Sunday, 3 May 2009

Pushing for a Privacy Act as it would cover data protection matters

Source - THE STAR ONLINE
WebLink - http://thestar.com.my/news/story.asp?file=/2009/5/3/focus/3820302&sec=focus
Date - Sunday, 3.5.2009

Little protection under the law
MALAYSIA does not have a specific act of law dealing with data protection issues, although a draft version of the Data Protection Bill was released in November 2002.

The Bill never became law for reasons unspecified. The only legal protection Malaysians have is in piecemeal form, in acts such as the Banking and Financial Institutions Act 1989 and the Digital Signature Act 1997.

A good guide for an effective law is the European Union (EU) Data Protection Directive (95/46/EC), which outlines the crucial principles for a comprehensive data protection regime.
Sonya Liew from the human rights committee, Malaysian Bar Council, says: “We have a hotchpotch of legislation, but it does not provide for a holistic regime of data protection. We do not have one act which covers all aspects of data protection.”
“If protection can only be found in piecemeal legislation, how adequate is that?” asks Prof Datuk Khaw Lake Tee, deputy vice-chancellor (development), Universiti Malaya.

In cases where an unscrupulous employee of a financial institution sells data to a collector, what prevents him from selling the information to a third party?
Says Liew, “It is not even illegal; it doesn’t fall under the Bafia, so he gets off scot-free.”
Khaw says that it is possible to look to the common law principle of confidential information for redress.

“If information is disclosed to me in confidence, and I then divulge it to a third party, then I am in breach of confidence. The party receiving the information is also tied up in confidence if he is aware it is supposed to be so,” she explains.

However, Khaw points out that the information must be confidential and asks, “Is a phone number and address considered confidential? Only if it is stored for a specific purpose, and it is used otherwise.”

Says Liew, “Nobody has tried this approach in the (local) courts before and we are inviting judges to be creative if these cases come to court.”

Apart from databases in industries covered by relevant acts, the rest are vulnerable. Liew says that standards of data protection vary from company to company.

“It depends on the standard operating procedure which the company has in the management of its data. In a good data protection regime, all avenues and ways of managing data must be addressed, especially its standard operating procedures, and Malaysia does not have a standard,” she says.

It is possible that certain EU standards can be indirectly imposed on Malaysian companies.
“For example, if I want to do business with an EU company and process data as part of the contract, I am supposed to have a data protection regime that is adequate in the eyes of the directive.

“It is stated in the contract, and as far as EU data is concerned, they are entitled to the full protection. So why is the Malaysian Government not giving us the same standard?” says Liew.
She adds that in order to have a proper data protection regime in Malaysia, much needs to be done.

“Firstly, we are asking for an amendment to the Constitution to enshrine the right to privacy. It is silent on this matter but does that mean we are exempt from it?”

She explains that under human rights principles, everyone has a right to privacy, which is stated in the Universal Declaration of Human Rights (UDHR).

Malaysia has yet to ratify the principal covenants of the UDHR, which is required as a member of the United Nations.

“We are also pushing for a Privacy Act,” she says, as it would cover data protection matters.
Khaw says, “Privacy is a much broader concept than data protection.”

In an article titled “Towards a personal data protection regime” published in the Journal of Malaysian and Comparative Law Malaysia in 2002, she wrote, “Although its ramifications and effects are far-reaching, it should be emphasised that the Bill does not attempt to prohibit the collection, holding or processing or use of personal data; nor does it deal with access to any information collected.

“The proposed law is not a law relating to privacy, as traditionally understood, or freedom of information. Rather, it requires the person collecting, processing, holding and using personal data collected by him to comply with certain prescribed principles.”

But there are major issues to be looked at before the Bill can become law.

“There is the issue of whether the proposed law should also apply to the Government, including state and local governments, and statutory bodies, or should be restricted to the private sector only.

“The Government, through its various registration, tax and other agencies, is one of the largest collectors and custodians of personal data in the country. As such, to exclude it from the ambit of a personal data law would be to deny the underlying objectives of such a law.

“Processes, education, change management and procedures will have to be put in place to ensure compliance with it, which in all likelihood will involve considerable costs, time and resources,” wrote Khaw.

Says Liew, “There are many organisations and entities which will want to stop it. As long as they have to spend money, they will oppose it. Consumers will want protection, but data collectors will not.”
