Towards a Data Protection Act

Information Technology (IT) is not all bells and whistles; like all things man-made, IT comes at a price, a human price. Some people are beginning to find that it can be a bane, sometimes inconvenient, and even intrusive. We discuss here one of the most intrusive and invasive aspects of IT, one that is beginning to leave a lot of people, especially businessmen, exasperated, frustrated, helpless and hapless!

Nobody said the IT revolution was going to be painless; no revolution ever is, though not even as painful as that famously humorous clip of a frustrated computer user violently attacking his computer, on the Astro techTV channel! Unfortunately, for the average man-in-the-street, IT's impact has not been exactly positive, not to mention its contribution to unemployment. But there are issues in IT that are real, some may even say surreal, and must be grappled with.

Pitfalls of IT

For all the hype of E-commerce, online banking and other serious online applications of instant information, IT remains an area littered with disappointments and even nightmarish experiences. A simple electrical breakdown can shut down the best of computer systems and paralyze the best organisations. It is a common experience at airports and banks to hear the magic words "system down," and the greater the computerization, the greater the disruption. But it is a growing process.

IT scamps

It is not merely the threat of cloning of credit cards or online theft of identity. How many of us have not experienced the wrong debiting of our credit card accounts, not merely due to cloning, but from online transactions which have become anything but safe? Or the hair-raising, highly secretive and lucrative stealing of talk-time by sophisticated hand-phone devices, spread across thousands of innocent subscribers, undetected and unnoticed? We are already having trouble with mobile-phone companies running up charges on their computerized billings for unconnected calls! These abuses are part of a growing experience, like computer viruses, a teething process.

E-banking, safe banking?

E-banking, in spite of all the hoopla and promotion by the leading banks, is still an area where even IT aficionados adopt a hands-off policy. The banks do not make it any easier with their disclaimer policies. The banks, even foreign ones, have clearly distanced themselves from any responsibility for fraudulent transactions via E-banking. Therefore, if the mighty banks themselves do not take this leap of faith, what is there to expect from the powerless consumer? No one wants to open his monthly bank statement to find all his balance transferred out in a zap! That is why the potential of E-commerce remains a potential, unless those involved, especially the technocrats, the lawyers, the members of Parliament and the consumer movements, get their act together. All the investments in IT will be just that, investments, and wallow in the realm of virtual reality.

In spite of endless, not to mention costly promotional campaigns by some banks, very few people are brave enough to click the button on their bank account numbers on the Internet, even to peek at their balance! If you cannot convince the computer savvy, the initiated, you haven't a hope in the world with the average bank customer. Remember, at the end of the day, everybody is a customer, a consumer, and everybody needs protection.

Snooping Software

Apart from illegal hackers, there is already software, openly admitted to be used by the "big-boys", that automatically and undetected snoops on your activities on the Internet and reports back to "big-brother", who could be collecting information about you. Of course, all in the name of "marketing." So far, its application is mainly benign and commercial, but you do not need an overactive imagination to see its invasive applications. Your privacy is threatened! Can we stop it? In this age of globalization and technology, it is impossible to totally stop it! But it is possible to control, manage and mitigate its effects.

Data intrusion

This is an area where governmental intervention could bring about some semblance of order in this uncharted area of commercial activity and law, where IT is beginning to impact.

To add further to the negativity, the average man-in-the-street is beginning to experience the adverse impact of IT on his personal life, where his personal and sensitive data is now being tracked, monitored and collected by official and private databases as part of marketing activities and credit-worthiness checks without any regulation.

Proliferation of Databases

It is now very common for Banks and Finance Institutions to make credit checks online, although there are at present only a few official databases providing this service. Of the databases of the Banking and Financial Institutions on their own servers and those maintained by Bank Negara and other government institutions and the private sector, the most well-known are CTOS and CCRIS. Databases will become increasingly intrusive, and not merely confined to financial matters. Beware! Big organisations are beginning to maintain huge databases on their employees, clients and potential clients, culled from unreliable and questionable sources. It is an inevitable development and, by the very nature of the beast, cannot be stopped. This activity has grown exponentially, especially with the growth, development and easy affordability of IT hardware and software, and databases are being exchanged, traded and probably stolen across borders in this virtually borderless age. All sorts of information are getting onto databases; it is an unregulated area!

Before the advent of IT, the effects of data collection were limited, if not attenuated, by physical constraints, just as the reach of nations and cultures was limited by geographical and physical confines. With IT, time and distance have ceased to be impediments, and information now is not only easily available, valuable and powerful but can also be very damaging! It is not merely a true or false context. Information can be oppressive. That is why in advanced jurisdictions there is a growing awareness about the brutality of invasion of privacy. Hence the sprouting up of organisations like Privacy International (a parody of Amnesty International, albeit of data management), to name a few, whose passion is protection against all forms of intrusive data collection. Unfortunately, most of our own so-called NGOs have their own narrow agendas.

