In the past week alone, I spoke about the personal data protection law at two Malaysian public universities; Universiti Sultan Zainal Abidin (UniSZA) Kuala Terengganu and Universiti Malaysia Pahang (UMP) Pekan. While the former was an internal programme, the latter talk was attended by other public universities’representatives who were members of Majlis Tatatertib dan Disiplin Universiti-universiti Awam Malaysia (MATDUM).
In this post, I would like to note some discussions we had on the implementation of the Personal Data Protection Act 2010 at the University environment.
The education industry is indeed among those where personal information is highly processed. The data subjects include students (prospective, actual and graduates), university’s employees, as well as any individuals involved in the data processing.
Transferring personal data beyond national boundaries has been a point of contention under many data protection laws across the globe. The European Union adopts this restriction that such transfer beyond EU boundaries cannot be done unless to the countries or places which have adequate protection on personal data of individuals.
This rule is associated with the concept of “Data Sovereignty” which says that a country shall not lose a control or sovereignty over the processing of personal data pertaining to data subjects from that country. It also imposes that information which has been stored in digital form is subject to the laws of the country in which it is located. Therefore, a control over trans-border data flow is a form of upholding data sovereignty.
The concept of Data Sovereignty is reflected in the EU Data Protection Directives 1995 recitals whereas:
cross-border flows of personal data are necessary to the expansion of international trade;
the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection;
the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited.
As much as we are concerned with personal data transferred beyond our border, we also appreciate that personal data is inherently needed for the International trade and International cooperation. Hence, when a personal data is subject to trans-border flow, there shall be no discriminatory treatment to the citizen’s personal data despite where it is processed.
Data Localisation Law
This data sovereignty is sometimes confused with the rules of “Data Localisation”, which is totally a different thing. Data localisation laws set forth requirements to keep and store data “locally” (i.e., within national or regional borders), and thus not allowing data users to transfer data beyond borders. Consequently, any foreign party who wishes to collect or process personal data of individuals will be required to establish a local data storage facilities in the country of those individuals. Continue reading “Data Sovereignty vs Data Localisation Law”→
The above is the name of the event in Tsinghua University, Beijing, on December 3-4, 2016, where I came as a speaker to the audience consisted of law, media and Internet governance academia and practitioners. Both Beijing-based School of Journalism and Communication of Tsinghua University and the School of Communication of Hong Kong Baptist University (HKBU) jointly organised this event.
The invitation came to me through Dr. Yik Chan Chin of the HKBU, who is with me at the Global Internet Governance Academic Network (GigaNet). Upon few exchanges of emails, I was then invited to come and present my views on the social media regulations in the Malaysian perspective. I must say that the event was really a rewarding experience; filled with substantial discussions, new perspectives and, of course, new friends and network!
Open government is the notion that allows transparency of governments in running matters pertinent to public interests. According to that concept, the government shall allow its citizens an access to government documents and a right to obtaining information relating to public matters.
In Malaysia recently, the Open Government initiative was represented in the Public Sector Open Data Portal programme which was launched in September 2015by MAMPU, a Unit under the Prime Minister’s Department. It declares that the aim of such initiative is to open and share government data to public and hence to enhance transparency and efficiency of government and to create a digital innovativeness.
With this background, the question of how the Government deals with the increasing demand of freedom of information and other challenges ranging from personal data to the government data security is worth examining. I was invited to talk about this at an international conference hosted by Sydney Cyber Security Network, the University of Sydney, Australia. In my presentation, I highlighted a recent initiative of open data in Malaysian public sector and the related challenges on data security, privacy and information surveillance.
I was also looking at the recent developments in Malaysia relating to the enactment of personal data protection law and recent policies relating to critical infrastructure protection. Lessons from cases and incidents surrounding information security and personal data breaches were discussed to trigger discussions on relevant solutions and best practice.
Among the key summary of my talk in Sydney was as following:
Open Government is underway, but more economically-motivated and narrowly looked at “open data”. A long way to the “open government”.
Cyber security governance enhances the security of data in the Malaysian cyberspace. However:
There is a striking imbalance in the legal framework between the protection of secret on one hand, and the freedom of information on the other.
The data privacy law boosts the transparency in the private & commercial sector, but it is a missed opportunity for an open government.
