By: Sonny Zulhuda*
Information is the lifeblood of today’s business, and corporate citizens could not agree more in the present fiercely competitive world, where the source of power has to be redefined and wealth creation needs to be re-identified. The raw data that in the past just remained in the archives has now become the goose that lays the golden eggs. These golden eggs take the form of valuable information assets, which companies exploit to generate their wealth.
Much of that raw data, however, does not exclusively belong to the companies that retain it. A customer database, for example, may be a collection of personal, financial and commercial information that originally belongs to individuals, either internal parties such as employees and shareholders, or external stakeholders including customers, business partners, and vendors/suppliers. Can companies regard it as their own property? This may be a contentious issue, depending on how the data was initially obtained: where, from whom, and in what manner or circumstances.
The current paper seeks to examine what information-based companies need to be cautious about when dealing with their corporate data, especially data that relates to the personal information of individuals. It views this issue using the framework of internationally accepted information security principles, which include the aspects of data confidentiality, integrity and availability. It also examines the ethical and legal concerns regarding the rights of data subjects whose personal information is retained, used and exploited by the companies.
The thesis with which this paper starts is that corporate behavior regarding the personal data of stakeholders depends heavily on pressure from the law or the authorities. Without such pressure, misuse is increasingly rampant because of the potentially lucrative gains recoverable from information assets. More specifically, this paper proposes to do certain tasks. First, it examines the rise of information assets and their significance for corporate organizations. Secondly, it observes consumers’ concerns over the misuse of their personal data retained by the companies. Subsequently, it analyzes various attempts by governments, notably in the US and European jurisdictions, to control corporate behavior in dealing with personal information. In this respect, the Malaysian state of affairs will also be discussed briefly.
* This paper was presented at the 6th International Conference of Corporate Social Responsibility, 11-14 June 2007, Kuala Lumpur.
Our company, Aylin Secure Shred Sdn Bhd, is the first company in Malaysia that provides on-site document destruction service, and we have been actively promoting our secure destruction services for the past 2 years. The problem with corporations here, which include banks and other government institutions, is that they have a lax attitude when it comes to destruction policies. Until the PDP actually enforces the Act by introducing fines for negligence in breach of information like the ones that we find in other developed countries, companies which handle personal data of their employees and customers will continue to overlook the importance of data destruction. More often than not, even the stakeholders are not too concerned about having a more secure data destruction policy which covers both electronic and paper-based data. I would gladly corroborate with you in any future discussion on this matter.
Dear Rezany, thank you for dropping by. I’m glad that somebody from a niche PDP-related industry like you comes over and shares thoughts and experiences. Data destruction is one important element in implementing the PDP Principle, i.e. the Retention Principle specifically. I also share the same concern about what you said, but honestly I saw some improvement, especially in the banking sector. Well, I am equally happy to build further communication and collaboration with you in the future. Best!