KUALA LUMPUR, June 20 — Government agencies must enhance their verification processes to prevent possible abuse, such as the unsolicited registration of Malaysians by the People’s Volunteer Corps (Rela), personal data protection advocates and cybersecurity experts said.
One method is to employ eKYC (Electronic Know Your Customer) solutions, in which government departments and agencies require users to submit documentary proof of identification, said cybersecurity company LGMS director Fong Choong Fook.
“Nowadays, organisations should not just accept simple personal info, they need to ask for additional proof, for example latest pictures, utility bills, etc. to further ascertain the identity of the applicant,” he told Malay Mail when contacted.
Some Malaysians made the news recently when they discovered they were listed as Rela members without their prior knowledge or consent.
Rela has since denied that it was automatically registering Malaysians without their knowledge or consent, and pointed out that the Malaysia Volunteers Corps (Rela) Act 2012 governing the agency specifically states that those wishing to join as members must do so in writing.
It also pledged to review its registration procedures and vowed to take action against those who may have abused Malaysians’ personal data.
Fong suggested that Rela update its registration process, for example by adopting eKYC methods.
“So for registration, Rela should do a more stringent filtering, for example instead of just accepting personal info, they should request more recent details, such as the latest picture of the applicant and proof of residence, such as water bills,” he said.
Right to know
Human rights activist Maryam Lee said the Rela incident suggested a breach of the Personal Data Protection Act in principle, and that Malaysians have a right to know how the agency was dealing with the information already in its database.
“Based on the facts of the case alone, the incident violates key principles of the Personal Data Protection Act (2010), namely the General Principle: Citizens find out that they are enrolled into Rela without their consent, the Notice and Choice Principle: Citizens are not informed that their personal information resides in Rela’s database; the Retention Principle: In Rela’s statement, they are undergoing a “whitening programme” of their membership database to remove lapsed members who they define as members who are inactive for five years or more.
“However, the fact remains that citizens are being registered unknowingly into a paramilitary volunteer programme managed by MOHA, with some citizens reporting that they were registered more than five years ago,” she said, referring to the Ministry of Home Affairs.
Lee said Rela must clarify how it obtained the personal data of those who did not apply as it suggested that at least one party had unauthorised access.
She also said Rela must explain if it was purging its database of this information or simply deactivating the memberships of the unwitting members.
While acknowledging that the PDPA does not apply to government agencies, she said the incident should still be an impetus for the government to review how it handles private data.
“Incidents like these are urgent reasons for an update of how the country approaches privacy and data protection of citizens in a digital era. One way we can do that is through the development of a national action plan for business and human rights (BHR) that Malaysia has committed to; it must consider digital rights and data protection as part of Pillar 1 of the United Nations Guiding Principles BHR — State Duty to Protect Human Rights, to include privacy and data rights protection in electronic government services,” she said.
On June 14, Rela pointed out that the unsolicited member registration may have resulted from a massive membership campaign back in 2012, but did not explain how people were registered without their consent.
Sinar Project co-founder Khairil Yusof also said the incident was an abuse of private information as stipulated under PDPA and a violation of government agencies’ policies on personal data.
Khairil said the incident must also invite questions on other possible abuse of the data including for fraud.
“It is interesting that Rela sources have quoted the year 2012, as that was actually the year PDPA was enacted. So the source may not be from the government,” said Khairil, suggesting that the data behind a potential leak may not have originated from government sources.
“The implications of this are beyond just abuse of private data, but may also be institutional fraud in allocation and use of public funds. For example in the budgeting and procurement of uniforms, equipment etc. as per Rela or Volunteer Corps Bill.
“If the numbers were inflated since 2012 with involuntary sign-ups, how many were involved? If the number was significant, then hundreds of millions of public funds could have been wasted for allocations for numbers that were falsified,” said Khairil.
“Having said that, data leaks by the government are very rare. I can’t recall a single instance of a large data leak from a government database.
“Government agencies and statutory bodies, while not covered by PDPA, do not share personal data freely between each other.
“Some ministries such as health, for example, have even stricter rules when it comes to public health records,” he said.
Home Minister Datuk Seri Hamzah Zainudin said on June 15 that his ministry has ordered Rela to investigate the possibility of data misuse following viral reports of many Malaysians being registered as members without their knowledge.
Yesterday, he disclosed that his ministry has identified those who were unknowingly made members and will be contacting them individually.