Abuses of Databases

The increasing use of online credit checking databases has become a bane to the average consumer, mainly because this is a free-for-all area. To put it bluntly, there is a total lack of transparency.

It is not uncommon that these databases are not properly maintained, leaving consumers whose personal particulars are posted in these databases with no recourse except to the Courts, and even then as the only and last resort.

These issues receive very little publicity, because by its very nature, the victims do not like the glare of publicity, and want to save themselves further embarrassment, even if they have had a nasty experience; and most because of ignorance and inability to resort to legal remedy. They also belong to the category that has no leverage, unlike VIPs and the ilk.

It is a very common experience that personal databases which contain erroneous or seemingly correct entries can cause problems to the average man, not to mention financial ruin to a businessman. For the average man-in-the-street who has been victimised, resorting to the Courts is either an expensive alternative or not an alternative at all. Hence the urgent need for an "ounce" of prevention.

Some databases claim that they just reflect the "actualite" in respect of the subject's financial and credit worthiness, but the "reality" is sometimes very far from what is a fair or even a true picture. We have come across a case where a defendant, sued for vacant possession in a tenancy dispute, had the case particulars entered in his personal data, a clear example of intrusive data collecting.

Development of database law

So far there have been few reported cases in Malaysia where database issues have been litigated by our Courts; there is a dearth of decisions on such issues, and unfortunately those are very narrow rulings. The development of the law is clearly not keeping up with the reach of the technology.

In the case of Soh Chun Seng v CTOS-emr Sdn Bhd, luckily the Court, touching on one of the universal principles of data protection, held that it was the responsibility of the database management to see that the particulars were updated, and opined that the consumer had been wronged, defamed and injured by the failure of the data collector to update the person's particulars. Data collectors do not consider "up-dating" a responsibility. But "up-dating" is not always a remedy.

A case history- nightmare

A case history of an oppressive database entry demonstrates:

Two directors of a limited company were wrongly sued together with their corporate entity. Then, because the service of the writ was obtained by substituted service, and never actually came to the knowledge of the two directors, default judgment was obtained against them. Only when bankruptcy proceedings were taken did the default judgment come to their notice, fortunately. But particulars of the judgment and bankruptcy proceedings had been entered in a credit search database, against their names. In spite of their successfully setting aside the default judgments and the bankruptcy proceedings, the management of the database refused to totally erase all references to the judgments and the bankruptcy proceedings, and totally delete these particulars from the database. It was only prepared to enter the remark "set aside" against the entries. Unfortunately, "setting aside" has a totally different connotation (as any rookie lawyer knows) from a total deletion; it still leaves a nasty if not negative taste to the info, not to mention "credit worthiness." It may even give the impression that the matter is still outstanding.

It can be seen that the offer to enter the expression "set-aside" may be in compliance with the letter of Soh Chun Seng v CTOS-emr Sdn Bhd, but certainly not the spirit. The entries were oppressive and unjust, because the entry should never have been made in the first place, as the directors were clearly wrongly sued! As directors of a limited company, unless they were guarantors, ordinarily they had no personal liability. For that experience, they had to undergo, for over a year, agony, embarrassment, and futile attempts to obtain erasure of the entries, in spite of several lawyer's letters. A pending banking facility was jeopardized. Eventually, after some "persuasion", the unfortunate entries were completely deleted. In the light of clear signals in the landmark decision in P. Vijendran v MBf Country Homes & Resorts Sdn Bhd & Anor, the aggrieved parties could revisit the issue for some remedy!

Hitting the "delete" button is simple enough, but getting a recalcitrant data company management or controller to do so is another matter. But surely, it should not be a jungle out there.

In the case of Ngoi Thiam Woh v CTOS Sdn Bhd & 2 ors. the Plaintiff was not so lucky, and the court refused the grant of an interim injunction to remove the entry pending trial and therefore the continued publication. It can be seen that the common law remedies of defamation may not be suitable or expeditious in the circumstances.

Data Protection

It is high time Parliament passed a Data Protection Act, before more injustices and hardships are inflicted on the innocent public, not to mention before this translates into negative votes in what essentially is a non-partisan issue! Remember the agitation to amend the liabilities of guarantors, which surfaced in the 1994 General Elections, but never translated into legislation and remains a "gray" area, subject of a Bank Negara "guideline" to the Banks.

A mechanism must be set up to control the collection of personal data, and to provide for access, for challenges to, and for appeals to be made against particulars in such databases, especially in circumstances as related above. Individuals whose particulars are entered should have a right to receive due notice, to object and to correct, and a body should be set up to hear appeals against decisions made by the purveyors of the databases. The argument that these are private records just does not hold water and has been totally rejected by civilized jurisdictions.

