Malaysia’s alarming approach to citizen data collection

• Failure to review the PDPA leaves citizens vulnerable to exploitation
• Repeated sharing of info with unknown stakeholders felt like an invasion of privacy

Malaysia is the fifth-worst country for personal data protection. This is unsurprising news for a country that implemented its only personal data protection regulation back in 2010. At the time, the Personal Data Protection Act 2010 (PDPA) signalled an important milestone for Malaysia to bridge the gap and protect personal data.

Today, it has failed to keep up with the times and fallen short of safeguarding citizens digital rights and personal information. Efforts to review the PDPA have seemingly stalled despite the increasing importance for a refresh to reflect the current technological landscape including online privacy, data ownership, data protection, and facial recognition policies. A failure to do so leaves citizens’ vulnerable to exploitation.

The Department of Personal Data Protection (JPDP) issued an advisory on the collection of personal data for the purposes of Covid-19 and contact tracing, but the advisory is limited to the collection of data by businesses only. More needs to be done to ensure that citizens data be kept secure at every point – entry, transfer, access and storage.

I recently went through the mandatory fourteen-day quarantine at a quarantine facility in Selangor and must commend the tireless efforts of Malaysia’s Ministry of Health (KKM) in tackling the Covid-19 pandemic. The procedures in place from arrival in Kuala Lumpur International Airport (KLIA) to check-in at the quarantine facility were well-defined. During the quarantine period too, there were clear checkpoints to monitor travellers physical and mental health. However, a lack of awareness on safeguarding data highlighted inefficiencies in day-to-day processes and in data collection of citizens’ information.

Shortcomings of no-tech data collection

From KLIA to our rooms at the facility, four different paper forms were filled containing the same personal and sensitive information. This included one’s full name, National Registration Identity Card (NRIC), home address and mobile number. These forms went to, what I assume to be, three different stakeholders – KKM, the Police Department and the quarantine facility.

Malaysia’s mandatory quarantine came into effect on 3 April 2020 for international travellers and when I arrived, procedures had been in full swing for eight weeks. In that time, more could have been done to implement a systematic collection method that reduced silos, increased efficiency and improved long-term collection and monitoring, especially as sensitive information was collected at every checkpoint. This would have improved processing time and minimised unnecessary physical contact.

Understandably, the global pandemic gave the government little time to organise quarantine procedures and implement new measures pertaining to contact tracing and movement monitoring. A no-tech paper format gets the job done with minimal investment from the government. But, the initial data collection process and the repeated sharing of personal information with unknown stakeholders felt like an invasion of privacy, one where citizens could not opt-out of.

Challenges of tech-enabled data collection

If the no-tech collection raised concerns about where information was going, the tech-enabled collection drove home the point that little thought was given to data protection and security. During the 14-day quarantine period, all health-related information was collected through Google Forms. This included daily self-assessment health checks and a one-off mental health assessment. Every form contained the same personal and sensitive information including NRIC details and mobile numbers.

The use of Google Forms highlighted the unsecure collection of personal and sensitive information. Google Forms is relatively secure to protect self-reported data and is most commonly used for gaining feedback in the healthcare industry. Google Forms however is not secure enough to store information that should otherwise be encrypted such as NRIC details and medical data. This sensitive information should not be accessible to an unknown number of people as it can easily fall into the wrong hands. 

Medical records by nature are confidential but can be disclosed with consent. But during quarantine, consent was the only option. Citizens could not opt-out of disclosing personal and medical information through Google Forms. Repeatedly entering sensitive information on a day-to-day basis also increased the possibility for data leakages. It can be argued that no harm can be done from sharing personal information, but the number of identity theft cases in Malaysia is growing, and can have detrimental effects to an individual. Afterall, NRICs do store biometric details, making it a desirable target for hackers. Citizens need to be more aware of the risks associated with sharing personal information freely and the government needs to facilitate secure practices.

Disregard for citizens personal data highlights huge digital infrastructure gaps in public sector

While Google Forms is the cheapest and quickest way to collect data, it is by far not the safest to collect sensitive information. The disregard for citizens personal and sensitive information felt like a violation of citizens’ rights and highlights huge digital infrastructure gaps in the public sector. In the age of prevalent data breaches and identity theft, the government needs to take more action to protect personal and sensitive information from ending up in the wrong hands.

Research has found that the healthcare and public sector spent the most time in the data breach cycle with an 80% increase in the number of people affected by health data breaches from 2017 to 2019. In Malaysia alone, more than 46 million total data records have been stolen. With identity theft at an all-time high, the collection of data during the quarantine period left me with plenty of concerns about where my sensitive information will end up.

As Malaysia’s MCO will be lifted on June 9 (pending any changes in the upcoming 3pm announcement by the Prime Minister), the mandatory quarantine process may well cease to exist, making these issues seem redundant. However, it is imperative that the Malaysian government reassesses the procedures that were implemented and keep these issues top of mind to ensure preparedness for future challenges. The government needs to invest in three things to safeguard its future in the age of technology – strengthen public sector digital infrastructure to enable better service delivery, reinforce data protection and privacy laws to protect citizens rights, and invest in stronger cybersecurity measures to protect data and enable the digital economy. This will ensure Malaysia’s resilience against future shocks and data breaches, while advancing its position in a hyperconnected world.

Nabila Hassan recently graduated from the School of International and Public Affairs (SIPA) at Columbia University. She is curious about technology for good and passionate about all things Southeast Asia.