FEBRUARY 15 — On February 11, a woman took to Twitter and related an incident about a policeman who stopped her at a roadblock set up as part of the movement control order (MCO). The policeman had asked her where she was going, to which she said she was on the way to buy some groceries.

The policeman then jotted down all her information, including her identification number, phone number and details of her driving licence. A few minutes later she received a message from the policeman asking her if she had finished her shopping, while identifying himself as the policeman who had stopped her at the roadblock.

When she asked if there was an issue, the policeman replied, “Nothing. Can I get to know you?”

Clearly, the policeman had misused the woman's personal information. If the information had been given to, say, a bank officer in the course of a transaction that is commercial in nature, it would have been protected under the Personal Data Protection Act 2010 (PDPA).
The Personal Data Protection Act 2010 imposes strict requirements on any person who collects or processes personal data. — AFP file pic

Names, IC numbers, passport numbers, personal phone numbers, home addresses, email addresses and bank account numbers are data protected under the PDPA, which imposes strict requirements on any person who collects or processes personal data. Such persons are called data users.

The PDPA also grants individual rights to ‘data subjects’, who are the individuals to whom personal data belong. The woman above is a data subject. So are we in respect of our personal data.

The PDPA is based on a set of data protection principles applying in the European Union but with an important limitation. The PDPA does not apply to the federal government and state governments.

In the United Kingdom (UK), the Data Protection Act 2018 applies to “public authority” and “public body” for the purposes of protecting personal data, requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis, among others.

Public authority is defined to include the police (see Schedule 1, Freedom of Information Act 2000).

In Singapore, data management in the public sector is governed by the Public Sector (Governance) Act 2018 and the Government Instruction Manual on IT Management. The Personal Data Protection Act 2012, on the other hand, applies to the private sector. Two different legal frameworks governing data management in the public and private sectors are needed because there are different expectations of the services provided by the government and the private sector.

Clearly, there is a need to review personal data protection law in Malaysia.

*This is the personal opinion of the writer and does not necessarily represent the views of Malay Mail.