When the Personal Data Protection Act (PDPA) was enacted in 2010, it was with the view of protecting the personal data of individuals from the possibly unscrupulous acts of commercial enterprises.
Since Malaysia had (and still has) no laws to protect privacy, the PDPA was seen as quite a progressive law, by Malaysian standards, because it was an effort to address a problem which had the potential to become bigger and more problematic as the economy grew.
The only snag to the Act was that it only applied to commercial transactions. This meant that there were no legal guarantees on the security of any person’s personal data if information was collected for non-commercial purposes — for instance, with the information collected by any of the hundreds of government departments that deal with the public and collect information on them.
While cash still has some use in this country, it may still be possible to conduct basic commercial transactions anonymously; not so with government transactions, for which forms must be filled in every time.
In that sense, then, the PDPA was disappointingly short-sighted, especially in light of the alleged governmental data breaches of the past year. Millions of people’s personal data have allegedly been leaked and sold on the dark web.
And according to this week’s allegation, it is now possible for ordinary people to buy the personal data of any Malaysian via the open Internet. The crooks are getting more brazen! This latest cybersecurity leak allegedly contains information from the National Registration Department and the MySejahtera app.
As with previous discoveries, this discovery was made by a cybersecurity analyst, who then publicly raised the alarm. The alarm has never been raised by the government, because, as evidenced by the government’s response so far, the leak did not come from the government, and, allegedly, the government’s data storage system is impossible to penetrate.
Whether this is true or not cannot be ascertained, because once the relevant minister had made the denial, that is it. End of the story. Except, of course, this story appears to keep churning out sequels at a rapid pace. Even more alarmingly, this latest sequel now makes it possible to find out whether someone is employed in law enforcement or the armed forces, and obtain their residential and contact details, with the keywords being only the person’s name and birth year.
What is the government doing about these serious alleged data breaches? While denying that it is the source, the government has not denied that there has been some sort of data breach. So, what is happening with that? Has anyone working in government been charged? Have any investigations been made? What were the findings, and why haven’t they been shared with the public?
What is most concerning is that there is no accountability for these data breaches, and the government is not showing concern for the public’s safety and security. What is the guarantee that our national data systems are secure, if there is no personal data security law that applies to the government?
It is high time that a proper inquiry is conducted into the matter and the result made public. The PDPA must be amended to extend the scope of the Act, to subject the government to the same expectation of responsibility and privacy. And we, the people, should not accept anything less from our elected leaders.