The People’s Volunteer Corps (Rela) has come under fire recently because some netizens found that they were registered as a member of the corps without their knowledge.
This came after they checked their membership status on the Rela website. Members’ details such as membership numbers and platoon code were shown after entering the IC number to check it. However, the particular page on the website is currently under maintenance after the issue happened.
Without having to verify the identity of the user, it is a convenient way for people to check their membership status and help their relatives or friends to do so as well.
However, does this mean others can also freely access your personal data if they have your IC number? And is this considered a violation of privacy?
At the same time, how many other government websites are indirectly disclosing your personal data by requiring your IC number for access?
Enter an IC number, find out what personal data can be obtained from government websites.
Open data convenient for public to access
In Malaysia, it is not difficult to obtain another person's IC number as it is needed for various forms issued by the public and private sectors. It might even be on display on a company’s working pass for employees. Now, even despatch riders ask for an IC number to confirm the identity of the consignee.
Lawyer Chan Shao Kang told Malaysiakini that even the IC numbers of company directors can be easily obtained through the Companies Commission of Malaysia.
“In Malaysia, IC numbers are not completely confidential. In theory, anyone can obtain our IC number and use it to check on government websites, and access our information.”
However, Chan believes the ability to freely check personal information just by using an IC number is a convenient feature as the user does not need to create or register an account or memorise numerous usernames and passwords.
Another lawyer, Foong Cheng Leong, said the government’s stand on the matter seems to be to allow free access to others' data for certain purposes based on the personal data published on government websites.
“Take traffic summonses as an example, banks or potential second-hand car buyers can check if a vehicle has pending summonses,” he noted.
Foong, who is the former co-chairperson of the Bar Council Ad-Hoc Committee on Personal Data Protection (2013 to 2016), said many companies also rely on public information on these websites to work. For example, a lawyer can verify whether someone’s name and IC number are correct.
“Open data websites are convenient for the public and companies, they can get information without paperwork and without the hassle and cost of writing to the relevant departments, which usually takes some time. This may free up time for government agencies to do other work,” he said.
Regarding what kind of personal data should be made public on government websites, Chan said it should not depend on the type of information but for what purpose the information is used.
“For example, in businesses and court cases, a lot of personal data must be made public to protect the right to information, uphold the principles of openness and transparency and the management of public authorities.
“If the matter is not related to the public interest, such as personal traffic summonses, you can consider not making it publicly accessible,” he explained.
Open data for public monitoring
Open data websites also make it easier for the public and media to monitor government policies and other public issues.
For example, it was revealed that Rosmah Mansor, the wife of former prime minister Najib Abdul Razak, was eligible to receive RM800 under the Bantuan Prihatin Nasional (BPN) programme in 2020. Her status was later changed to “not eligible” after the issue was reported.
At the same time, some lawmakers were also found to be eligible to receive the cash aid, and most promised to donate the money.
In a series of exclusive reports in 2006, Malaysiakini, using public information, revealed that more than half of the then cabinet ministers had accumulated a total of 918 unpaid traffic summonses over several years, mainly for speeding, with outstanding fines amounting to at least RM115,680.
Publicly available information on the Election Commission’s website also allows civil societies and political parties to help voters check their information or to target suspicious voters.
Privacy concerns
Although convenient, the access of personal information by using an IC number has raised privacy concerns.
Several government websites, such as BPN’s, indirectly disclose the income range of an individual or family because eligibility is based on this factor.
For example, if someone received RM1,000 under BPN 1.0, this means their monthly household income is between RM4,001 and RM8,000.
Some government websites also allow the public to apply for important documents and there is no mechanism to verify the identity of the applicant.
One example is the Education Ministry’s e-Examination Board (e-Lembaga Peperiksaan) website, which can be used to request a new official certificate of education, such as SPM results.
To test the mechanism, reporter A from Malaysiakini entered the IC number of reporter B on the website, filled in his own (reporter A) address, contact number and email, and made the necessary payment. The SPM certificate was later sent to reporter A's home.
It’s not about hiding from the authority
Nonetheless, the right to privacy is not about hiding from the authorities or the public, but it is about having control over ourselves, opined Serene Lim, the partner-director of KRYSS Network, a human rights organisation.
Hence, she said that the misuse of others’ personal data, in cases where harm is caused, may be argued as violations of bodily integrity.
She said data, in many ways, is an extension of people’s physical bodies and personhood.
“Our IC number carries details that reveal our physical location through our voting info and registered address or where our childhood hometown is; traffic summons will show where we have been to; or our examination results that we may be too embarrassed to share,” she said.
Yet at the same time, Lim pointed out that these data do not always tell the full story of society and fully represent a person.
Stressing that the core of the issue is about consent and control, she said that people were never fully consulted or made aware that their data will be made accessible on such a public platform.
Personal Data should not be freely accessible
Given the expansion of technology and digitalisation at present, especially during the pandemic, protecting personal data can be a more pressing issue than other aspects of privacy, according to Sonny Zulhuda, Associate Professor of Ahmad Ibrahim Kulliyyah of Laws, International Islamic University Malaysia.
“When people are forced to isolate or lock themselves down in their homes and premises, digital interactions escalate and this situation incites more risks of breaches to your personal data. All these data should not be left freely and uncontrollably accessible because once they are accessed by strangers, the impact can be damaging,” he said.
