MyKad and personal liberties of the citizen
IT was reported in the news last month that the personal details of some 46.2 million mobile number subscribers in Malaysia are at stake in what is believed to be one of the largest data breaches ever seen in the country.
From home addresses and MyKad numbers to SIM card information, the private details of almost the entire population may have fallen into the wrong hands.
With this leak, Malaysians may be vulnerable to social engineering attacks and in a worst-case scenario, phones may be cloned.
To most people this breach of data security means an incident of cyber security, hacking and finiancial loss. However we need to delve deeper as this attack is a threat to our constitutional right to freedom of privacy.
In September 2001, the Malaysian government officially launched a multipurpose smart identification card for its citizens. This card, named ‘MyKad’, incorporates multiple applications with several sets of personal information about the holder of the card.
Given the scope of the applications and the extensive personal information that is and can be stored in the MyKad, the implementation of the MyKad project raises crucial issues about information privacy and the protection of the personal information of Malaysians.
In Malaysia, the national identity card system has been operational since 1949 even before Malaysia attained independence from British colonial rule.
In September 2001, the Malaysian government officially launched a multipurpose smart identification card for its citizens. This smart card, named ‘MyKad’, incorporates in a single card multiple applications with several sets of personal information about the holder of the card.
The MyKad was the world’s first government-backed smart card initiative and it has been heralded as a giant step in information technology both in Malaysia and worldwide.
However, given the scope of the applications and the types of personal information contained in the MyKad, the implementation of the MyKad project raises crucial issues about the privacy and protection of the personal information of Malaysians.
There is no doubt that the MyKad has the main security features that a smart card should have given the present level of technological development.
However, a distinction must be made between security concerns and the information privacy implications of the MyKad. The information privacy implications highlighted in this article arise notwithstanding the use of technologically advanced security features.
This threat to information privacy can only be addressed by a robust legal framework which protects personal information against misuse, whether by the government or other parties.
The existing legal framework may be lacking in this respect and confers little protection on MyKad holders. The current laws may also fail to support or inculcate a basic respect for information privacy as a human right.
All democratic societies must respect information privacy to protect the democratic ideal. Information privacy is one of the universal virtues of a democratic nation that transcends cultural value systems.
If the MyKad is meant to be a tool to better serve the citizens of Malaysia, then the government nedd to take steps to implement a robust and information privacyfocused personal data protection legislation.
Such legislation requires as its foundation the recognition of information privacy as a basic human right, in order to ensure that personal information stored in the MyKad is protected against ‘authorised’ and unauthorised use or disclosure of such personal information.
The right to information privacy as a mechanism for the protection of personal information stored in the MyKad can and should be recognised as a fundamental right protected by the Malaysian Constitution.
5(1) triumphantly declares: no person shall be deprived of his life or personal liberty save in accordance with the law. Then look at Article 8: Equality 8. (1) All persons are equal before the law and entitled to the equal protection of the law.(2) Except as expressly authorized by this Constitution, there shall be no discrimination against citizens on the ground only of religion, race, descent, place of birth or gender in any law or in the appointment to any office or employment under a public authority or in the administration of any law relating to the acquisition, holding or disposition of property or the establishing or carrying on of any trade, business, profession, vocation or employment. According to Mathews Thomas writing in the Melbourne Law Review the Malaysian Court of Appeal has construed ‘life’ and ‘personal liberty’ in art 5(1) read together with art 8(1) of the Malaysian Constitution,it is arguable that a person’s right to information privacy is inherent within the right to life and personal liberty under the Malaysian Constitution.
This right is relevant to the ‘quality of life’ and ‘personal liberty’ of the individual citizen. If the right to information privacy is placed on a constitutional footing, individuals would have recourse to public law remedies for the enforcement of fundamental rights conferred by the Malaysian Constitution.
This would include the award of compensation to citizens whose fundamental rights have been infringed due to acts or omissions by the government says Mathews. Private law remedies would also be available.
A constitutional right to information privacy would not be absolute, but subject to any compelling and overriding national interest.
However, the courts would be able to scrutinise the claim of overriding national interest and not simply accept the public decision-maker’s mere ipse dixit on the question in Tan Tek Seng v Suruhanjaya Perkhidmatan Pendidikan, Sri Ram JCA, with whose judgment Fairuz J concurred, held that the word ‘life’ in art 5(1) did not refer to ‘mere existence’, but ‘incorporates all those facets that are an integral part of life itself and those matters which go to form the quality of life’.
These facets include the right to livelihood and the right to live in a reasonably healthy environment. The right to livelihood and the right to work were held to be guaranteed under the Malaysian Constitution. Sri Ram JCA further held that judges ‘should, when discharging their duties as interpreters of the supreme law, adopt a liberal approach in order to implement the true intention of the framers of the Malaysian Constitution’.
In taking this approach, the Court of Appeal jettisoned the narrow and literal approach previously taken by the Malaysian courts in the interpretation and application of the Malaysian Constitution.
It is therefore incumbent for the Government to treat this serious data breach not just as an issue of cyber security but also and more importantly as an attack albeit digital one on the freedom of its citizenry as guaranteed by the Federal Constitution.