Several days ago, Malaysians woke up to the shocking news of an alleged personal data leak claimed to be from the National Registration Department (NRD) and the Inland Revenue Board (IRB). It was reported that a whole cache of personal data belonging to 4 million Malaysians was up for sale on the internet. Troubling indeed.
IRB has denied the leakage. JPN has denied it too. The Police are investigating.
Needless to say, the question on everyone’s mind is this: Isn’t my personal data protected under Malaysian law?
The only piece of legislation in Malaysia that regulates personal data processing is the Personal Data Protection Act 2010 (“PDPA”). Section 9(1) provides inter alia “A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction…”.
But before you jump for joy, you may want to note that the PDPA only applies to “commercial transactions” and not to the Malaysian Government. Section 3(1) clearly states, “This Act shall not apply to the Federal Government and State Governments”. You may find this disappointing, especially when there is no real justification why the Government should be exempt from being bound by the stringent data protection mechanisms made mandatory under the PDPA. In fact, the Government should stand as an example of how personal data ought to be properly protected. For example, in the UK, the government is bound like any other commercial organisation to protect the personal data it collects – see UK’s Data Protection Act 2018.
So, if there is evidence that some officer in some government agency, with nefarious intentions, had indeed abused your data for a quick buck, would he/she get away scot-free? Not really. He/she may be charged with a criminal offence under section 4(1) of the Computer Crimes Act 1987 read with section 3(1) of the same Act i.e. securing data without authorisation with intention to commit an offence involving fraud or dishonesty. If the authorities do find this irresponsible individual, and he/she is convicted in a criminal court for this offence, he/she may have to fork out a fine of up to RM150,000 or spend time thinking about his/her despicable behaviour in prison for up to 10 years, or even both.
Let’s hope the authorities do get to the bottom of this. In the meantime, we should talk to our MPs to have the PDPA amended, so that our Government is also held accountable for our personal data. Malaysians have a right to feel secure about their personal data especially when we do not have the choice of NOT giving our personal data to JPN or any other government agency for that matter.
As to whether our data is currently safe in JPN, your guess is as good as mine!