The Personal Data Protection Act 2010 should apply to the public sector

THE Consumer Choice Centre (CCC) has urged the government especially the Digital and Communications Ministry to consider amending the Personal Data Protection Act (PDPA) 2010 by expanding the application of the act to the public sector.

CCC Malaysia Associate Tarmizi Anuwar said this is necessaru to improve the quality of data security and transparency in the public sector.

“Notably, yesterday’s (Oct 25) 2023 Mid-Year Threat Landscape Report by Cyber Security Malaysia showed that the public sector experienced the highest breach or leakage of information in 1H 2023 at 22%,” he pointed out in a media statement.

Additionally, the public sector is in the second highest place at 28.67% behind the banking sector at 37.65% in terms of the amount of data leaked by sector. This is followed by telecommunications (20.98%), logistics and transport (9.67%) and retail (3.02%).

The existing PDPA 2010 does not apply to the Federal government, state governments and their agencies but only applies to commercial transactions of personal data.

“Currently, any public sector data leaks will be investigated by the Federal and state governments, the National Cyber Security Agency (NACSA) which is under the jurisdiction of the National Security Council (MKN),” shared Tarmizi.

“However, until now there is no clear structure regarding the process to be taken when an information leak occurs in the public sector.”

Moreover, there is no mechanism for individuals to claim compensation when there is a leak in the public sector that causes users to suffer material damage such as financial damage or non-material damage such as loss of reputation or psychological burden, according to Tarmizi.

“We should take the example of the General Data Protection Regulation (GDPR) by the European Union (EU) which is quite comprehensive by taking into account the risk of information leakage in the public sector and the right of users to seek compensation,” he opined.

Commenting on the factors and weaknesses of leaks such as vulnerable software, weak access control, data disclosure and critical issues, Tarmizi suggested that the government improve and enforce the policies and procedures of a public sector organisation’s data protection.

“The public sector needs to upgrade data protection procedures such as controlling access to sensitive data by limiting data access only to certain employees or deleting data that is no longer used to avoid the risk of internal breaches and theft or loss of data,” he opined.

“The public sector also needs to upgrade to safer software with a focus on standards and results rather than fixing any single technology or solution and does not preclude the use of new technologies.” – Oct 26, 2023