At the present moment, even to access your own particulars, not to mention to download a hard copy of the entry in respect of a person is almost impossible, unless you know a friendly bank, finance company or a subscriber, prepared to help you. Most financial institutions, apart from giving you the bad news, are not willing to go further! They do not want to get involved! You cannot believe the hassle involved in trying to obtain proof of your own particulars kept by "data controllers." Some people may even be shocked about some of the personal information written about them! There is no protection!

This should not be the state of affairs. The very concept of IT is the cutting edge of technology and transparency, not a primitive jungle, be it a tropical one! Transparency! Why should not a person be entitled to have access to his own particulars to see what is being written about him, when it is available to the public at large, albeit by subscription?

The UK Data Protection Act, 1998

The United Kingdom, as with most progressive jurisdictions, has passed a law to protect individuals from the oppression brought by the storage of personal data, known as the Data Protection Act 1998, which has been in effect since 2001. In accordance with a European Union directive, similar legislation has been enacted by many states in the Union, for example the UK, Italy and Germany.

Eight Principles of Data Protection

The UK Act enunciates the concept of the Eight Principles of Data Protection, and this seems universal. The data must be:

Fairly and lawfully processed;

Processed for limited purposes;

Adequate, relevant and not excessive;

Accurate;

Not kept longer than necessary;

Processed in accordance with the data subject's rights;

Secure;

Not transferred to countries without adequate protection.

Mandatory registration of Data collectors

The provisions of the Act are not confined to IT processing; they include manual records and contain exemptions for certain categories, such as "national security."

Most importantly, the Act requires Data collectors to be registered and criminalizes gathering data without registration. It extends protection to cover facts as well as opinions.

The Act defines a Data Controller and a Data Subject, appoints a Data Protection Tribunal and Commissioner, and also defines personal data and sensitive personal data.

The paramount provision enshrines the rights of a Data Subject (the individual) to have access and input as to the data kept about him, subject to varying degrees of protection as to whether it is "personal data" or "sensitive personal data".

Interestingly, "Sensitive personal data" is defined as data pertaining to-

    1. Racial or ethnic origin.
    2. Political opinion.
    3. Religious beliefs.
    4. Membership of trade unions.
    5. Physical or mental health.
    6. Sexual life.
    7. Commission or alleged commission of any offence.
    8. Proceedings of offences or outcome.

It can be seen from the definition of "sensitive personal data" that it is intended that data collection be not intrusive. In essence the Act is to protect the data subject and to regulate the database in a wide swath of organisations including the Crown. It has nothing to do with passwords or encryption.

Rights of the Data Subject

The most important provisions of the Act are in Part 11, which contains the important "rights of data subjects and others." This provides a right to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller, and to be given a description of (i) the personal data; (ii) the purposes; (iii) the recipients or classes of recipients of the data; (iv) the information constituting any personal data and any information available to the data controller and the source. Most importantly, where the processing is for the purpose of evaluating matters of work performance or creditworthiness, the individual has a right to be informed of, and even to challenge, the "logic" involved in the decision.

It can be seen that the protection afforded by the United Kingdom Act is extensive, and so it should be! It also entitles a subject to prevent data processing in certain circumstances, for instance, for direct marketing purposes.

Power to rectify, block, erase or destroy data

Section 13 even provides for compensation in certain circumstances to individuals affected, without proof of actual damage. More importantly, under section 14 of the Act, the court has extensive powers to order a data controller to "rectify, block, erase or destroy" personal data which are inaccurate. This, it can be seen, accommodates the case history illustrated above, as it envisages that remarks like "set aside" can be totally misleading and unfair.

The Data Protection Act of the UK is a far reaching and complicated piece of legislation, but it is a legislation derived from experiences of the UK 1984 Data Protection Act, which it replaces. This is a piece of legislation, whose time has come.

Time running out

What we are experiencing is the tip of the iceberg. Let us not be indifferent to the effects of data collection and dissemination, and leave it in the hands of businessmen, whose only motive is monetary, without responsibility. Malaysia must immediately enact a similar Act, albeit adapted to local conditions.

Let it not be, that the only recourse for the man-in-the-street, is to take matters into his own hands, like the case history related above, if the authorities that be, continue to turn a blind eye and a deaf ear. The next Data Subject could be, and in fact, is you!

Or are we encouraging the establishment of a sub-culture of computer geeks, setting up a hacker service to penetrate these databases and hit that "delete" button- for a fee? That could be one way of creating employment for our jobless computer geeks at this point of the downturn in the IT industry!

Yeap Ghim Guan ©

3rd April, 2002