You receive a call from an unknown number, asking whether you would like to rent out your house or perhaps take up a loan. You’re not sure who these people are or how they got your phone number; you haven’t given anyone such information recently. Then it dawns on you: you recently gave your home’s management office your personal details, and somehow your information was passed to other parties without your authorization.
What can you do? What are your rights in this digital age with regard to your digital data? Here’s what you need to know to get up to speed on the Personal Data Protection Act 2010.
My Story with Data Abuse
Long story short, I was filing a complaint with our apartment’s management team, and they requested personal data such as our home unit number, full name and MyKad number. A few days later, homeowners like me who had filed complaints with the management team had our complaints, with all of our unit numbers and MyKad details, published publicly. Is this legal? Definitely not.
So what is considered personal data? Basically, any information that can be used to personally identify you, your whereabouts, your history and your actions. Here’s a list of common examples (not exhaustive):
- Full name
- House and office address
- Phone number
- Car plate number
- Social media profile
- Clothing size
- Purchase history
- Financial data
- Credit/debit card numbers
- Medical records
- Political and religious beliefs
Basically, anything that tells someone else about you is your personal data. With my full name, MyKad and unit number published publicly, my family and I are now suddenly at risk of being harassed, kidnapped, raped or subjected to other forms of criminal activity. I am now easily targeted, as people know exactly where I live. The PDPA protects this data; it protects you.
What did I do?
The first thing I did was contact the management team to have the information taken down. It was about damage control, but you and I both know that once any kind of information is published, digitally or physically, it’s very difficult to control its dissemination. The management team did not respond to my urgency; instead, I was bombarded with questions as to why they cannot do so. Don’t be surprised that there are many ignorant people (regardless of age and job title) who do not understand the implications and risks of releasing other people’s personal data.
Here’s what you need to know before acting:
- Under the Personal Data Protection Act 2010, any entity or organization (hereafter known as the Data User) that wishes to collect any form of personal data is required to register with the Department of Personal Data Protection and acquire a certification authorizing it to do so. My apartment’s management team does not possess such a certificate; first offence.
- Acquiring the certification isn’t enough. A Data User is required to declare exactly what type of data is required, the purpose of its acquisition, the duration of storage and how the data is disposed of upon expiry. The management team failed to do so; hence, its second offence.
- Providing adequate protection for collected data, and demonstrating effort to protect it, is also a must under the Act. Failure to do so will see the Data User prosecuted and brought to court. In my case, the management team also failed in this area, rewarding themselves with the third offence.
- With all the offences committed, the punishment is brutal if found guilty: up to RM500,000 in fines or 3 years’ jail or both for EACH data. Each data is defined as one person’s data in this case. If the party has 1,000 data in place, you could easily do the math.
And here’s what you could do (which I did):
- Capture proof of data abuse: You need either a photo or a screenshot of the leaked data as evidence. If the data is in soft copy, acquire the file and save it somewhere secure to use as evidence.
- Request Data User immediate take-down: This should be your very first step, but if the Data User does not show urgency or respond to your request, follow through on Step-2.
- File a police report first: Head over to the nearest police station and file a police report. Keep things on record so that, when required to appear in court, you have proof that you have done your part.
- File an official complaint with the Data Protection Commissioner: Filing a complaint is simple and direct, and can be done easily through their website or by email. Include the screenshot or photograph as evidence. Describe the incident in detail.
- The Commissioner will then issue a show-cause to the Data User: The Data User is required to respond, and failure to do so within the stipulated time will see an additional offence compounded.
Fighting for your Data Rights
Whether you’re a data owner or a data user, you need to know your rights and protect your data or the data that is entrusted to you. Awareness of the PDPA is low among Malaysians, even among many working professionals, but that doesn’t mean ignorance will provide you with a jail-free card.
If, like me, you have had your data abused by irresponsible parties, gather your evidence and file your report and complaint. It is time to put these people into jail.
Protect your data, protect your family.