The open government initiative needs to be supported as national agenda, to be backed by a stronger law and national policy.
I was honored to be invited by the University of Sydney to talk about this on November 2016. The event, called “Cyber Security in the Era of Open Government”, sought to identify innovative solutions for improving the security of open government services and their users.
Several keynoters were invited to provide for the best practices from the public and private sectors, both locally and internationally on issues surrounding the cyber security challenges associated with increasing citizens’ access to government data. The preview of the program can be traced in the USyd’s website page here.
The conference was split up into 3 thematic panels:
1. Open Government and Cyber Security in Australia. Three renowned personalities from Australian regulators spoke, namely Tim Pilgrim (Acting Australian Information Commissioner and Australian Privacy Commissioner); Elizabeth Tydd, (NSW Information Commissioner and Head of the Information and Privacy Commission); and Rolf Green, who was the Director of Information, ICT and Digital Government Division, Australian Department of Finance, Services and Innovation.
2. Open Government from Global Perspectives. In this session, I spoke alongside with an American Charles Bell, CEO of Startup Policy Lab (SPL); Dr. Janet Xu, Associate Researcher of the University of Oxford; and the Canadian Dr Khaled El Emam, himself a Professor at the University of Ottawa. I also like to note that this session was chaired by my friend Dr Adam Molnar, a lecturer in criminology at the Deakin University, Victoria, Australia.
3. Privacy, Surveillance and Government Services. This afternoon session presented a speakers from a diverse background, namely Dr. Elizabeth Coombs, NSW Privacy Commissioner; Professor Fleur Johns, Associate Dean (Research) UNSW; Bernard Keane, Crikey’s political editor.
In March, I featured in The Sunday Star (9/3/2014) reporting on the need to establish a “Do not call registry” to protect people’s personal information. The main issue discussed was to scrutinize an initiative to have a DNCR and its operational and legal challenges. The full report can be traced here.
The question that was posed to me was: (1) How good is the idea of DNCR for Malaysian consumers? AND (2) Do you foresee any issues that might arise when they implement this?
Here are my comments:
The PDPA 2010, unlike Singapore’s law, does neither provide nor mandate specifically about Do Not Call (DNC) registry.
I will be speaking on the above topic this week (Tuesday, 18th February 2014) to IT Governance professionals affiliated under the ISACA Chapter Malaysia. I was informed at least one hundred people will be attending.
This will be my first speech on PDPA after the lapse of 3-month grace period set up by the PDP authority in Malaysia. I can foresee the level of enthusiasm from participants is high.
A quick takeaway from a closed session on Students’ Digital Privacy yesterday at Le Meridien KL (June 7th, 2013), I’d like to share what California-based Jeff Gould presented.
The SafeGov.org CEO told the audience of their research findings, among others:
The high significance of Facebook “Like” in profiling the identity of FB users;
Real possibility of identifying a person via DNA reconstruction taken from a gum;
Telco’s effort to provide some form of customer’s surveillance as their enhanced service;
ISP’s role in protecting children privacy through contractual agreements with the users/subscribers
Many things shared which are not new issues but came with novel modus operandi. We just need to be vigilant.
The closed session was attended by representatives from Cybersecurity Malaysia, Parents Action Group for Education (PAGE), FOMCA, Microsoft Corp, India-based CUTS and some local universities. Mr. Rosly Yahil from Cybersecurity Malaysia spoke about various initiatives taken in Malaysian context in dealing with the issues.
Contrary to the traditional belief, information is no longer a mere business processing tools. It is now the very asset that turns to become the commodity of the business itself – becoming more powerful and valuable than any other physical assets. And this is particularly obvious in financial and banking industries where the acquisition of personal data and the adoption of information technology (IT) have both transformed the banking industry as well as the associated operational risk management.
The demand to protect personal data in banking industry comes mainly from two factors. Firstly, the consumers are getting increasingly aware of their right to data privacy. The bulk of their data such as personal and family data, financial information, credit history, employment records, or legal matters are now the target of many predators who wish to acquire them for their benefit, ranging from unsolicited direct marketing, loyalty program recruitment, credit card applications, and even for malicious intent such as identity theft and fraud (or “phishing”).