AMID recent news on the unconstitutional privacy violations by Malaysia’s Inland Revenue Board (IRB) to access its citizens’ bank account, we wish to raise a number of concerns over the future ability of the Personal Data Protection Commissioner’s office (PDPC) to function independently of government interference.
Section 45 of the Personal Data Protection Act 2010 permits the disclosure of personal information without consent and allows information to be disclosed when required for:
- The prevention and detection of crime.
- The apprehension or prosecution of offenders.
- The assessment or collection of tax or duty or if any imposition of a similar nature.
The PDPC has to date not responded nor published its views to the recently announced Government’s decision to give the IRB access to taxpayers’ bank account details under the latest amendment of Section 106A of Income Tax Act 1967.
It is critical that this Government ensures that Malaysia is future-ready and capable of dominating the global digital economy.
The Government should impose a requirement on the PDPC to consider competition when performing its tasks, including the obligation to cooperate and communicate with other regulators, as well as the authority to prepare a set of strategic priorities that the PDPC must consider in addition to its other authorities.
We further recommend that the PDPC’s existing structure as a sole corporation – a single legal entity consisting of an incorporated office held by one person – be ended, and that an independent board led by a chair, non-executive directors, and a CEO be established at the PDPC’s Office.
The chairperson would be given the title of PDPC in the future.
Those that pertain to ensuring the Commissioner’s powers are effective are welcomed. Despite the widespread support for the measures to change the Commissioner’s constitution, we have serious reservations about a few key suggestions that threaten regulatory independence.
In order for the future Commissioner’s Office to be able to hold the Government accountable, it is critical that its governance model maintains its independence while also being viable within the framework established by Parliament and with effective accountability.
It is critical to have independence within a framework of strict accountability to Parliament. It enables us to regulate without fear of retaliation, and to make decisions on where the Commissioner should intervene or act based on an objective assessment of the harm or possible harm to its inhabitants.
It also gives the people the assurance that their acts are fair and that both the Government and corporations are held accountable.
We’d like to share some further reservations about the legislation’s ideas. For example, we should examine whether legal data processing purposes are overridden by individuals’ fundamental rights and freedoms.
This necessitates greater information on a number of areas, including how the Government defines the nature of various sorts of data processing and how the changes would affect citizens’ rights.
Data protection is not just an academic exercise or the province of regulators or data protection officers. It matters to all of us and has the power to affect every aspect of our lives.
My office will continue to work with the Government to ensure that a data protection framework that works for everyone is in place, and that it is ready to meet the challenges and opportunities that lie ahead.
We are willing to provide support throughout the development of these proposals, and stands ready to implement the reforms that Parliament decides upon.
George Mathews is the principal data privacy & security compliance analyst/data protection officer at NT Business Consulting & Training.
The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
Pic credit: The Edge Markets
