A RECENT report of a potential data breach at the National Registration Department (JPN) raises concerns regarding the security measures that are in place to protect the rakyat’s data.
The report states that a database of four million Malaysian citizens containing data freshly obtained from JPN and hasil.gov.my (Inland Revenue Board) through the MyIdentity API has been put on sale through an online forum.
Data security must be of a high standard
The government must be held to at least the same standard as private companies, if not higher, when it comes to both data protection and security.
This is especially true for data that is highly personal in nature. JPN, which is in charge of one of the most important databases of personal data in the country, must be held to the highest security standards.
For example, regular penetration testing is one of the most basic measures that every government agency holding personal data should carry out. It should be made clear whether this is currently practised, particularly as the intrusion analyst who first reported these leaks claims that his earlier attempts to alert the agencies were not taken seriously.
Further, the fact that ten different government databases are accessible through a single API suggests that it may not have been designed with the highest security standards in mind. An integration point that reaches ten databases is also a single point of compromise: one abused credential or one flaw in that API exposes all of the data behind it, as the combined JPN and hasil.gov.my records in this case appear to show.
There should be an emphasis on security by design and privacy by design for public digital services.
Transparency is paramount
The fact that MyIdentity depends on citizens voluntarily updating their personal data makes a potential breach even more consequential for public trust.
Trust needs to be earned - people will be less willing to offer their personal data if they cannot be confident in the government’s ability and willingness to protect it.
The most important element in building trust is to be transparent.
Estonia, a world leader in e-government, has illustrated this point time and again by being fully transparent about:
(i) the way they use citizens’ data (use cases), and
(ii) data breaches or other shortcomings.
If the Malaysian government truly wants to provide better digital public services, it would do well to practice this level of transparency.
Invest in cybersecurity, review PDPA
The government’s "Cloud First" strategy and MyDigital policy, which intend to migrate 80% of public data to hybrid cloud systems by the end of 2022, must be accompanied by serious investment in public-sector cybersecurity. We must also review our data protection laws and update the Personal Data Protection Act (PDPA), with particular attention to the question of the PDPA’s applicability to federal and state governments, which are currently exempt from it.
One of the key provisions we need to adopt (made evident by these events) is the requirement to inform data subjects when a breach has occurred.
Whilst it is encouraging to note that the government is keen to create a more digital nation, this can only be done if our digital policies are fit for purpose with sufficient attention paid to data security.
We need assurances, including in the law, that our personal data will be properly secured before further data centralisation takes place. It is only by building trust that people will embrace the necessary digital disruption.
SERI is a non-partisan think-tank dedicated to the promotion of evidence-based policies that address issues of inequality, particularly at the intersection of technology and society. For more information, please visit seri.my