Personal Data Breach in Government Agencies – What Actions Can Be Taken? – Data protection

In the third week of May 2022, public attention was again drawn to an alleged data breach involving the personal information of 22.5 million Malaysians between the ages of 18 and 82. It has been reported that this personal information was leaked from the National Department of Records database (“NRDThe allegation, however, was denied by Home Minister Datuk Seri Hamzah Zainuddin, who said the dataset did not belong to NRD local technical forums such as Amanz and Lowyat. Net reported that the 160 GB database size is listed for sale on the dark web for US$10,000.

Disappointed but not surprised – is probably the correct public response to the breach, given that this is the second time an alleged breach at the NRD has been reported as the same thing happened in September last year involving the sale of personal data of 4 million Malaysians, stolen from the NRD and the Inland Revenue Board.

Impact of personal data breach

This massive personal data breach has put the security and interests of citizens at stake, as evidenced by the growing number of scammers on a daily basis. Personal details such as names, phone numbers, addresses, and bank details have made it easier for scammers to convince people that they are bank, court, or police officers. Although cyber scam is yesterday’s news, many people still fall into the trap as the tricks of the scammers keep growing and becoming more and more unsuspected to trick the victims as the scammers have access to the personal data of victims through these breaches. It is an even scarier fact that personal data is found in the dark web market which is the playground of hackers to facilitate criminal activities and the purchase of illegal products and services such as money laundering, drugs, human trafficking, identity theft, pornography, counterfeit currency. , false passports and other illegal activities involving personal data.

Not only that, breach of personal data can also jeopardize national security. For example, in 2016, Russian agents bought stolen information about US citizens, which was then used to open US bank and PayPal accounts, buy access to US-based servers, buy Facebook ads for political rallies and impersonating Americans on social media accounts to interfere with the US political system, including the 2016 presidential election.

Malaysia’s position

In 2013, Malaysia implemented the Malaysian Personal Data Protection Act 2010 (“PDPA“) which sets out the 7 Data Protection Principles to regulate and secure the processing of personal data. Violation of any of the said principles by any data user is a criminal offense under the PDPA and is subject to a fine up to RM 300,000 and/or up to 2 years imprisonment.However, the PDPA only applies to commercial transactions and, pursuant to Section 3(1) of the PDPA, federal governments and states are not subject to the PDPA, so it can be said that people have no recourse against the government for violating the PDPA.

Data breach involving government agencies in other jurisdictions and how they address it

There are a number of reported cases where the governments of other countries have admitted to vulnerabilities in their system that caused their citizens’ personal data to be leaked. To name a few, in September 2021 there was a cyberattack on the French government’s “France-Visas” website where the personal data of people seeking to visit or emigrate to the country was hacked. . According to French government ministries, they immediately implemented measures to secure their visa website to prevent further attacks. Affected individuals were also notified of the data breach and given recommendations to protect their personal data and online identity.

In February 2020, the government of Quebec, Canada, acknowledged a data breach that could affect approximately 360,000 teachers employed in the Canadian province. It has been reported that affected individuals have the option of requesting free credit monitoring and will be notified by the provincial government if their information is leaked. A dedicated breaches hotline has also been set up to deal with the burst.

What can be done?

Despite the limited scope of the PDPA and its non-applicability to government, some steps can be taken through legislative reforms to mitigate the risk of data breaches. When it comes to government accountability, simply amending the PDPA to include some degree of government agency accountability for the protection of personal data will not do the trick. In order to have better protection of personal data, legislators might need to consider adopting the measures taken by other countries that have been proactive in handling personal data breach cases by their governments, or better yet, apply any new specific legislation, policy or guidelines that bind the government on its commitment to protect the personal data of citizens.

In Canada, in addition to the Personal Information Protection and Electronic Documents Act (PIPEDA) which covers the handling of personal information by the private sector, there is also the Privacy Act (“the act“) which applies to federal government institutions that collect, process, use, retain and disclose an individual’s personal information. The Act has a schedule listing all federal government institutions that would be subject to the Act, including government departments, agencies, and government-related companies and their wholly-owned subsidiaries.The law also clearly sets out how government institutions can handle personal information, from collection, use, accuracy , retention and disclosure Not only that, the law also provides for data subject complaints and investigation procedures to be handled by the Privacy Commissioner.

Apart from this, the approach taken under the European Union’s General Data Protection Regulation (“GDPR“) in relation to the public sector may also be adopted. One of the GDPR requirements for government agencies that process personal data is to appoint a data protection officer (“DPO“) who will be responsible for, among other things, monitoring the government agency’s compliance with the GDPR and other data protection provisions and policies. In addition, the GDPR also requires public sector bodies to comply with specific transparency by providing data subjects with information such as the identity, contact details and representatives of government agencies who are the controller of personal data, contact details of the DPO and the purposes of processing personal data as well as the basis legality of the processing.

In addition to this, regular training and awareness programs should also be conducted among public officials on data protection and cybersecurity protocols. By now officials should have known that using a weak password such as “12345” will undoubtedly provide hackers with an easy way to break into the government database system and result in a leak of personal data. Not only that, data subjects should also benefit from their individual right to be compensated by data users, which should include government agencies for losses suffered due to the data breach. Finally, government agencies should improve the quality of their database security by investing in improved cloud-based software, hiring qualified IT managers, and improving their IT ticketing strategy to prevent any potential cyber attacks from going undetected. .


Despite being ranked among the top ten countries with high cybersecurity commitment in the Global Cybersecurity Index 2020, Malaysia still has a lot to improve in the area of ​​privacy and personal data protection. The disturbing increase in the number of personal data breaches may require an urgent amendment to the PDPA or new legislation, policy or guidelines for better protection of citizens’ personal data. A strong and transparent investigation must also be conducted to ensure that data breach cases are handled effectively with a fair outcome.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

Ashley C. Reynolds