First published on LoyarBurok on 11 December 2011
There has been a public outcry on the Computing Professionals Bill. Some of the fears are unfounded while others, quite genuine. Foong Cheng Leong, an IT lawyer and Joachim Leong, a non-practicing lawyer cum Consultant for Denning IT dissect the Bill. In their views, the main concerns lie at how the Critical National Information Infrastructure (CNII) is being widely and ambiguously defined, the powers the Ministry of Science, Technology and Innovation (MOSTI) has over the Computing Professionals Board, the need for government regulation in the information technology industry and its implications on the public at large.
For better or worse, the Malaysian Government has been proactive in regulating the Malaysian Information Technology (IT) industry in recent days. One such example is the amendment of the Electronic Commerce Act 2006 to compel online marketplace operators to maintain proper records of their sellers which could be relied upon for the purpose of investigation by the authorities. And now, the Government is introducing the Computing Professionals Act 2011 (“CPA”). We have obtained a copy of this Act (which is still in a form of a draft Bill). At this juncture, we are unable to confirm the authenticity and veracity of this Bill but we will comment on the CPA based on the document available here. It is noted that this draft bill has numerous omissions such as the Explanatory Statement and the definition of Graduate Membership.
Basically, the CPA provides for the establishment of the Board of Computing Professionals Malaysia and for the registration of computing practitioners, computing professionals, sole proprietorships, partnerships and bodies corporate providing computing services.
Who does it apply to?
The CPA would affect all Malaysian Computing Professionals, Computing Practitioners and Computing Services Provider who are involved with the Critical National Information Infrastructure (CNII) which is defined under CPA 2011 as:
“S. 3. … Those assets, systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on National economic strength or National image or National defence and security of Government Capability to function or Public Health and safety.”
What the CNII is and which area does it apply to (taken from : http://cnii.cybersecurity.my/main/about.html)
Breaking that down, if you are Malaysian and involved in the Malaysian IT industry in the following areas, you should be concerned:
a. National Economic Strength
b. National image
c. National defence
d. Security of Government capability to function; or
e. Public health and safety
Then again, no definition is given to these widely drafted areas. However, Cyber-security has listed down the following as CNII sectors (the list can be obtained here):
• National Defence & Security
• Banking & Finance
• Information & Communications
• Health Services
• Emergency Services
• Food & Agriculture
The sectors above are practically all the important sectors of the Malaysian economy. The coverage of the CNII is far reaching. For example, telecommunication services can be seen as assets, systems and functions that are vital to the nation. We all know that such services are provided by only a handful of companies such as Maxis, Telekom, Digi, Umobile and Celcom. Clearly the incapacity or destruction of the telecommunication infrastructure would have a devasting impact on Malaysia. Does this mean that anyone who is providing computing services these telecommunication companies would need to register with the Board? On this line, does this mean that anyone who providing computing services the aforementioned sectors must register themselves with the board?
It remains to be seen if say AirAsia’s IT provider to its online booking or a boy genius who designs a successful multimillion application will fall within the Act as these can be said to be ‘vital to the nation’ and fall within (a) and (b) if these appear on international media and contribute significant tax dollars to the country . The Ministry of Science, Technology and Innovation has clarified that registration with the Board is not mandatory. Notwithstanding aforesaid, any person providing computing services to CNII must still register themselves with the Board and from the list provided by Cybersecurity, many of our IT professionals are caught by the CPA.
Who is a Computer Professional/Computing Practitioner/Computing Service Provider under the CPA?
Briefly, a Computing Professional is a person with computer science qualification or a person with qualifications recognized by the Board. A Computing Practitioner is a person who has a job function in computing or qualification in computing. A Computing Services Provider a sole proprietorship, partnership or body corporate providing professional Computing services. Regardless of the definition, the CPA basically restricts the provision of computing services to CNII.
How wide is it?
S. 18 of the CPA states that no person or body, other than a Registered Computing Professional who is residing in Malaysia or a Registered Computing Services Provider providing Computing Services shall be entitled to submit proposals, plans, designs, drawings, schemes, reports, studies or others to be determined by the Board of Computing Professionals Malaysia to any person or authority in Malaysia.
