Data Privacy

Making MySejahtera compulsory raises privacy, connectivity concerns, say experts

I was asked by FreeMalaysiaToday to comment on the Malaysian Government’s plan to make MySejahtera, a contact tracing mobile application, compulsory in tracing people’s movements. The Malaysian Government has said it is considering making the use of MySejahtera mandatory and doing away with the manual registration of personal data when people access public places.

Meanwhile, a privacy lawyer, Foong Cheng Leong, said the government should ensure that the data collected would only be used for contact tracing and related purposes.

He also wanted a timeline to be set for the data collected to be destroyed.

Foong called for accountability if there was misuse of the data by anyone, including civil servants.

He also raised the issue of the app’s accessibility as not everyone had a smart phone that could have the MySejahtera app installed.

Similarly, he said, not every business in Malaysia would be capable of generating the QR code to be used for the app. “Manual registration must remain to cater to a certain segment of the people.”

He added: “Instead of forcing people to use it, the government should give incentives to those who use the app. A RM50 e-wallet credit to users is a good way.”

Department of Personal Data Protection’s Advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period

The Department of Personal Data Protection has issued an advisory on the collection, processing and storage of personal data by business premises during the Conditional Movement Control Order period (“Advisory”).

According to the Advisory, businesses are only permitted to record minimal information – name, contact number, as well as dates and times of visit – for the purpose of contact tracing. The recordal can be made manually or digitally. It cannot be used for other purposes such as marketing.

The information must be processed for six (6) months after the expiry of the Conditional Movement Control Order (to be announced by the Government of Malaysia). It must be destroyed or disposed of permanently thereafter.

Appendix A of the Advisory provides a sample notice for businesses to adopt in their data collection forms. The notice states that the collection of the details is required under the Prevention and Control of Infectious Diseases Act 1988. Although the Act does not specifically provide for the collection of personal data, s. 31 of the Act gives power to the Minister to make regulations. Reg. 13 of the Prevention and Control of Infectious Diseases (Measures within the Infected Local Areas) (No. 6) Regulations 2020 provides that an authorised officer may request for any information relating to the prevention and control of infectious disease from any person or body of persons. The act of requiring the collection of personal data may be granted by the implied powers under s. 40 of the Interpretation Act 1948 and 1967.

Any business that fails to comply with the Advisory and is found guilty under the Personal Data Protection Act 2010 may be subject to a fine of not more than RM300,000 or jail of not more than two years, or to both. However, it is noted that the Advisory has no force in law under the Personal Data Protection Act 2010.

Prior to the publication of the Advisory, I was asked by The Star to comment on the introduction of an advisory to regulate the processing of personal data by business premises.

In the article “Experts: Safeguards needed for contact tracing info”, I said-

Bar Council Information Technology and Cyber Laws Committee deputy chairman Foong Cheng Leong said this included keeping the data secure, not disclosing it to third parties without consent, and within the purpose of which the data is collected.

Processing personal data in ways that were not compliant with the PDPA could lead to a fine of not more than RM300,000 or jail time of not more than two years, or both.

However, there is a lack of awareness on personal data protection among Malaysians, said Foong.

“I don’t think many people are fully aware of their rights as stated in the PDPA. The custodians who are collecting or holding people’s personal information also have to be aware of their responsibilities and liabilities,” he said.

Further, in the article “Advisory on protecting contact tracing information approved”, I said-

Experts welcomed the decision to introduce an advisory to help protect contact tracing info given by visitors to various establishments.

“It’s good to have a standard approach for businesses that process personal data. It also removes any uncertainty,” said Foong Cheng Leong, the Bar Council Information Technology and Cyber Laws Committee deputy chairman.

He hoped that the advisory would introduce standard operating procedures that are suitable for both small medium enterprises (SMEs) and large businesses.

“It should not be too onerous on businesses especially for small outfits with fewer employees,” he said, suggesting that the government encourage larger businesses like shopping malls to use a designated online platform to register visitors, as it could help to prevent the misuse of personal data.

“The data should only be maintained by a specific department with the sole purpose of aiding the Health Ministry with contact tracing.”

BFM Podcast: PROTECTING OUR PRIVACY

Gobind Singh Deo, Minister of Communications and Multimedia will consider reviewing the 9-year-old Personal Data Protection Act (PDPA) at the “Impact of EU-GDPR in Malaysia and Non-EU Countries” conference.

The act was formulated back in 2010 and since then, there has been a lot of development in the area of privacy and data protection.

We speak to Foong Cheng Leong, who’s part of the Malaysian Bar committee on data protection.

