©The
Sun (Used by permission)
by Sonya Liew
RECENTLY, I had gyms calling me up on my mobile phone inviting me to participate in their latest promotions. Hotels are doing the same. Are they implying that I am getting fatter and uglier by the day and so must patronise their gyms and spas or are they just conducting a telemarketing exercise?
I hope it is the latter. I am convinced it is. Which worries me – how did they get my details? I had not at any point in time provided my contact details to any of these gyms and hotels. So who gave them my details?
Did they get it from a credit card company? Hospital? The local doctor? Department store (through their membership card database)? Bank? Telephone company?
I can only deduce that it could be any of these, a list which could also include any government department (which of course includes the National Registration Department), airline, travel agent, and yes, hotel or gym.
In this knowledge era, companies, government departments and even individuals are personal data collectors, even if they are not aware of it. This is perhaps due to the fact that we have computers to digitise and store information.
There are many real life instances where personal data may be divulged without the owner’s consent. For example, a newspaper reported just a few weeks ago that a deputy minister had urged civil servants not to leak secret documents, regardless of their position to any third party.
There is also an article in a British daily which reported that a batch of secret government documents were found on a train bound for London on the same day that another batch of secret documents on Al Qaeda and Iraq were handed to the British Broadcasting Corporation after being found on another train. In these instances, personal data may be divulged if the secret documents contain personal details of individuals.
In the private sector, a quick check on the websites of department stores at home and abroad will show that one could be enticed into providing personal data to get membership club cards. The benefits include the right to redeem free gifts ranging from rubber duckies to walkie talkies with points collected through purchases made at the stores. Purchase points are recorded with a swipe of the plastic cards issued to members. Such swipe cards are a means to identify members and manage matters such as membership, purchase points, gift redemptions, etc.
The reality sinks in. In Malaysia, there are numerous personal data collectors that are either entrusted with statutory authority or specifically set up by private companies to collect personal data. I can imagine that these data collectors could sell, manipulate, use without authority and forward any or all of the information that they collect if they have a mind to, without being detected. As an individual, I believe that any of these activities would amount to a breach of my personal privacy, notwithstanding that it may not be so under Malaysian law.
However, I have my reservations on such scenarios taking place on a big scale, especially in regard to government departments. I also doubt that the entities would have a hand in such breaches, although I do not dismiss the possibility of a certain select few of their employees resorting to “making a quick buck” by committing any of the said breaches. This is why I feel paranoid. I do not have any guarantees from the law or otherwise that these scenarios would not take place. There is no pre–emptive mechanism in place to prevent such scenarios from occurring.
Such a mechanism is commonly known as a Data Protection Regime. Malaysia does not have a complete set of laws or an act to put in place such a regime to govern the collection, use, management, administration and release of personal data akin to that in the United Kingdom and the European Union. We had set out with a Data Protection Bill some time in 2001 to achieve this objective. But until today, we are still waiting for the draft bill to be tabled in Parliament.
Ideally a Data Protection Regime must ensure that Malaysians are not subjected to “harassment” or security breaches due to the wanton disregard of their privacy.
An individual’s data has value and is something that should be protected from being misused and abused. An individual’s consent should be obtained prior to his/her information being divulged to another entity unknown to him/her. Also, an individual must be given the right to choose the level of protection that suits him/her, an idea akin to how one sets the security level of one’s browser whilst surfing the Internet. Such practice and culture demonstrates a mature and civic–minded society, wherein due respect is given to private individuals and their privacy.
Until such time as Parliament enacts data protection laws, what can we do? The data collectors may set in place their respective data protection regimes. Implement and practise standard operating procedures that protect the privacy of the data that they collect. And make available at all times a system allowing individuals to enjoy the right to manage the level of security that they prefer.
As for the individual, one could shop. Indeed, go shop for the bank that respects your privacy. Shop at the right department stores. Shop for the airlines that truly appreciate your privacy. As consumers in Malaysia, we have many options, hence we are at liberty to exercise our right to shop. We should exercise such right. As for my exercise regime and the numerous gym offers, no thanks, I think I will stick to the shabby squash court at my apartment building.
Sonya Liew is a member of the Human Rights Committee, Bar Council Malaysia. For more information, see www.malaysianbar.org.my/hrc. Complaints of rights violations may be forwarded to oysim@malaysianbar.org.my for the consideration of the committee. However, we make no assurance that all cases will adopted for action.