Views
Jun 6, 2024

Enhancing Data Governance in Malaysia: Prioritising Protections, Accountability, and Efficiency

Author
Dr Rachel Gong
Deputy Director of Research
Key Takeaway

Malaysia is drafting three data regulations to improve personal data protections, government accountability, and data sharing efficiency across government agencies.

The first regulation is the Personal Data Protection Act (PDPA). The current PDPA applies only to commercial transactional data and not in the public sector. An amendment should expand the scope of the PDPA to include personal data managed by the government.

The second regulation is the Freedom of Information Act (FOI Act). An FOI Act upholds the right for citizens to access public sector data for collective good. Access to government data would improve government transparency and accountability and offer new opportunities for research and evidence-based policymaking.

The third regulation is the Omnibus Act. An Omnibus Act could address multiple data governance concerns, including data sharing and cloud storage among government agencies and unified databases such as PADU.

A responsive regulatory environment is needed to keep pace with technological developments. To this end, it is important to develop sector-specific regulations, consult with public interest technologists, and augment the technological expertise of policymakers.


Introduction

Malaysia is drafting three data regulations to improve personal data protections, government accountability, and data sharing efficiency across government agencies. Increasing engagement with public interest technologists and building policymakers' technological expertise, as well as setting sector-specific regulations, can support a responsive regulatory environment.

Tech For Good Institute's (TFGI) report, "Evolution of Tech Regulation in the Digital Economy¹," identifies four common goals of tech regulators in Southeast Asia. In this article, I focus on one of those four goals where there is room for improvement in ASEAN: safeguarding personal data to foster trust. I highlight three data regulations being developed in Malaysia: the Personal Data Protection Act² (PDPA), the Freedom of Information Act³ (FOI Act), and the Omnibus Act⁴.

In general, personal data protection laws regulate the processing of individuals' personal data to prevent misuse or abuse. Meanwhile, freedom of information laws uphold the public's right to access information from its government. An omnibus law, by definition, packages multiple disparate bills into one single act unified in its purpose. In the context of data regulation in Malaysia, the Omnibus Act⁵ was proposed in 2023 as a means of regulating data sharing across all government agencies.

Amending the Personal Data Protection Act (PDPA): Expanding to the Public Sector?

When it was first introduced in 2010, Malaysia's PDPA⁶ was the first personal data protection law in Southeast Asia. Other countries followed, e.g., Singapore and the Philippines in 2012, Thailand in 2019, Indonesia¹⁰ in 2022, and Vietnam¹¹ in 2023. However, while Singapore¹² and the Philippines¹³ have amended their data privacy laws since their inception, Malaysia's PDPA¹⁴ has remained in its original form.

In 2021, the Malaysian government released its Digital Economy Blueprint¹⁵, indicating its commitment to "strengthening data protection and related regulatory frameworks to ensure holistic personal data protection and privacy." This included a target of reviewing the PDPA by 2025. To its credit, the government has concluded its review and proposed amendments to the law¹⁶, which were scheduled to be tabled at Parliament in March 2024.

As it stands, Malaysia's PDPA applies only to commercial transactional data and does not apply to government data¹⁷. Ideally, proposed amendments to the PDPA should include one that expands the scope of the PDPA to personal data managed by the government, as is the case, for example, in the Philippines. Given the amount of personal data, including health and financial data, collected, stored, and accessed by the government, Malaysia's overarching data privacy law should apply to the public sector as well as the private sector.

If this is not to be the case, citizens' personal data that rests in the hands of the government should be protected through other laws, clearly spelled out to the public. In Singapore, for example, the Public Sector Governance Act¹⁸ (PSGA) regulates how government agency officials may share data. Data protections and the right to privacy must be balanced with a need for data access in the public interest, including policy planning, service delivery, and socio-economic growth.

Tabling a Freedom of Information Act (FOI Act): Improving Accountability and Analysis

This is where an FOI Act¹⁹, sometimes called a Right to Information Act (RTI Act), comes in. This act upholds the public's right to access information held by the public sector, enabling individuals and organisations to request and receive data and information from their government. There are, of course, exceptions to data sharing, such as in cases involving government information that would compromise national security. Malaysia has been considering tabling such a law at the federal level since 2018²⁰.

In 2023, Prime Minister Anwar Ibrahim announced²¹ that the Special Cabinet Committee on National Governance had "agreed in principle to the enactment of a Freedom of Information Act to establish clear parameters and guidelines to give the public access to information from public bodies and the government²²." Minister in the Prime Minister's Department (Law and Institutional Reform), Azalina Othman, subsequently said that the introduction of such a law would have to go hand in hand with amendments to the Official Secrets Act²³ (OSA). The OSA²⁴ is currently the law that regulates government data, allowing individual government agencies to unilaterally decide what constitutes restricted, confidential, or secret information.

Globally, FOI Acts have typically been used by journalists, scholars, and activists to access government information to hold public officials accountable for their actions. In 2000, a Thai journalist²⁵ requested and received information under the Official Information Act²⁶ (OIA, Thailand's version of an FOI Act), uncovering large-scale corruption within the Thai government. Subsequently, more restrictive amendments were proposed to Thailand's OIA²⁷, possibly to curtail such use.