Presented by: Lyn Mak, Sharidz Abdullah and Julian Ng




Right to prevent processing for purposes of direct marketing

Pursuant to s. 43(1) of the Personal Data Protection Act 2010 (PDPA), a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his personal data for purposes of direct marketing.

In this regard, the Personal Data Protection Commissioner has recently issued two (2) template letters for data subjects to use when the latter-

(1) makes a request to a data user to cease the processing of his personal data for marketing purposes; or
(2) files an application to the Commissioner to require the data user to comply with the notice.

Pursuant to s. 43(4) of the PDPA, a data user who fails to comply with the requirement of the Commissioner commits an offence and shall, on conviction, be liable to a fine not exceeding RM200,000 or to imprisonment for a term not exceeding 2 years or to both.

Download:-
(1) Template notice to data user to prevent processing for purposes of direct marketing
(2) Template notice to Commissioner to cease or not to begin processing personal data for purposes of direct marketing.

Notes
1. “direct marketing” means the communication by whatever means of any advertising or marketing material which is directed to particular individuals
2. These templates serve only as a guide.

Public Consultation Paper 1/2018: The Implementation of Data Breach Notification

The Public Consultation Paper (PCP) No. 1/2018 entitled The Implementation of Data Breach Notification is intended to solicit feedback from data users and/or relevant parties pertaining to personal data breach management. Personal data breach has become a global threat. Therefore, in light of this, the Personal Data Protection Commissioner (Commissioner) is going to implement Data Breach Notification (DBN), which is currently being practised worldwide.

Objectives: The implementation of DBN is aimed to assist data users in personal data breach management. Basically, it is a mechanism where data users will give notification, informing the authority and the affected/relevant parties where a breach has occurred in an organization. The DBN serves as proactive steps taken by data users to contain the damage caused by a breach incident. Data users should be able to demonstrate their commitment and accountability when addressing the breach. In addition, the DBN enables the enforcement authorities/regulators to conduct investigation thoroughly, transparently and fairly. The DBN is expected to be implemented by the end of 2018 by way of imposing conditions to the certificate of registration issued by the Commissioner to the data users. In this regard, the Commissioner welcomes the feedback to this paper and suggestions of other criteria (if any) to be set for the implementation of DBN as stated in the consultation paper.

The deadline for submitting your feedback is on the 21st August 2018 (Tuesday). Feedback can be submitted to pcpdp@pdp.gov.my.

Download: Public Consultation Paper 1/2018: The Implementation of Data Breach Notification

Here’s What You Should Know The Next Time Someone Asks For Your MyKad

I was featured in The Malaysian Digest’s article entitled “Here’s What You Should Know The Next Time Someone Asks For Your MyKad” on 22 February 2018.

If Your Identity Is Stolen, It May Be Difficult To Prove Your Innocence

Although the Private Data Protection Act 2010 (PDPA) that protects our data, which is collected for commercial purposes, from being misused by third parties has been enacted, there are limits to how far the law can protect us especially when our data is collected for non-commercial purposes, which is unregulated and open to abuse.

Foong Cheng Leong, founder of law firm Foong Cheng Leong & Co., relayed that when you simply give out your IC number to anyone asking, you are liable to have more of your information collected, which can be used for social engineering such as creating a complete profile about you.

“With a complete profile, one can use it to obtain certain things like services, access to bank accounts, mobile numbers, financial information, email, buildings and further information etc.

“One can also use that profile to obtain information of another person e.g. a person close to you, for example, your spouse’s personal information,” he said.

And when our personal data and identity get stolen, it may not be easy to prove and it will depend on the circumstances.

“But one would have to go through a difficult process of being investigated. He may be arrested, remanded, have his computers and mobile devices seized, privacy invaded etc.,” he said.

Although he has not had any cases involving IC numbers, he has come across cases involving the misuse of identity.

“I had one case where the employee was charged in Court under the Computer Crimes Act 1997 for unauthorised modification of content.

“His office account and internet account were used to delete a database of his employer. Fortunately, we managed to prove that it was not him who did it,” he said.

Foong also said that cases of identity theft are not just a few in the country, as he shared the most well-known case which is the case of Adorna Properties Sdn Bhd v Boonsom Boonyanit.

“The land owner lost her land after it was fraudulently transferred to a third party and subsequently sold to a bona fide purchaser – see https://asklegal.my/p/boonsom-boonyanit-adorna-properties-indefeasible-title-national-land-code-1. Note that the position of this law has changed – see http://www.skrine.com/better-late-than-never,” he shared.

He said that the best way to protect our data is by ensuring that it is always secure and that we control the circulation of our data.
