By: Sonny Zulhuda
The following is the interview I gave to the Malaysian daily The Star before it was edited and published on November 1st, 2020.
What information is needed for effective contact tracing while providing enough information for the public to protect themselves? Do you think our systems now are effective/sufficient?
In a contact tracing, different dataset is needed for different objectives. In the context of the current pandemic contact tracing, the data needed will be the individual’s name and contact number. These are sufficient for the authority or the premise owner to get back to them and inform them about any incident of a pandemic spread in such premises, which those people have visited recently.
So, for example, if one worker of a supermarket has tested positive, the authority would be able to inform all who have visited such place in the past few days (according to the SOP) about the finding (without disclosing the identity of the infected), so that those people are alerted and able to consider the next action necessary for them.
In Malaysia, just like everywhere else, we are forced to learn fast about all this. The idea of contact tracing is now increasingly understood, I think.
It must be distinguished from surveillance or guilt-finding. Contract tracing is neither surveillance nor censorship. We need to educate people including premise owners so as not to cause hardship or people out of surveillance. People are willing to submit their personal information because they understand the need for contact tracing behind it. I find it good that both governments and citizens are generally now aware about such needs. The systems put in place are largely working well.
How can we improve the security of people’s personal data and protection of people’s privacy?
This is a big concern from time to time. While the idea of contact tracing is already commonly subscribed and supported by people, yet the authority has a huge task to provide necessary processes for the security of the data gathered. These processes involve three fundamental elements: People (we need a sufficient awareness, education and good management), Process (we need a sound, fair and transparent process and procedure in place) and Technology (we need a secure and sustainable system for data governance).
The security task is enormous because we handle the dynamic data of people of the whole nation. But the task is not solely at the Government’s shoulder. Everyone involved in the contact tracing will share some task: The premise owner, the staff in charge of data handling, as well as the individuals who record their own data, both electronically and on a log book.
What are some of the issues we face now in relation to Covid-19 data accumulation and personal privacy?
Firstly, i see there is a lack of respect to the Covid-19 patients’/PUI’s identity. We know that people are all too eager to know who are infected among their neighbourhood or workplace. The moment they got the name or identity, they arbitrarily spread it to others on the pretext to protect other people. The truth is, we can and should minimise disclosing the identities of Covid-19 infected people. Don’t spread them, don’t post their pictures on social media. If you happen to know anything about it, report it to your superior or authority. Let the medical authority and government deal with the matter and take necessary action.
If you hold data about a patient, you should know that such data is sensitive, both in the real world and in legal terms under the PDPA 2010. You do not simply share it or disclose it to others as it can be a privacy breach or a violation of PDPA 2010.
Another issue is the data collection for contact tracing at the premises by way of writing on the log book (hard papers). This practice has to be reduced or minimised, so as not to allow others to misuse those data written by people. First, the data should be minimum. Secondly, the log book must be secure from public view. And third, the person handling the log book must know what to do with that personal data.
As for the contact tracing by way of a mobile App, it is generally a way to go, but not necessarily breach-proof. The government needs to ensure such Apps collect and process the personal data of individuals in transparent, rightful and respectful manner taking into account the privacy of people. Even though the Government is not subject to the PDPA 2010, yet it is desirable to practice the similar data protection principles in their SOP as a matter of best practice and winning the public trust. The fact that there are some third party providers involved in between will make it more necessary to have a strong SOP that conforms with such principles of personal data protection.
How can we extend the same MySejahtera coverage to those without smartphone or digital service?
Well, there is some difficulty to this, unless the premise owner provides a common device where people without smartphones can key in their data to it. I saw some shopping malls had done this. But generally speaking, this is better and safer than asking people to write their data on a paper/log book which is easily accessed by anyone. However, if log books are still required, then they must put in place the necessary precautions as I mentioned above.
How can we limit the misuse of data?
Misuse of data can happen either in transit or in the final storage. In transit means the phase when the data is handled by a third party, a service provider or an apps provider. So, before the data finally arrives at its designated storage (in the case of pandemic contact tracing it should be the Ministry of Health), there is a risk of misuse or breach of such data. This can be prevented or minimised if there is a clear service level agreement that defines particular obligations in relation to the personal data at transit. The 3rd party providers (termed ‘data processor’ in the PDPA 2010) must ensure the integrity, security and confidentiality of those data. And they should now treat those data as if they are theirs.
Meanwhile, another category of data breach risk also exists with the data in final storage. KKM as the authority empowered to deal with the data must ensure they place a secure system of process, people and technology to protect the data from risks of breaches and misuse. Even though the data processed will not be subject to the PDPA 2010, yet the right to privacy of individuals is still standing as a matter of right protected by the common law.
Do you believe that it is time to amend the PDPA and if yes, how?
Yes. Because of the development both from the reality of big data analytics and the international norm of data protection, our PDPA will need to improve. The Government is in fact undertaking some review processes involving industry, regulators, consumers as well as academia. This process has intensively started in 2019 and I was involved in some part too. Among the points raised is about the obligation to report data breach, the need of data protection officers, civil remedies for data subject, and issues involving international transfer of personal data. The process is very well planned and structured, including an open public consultation. I hope we can hear more positive news in the months to come.
What the media and members of the public can help is by taking up more of this issue of data protection to regular talk, discourse and debate so as to create an awareness and the culture of data privacy and security. We also need to spot and speak of more incidents of data breaches when they happen so as to reflect the true state of personal data protection in the country.