Wednesday, September 1, 2021

Govt told to play leading role in personal data protection

 


As the newly reinstated cabinet carries on with work this week, data experts have called on the government to play a leading role in ensuring that our personal data is adequately protected.

Digital rights activist Jac sm Kee said for a country that was an early adopter of biometric data systems and early enforcer of national identity cards, it was time for Malaysia to re-haul its data protection policies.

She added that this was especially impertinent as the country lays down more data-driven infrastructure to address the ongoing Covid-19 pandemic.

“If left unchecked, it’s going to leave all of us vulnerable to violations such as the one that happened with Rela.

“Given that Rela members actually have huge powers to carry firearms - how are the checks so scarily careless?

“We need to inculcate a stronger culture of privacy and rights protection when it comes to collection and handling of personal data in this country, and the government needs to play a leading role in ensuring adequate protections and safeguards are in place,” Kee told Malaysiakini.

Digital rights activist Jac sm Kee

She was referring to the incident where several individuals discovered that they had been registered for the People’s Volunteer Corps (Rela) without their consent.

She claimed that this was not the current reality of the country’s data protection where the government is a primary source of vulnerability to leaks, breaches and potential abuse and violations.

Sinar Project administrative and finance officer Kelly Koh echoed her sentiments on the matter.

“There needs to be transparency on how personal data will be collected, how it will be used and what measures will be taken to protect the data to be disclosed to the public,” Koh told Malaysiakini.

She pointed out that at present, only the privacy and security policies are published on Rela’s website, with the corps failing to provide information on how it handles registration data - which she considers a “little too simplistic”.

“(The) government perhaps should consider setting out a good example of complying (with the) Personal Data Protection Act (PDPA), (and) show us how it is done,” added Koh, who is also a lawyer by training.

Is our personal data protected?

In June, Rela came under fire after netizens - including Bukit Mertajam MP Steven Sim Chee Keong - discovered that they had been registered as members of the corps without their consent or knowledge.

Rela has since denied the allegations that it had been misusing personal data to automatically register the affected individuals without their consent.

Shortly after the discovery, the corps began the process of removing names inadvertently added to the system.

According to the corps, which is under the Home Ministry, such an act violates Section 6(1) of the Personal Data Protection Act 2010, and Section 7(1) of the Rela Act 2012.

The former stipulates that a data user shall not process personal data about a data subject unless they have consented to have their personal data processed.

However, lawyer Foong Cheng Leong claimed that the PDPA has its limitations when it comes to protecting our personal data, whether online or offline.

“It currently only applies to commercial transactions, and federal and state governments are exempted from its application. This would include the government agencies. Therefore, the PDPA does not apply to Rela,” said Foong, who is also the former co-chairperson of the Bar Council Ad-Hoc Committee on Personal Data Protection (2013 to 2016).

He claimed that the PDPA had various subsidiary legislation which details how our personal data should be processed.

For example, the Personal Data Protection Standards 2015 sets out the various security measures a data user ought to take when processing data electronically and non-electronically.

“However, for government agencies, we do not know whether their standards are equivalent to the PDPA as these are not publicly available information.

“The PDPA should be extended to government agencies as well,” Foong added.

According to Kee, the omission of government bodies is one that contradicts the foundational basic global standards when it comes to data protection and privacy.

“The government and their administrative departments and agencies are a huge collector, processor, storer and transactor of personal data.

“They are often very serious ones, such as health and financial records. What (the) PDPA does is actually effectively tell us that we don’t really have recourse in the event of any breach or abuse of data held, processed and used by governments,” Kee said.

Rela’s internal investigations

Since the discovery of Rela’s “phantom volunteers” in June, the corps has said that it will conduct an investigation on how members were registered before the Rela Act was enacted and that it will not compromise if any party is found to have deliberately abused people’s personal data without consent.

The corps' internal investigations are believed to be ongoing.

On the matter, Foong called on Home Minister Hamzah Zainudin to take action on the investigations.

“I think the home minister should publish its findings and recommendations and take appropriate action against those responsible for the leak.

“Hopefully, some remedial action is also taken to ensure that it does not happen again or to compensate those who were seriously affected by the leak,” Foong added. - Mkini

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.