PETALING JAYA: Lax enforcement, resistance to change, and an unwillingness to adopt new ideas are the root causes of the continuous data leaks plaguing the country for several years now, says a highly-placed source.
The source told The Star that the Personal Data Protection Department (PDPD), an agency under the Communications and Multimedia Ministry created to uphold data protection, is not living up to its charter because of the above factors.
It has also failed to exercise its powers to curb data leaks “time and time again”.
The source said data leaks do not solely hinge on the provisions of the Personal Data Protection Act 2010 (PDPA), as popularly believed.
“The primary responsibility of this department is to oversee the processing of personal data of individuals involved in commercial transactions by data users (to ensure) that it is not misused by the parties concerned.
“A data user is like a telco with which we register. It might appoint a data processor, a third party, which is presently not covered by the Act.
“However, with the new amendment soon, this third party will be covered.
“When there is a data leak, everyone immediately points to Cybersecurity Malaysia (CSM), but most don’t realise that they don’t have the legislative authority compared to the PDPD,” the source added.
The department was set up in 2011 immediately after Parliament passed the PDPA 2010 or Act 709.
CSM, which has the infrastructure and technical expertise to handle such matters, has no enforcement powers.
“The director-general of PDPD is also the Commissioner for Personal Data Protection, which based on the law, can delegate power to CSM officers to execute the PDPA on its behalf.
“PDPD also has an adequate budget to appoint experts or officers to enforce the PDPA on a contract basis, but that was also not done.“To top it off, the current enforcement officers inside the department are mostly seconded from the Domestic Trade and Consumer Affairs Ministry, so how do you expect these officers to carry out enforcement when they don’t have the necessary skills set?” the source added.
Compared with Singapore, Malaysia may have passed a data protection act first, but the difference in execution and enforcement has caused the country to lag behind.
The PDPD has also seemingly failed to collect the expected revenue based on audits conducted by the National Audit Department (NAD) in the past few years.
According to the NAD, RM468.88mil could have been collected and channelled to the government’s coffers had enforcement been conducted strictly.
Today, 13 sectors must register as “data users” with the department.
“We are heading towards a digital society, and I foresee more data leaks occurring, but the responsible party has not given its utmost priority to handling these issues.
“Supposedly, these data breaches are under the purview of this department but were handed over to the police due to the lack of expertise by the said department’s officers.
“The police are supposed to be solving crime and they have a lot on their plate right now.
“This department can help the police in an integrated manner, it even has the power to arrest individuals, but no one is doing it,” the source said.
He also said that Malaysia meets all the requirements of a world-class entity but lacks implementation of systems and laws.
He added that this happens when you have “territorial, old-school people who are afraid of change and resist anything good” in the civil service.
“Looking at Singapore, which also has similar laws, we need to ask why we are in this situation,” the source said.
Malaysia has been subjected to several data leaks over the past years, with the most recent one related to the International Trade and Industry Ministry’s Public-Private Covid-19 Industrial Immunisation Programme (Pikas).
In mid-May, a data leak was reported by local tech portal Amanz, where a 160GB-sized database with personal details of 22 million Malaysians belonging to the National Registration Department (NRD) was being sold for US$10,000 (RM43,950) on the dark web.
