MANY experts have also attributed the increasing number of data breaches to the lack of transparency in the handling of personal data.
Chairman of the Bar Council’s Committee on Personal Data Protection, Deepak Pilliai, points out that there is an obvious and general lack of transparency about the measures implemented by public and private sector bodies to protect against unauthorised use and mishandling of personal data. This lack of transparency does not instil confidence or engender public trust in the security of their personal data, and it most definitely needs to be addressed, he notes.
“As such, in relation to the public sector, the government should consider drawing up rules to govern the collection, use and handling of personal data by government agencies. The way to achieve this is to either extend the application of the PDPA to government agencies, or to draw up separate legislation on data protection which would apply to government agencies. Both models have been adopted in other more mature jurisdictions,” he reiterates.
Transparency International Malaysia (TI-M) also urges the government to set a more transparent and sustainable approach towards dealing with data leaks and data breaches as they are a national security issue.
“Firstly, we need a long-term solution for data privacy and security. The problem appears to be recurring and tends to be reported by the press before the government takes any steps to inform the public, whether it involves promises of investigation, or outright denial,” said TI-Malaysia President Muhammad Mohan in a statement.
Secondly, there must be transparency in the data breach and data leak investigations. The investigations previously initiated and currently underway have to do with the national interest.
TI-M also urges the government to transparently share with the public what the findings of the previous investigations are, what action has been taken against those responsible, and what remedial measures have been implemented in the affected organisations or agencies.
The same methodology must be applied to the hilt for investigations in the latest and future data leaks, said TI-M.
Deepak notes that, apart from certain sectors (e.g. the banking and securities sectors), there is currently a general lack of transparency about data breaches suffered by organisations. The PDPA contains no general data breach notification requirement that would oblige data users to notify regulators and affected individuals of data breach incidents suffered by their organisations.
“The introduction of a mandatory data breach notification regime under the PDPA will serve to keep individuals informed of any potential risks that they may suffer as a result of a data breach, as well as enable them to take the necessary mitigation measures in order to reduce their exposure,” he says.
“Apart from this, there is a crying need for a cyber security law in Malaysia which will require critical national information infrastructure (CNII) providers (e.g. banking and finance, telecommunications, health, energy, transportation services) to adhere to certain minimum information security standards and require them to report any breaches of security to the regulator. In my view this is one of the key missing pieces of cyber-legislation in Malaysia and it is a necessary part of the government’s digital economy blueprint and its efforts to digitalise our economy,” he says.