IF you have received a telephone call from someone claiming to be an agent of a bank or from Bukit Aman, then you are not alone. Countless others have been on the unfortunate end of the phone. To the authorities, the callers are scammers, but that is an escapist’s answer. If they are indeed scammers, how did they get access to personal details such as MyKad numbers and bank accounts? The details are too convincing. And fear-inducing, too. Are these callers scammers, is not the right question. Instead, one should ask: How did these callers get access to our personal data? This question leads to further questions: Who is giving them access to the data? Are they being sold? Are data users such as banks, telecommunication and manpower companies trading them? According to an article on one website, our personal data are allegedly being sold for bitcoins. The Malaysian Communications and Multimedia Commission (MCMC) said in a statement on Friday that the agency and police are investigating the allegation.
This is not only invasion of privacy, but also theft, pure and simple. The scary thing is personal records contain our names, addresses and mobile phone and MyKad numbers. Just imagine the list of potential abusers of data: entities involved in communications, banking and finance, insurance, healthcare, hotels, transport, education, direct selling, services, real estate, utilities and others. We do not need lawyers to tell us that selling and reselling is not the “commercial” purpose for which the personal data was provided to companies under the Personal Data Protection Act 2010 (PDPA).
It is time the authorities brought errant data users, data processors and other traders to book. Fines and imprisonment are the only answer. Otherwise, the PDPA will lose its long arm, and bite, too. The PDPA is built on principles of protection and security, and we provide our personal data with confidence that these principles will form the foundation for the data to be supplied. Because non-compliance will be punished, we are encouraged to provide them. One of the principles is the requirement that the data user obtain the consent of the data provider if such data are to be used for any other purpose. The data provided can only be processed for a purpose directly related to the “commercial transaction” we are entering. Trading our personal data for bitcoins is not the purpose for which we provided our personal information to, say, a telco. Lawyers will tell us that the PDPA imposes obligations on the data user to do all they can to protect personal data during processing from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Sometimes, data processing is outsourced to third parties by the data user, but one would think the same duty to protect will apply. Have data users taken steps to ensure the security of our data? Who is policing them? The people need answers, not just advice.