THERE has long been a need to review the country’s Personal Data Protection Act 2010 (PDPA). 

The PDPA is based on a set of data protection principles applying in the European Union (EU) but with an important limitation: It does not apply to federal and state governments. 

Legal scholars have argued that for the sake of personal data protection, the PDPA should be extended to include personal data processed by the government.

The EU law on data protection is contained in the General Data Protection Regulation (GDPR) of the EU (Regulation 2016/679). 

The GDPR provides for mandatory rules on how organisations and companies must use personal data in an integrity-friendly way. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure the personal data it uses fulfils the requirements of the GDPR. 

Article 3(1) of GDPR states that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, without exempting the government. “Controller” and “processor” include public authority according to Article 4 of GDPR. 

In the United Kingdom, the Data Protection Act 2018 applies to “public authority” and “public body” for the purposes of protecting personal data and requiring it to be processed lawfully and fairly based on the data subject’s consent or another specified basis, among others.

In Singapore, data management in the public sector is governed by the Public Sector (Governance) Act 2018 and the Government Instruction Manual on IT Management. The Personal Data Protection Act 2012 on the other hand, applies to the private sector.  

There are therefore two different legal frameworks governing data management – one in the public sector and the other in the private sector. They are needed because there are different expectations of the services provided by the government and the private sector.

The Madani government, however, does not seem to share the need to use personal data in an “integrity-friendly” or “lawfully and fairly” way or the need for a different legal framework governing data management in the public sector. 

The Personal Data Protection (Amendment) Bill 2024, which was passed by parliament yesterday, does not include amendments to extend the application of the PDPA to the federal and state governments.  

It is a huge disappointment that Digital Minister Gobind Singh Deo – a lawyer by training – has not grabbed the opportunity the bill presented to follow in the footsteps of the EU, the UK, and neighbouring Singapore in reforming the law to ensure personal data protection includes personal data processed by the government. – July 18, 2024.  

* Hafiz Hassan reads The Malaysian Insight.  

* This is the opinion of the writer or publication and does not necessarily represent the views of The Malaysian Insight. Article may be edited for brevity and clarity.