OVER the weekend when two women separately recounted their experiences with police officers at roadblocks, the main issue raised has been sexual harassment – and rightly so.
Both women said a police officer had recorded their personal details, including phone numbers. One of the women recounted on social media that she had informed the police officer that she was on the way to buy some groceries. A few minutes later, she received a message from the police officer asking her if she had finished her shopping. He identified himself as the officer who had stopped her at the roadblock.
When she asked if there was an issue, the police officer allegedly replied, “Nothing. Can I get to know you?”
Clearly, the police officer had misused personal information of the woman. If the information had been given to, say, a bank officer in the course of a transaction that is commercial in nature, it would have been protected under the Personal Data Protection Act 2010 (PDPA).
Names, MyKad or passport numbers, personal telephone numbers, home and email addresses and bank account numbers are data protected under the PDPA, which imposes strict requirements on any person (called data user) who collects or processes personal data.
The PDPA also grants individual rights to “data subjects” who are individuals to whom personal data belong. The women above are data subjects. So are we in respect of our personal data.
The PDPA is based on a set of data protection principles that previously applied in the European Union (EU), namely Data Protection Directive 95/46/EC of the EU, which came into effect in 1995. For this reason, the PDPA is often described as “European-style privacy law”.
But that directive, which is much outdated, has been replaced by the General Data Protection Regulation (GDPR) adopted by the EU in April 2016. As such, our PDPA also has an important limitation – it does not apply to the Federal Government and state governments.
By comparison, in the United Kingdom (UK), the Data Protection Act 2018, which implements the GDPR in the UK, applies to “public authority” and “public body” for the purposes of protecting personal data, requiring personal data to be processed lawfully and fairly on the basis of the data subject’s consent or another specified basis, among others. Public authority is defined to include the police.
In Singapore, data management in the public sector is governed by the Public Sector (Governance) Act 2018 and the Government Instruction Manual on IT Management. The former provides for a consistent governance framework across public bodies in Singapore and to support a whole‑of‑government approach to the delivery of services in the Singapore public sector, which includes the police force.
Singapore’s Personal Data Protection Act 2012, on the other hand, applies to the private sector. Note that the Act was passed two years after our PDPA.
Two different legal frameworks governing data management in the public and private sectors are said to be needed because there are different expectations of the services provided by the government and the private sector.
Clearly, there is a need to review personal data protection law in Malaysia if the law is to continue to be described as European-style privacy law, or at least similar to Singapore’s, to govern personal data requiring the same to be processed lawfully and fairly by the government.
HAFIZ HASSAN , Melaka