Under s. 19 of the CPA, no person shall, unless he is registered as a Registered Computing Professional with the Board of Computing Professionals Malaysia, practice, carry on business or take up employment which requires him to carry out or perform the services of a Registered Computing Professional and be entitled to recover in any court any fee, charge, remuneration or other form of consideration for any professional technology services rendered.
What are the “services of a Registered Computing Professional’ is unclear. However, it can be inferred that services of a Registered Computing Professional is the services of “Computing” which is defined as:- a goal-oriented activity to plan, architect, design, create, develop, implement, use and manage information technology or information technology systems. What amounts to a goal-oriented activity is wide. From the definition, the activities may include implementation of an electronic database, writing computer programmes, web designs, installation of software and hardware, setting up of a computer network, etc. It may also include setting up or maintaining social media pages. Of course, this definition is subject to whether such activities are relevant to a CNII. These sections would effectively force IT professionals and their Companies to accredit themselves with the newly formed Board if they wish to deal with areas highlighted above.
Who is the Board of Computing Professionals Malaysia?
The Board of Computing Professionals Malaysia which is a body corporate established by the CPA to, among others, register and/or regulate computing practitioners and computing professionals.
What is the penalty for contravening the CPA?
Any person, sole proprietorship, partnership or body corporate who contravenes the CPA or any regulations made there under shall be guilty of an offence and shall, where no penalty is expressly provided therefore, be liable, on conviction, to a fine not exceeding twenty thousand ringgit (RM20,000) or imprisonment not more than six months or both.
The Board will require any person to be registered as a Registered Computing Professional to sit for examinations. It seems that the CPA is transforming certain parts of the IT industry into something like the legal industry where only legally qualified individuals can provide legal services.
In theory, this should raise the quality of IT professionals but possibly increase the costs at the same time as IT companies and its staff will have to raise funds to get themselves accredited by the Board. With due respect to other professions, this may not be as practical as other professions like Architecture, Engineering and Law, the IT profession is constantly changing with the adaptation of news systems/applications, networks and coding languages. As such, it is questionable whether the syallabus or accreditation system will be able to adapt to the ever-changing world of IT. Any good IT professional will be able to tell you that one has to update oneself constantly or suffer being left behind. This details of how the Board will operate and how it may favour certain languages/programmes over another may be called into question. This leaves a big question mark over how exactly the Board will carry out its accreditation process.
Preference of Codes/Systems:
Would it is say prefer certain operating systems over others? How would it react to emergence of new platforms or devices (ie: the rise of tablet computing)? Another impracticality of the Act- Let’s say I own a registered IT company under the Act, my company has to hire Registered Computing Professionals and can only provide services that have been accredited under the Board’s register. (Section 15 (4)) So, let’s say I have a colleague who in his spare time tinkers with Android application programming and if I want to let him design an application for a client, my company can be ordered given a slap on the wrist with a warning or even have a suspension of the registration. Such a situation, does not take into account the reality that many IT professionals tinker with code or different projects in their free time but under this Act, will not be able to provide that service within the CNII’s scope unless they are accredited by the Board.
Rationale behind the Act.
At the time of writing to this Article, MOSTI has released a press statement stating the rationale behind the proposed Act:
“Why do we need this Act? The need of this Act is to achieve the following objectives:
• Enhance the value of the profession as it will require registered members to possess minimum levels of qualification/experience;
• Raise professional standards by developing and maintaining a code of conduct for computing professionals;
• Review qualifications offered by other bodies in order to serve as a guide and reference when gauging which certifications are valid and relevant;
• Provide some level of assurance of the quality of computing professionals to employers who hire those who are registered by BCPM;
• Enhance the supply of ICT manpower in the country and help the nation achieve the goals of the New Economic Model in becoming a productive high-income nation; and •
Serve as a central repository of all computing professionals and practitioners in the country.”
While these aims are admirable, it is highly questionable whether the drive should come from government-led regulation as opposed to a self-regulated industry with government grants and incentives. This Bill marks a sharp move towards that direction from the Ministry which has given out loans and grants for IT entrepreneurs.
