Cabinet should include Data Protection Bill in the first batch of cyberbills to be passed by the current meeting of Parliament to protect the privacy of Malaysians in the computer age

(Petaling Jaya, Monday): The Cabinet should take serious note of the incident uncovered in San Francisco last week where a purchaser of a used IBM Personal Computer at an Internet auction found that the hard disk contained 2,000 patient records from a supermarket chain of pharmacies..

When booting up the computer which she bought for US$159, the purchaser found that all the software that the pharmacy had used for record keeping was still on the computer’s hard disk, including patient names, addresses, social security numbers and a chronological list of all the medicine that they had bought at the pharmacy.

The value of the data in the used computer would be many times its cost.

It was later found that the computer was one of the 34 PCs leased by pharmacies in the chain and which had been returned to the leasing company when the old computer system was replaced.

This shocking episode should alert the Malaysian Cabinet to the urgent need to address the problem of data protection, especially as the Telemedicine Development Bill is going to be one of the first batch of cyberbills to be passed by the current meeting of Parliament.

The Cabinet should take a policy decision to include the Data Protection Bill in the first batch of cyberbills to be passed by the current meeting of Parliament to protect the privacy of Malaysians in the computer age.

The Data Protection Act which Malaysia should enact should include the following eight principles, which have been adopted by some other countries:

• The information to be contained in personal data shall be obtained and processed fairly and lawfully.
• Personal data shall be held only for specified and lawful purposes.
• Personal data held for any purpose shall not be used or disclosed in any mannter incompatible with that purpose.
• Personal data held for any purpose shall be adequate, relevant and not excessive in relation to that purpose.
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data held for any purpose shall not be kept for longer than is necessary for that purpose.
• An individual shall be entitled to be informed by any data user whether he holds personal data of which that individual is the subject and to access any such data; and where appropriate, to have such data corrected or erased.
• Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against accidental loss or destruction of personal data.

(7/4/97)