The recent massive breach of the personal data of over 40 million individuals, as reported in the media, is a matter of grave concern.
The authorities are to be lauded for immediately commencing investigations upon learning of the breach. It is in the public’s interest that the outcome of the investigation is made public.
The Malaysian Bar has recently been in communication with the Department of Personal Data Protection on enhancing the accountability of entities, private or public, when such a breach occurs. A mandatory breach notification regime is a means of ensuring that when there is a breach of personal data, the relevant entity is obliged to issue a notification of the breach.
Companies and authorities holding personal data are to act transparently in instances of breaches. Informing the individuals whose data has been breached, and the authorities, would be in line with good corporate governance. The introduction of legal provisions to implement such disclosures needs to be studied.
The Personal Data Protection Act 2010 (“Act”), which was implemented in 2013, was the first step towards protecting personal data. Awareness of the rights of individuals under the Act is still lacking despite the efforts by the Department of Personal Data Protection to educate the public. The public is at present still parting with their data where there has not been due compliance with the Act.
The Malaysian Bar is always open to working with the relevant authorities to further improve the legal provisions in order to better safeguard the personal data of individuals.
George Varughese
President
Malaysian Bar
12 December 2017