Maintaining privacy and control
A digital ID, unlike Mykad, will not require users to be physically present to conduct transactions or create multiple identities for different services.
Nine use cases were given and the participants were asked to pick the top five. They chose:
>> Electronic healthcare records: Patients will be able to access their healthcare records online, including reviewing doctor visits and current prescriptions. They will also be able to share their records with other parties.
>> Government assistance: Citizens will be able to check their eligibility and register for government assistance programmes online. Less paperwork and documentation will be required, and the payment will be automatically banked into their accounts upon identity verification.
>> Government services: A more efficient and integrated e-government system will allow citizens to access various services, including business registration, e-voting and apply for driving licences.
>> Financial institutions: Authentication will be made seamless, allowing users to open bank accounts and perform various transactions such as applying for loans through their phones.
>> Telecommunications sector: A digital ID will eliminate repetitive verification for updating personal details, change of SIM card and when a person forgets the password to an account.
Of the individual respondents, about 30% were from ages 26 to 33 and 25% from ages 18 to 25.
“From the feedback, we can conclude that Malaysians, particularly from the youth segment, are ready to use digital ID as an enabling platform.
“For the public, it would ease the process of verification and authentication of their identities for performing digital transactions,” an MCMC spokesperson said in a statement.
Data protection
Privacy laws have to be improved to assure the public that the best measures are being taken to keep the user’s personal data associated with the digital ID safe, said Bar Council Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong.
He pointed out that the Federal and state governments are not subject to the Personal Data Protection Act (PDPA) 2010.
This meant users cannot take action if their personal data was compromised when using a government service.
“Also, any breach of the PDPA is subject to the discretion of the Commissioner to take action. There is no express provision in the PDPA stating that a victim can go to court to sue through his or her own lawyer,” he added.
To help reassure the public, Foong also wanted the government to consider allowing civil societies such as privacy rights groups and the Bar Council to participate in the development, maintenance and operation of the digital ID.
However, Universiti Sains Islam Malaysia (Usim) cybersecurity and system research unit coordinator Dr Madihah Mohd Saudi felt there are already government agencies in place like the National Cyber Security Agency (NACSA) and MCMC to safeguard the government against threats.
“Digital services sound scary because it’s hard to imagine how they work. But generally, it’s safer than physical services as it leaves a trail of where a user’s data has been and what it was used for,” she said, comparing the Mysejahtera and Selangkah contact tracing apps with writing one’s details in a logbook.
People also have to be given good reasons to adopt a digital ID and assured their data will be handled with the utmost care, said Selangor Task Force for Covid-19 committee member Dr Helmi Zakariah.
His team developed Selangkah for the Selangor state government, and in the privacy statement it’s spelled out that even though the service is not subject to PDPA, it will adhere to the principles and standards of protection offered by the Act.
He said people were okay with their personal data being collected for the sake of safety and normalcy during the Covid-19 pandemic.
“The fact 1.3 million people used the system within one month came down to the timing. I think in any other time it wouldn’t have worked to ask people to scan QR codes, even if it was incentivised,” he said.
Tried and tested
MCMC also studied other countries that have adopted a digital ID system, including Estonia, which is one of the most digitally integrated countries in the world.
Estonia has made 99% of its public services available online, except for marriage, divorce and real estate transactions.
A report by international accounting firm Pricewaterhousecoopers claimed Estonia saved over 1,400 years of working time and 2% of the gross domestic product (GDP) through its digitised public services.
Other countries that have introduced or trialled a national digital ID system, include India, Canada, Morocco and Australia.
Many Indian residents don’t have a valid proof of identity, making it difficult for them to receive government benefits.
To solve this, the Indian government issued digital IDS, which also helped eliminate fake and duplicated identities.
So far 1.25 billion residents have registered for it, making it easier for them to apply for government scholarships and subsidies.
According to MCMC, in Malaysia, 90% of government services are already online.
However, as there isn’t a national digital ID, users are required to register with multiple service providers.
This results in fragmentation and increased cost due to duplication, according to MCMC, which also said the lack of standardisation in identity verification could be a safety and privacy threat.
The experts also felt that it’s only right to make the digital ID optional.
Madihah said it would be best to have all citizens signed up, but in reality, it could be an issue for those without proper Internet connection or are tech illiterate.
“For a start it’s good enough to have a portion of the public sign up first, before enrolling more people,” she suggested.
Foong also agreed, saying that the government should opt for a slower adoption process, adding that more should be made known about the digital ID first.
“We should have the right to know what information will be included and have the right to ask for details to be deleted. Further, we should also have the right to correct and update the information. Basically the rights provided by our PDPA should also be reflected in the digital ID,” he said.
However, Dr Helmi said this control should be limited so it doesn’t adversely affect the functionality of the service.
He gave the example of how Selangkah purges location data it has collected every 30 days, but if users were allowed to delete the data too soon – say in a week – the service wouldn’t be able to function, as Covid-19’s incubation period is at least 14 days.
MCMC said recommendations from the study, which will include implementation model and strategy, will be “escalated to the government soon after the due process has taken place”.