The recent news report of a potential data breach at the National Registration Department (JPN) raises concern regarding the security measures that are in place to protect the rakyat’s data. The report states that a database of four million Malaysian citizens containing data freshly obtained from JPN and hasil.gov.my (Inland Revenue Board) through the MyIdentity API has been put on sale through an online forum.
1. Data security must be of a high standard
The government must be held to at least the same standard as private companies, if not higher, when it comes to both data protection and security. This is especially true for data that is highly personal in nature. JPN, in charge of one of the most important databases of personal data in the country, must be held to the highest of security standards.
For example, regular penetration testing is one of the most basic measures that should be carried out by all government agencies controlling personal data - it should be made clear if this is currently practiced, as the intrusion analyst who first reported these leaks claims that his previous efforts to inform the agencies about these leaks were not taken seriously.
Secondly, the fact that ten different government databases are accessible through a single API suggests that it may not have been designed with the highest security standards in mind. There should be an emphasis on security by design and privacy by design for public digital services.
2. Transparency is paramount
The fact that myIDENTITY depends on citizens voluntarily updating their personal data makes a potential breach even more consequential for public trust. Trust needs to be earned - people will be less willing to offer their personal data if they cannot be confident in the government’s ability and willingness to protect it. The most important element in building trust is to be transparent. Estonia, a world leader in e-government, has illustrated this point time and again by being fully transparent about (i) the way they use citizens’ data (use cases) and (ii) data breaches or other shortcomings. If the Malaysian government truly wants to provide better digital public services, it would do well to practice this level of transparency.
3. Invest in cybersecurity, review PDPA
The government’s ‘Cloud First’ strategy and MyDigital policy, which intends to migrate 80% of public data to hybrid cloud systems by the end of 2022, must include serious investment in cybersecurity in the public sector. We must also review our data protection laws and update the Personal Data Protection Act (PDPA) with particular attention to the question of the PDPA’s applicability to federal and state governments. One of the key provisions we need to adopt (made evident by these events) is the requirement to inform data subjects when a breach has occurred.
Whilst it is encouraging to note that the government is keen to create a more digital nation, this can only be done if our digital policies are fit for purpose, with sufficient attention paid to data security. We need assurance (including in the law) that our personal data will be properly secured before further data centralisation happens, and it is only by building trust that the people will embrace the necessary digital disruption.
* SERI is a non-partisan think-tank dedicated to the promotion of evidence-based policies that address issues of inequality, particularly at the intersection of technology and society
**The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the position of Astro AWANI.
Astro Awani
Fri Oct 01 2021