PETALING JAYA: Earlier this month, communications and digital minister Fahmi Fadzil said he was looking into amending the Personal Data Protection Act to make companies accountable for data in their possession and also make the law applicable to more industries.
His decision comes after privacy concerns were raised when it was revealed the personal information of three million vaccine recipients was stolen from the MySejahtera database.
What is the PDPA and what does it do? FMT takes a closer look at the law.
What is it?
The PDPA governs data usage and its security in Malaysia. It was tabled in 2010 and gazetted the same year, but only implemented in 2013.
The act is enforced by the Personal Data Protection Department. One of its main functions is to prevent data misuse in commercial transactions.
What it covers
Under the PDPA, data such as your full name, MyKad number, passport number and your email address are considered to be personal and sensitive information.
Other forms of data that fall under this category include photographs, images captured from CCTVs, religious and political beliefs, as well as personal documents like tax records.
Under the Act, a person is entitled to the following rights after sharing their data with an organisation:
- The right to know if their data is being processed.
- The right to access their personal data from the organisation’s database.
- The right to amend the data provided.
- The right to withdraw consent given to process one’s data.
- The right to stop any data processing activities that could cause one damage or distress.
- The right to stop data processing activities for direct marketing.
How often is it called upon?
The MySejahtera data breach wasn’t an isolated case.
Nine similar breaches were reported last year alone. In one instance, millions of datasets belonging to the National Registration Department were put up for sale online for just US$10,000. A cybersecurity incident involving payment gateway iPay88 left customers’ card data compromised.
Malindo Air, now known as Batik Air, suffered the exposure of 45 million customers’ email addresses, passport numbers and phone numbers, which were published online by hackers.
Yet only 20 companies have been fined for data breaches in the past six years. Fahmi said in January this year that the average fines on these companies came to just RM24,000.
Is it effective?
According to Derek Fernandez, a lawyer who specialises in cybersecurity legislation, the PDPA in its current form is inadequate.
He said companies should be compelled to inform customers if there was a need to share their data with third-party companies. Customers should not be required to consent to their data being shared as a condition of accessing online services, as is common with the consent checkbox presented when making online transactions.
Fernandez also said companies should be required to formally report data breaches and that the law’s scope should be expanded to cover non-commercial entities such as credit reporting agencies.
The law should allow people to sue companies for breaching the PDPA, he said, including failing to protect data in their possession. - FMT