Data privacy and data security are two sides of the same coin, inseparable. Despite experts' efforts to explain this, the misconception that they work against each other is still widespread. At the APAC Cyber Security Summit held on 3 June 2016 in Kuala Lumpur, attended by more than two hundred regional participants, I made another attempt to explain this: how protecting one's data privacy contributes to a larger information security practice. Not coincidentally, one can see it from the other side: to afford maximum protection of one's privacy, efforts must be taken to secure one's data. Thus, data security is part of a bigger personal data privacy protection. Confused? Don't be.
The truth is, personal data management does include protecting its confidentiality, integrity and availability. Doing so means ensuring that the privacy and the security of personal data go hand in hand.
In a report released by PricewaterhouseCoopers (PwC) in 2016 on Personal Data Use Governance – Mitigate Risk while Unlocking Business Value, there is a shift (or, more suitably, an expansion) of the personal data risk landscape from merely a security and regulatory issue to an intersection of ethical, regulatory, litigation, security and service quality issues.
At this conference, I highlighted the latest status and implementation of the Malaysian Personal Data Protection Act 2010 and tried to show how the new regulatory framework reshapes the landscape of information security in Malaysia.
The points can be summarised as follows:
Perspective #1. PDPA 2010 creates data management principles
Perspective #2. PDPA 2010 spells out the duties throughout data lifecycle
Perspective #3. PDPA 2010 identifies data risks
Perspective #4. PDPA 2010 creates new data offences
Perspective #5. PDPA 2010 creates duty of data due diligence
Contrary to the traditional belief, information is no longer a mere business processing tool. It is now the very asset that has become the commodity of the business itself, more powerful and valuable than any physical asset. This is particularly obvious in the financial and banking industries, where the acquisition of personal data and the adoption of information technology (IT) have transformed both the banking industry and its associated operational risk management.
The demand to protect personal data in the banking industry comes mainly from two factors. Firstly, consumers are increasingly aware of their right to data privacy. The bulk of their data, such as personal and family details, financial information, credit history, employment records or legal matters, is now the target of many predators who wish to acquire it for their own benefit, ranging from unsolicited direct marketing, loyalty programme recruitment and credit card applications to malicious intent such as identity theft and fraud (including "phishing").
This is a court decision that will attract many who are curious about the law on invasion of privacy in Malaysia. The timing could not be more intriguing, now that the first privacy-related legislation has recently been passed in the form of the Personal Data Protection Act 2010. No, the Act was not applied in this case (yet?), nor could it have been, because the Act is still not in force. The case was instead dealt with under the civil law of torts.
As reported by the Sun Daily (3/9/2010), Judicial Commissioner Chew Soo Ho, sitting in the Penang High Court, heard this suit brought by a female writer against the doctors who were involved in a haemorrhoid surgery back in 2006. The point of concern was that a doctor had taken photographs of her private parts while she was unconscious, without obtaining her prior consent.