Ways to plug the data leaks
INCIDENTS of data breaches continue to make news in Malaysia. Aside from the numerous locally reported cases, at an international level, this year alone, Malaysia was first alluded to in the Netflix documentary The Great Hack as one of the countries allegedly having engaged the services of the infamous Cambridge Analytica, and more recently cited in a report by Comparitech as ranking 15th out of 20 non-EU countries in terms of privacy protection. Malaysia’s international reputation in this field is fast diminishing.
Malaysia was one of the first countries in the region to enact unique legislation dealing with personal data protection in 2010. However, since it came into force in 2013, little has been heard about its impact. And the last three years have seen some of the biggest data breaches involving personal data in the country, many of which are still unresolved.
Citizens are still feeling the impact of the massive data breach involving Numera (M) Sdn Bhd and the Malaysian Communications and Multimedia Commission (MCMC) in 2017, when 46.1 million telco-related records were compromised.
Malaysians are growing increasingly frustrated that we continue to lag behind in this field while even our Asean neighbours are taking active steps to implement measures that increase data privacy.
In Singapore, legislation creates a Do Not Call registry that allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages using SMS or MMS, and faxes from organisations. Additionally, the legislation permits private legal action if damage can be shown.
The Philippines recognises privacy as a fundamental human right. It imposes considerably high standards of compliance on business and government entities and even subjects antiterrorism surveillance legislation to its requirements.
While noting Malaysia’s inadequacies, we must still recognise that data privacy is a multifaceted problem that requires collective action from all segments of society, including the government, corporations and individuals. With that in mind, we may wish to consider a few aspects that can be improved on by each one of these segments.
From a legislative perspective, there is a definite need to revisit the Personal Data Protection Act 2010. This is already in the pipeline as mentioned by Communications and Multimedia Minister Gobind Singh Deo in March this year. However, one key point for consideration, in light of the difficulty faced in enforcement, would be to afford more powers to the Department of Personal Data Protection (DPDP), including the ability to issue show-cause notices, hold hearings to hear complaints and limited powers to impose fines.
As it stands, after investigations by the DPDP, prosecution of the matter requires the intervention of the Public Prosecutor. This can be a long and arduous process that places an undue burden on the police and the Public Prosecutor’s office. By affording the DPDP these new powers – but retaining for the police and Public Prosecutor the ability for criminal prosecution in cases where malicious intent can be shown – a second layer of enforcement is added allowing for quicker resolution to complaints.
Corporations too play a vital role in directing the course of the conversation on data privacy. Many corporations often overlook the proper implementation of requirements under the Malaysian Data Protection Act. Operating under the mistaken belief that a generic privacy policy is sufficient, businesses open themselves up to the risk of both prosecution and irreparable reputational damage from an unexpected data breach.
The largest percentage of data breaches occur due to human error, ie employees’ mistakes. To avoid this, corporations can undertake various forms of training and privacy management programmes to ensure the whole organisation is aware and up to date on the latest data privacy practices.
Without waiting for legislative requirements to compel corporations to undergo such training, it would be advantageous for all stakeholders if corporations look towards the developing field of privacy management as a core element of their business. In fact, due to many data protection laws imposing liabilities on a principal where a vendor or partner commits a breach, strong data privacy practices are quickly becoming a key indicator for trustworthy businesses in the global business marketplace.
The final pillar of the privacy structure is, of course, the individual’s role. Society’s demand for higher standards is an indicator of maturity in the field which causes regulatory development sooner rather than later. As cumbersome as it may be, we must, as individuals, continue to be vigilant in lodging complaints every time we are faced with a potential breach of our own personal data. Every complaint assists the authorities in developing trends and prosecuting cases.
Leaders in the technology community like Apple’s Tim Cook and Microsoft’s Bill Gates continue to advocate the importance of privacy, stating in no uncertain terms that it is the single most pressing issue under the umbrella of data ethics.
However, in this age of data, privacy is ultimately a mindset. It is clear that, although critical, legislation alone is not the sole solution to this growing threat. Unless there is a shift in our collective mindset as a nation towards addressing this issue, we will fail to recognise the true risk posed by the misuse of personal data let alone solve it.
DARMAIN SEGARAN Petaling Jaya