of the data protection principles under PDPA as it can be excessive and unnecessary and does not commensurate with data security threats,” he added.
Malaysiakini has contacted the website for comment and is awaiting a response.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.