By: Sonny Zulhuda
Major legal issues on data privacy in Malaysia were resolved with the introduction of the Personal Data Protection Act (PDPA) 2010. As the main legal framework for protecting the data privacy of individuals, the PDPA regulates the processing of personal data in commercial transactions and provides for matters connected therewith.
Under section 4, “personal data” refers to any “data that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.”
Meanwhile, “commercial transactions” means “any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.”
The enactment of the PDPA is arguably a milestone for the development of e-commerce and e-government in Malaysia, considering that a massive and increasingly valuable amount of personal information is being stored, processed and exploited. However, there is cause for concern in that Parliament has expressly excluded the application of the PDPA to the Federal Government and State Governments in section 3. Commentators opined that this exclusion would have far-reaching implications for the development of data protection law in Malaysia. Nevertheless, it is argued that this law can still help protect the security of e-government in Malaysia in one way or another.
This argument was brought forward in my paper entitled “The State of E-Government Security in Malaysia: Reassessing the Legal and Regulatory Framework on the Threat of Information Theft,” which was presented at the International Conference on Computing and Information Technology (ICCIT) 2012 held by Taibah University in Madinah, Saudi Arabia (11-14 March 2012).
It was argued that, based on its literal expression and the absence of any further qualification, the “exclusion” above concerns the Government as an entity in particular, but not e-government as an activity. It follows, therefore, that if the e-government system and activities are operated directly by a government agency, the law does not apply.
However, if such a system is outsourced to a third party, notably and usually a private entity, such e-government system and activities shall be subject to the PDPA. Therefore, the PDPA still constitutes an important component in the legal framework to secure the Malaysian e-government.
The full conference paper can be obtained from the Conference web-page here. Feel free to download it, and may it benefit everyone.