“If we project this argument (from LFL), if no PDPA is extended to public data, then the government cannot continue any process that involves the rakyat’s data. This would mean all the government agencies would have to close, because indeed the PDPA does not cover the government agencies, and there is a reason for it.”
PUTRAJAYA (Jan 4): Economy Minister Rafizi Ramli has dismissed privacy concerns about data collected by the government via the Central Database Hub or Padu, which is exempted from the Personal Data Protection Act 2010 (PDPA).
This is because data collected by Padu is already covered by existing legislations regulating government agencies that dictate how the data is handled as well as its confidentiality, said Rafizi.
Lawyers For Liberty (LFL) earlier on Thursday pointed out that the government is exempted from liability under the PDPA, meaning that data collected by Padu can be disseminated or used by the government beyond its declared purpose of targeted subsidies. This, it warned, placed the public at a "terrible disadvantage and danger of loss and damage", with no legal recourse if a privacy breach or data security issue arises. As such, it called on the government to amend the PDPA to place responsibility and liability on the government for the protection and security of data collected.
"If we project this argument (from LFL), if no PDPA is extended to public data, then the government cannot continue any process that involves the rakyat's data. This would mean all the government agencies would have to close, because indeed the PDPA does not cover the government agencies, and there is a reason for it.
“Public data is controlled by each agencies' respective legislation. For example registration at JPJ (Road Transport Department), matters regarding the responsibility of data confidentiality and handling by public servants is included under the JPJ (Road Transport) Act," Rafizi told a press conference on Thursday.
“It's the same with the National Registration Department, which also has its own Act. So why doesn’t the PDPA cover government bodies? Because every government body that collects data already has its own respective Act.
"I was hoping that at least the LFL, before they issue statements like this, would understand what the difference is between PDPA and public data because public data is regulated by the respective Acts of every agency that collects public data," Rafizi added.
He also said civil servants have dozens of Acts that regulate the handling of data that are in line with the risks that exist in their work.
"I find it very difficult to comprehend that before this, we didn't have an issue with registering here and there, at government departments and so on. Suddenly, when the government wants to digitalise the service — and for us to digitalise the service we need a central database like this — everyone turns away from data.
"Understanding the whole concept is very important because otherwise, we look silly if we start talking about an Act that we don't understand," Rafizi added.
What has changed with Padu, said Rafizi, is that agencies can now contribute their data to Padu via data sharing agreements inked between respective government agencies, while the legislation governing the aforesaid data remains the same.
Rafizi further explained that the government decided to use data sharing agreements instead of waiting for the Omnibus Act — which is at this stage a proposed law to allow for data sharing between agencies — as it would delay the deployment of targeted subsidies.
“We could wait for the Omnibus Act, but previous administrations usually took three to four years to enact a law; we are trying to set a new record by enacting it in one year,” he said, noting that the government can accomplish "a lot" in that one year.
With or without the Omnibus Act, Rafizi reiterated that the protection and security of data in Padu are already covered under existing legislations that regulate the respective government agencies.
“That is why the best way is to allow for data sharing first using agreements while we work in parallel to have the Omnibus Act,” he added.
While the data-sharing agreements and Omnibus Act serve the same purpose of enabling agency-to-agency data sharing, Rafizi said the proposed legislation will enable the government to cut red tape.
“The [data sharing] agreements have a limited timeframe and entail a specific purpose. Without the Omnibus Act, civil servants would have to ink agreements between agencies every year — the bureaucracy of that just doesn’t make sense,” he said.
The minister also stressed that the government’s digitalisation aspirations will require the development of digital services and products, which is an iterative process that is both agile and continuous.
“Imagine, you want to design an application but the data doesn’t allow for it. So, we have to negotiate a data sharing agreement first because the previous one is about to expire, or its scope is limited,” Rafizi said.
“There are over 490 government databases. Do you have one Omnibus Act that governs all these [databases] or replicate the [data sharing agreement] process and renew it when needed — which is better?
“That [replication of data sharing agreement] will slow down everything and we will never catch up,” he said.
He also noted that the government's previous approach for systems development was outsourcing to vendors — third parties — that are not accountable to data security in the end.
Having the government to develop its own systems and applications not only helps to drive up the expertise of our civil service but also limits data access to third parties.
"It's important to push through govtech and to drive up the expertise of our civil service to be able to handle a huge system like this, so that we can be at par or even better than what the private sector can offer. Because, along the way, this process will build and centralise the government's cyber security expertise," he said.
Read also:
Lawyers for Liberty: Rafizi’s claim that govt data must not be subjected to PDPA is baseless, goes against global trend
Padu to flag false info from existing databases like IRB, EPF and the cash aid STR
Rafizi skirts question of who has access to Padu's database
Launch of Padu before amending PDPA 2010 raises legitimate and serious concerns — Lawyers for Liberty
IDEAS: Uptake among ministries, public, key to ensure Padu’s success
Padu registration should be suspended until the security flaws are fixed, says Ong Kian Ming
Rafizi allays concerns about Padu registration after former lawmaker raises possible teething issues
PM launches Padu ahead of targeted subsidy implementation