The latest personal data breach situation involving Malaysian Airlines Berhad is frustrating but not surprising. Just like many people out there, the Consumers’ Association of Penang (CAP) is of the opinion that the Personal Data Protection Act 2010 (PDPA 2010) should be amended to include stricter regulations and that the authorities should crack down on service providers that flout the law.
In the event of a breach, the regulatory body concerned must make the company/institution accountable and answerable in a public manner. A mere statement or announcement that there has been data breach is not enough. The public especially the victim whose data has been exposed must be given a detailed explanation on how it took place, who was the culprit (where available) and the extent of the breach.
Further to that, we would like to focus on the culture of collecting and sharing personal data in Malaysia. There are two points we would like to address.
One is that companies tend to over-collect their customers personal data. They ask for information that is not even necessary to the functioning of their services. An article in the news addressing this issue stated that service providers should not collect what they do not need to render their services and they must provide reason for why the information is necessary. However, we have known for a while now that information equals wealth in this day and age. The more of your information a company has the better it is for them.
A possible way to combat this is for the PDPA 2010 to be amended so it spells out exactly what information a service provider of a specific industry can collect from their customers, and process and store.
The second factor we must address is our culture of sharing our personal data freely. Many of us do not think of the possible consequences when we give out our full name as per IC, IC number, phone number, home address and email address to whoever for whatever reason.
For instance, when a customer is offered a chance to enter a giveaway at a petrol station because they have spent above a certain amount there. By right, reaching the spending threshold should already be enough for the petrol station to give you a chance to enter the giveaway. All they really need is your name and phone number so that they can contact you if you win. If it is a giveaway only for Malaysian citizens, then you should be able to flash your IC to the cashier who can make a note of it on your application. Yet they insist on collecting all this information and we just give it to them without question.
Do you remember all those forms you had to fill up all throughout your schooling years and how even the simplest forms would require you to fill up your personal information; even though the school already has it? This repetitive action of mindlessly jotting down our personal information on paper throughout our childhood and teen years could be why this culture of oversharing personal data without question is so prevalent in our society.
In brief, we ask that the authorities to amend the PDPA 2010 to limit the kind of information that service providers can collect based on their industry and we caution people to be more mindful of the personal data they are giving and to who they are giving it to.
Letter to the Editor/ Press Statement, 16 March 2021