This will stifle innovation and the Ministry of Science, Technology and Innovation(MOSTI) should note how some innovative companies like Google have a “20% percent” policy to help innovation along. They actually let their staff spend 20% of their time at work to experiment and come up with their own personal projects which eventually adapted by Google. Google News, Google Suggest, Adsense are examples of these personal projects. Will this Act help or further stifling by also having a broad definition of ‘computing’ to include things like planning, architecture, creation and development of IT systems? While one may argue the act provides that people with ‘relevant experience’ may gain accredition from the board but the question – is why do they have to?
The IT industry is filled with hobbyists who tinker with programming code in their free time and gain this experience from their passion and interest – why do they have a Governmental Body say what they do is good enough when their work can be very well shown in the end results of the personal projects. They would argue it would not be fair to compare IT industry to other professions as no one designs building, treats medical patients, dispense drugs or give legal advice as a side activity. Even if you were to go with the idea of the Act is to ensure the quality of IT professionals within Malaysia, this Act creates another layer of unnecessary bureaucracy and its ambiguity may turn IT hobbyists from innovating in their spare time. The greatest minds in the industry such as Steve Jobs, Bill Gates, Steve Wozniak were not even graduates who became the brains behind the giants of the IT industry today namely – Apple and Microsoft. They were dropouts who had an opportunity to flourish in an unregulated ecosystem. This bill will have the opposite effect on our IT industry. If we are to attempt to take a lead in IT, we should take a page from the Silicon Valley where IT professionals are allowed to innovate with little to no regulation.
The Minister and the Board
Given how the Minister has power over the selection of the Board’s president, the Board’s remuneration and able to remove members of the Board. This beckons the question of the independence of the Board which should be peer-led as opposed to be decided by the Government. Comparisons across the different Professions in Malaysia – most are peer led with the exception of the Engineers and this gives rise to concern of political interference in a highly dynamic industry or even the appearance with it can put off people from getting involved in the Industry. Clarification on these areas are greatly needed or better still to move the Board towards a peer-led and peer-chosen Board.
What does it mean for the Public?
While this may increase the quality of IT professionals, it may result in increased costs of IT services for the Government Sector and consequently, the Private Sector as the costs of accreditation will be passed down to the end user. If we are to lead in the IT global industry, we should be looking outward and allowing the flourishing of IT innovation rather than ring-fencing certain industries as listed in the CNII by forcing IT companies/staff to acquire accreditation before being allowed to carry out their services.
Ambiguity, Uncertainty and Arbitrariness
The stifling of innovation is a very real threat as the ambiguity of what exactly the CNII is and the purpose of the CPA Bill is hard to tell from what available information we have. It calls into question whether the scope of the CNII can be changed even without parliamentary input as the criteria for the CNII is decided by a collection of government linked IT bodies and leads to arbitrariness and uncertainty. What if one day, they turn around and decided that E-commerce falls within the CNII’s scope as the more and more people shift their shopping online? What would that mean for the numerous blog shops in Malaysia? Such uncertainty and arbitrariness hangs over the heads of all Malaysians and not just IT professionals.
The ambiguity behind the bill and the lack of consultation is very worrying. While , the fact that the Board’s appointment and numeration is decided by the Minister. It may have wide implications on the IT industry and its reach is currently hard to discern. These writers would recommend that more consultation and above all, self-regulation would be the best to way to go as the IT industry is dynamic and fluid and to regulate would to mean to stifle the fire that kindles it- innovation.
1) Public Consultation – the Ministry of Science, Technology and Innovation is having an open day for the Board of Computing Professionals Malaysia on 13 December 2011 at 930am to 5pm at Dewan Perhimpunan, Aras 1, Blok C4, Kompleks C, Kementerian Sains, Teknologi dan Inovasi, 62662 Putrajaya, Wilayah Persekutuan. This event is open to the public.
2) Petition Against the Bill There also is a current petition against the Bill which can be found here ;
3) Facebook Community Against the Bill can be found here.