KUALA LUMPUR – Opposition lawmaker Fahmi Fadzil has mooted a private member’s bill to propose an amendment to the Personal Data Protection Act 2010 (PDPA) that would extend accountability to government and state government entities.
The Lembah Pantai MP told The Vibes this is necessary seeing that there is a worrying increase of Malaysians’ personal data being leaked into the digital sphere, with more incidents involving data managed by government entities.
“Our data governance protocols need to be updated. When PDPA was put together, I don’t think it included the numerous challenges we are facing today.
“As such, I would be in favour of reforming the PDPA to make government agencies, those who are handling our data, and intermediaries to be held accountable as well,” he said.
While the PDPA is designed to protect the personal data of individuals with respect to commercial transactions, the legislation does not apply to government or state governments, as clearly stated in Section 3 of the act.
Fahmi stated that this represents a clear weakness in the law, which has led to a lack of transparency on the overall progress in investigating possible data leaks and their alleged perpetrators.
“This is where there is a lacuna or a weakness in the law. To date, I can’t recall where investigations have led to court convictions and there have not been any major updates on any of these cases.
“This absolute deafening silence on actions, or inaction, definitely affects public perception about how safe our data really is.
“This is where we have to reform. I think I have to consider speaking with my colleagues. Perhaps we have to bring some kind of legal reform, or a private member’s bill so that the government will look into the matter seriously,” he said.
Most recently, IT and cybersecurity expert Suresh Ramasamy reportedly shared on LinkedIn that 2,000 Excel files containing possibly more than 1.7 million personnel data linked to the Pikas programme can be downloaded directly from the Miti website.
Pikas is a public-private partnership immunisation programme aimed at employees in the manufacturing sector, coordinated by the International Trade and Industry Ministry.
The incident prompted Bangi MP Ong Kian Ming, a former deputy minister at the ministry, to criticise the easy access of personnel information of company employees who sign up for the vaccination programme.
The Pikas system has data points such as company names, NRIC/passport numbers, phone numbers and roles in one’s company.
Prior to this incident, news broke last month that hackers had stolen the personal details of some 22.5 million Malaysians from the National Registration Department.
The leak included MyKad numbers, names, dates of birth, home addresses, gender, and registered phone numbers belonging to those born between 1940 and 2004.
The hackers are said to be looking to sell the data for US$10,000 (RM43,870) in bitcoin.
Home Minister Datuk Seri Hamzah Zainudin has since denied that the leak originated from the NRD.
Need to fortify overall data security infrastructure
Fahmi also cited another prominent data leak incident in the past decade, where some 46.2 million personal information was leaked back in 2014.
The data in question was handled by Nuemera (M) Sdn Bhd, which was contracted by the Malaysian Communications and Multimedia Commission (MCMC) to handle Public Cellular Blocking Services.
Despite the incident that occurred back in 2014, news of the data leak only reached the public sphere in 2017.
In 2018, Fahmi had filed a civil suit against both MCMC and Nuemera for their alleged failure to protect personal data under their purview.
The initial police investigation indicated that the leak could have originated from Nuemera but they eventually cleared the firm of any wrongdoing.
The lawmaker had also since withdrawn the suit and there have been no updates on investigations on the data leak.
DAP’s social media bureau chairman and lawyer Syahredzan Johan concurred with Fahmi, but added that there is a need to strengthen the overall data security infrastructure as well.
“I would welcome a review of the PDPA to consider the inclusion of government and state entities. However, I believe the core issue is regarding the data security and integrity of these entities.
“Clearly, there seem to be issues with the security infrastructure of these databases, whether it is technical or human weaknesses. Even if the law is made wider, if the security and integrity are not improved, data leaks will continue to occur.
“By the time the law is used, the data will already be in the wrong hands,” he said to The Vibes.
For context, Syahredzan had also represented Fahmi in his civil suit against Nuemera. – The Vibes, June 4, 2022