The right to privacy is enshrined in Article 5(1) of the Federal Constitution, which states that “no person shall be deprived of his life or personal liberty save in accordance with law.”
The Federal Court in the case of Sivarasa Rasiah vs Badan Peguam Malaysia & Anor (2010) ruled that such “personal liberty” includes the right to privacy.
Sonny said protecting the right to privacy means protecting an individual's personal liberty and any data which can identify a person's identity either directly or indirectly, including name, address, contact number, IC number, vehicle plate number, etc.
According to the Personal Data Protection Act 2010 (PDPA), personal data is understood as any information that relates directly to an individual, he added.
Sonny also said while it is a good development globally that government agencies are making data publicly available, especially in terms of transparency and efficiency, the potential for abuse must be minimised.
“Making (other) personal information easily accessible to the public is not consistent with the objectives that we want to achieve. Opening up personal data without sufficient control may instead threaten the system of basic trust that we need in building the digital economy,” he cautioned.
Misuse of personal data can be unlawful
Although personal data on government websites are publicly accessible, Sonny said the collection of personal data on these platforms could be unlawful.
“Anyone who collects the data and then processes or stores them for their commercial purpose may be committing an offence.
“Another scenario of PDPA violation can happen if a third-party entity that is hired by the government for data processing discloses the personal data through online platforms for their business purposes – acting as a data user, not data processor,” he added.
Although the misuse of personal data for commercial purposes violates the PDPA, some grey areas exist in terms of privacy protection in Malaysia.
Chan pointed out that the existing laws do not address the action of “checking others' personal data by using IC numbers” and it does not constitute an offence under civil law.
“However, some follow-up actions after obtaining the data may be illegal, such as forged identities or documents, and fraud,” he added.
Therefore, the lawyer suggested that government websites should reduce or even abolish the function of allowing users to check specific personal data through IC numbers, especially traffic summonses and certificates of education.
Multi-factor authentication for protection
Several experts have suggested that a multi-factor authentication system and accounts registration be implemented to better protect privacy.
Sonny said this can still allow the public to freely access their personal information on government websites while limiting access to third parties.
“One should not be allowed to easily paste another's IC number to enable him or her access to more information in that service. There is no security at all,” he said.
However, there are currently some government websites that require users to register an account before they can check their data. The authentication process of Bantuan Sara Hidup (BSH) has been strengthened since it was renamed Bantuan Prihatin Rakyat (BPR) in 2021.
When users register for an account on the BPR website, they must answer several security questions such as marital status, postal code or city of registered address to verify their identity before being allowed to check their application status.
Members of the public also need to register an account if they want to check their traffic summonses in the police’s MyBayar Saman portal or the MyEG website.
For Razwan Mokhtar, a cyber security senior consultant, the benefit of accessing personal data from the government website by using an IC number outweighs the disadvantages.
He said it is unavoidable that there will be some “smart people with evil minds” who will attempt to manipulate things, but the government can follow the example of other countries to strengthen protection such as including two-factor authentication (2FA).
In such systems, for example, the user will obtain a personal identification number (PIN) through their phone or email so their identity can be identified, he clarified.
Razwan, who has experience in helping various government agencies to implement new IT security systems, said some companies and banks in Malaysia had already implemented 2FA.
In addition, he said, the authorities should also raise public awareness to prevent the misuse of personal data.
Meanwhile, Foong said it is difficult to strike a balance between privacy and the right to information, but there should be some barriers such as registering an account with full details or paying a fee before getting access to data.
“The rule of thumb is that if one submits to do something of a public nature e.g. conduct business, sue in court, certainly his or her personal data should be made public to ensure transparency or to protect the public.
“This is so the person is traceable if they commit fraud,” he added.
Data fully owned by government
The Department of Personal Data Protection (JPDP), however, sidestepped Malaysiakini’s queries on privacy concerns concerning government websites.
The department only explained that data that is owned and managed by the federal and state governments, especially for assistance programmes for the people, is fully owned by the government.
“Further information on policies and standard operating procedure (SOP) in the management of personal data can be obtained from the relevant government agencies,” it added.
The PDPA regulates the processing of personal data in commercial transactions by data users and protects the interests of data subjects. This law does not apply to the federal and state governments, it said.
“However, JPDP constantly encourages the federal and state governments to apply the principles under the PDPA as guidelines or best practices to ensure that the security of personal data is always maintained,” it added.
Data protection rules stricter in other countries
Even though PDPA does not apply to governments, however, the concept of personal data can arguably be applied in this respect, Sonny said.
“In many other jurisdictions, governments are subject to the personal data protection law in their own country. This fact alone makes data processing by the government rigorously subject to the data protection rules,” he added.
To improve personal data protection measures in Malaysia, he gave several suggestions, including improving data risk management and implementing the privacy by design (PbD) concept in their working process.
“We need to see that the government maintains and implements clear rules and procedures throughout their open data initiatives. There should be SOPs to follow and it should be audited,” he stressed.
Sonny said the government could also implement standards like ISMS or ISO 27001 on security management, and the Privacy Information Management System (PIMS), coded as ISO/IEC 27701.
“They may also designate a data protection officer to deal with personal data processing in the government.
“Government agencies need to establish a good and proper data privacy policy and make it known to the public,” he said.
He also suggested improving data literacy among government agencies and personnel, such as having a comprehensive policy covering the process, starting from collection to storage, sharing, and finally to disposal.