An FOI Act would have additional benefits now that public services are turning digital (e.g., electronic tax filing) and public data are being digitised (e.g., public transportation maps and weather pattern data). Access to government data would not only improve government transparency and accountability but also offer new opportunities for research and evidence-based policymaking. For example, access to weather pattern trends²⁸ could enable climate researchers to identify hotspots for heat waves or floods²⁹, facilitating the development of better climate adaptation policies.

Casting a Wide Net with the Omnibus Act: Cross-agency Cloud Computing and Cybersecurity

Data governance is more than a binary of data protection and information freedoms. Data governance is needed all along the data value chain³⁰, and an Omnibus Act³¹ for data governance has the potential to address multiple concerns simultaneously. With the aim of making better data-driven policies, Malaysia's Economy Ministry proposes to unify government data sources across all government agencies³². In principle, this seems sound. In practice, however, there are many complications, such as incompatible databases and data storage standards, potentially increased cybersecurity risks in consolidating personal data using cloud storage and computing, and an assortment of agency-specific data governance circulars and rules that need adjustments.

The Omnibus Act³³ was proposed to resolve as many of these issues as possible. The Omnibus Act is also intended to support the use of the government's Central Database Hub³⁴ (PADU) and facilitate PADU as the default government database going forward. The Act has the potential to play a key role in data governance by promoting open government data by default, streamlining data governance rules across government agencies, and enforcing cybersecurity and data privacy best practices. However, it remains to be seen what exactly will be included in this Act, scheduled to be tabled in 2024³⁵.

Recommendations for a Responsive Regulatory Environment

Governments around the world are increasing their tech regulations to rein in exploitative use of technology. However, technological innovation outpaces lawmaking. As such, it is important to have a responsive regulatory environment that can adapt to changing circumstances.

The following three recommendations can support the establishment and maintenance of a responsive regulatory environment:

1. Develop sector-specific data regulations as necessary

The broad definition of data complicates the regulation of various data types generated and analysed for different purposes. Government or public data, typically collected using public funds, should be regulated differently from intellectual property resulting from private research and development efforts. Consumer data utilised for marketing and advertising should be subject to different regulations than data from health records used for healthcare service delivery or public health policy. Identifying sector-specific data requiring additional protection or oversight against misuse and regulating them separately, such as health data, can facilitate future amendments to these regulations without impacting general-purpose data regulations.

2. Enhance engagement and consultation with public interest technologists

While there's often emphasis on a multistakeholder approach to governance, the third sector, particularly public interest technologists³⁶, is frequently overlooked or underrepresented. Formally, this constitutes an emerging interdisciplinary field seeking socially responsible technology solutions for public benefit. Informally, this field is occupied by civic tech practitioners, citizen scientists, digital rights activists in civil society, and researchers and lobbyists in industry and academia. Increased engagement between policymakers and these technological experts can enhance assessments and adjustments of tech regulatory environments, contributing to capacity building among policymakers.

3. Augment the technological expertise of policymakers

Just as public policymakers find it useful to be versed in income inequality and trade tariffs, familiarity with technological issues like cross-border data flows and algorithmic management can be equally beneficial. Well-informed and technology-savvy policymakers and their staff are better equipped to address challenges stemming from competing interests around technology adoption. Consultations and partnerships with regional counterparts, as part of initiatives like the ASEAN Framework on Digital Data Governance³⁷, can complement engagements and consultations with public interest technologists.

References

Alibeigi, Ali, and Abu Bakar Munir. 2020. 'Malaysian Personal Data Protection Act, a Mysterious Application'. U. Bologna L. Rev. 5. HeinOnline: 362.

ASEAN Telecommunications And Information Technology Ministers Meeting (TELMIN). 2018. 'Framework On Digital Data Governance'. Policy Paper.

Ashraf, Shaharudin. 2021. 'Open Government Data in Malaysia: Landscape, Challenges and Aspirations'. Discussion Paper. Kuala Lumpur: Khazanah Research Institute. http://www.krinstitute.org/Discussion_Papers-@-Open_Government_Data_in_Malaysia-_Landscape,_Challenges_and_Aspirations.aspx.

Bernama. 2023. 'Rafizi: Govt to Table Omnibus Act for Better Data Management'. Malay Mail. 19 June 2023. https://www.malaymail.com/news/malaysia/2023/06/19/rafizi-govt-to-table-omnibus-act-for-better-data-management/75193.

---. 2024. 'Omnibus Act Will Be Enacted This Year, Says Nor Azmie'. The Star. 2 January 2024. https://www.thestar.com/my/news/nation/2024/01/02/omnibus-act-will-be-enacted-this-year-says-nor-azmie.

Bloomberg. 2021. 'Prasong Lertratanawisute Bloomberg'. 2021. https://www.bloomberg.com/news/articles/2001-07-01/prasong-lertratanawisute.

