Technology Law Blog

Plugging the Leak in Personal Data Breaches

Incidents of data breaches continue to make news in Malaysia. At an international level, this year alone, Malaysia was first alluded to in the recent Netflix documentary ‘The Great Hack’ as one of the countries allegedly having engaged the services of the infamous Cambridge Analytica and more recently cited in a report by Comparitech as ranking 15th out of twenty non-EU countries in terms of privacy protection. Malaysia’s international reputation in this field is fast diminishing.

It may come as a surprise to many, but Malaysia was one of the first in the region to enact unique legislation dealing with personal data protection in 2010. However, since coming into force in 2013, little has been heard about its impact, presumably because of a combination of factors including lack of awareness amongst the public as to their rights, weak implementation by the corporate sector and limited enforcement by the regulatory bodies. The last three years have seen some of the biggest data breaches involving personal data in the country, most of which are still unresolved.

The causes of these data breaches range from technical errors, as seen in the recent National Neurology Registry leak which compromised 17,000 records, to security flaws, as seen with breaches in the Domestic Trade and Consumer Affairs Ministry, and of course hacking, in cases like University Malaya where the data leaked included EPF numbers and salary information of staff.

The effects of these breaches and specific use of the compromised data are just as varied and in some cases unclear as such data is traded as an illegal commodity behind closed doors. Its uses can be as basic as a marketing list or in some cases can evolve to far more insidious uses such as scams and even blackmail. Citizens are still feeling the impact of the massive data breach involving Numera (M) Sdn Bhd and the Malaysian Communication and Multimedia Commission (MCMC) in 2017 where 46.1 million telco related records were compromised.

With little more than statements that investigations are ongoing, Malaysians are growing increasingly concerned and frustrated that we continue to lag behind in this field while even our ASEAN neighbours are taking active steps to implement measures that increase data privacy. For example, in Singapore the legislation creates a Do Not Call registry that allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations. Additionally, the legislation permits private legal action if damage can be shown. The Philippines enacted its Data Privacy Act in 2012, which recognises privacy as a fundamental human right. It imposes considerably high standards of compliance on business and government entities and even subjects anti-terrorism surveillance legislation to its requirements.

Noting our inadequacies, we must still recognise that data privacy is a multifaceted problem. It involves elements of cybersecurity, privacy and data protection. It also requires collective implementation from all segments of the community including government, corporations and individuals. With that in mind, we may wish to consider a few aspects that can be improved by each one of these segments.

From a legislative perspective, there is a definite need to revisit the Personal Data Protection Act 2010. This is already in the pipeline, as mentioned by YB Gobind Singh Deo, Minister of Communications & Multimedia, in March this year. Since 2013 there have been numerous advancements in the field of data protection which our legislators may wish to consider. These include data sharing policies that provide guidelines on data sharing between government, corporate and other related parties; privacy by design - a concept from Europe that advocates the implementation of privacy at every stage of product and service development; and mandatory data breach notification - which imposes a requirement on entities to report any data breach to the regulatory authority within a fixed period of time. Of course, all of these considerations must sit in line with the business and cultural realities in Malaysia.

However, one key consideration in light of the difficulty faced in enforcement would be to afford more powers to the Department of Personal Data Protection (DPDP), including the ability to issue show cause notices, hold hearings to hear complaints and limited powers to impose fines. As it stands, offences pursuant to the Malaysian Act are criminal in nature. Therefore, pursuant to section 134 of the Act, after investigations by the DPDP, prosecution of the matter requires the intervention of the Public Prosecutor. This can be a long and arduous process that places an undue burden on the police and the Public Prosecutor’s office.

By segmenting offences into different categories, i.e. distinguishing offences involving malicious intent to collect and sell personal data from offences stemming from poor security practices, and allowing the DPDP to directly hear and determine cases in the latter category, the DPDP can speed up the process of investigation and prosecution whilst allowing the police and the Public Prosecutor to focus on the more severe cases of data breaches involving personal data, i.e. those with malicious intent.

Corporations too play a vital role in directing the course of the conversation on data privacy. Many corporations still lack an understanding of the basic principles in the Malaysian Act and often overlook the proper implementation of requirements under the legislation. Operating under the mistaken belief that a generic privacy policy is sufficient, businesses open themselves up to the risk of both prosecution and irreparable reputational damage on account of an unexpected data breach. It is no coincidence that the largest share of data breaches occur due to human error, i.e. employee mistakes.

These errors can be easily avoided with various forms of training, including onboarding training and ongoing privacy risk training, to ensure the whole organisation is on the same page when it comes to data privacy. Without waiting for legislative requirements to compel corporations to undergo such training, it would be advantageous for all stakeholders if corporations looked towards the developing field of privacy management as a core element of their business. In fact, because many data protection laws impose liability on a principal where a vendor or partner commits a breach, strong data privacy practices are quickly becoming a key indicator of trustworthy businesses in the global marketplace.

The final pillar of the privacy structure is, of course, the individual’s role. The community’s demand for higher standards is an indicator of maturity in the field, which brings about regulatory development sooner rather than later. As cumbersome as it may be, we must, as individuals, continue to be vigilant in lodging complaints every time we are faced with a potential breach of our own personal data. This includes calls from errant real estate companies to whom you never provided your number, scam calls, unnecessary collection of your personal data and wrongful distribution of your data to third parties without your consent. Every complaint assists the authorities in identifying trends and prosecuting cases.

Leaders in the technology community like Tim Cook and Bill Gates continue to advocate the importance of privacy, stating in no uncertain terms that it is the single most pressing issue under the umbrella of data ethics. However, in this age of data, privacy is ultimately a mindset. It is clear that, although critical, legislation alone is not the sole solution to this growing threat. Unless there is a shift in our collective mindset as a nation towards addressing this issue, we will fail to recognise the true risk posed by the misuse of personal data, let alone solve it.

This article was previously published in The Star.

Darmain Segaran