(Used by permission)
by Giam Say Khoon and Husna Yusop
PETALING JAYA: It has been more than seven years since work began on the Data Protection Bill but Malaysia has yet to enact this crucial piece of legislation to prevent the abuse of personal information.
Over the years, amid concerns from the industry about the obstacles posed by regulation, the task of drafting the bill has shifted from the Ministry of Energy, Communications and Multimedia to the Ministry of Finance.
With one credit reference company now in the spotlight, after several politicians and individuals cried foul over its services, there are renewed calls for the government to speed things up.
The Data Protection Bill was initially supposed to be drafted by the Ministry of Energy, Communications and Multimedia. When contacted, the ministry’s Malaysian Communications and Multimedia Commission chairman Datuk Dr Halim Shafie said the commission used to help in drafting the bill but is no longer involved in it.
In an emergency motion on the issue in Parliament last week, Datuk Mohd Zaid Ibrahim (BN–Kota Baru), who is a lawyer, said there is a need for data protection legislation to regulate companies which sell credit information.
Deputy Finance Minister Datuk Dr Awang Adek Hussin said the ministry had started looking into drafting a data protection bill.
Bar Council chairwoman Ambiga Sreenevasan said the recent controversy over CTOS showed the need to introduce “appropriate safeguards” to personal information.
“Credit reference companies, such as CTOS, must be licensed, controlled and regulated,” she said in a recent press statement.
“They must be made to assume liability for inaccurate reporting that results in loss to any party.
“The Data Protection Bill which protects private information and which was discussed some years ago must be looked at again. Without a regulatory framework, there is a pervasive risk of abuse,” she said.
Countries such as the United States (US) and United Kingdom (UK) have enacted specific legislation to protect privacy and personal information. In the US, there are the Fair Credit Reporting Act 1970 and the Fair and Accurate Credit Transactions Act 2003.
Banks can also obtain personal credit information from Bank Negara’s Central Credit Reference Information System (CCRIS). Asked whether a bank needs the consent of its customers before getting their credit report, Bank Negara corporate communication manager Lee Poh Fong said the bank obtains permission from its customers through the loan application form, which contains a clause under the terms and conditions section.
“Any bank without the permission from the customers is not allowed access to the credit report of the customers,” she told theSun.
However, unlike a private company, CCRIS adopts some procedures guided by the Central Bank of Malaysia Act 1958, the Banking and Financial Institutions Act 1989 (BAFIA) and the Islamic Banking Act 1983 (IBA).
The legal provisions set limitations on access to information and impose penalties to deter unauthorised access, abuse or misuse of the data.
According to its credit bureau website, the bureau gets credit information from lenders, which include all licensed commercial banks, Islamic banks, finance companies, merchant banks and financial institutions.
The bureau sources reference information on the particulars of borrowers from the National Registration Department and the Companies Commission of Malaysia for verification, and the data are updated by the data providers on a regular basis.
Financial institutions using CCRIS data are required to observe banking secrecy under the BAFIA and the IBA. These laws prohibit the institutions from divulging the affairs of their customers – except in legally permitted circumstances, like court proceedings between the customer and financial institution or when disclosure is authorised by law to be made to the police.
The bureau can provide credit information only to help financial institutions evaluate loan applications; it does not provide credit ratings on the applicants’ credit-worthiness.
Financial institutions can access credit information only to evaluate loan applications or update customer records.
The Central Bank of Malaysia Act 1958 also allows the bureau to disclose credit information on a person to himself to verify the information’s accuracy.
The individual should report any inaccurate information, which will be investigated by the bureau and conveyed to the financial institution that provided the disputed information. The institution is required to immediately amend any inaccurate information.
Given all the procedures and limitations in place, one question that crops up is why financial institutions are going to CTOS when there is CCRIS.
Association of Banks in Malaysia chairman Datuk Sri Abdul Hamidy Abdul Hafiz declined to comment on this when contacted.
In past news reports, he had said that banks and financial institutions used only 10% of the information from CTOS for reference and it was not to make decisions.
The Data Protection Act 1998 in the UK specifies that personal data must be:
1. Processed fairly and lawfully;
2. Obtained for specified and lawful purposes;
3. Adequate, relevant and not excessive;
4. Accurate and up-to-date;
5. Not kept any longer than necessary;
6. Processed in accordance with the “data subject’s” (the individual’s) rights;
7. Securely kept; and
8. Not transferred to any other country without adequate protection in situ (in its original place).