Chongkittavorn, Kavi. 2021. 'Thailand Tightens Information Law'. 25 May 2021. https://www.eria.org/news-and-views/thailand-tightens-information-law/.

DLA Piper. 2024. 'Law in Philippines - DLA Piper Global Data Protection Laws of the World'. 2024. c=PH.

EPU. 2021. 'Malaysia Digital Economy Blueprint'. Policy Paper. Putrajaya: Economic Planning Unit, Prime Minister's Department. https://www.epu.gov.my/sites/default/files/2021-02/Malaysia-digital-economy-blueprint.pdf.

Gong, Rachel. 2022. 'Different Policy Priorities for Different Data Types'. Kuala Lumpur: Khazanah Research Institute.

Government of Indonesia. 2022. Personal Data Protection Act Indonesia.

Government of Malaysia. 2010. Personal Data Protection Act 2010 - Jabatan Perlindungan Data Peribadi. https://www.pdp.gov.my/jpdpv2/laws-of-malaysia-pdpa/personal-data-protection-act-2010/?lang=en.

Government of Singapore. 2012. Personal Data Protection Act 2012 - Singapore Statutes Online. https://sso.agc.gov.sg:5443/Act/PDPA2012.

---. 2020. Personal Data Protection (Amendment) Act 2020 Singapore Statutes Online. https://sso.agc.gov.sg:5443/Acts-Supp/40-2020/.

Government of Thailand. 1997. Official Information Act.

---. 2019. Personal Data Protection Act B.E. 2562 (2019). https://data.thailand.opendevelopmentmekong.net/en/laws_record/2562/resource/ec616be5-9fbf-4071-b4b5-cb1f3e46e826.

Government of the Philippines. 2012. Republic Act 10173 Data Privacy Act of 2012. https://privacy.gov.ph/data-privacy-act/.

Government of Vietnam. 2023. 13/2023/ND-CP in Vietnam, Decree No. 13/2023/ND-CP Dated April 17, 2023 on Protection of Personal Data in Vietnam. https://thuvienphapluat.vn/van-ban/EN/Cong-nghe-thong-tin/Decree-No-13-2023-ND-CP-dated-April-17-2023-on-protection-of-personal-data/564343/tieng-anh.aspx.

Griggs, David, Mark Stafford-Smith, David Warrilow, Roger Street, Carolina Vera, Michelle Scobie, and Youba Sokona. 2021. 'Use of Weather and Climate Information Essential for SDG Implementation'. Nature Reviews. Earth & Environment 2 (1):2-4. https://doi.org/10.1038/s43017-020-00126-8.

Ikhsan, Muhammad Izwan, and Lenny James Matah. 2022. 'Enacting Freedom of Information Act in Malaysia: A Cost-Benefit Analysis'. Malaysian Journal of Social Sciences and Humanities (MJSSH) 7 (2):e001297-e001297.

Monihuldin, Mahadhir, Ragananthini Vethasalam, and Martin Carvalho. 2023. 'Amendments to Personal Data Protection Act in Final Stages, Says Deputy Comms Minister | The Star', 12 October 2023. https://www.thestar.com.my/news/nation/2023/10/12/amendments-to-personal-data-protection-act-in-final-stages-says-deputy-comms-minister.

MyGOV. n.d. 'MyGOV - Open Government Data | Policy, Strategy and Governance | Freedom of Information'. Accessed 27 May 2024. https://www.malaysia.gov.my/portal/content/30718.

PMO. 2023. 'Enactment Of Freedom Of Information Act Approved In Principle - PM Anwar'. 14 September 2023. https://www.pmo.gov.my/2023/09/enactment-of-freedom-of-information-act-approved-in-principle-pm-anwar/.

Schneier, Bruce. 2022. 'Public-Interest Technology Resources'. 30 May 2022. https://public-interest-tech.com/.

Sentian, Justin, Carolyn Melissa Payus, Franky Herman, and Vivian Wan Yee Kong. 2022. 'Climate Change Scenarios over Southeast Asia'. APN Science Bulletin. Asia-Pacific Network for Global Change Research.

Sharon, Alita. 2023. 'Malaysia's Omnibus Act: Streamlining Data Sharing for Efficient Governance OpenGov Asia'. 22 June 2023. https://opengovasia.com/2023/06/22/malaysias-omnibus-act-streamlining-data-sharing-for-efficient-governance/.

Tech for Good Institute. 2024. 'Spotlight on Southeast Asia: Evolution of Tech Regulation in the Digital Economy'. Tech For Good Institute (blog). 29 January 2024. https://techforgoodinstitute.org/research/tfgi-reports/spotlight-of-southeast-asia-evolution-of-tech-regulation-in-the-digital-economy/.

Vethasalam, Ragananthini, Martin Carvalho, and Junaid Ibrahim. 2023. 'Freedom of Information Act Needs Amendments to OSA First, Says Azalina | The Star', 30 October 2023. https://www.thestar.com.my/news/nation/2023/10/30/freedom-of-information-act-needs-amendments-to-osa-first-says-azalina.
