February 01, 2002

You are being exposed!

Delay in personal data protection law gives room for intrusion of privacy


FEBRUARY 1, 2002

Early last year, I received multiple invitations to subscribe to an international news weekly. Then, several months ago, I received another round of mail spamming asking me to subscribe to the same magazine. All these invitations came with a red dart-like ballpoint pen of the kind people use to keep golf scores. I have collected bundles of these trinkets by now, but every time I set sight on them I get goose pimples. How did those guys ever get me? Has my personal data been exposed and compromised?

Somehow, I managed to track down the possible sources that have traded off my personal data without my express consent. The culprits are most likely the financial institutions (FI’s) with which I maintain my credit card and checking accounts. I have assigned different correspondence addresses for my monthly banking and credit card statements. I have also selected different ways to have my name inscribed on my credit cards. For ease of accounting, I have my birth certificate name spelt on my personal cards, and “Jeff Ooi” on my corporate cards. Thus, it is rather easy to catch the culprits who “blew my cover” by looking at how my name and addresses have been captured onto those junk mails. This is the simplest digital trail left behind by the mass transfer of data fields. Using this rule of thumb, I detected two of those junk-mail invitations bearing personal data identical to that used for my personal cards, and another two bearing the data used for my corporate cards.

I had another invitation using the name and address reserved exclusively for my checking account, and another using the details I had given for a charge card that I terminated months ago. Can you imagine this: six junk-mail invitations that sourced my personal data from four separate FI’s I have relationships with, of which three are Malaysia-incorporated foreign-owned banks, and one a local bank.

That’s not the end of it. My other junk-mail invitations came from stables of international trade and news journals that I have subscribed to over the years. All of them shared a common trait: my business address and my designations, past and present.

I believe the trading of customers’ personal data is not limited to the FI’s and the publishers.


I understand there is an industry pact under which a database of defaulters is maintained and shared among the mobile operators. This database is derived from the personal information volunteered by post-paid mobile phone customers when they first signed up with their respective service providers. It is believed that the “churn rate” is high among habitual defaulters who migrate from one operator to another, leaving behind piles of unpaid bills. A few years ago, the mobile operators got together to share this defaulters’ database to bar blacklisted customers from signing with another operator after defaulting on the previous one. This shared database has remained in use ever since. However, I was told that, in most cases, customers’ consent was not obtained before their personal data was shared across networks. The customers originally proffered their personal data to facilitate customer identification and billing. Once this boundary is crossed, it could be argued to be a unilateral breach of the service contract on the part of the database custodian, as the protection of the customers’ personal data has been rendered effectively non-existent.

In tandem with the ongoing development of the Multimedia Super Corridor (MSC), there has been talk for over two years of Malaysia introducing a Personal Data Protection (PDP) law. In Malaysia, the cyberlaws enacted so far are the Digital Signature Act 1997, Copyright Act (Amendment) 1997, Computer Crimes Act 1997, Telemedicine Act 1997, and the Communications and Multimedia Act 1998. The PDP law, positioned as the latest in this series of cyberlaws, has been displayed for public review since 2000. However, for reasons unknown to the public, the draft law remains an unpassed bill. Unfortunately, the draft can no longer be found at the official website of the Ministry of Energy, Communications and Multimedia. We wonder what has become of it so far. The last we heard of the PDP law was in April last year, when Datuk Leo Moggie was quoted as saying it would be ready by March 2002.

As we move towards this target, it would be timely for us to take a look at what the PDP bill entails.

The proposed legislation is intended to protect the privacy of personal data and information, both data physically residing in computer systems and data transmitted over networks and the Internet. It is designed to regulate the collection, possession, processing and use of personal data by any person or organization so as to protect an individual’s personal data and safeguard his/her privacy. The proposed law has a prescribed objective of promoting Malaysia as a communications and multimedia hub where the national adoption of e-based transactions is expected to be high. In this sort of commercial environment, Malaysia must position itself as a preferred trading partner that conforms to international standards of personal data protection, whether the consumers and players are from networked or non-networked industries. Hence, one might ask what data protection principles have been incorporated into the PDP bill.

I notice that, in the Year 2000 version of the PDP bill, the fundamentals that safeguard a consumer’s personal data have been dealt with in broad-based outline. The bill took into consideration issues such as the fair manner in which personal data is collected, the purpose of personal data collection, the accuracy, use and disclosure of personal data, the duration of retention of personal data, an individual’s access to and correction of personal data, and the security of personal data. The Minister is empowered to appoint a Commissioner for Personal Data Protection to carry out the powers and functions assigned to him under this law.

When the bill was made available for public review in 2000, it created rumblings from many sectors, and new perspectives, such as consideration for protection of national and public security interests, were included. The Minister was reported to have said that “while privacy rights would be enhanced with the introduction of a Personal Data Protection law, it is important to recognise that individual privacy rights are never absolute”. This paved the way for lobbying for exemptions by many private and public bodies way before the law became ready for implementation.

Today, it is still not known what the extent and level of exemptions will be, but it has to be cautioned that too many exemptions would render the legislation a toothless instrument. Secondly, though Malaysia has been one of the more prolific countries in introducing cyberlaws, the enforcement of these laws has not kept pace with the speed at which such legislation has been drafted and passed.

That is why I am very much haunted by those dart-like pens I received from parties who exposed my personal data. The personal data protection law is not ready, and many industries are obviously making hay while the sun shines.

For example, I have just reviewed a notice sent by a Malaysia-incorporated foreign bank to its retail banking customers. It says Bank Negara Malaysia requires all participating FI’s to provide credit information, including the status and account details of their customers, for inclusion into a Central Credit Reference Information System (CCRIS). It says this is part of Bank Negara’s ongoing efforts to improve the credit approval process among participating banks, and that “the information, held by the Central Credit Bureau, and will be kept strictly confidential between Bank Negara Malaysia and participating FI’s”.

Nevertheless, the notice also qualifies this by saying that “information disclosed may also extend to guarantor details which a customer may have provided to secure credit facilities granted by the bank”. In addition, as stated in the notice, “the Bank and its officers shall not in any event be liable to its customers, credit applicants or any third party (including guarantors of credit facilities) for any claim, loss, or damage, direct or indirect howsoever arising from any reliance placed on the information provided to CCRIS and irrespective of the nature of any erroneous content”. This is what you call a “Heads I win, tails you lose” situation for the customers.

I can’t help having the feeling that the FI’s are indeed the biggest culprits allowed by Malaysian law to intrude into their customers’ privacy and personal data. We don’t know what else they will do with our personal data if the PDP bill does not become law this year.

This article was originally published in Jeff Ooi’s column in MALAYSIA BUSINESS (February 1, 2002)