Thursday, 28 January 2010

MGDC 2010 - A Brief Retrospective

Last week (20-21 January 2010), I had the privilege to present a paper on: "Malaysian Data Protection Bill; Some Useful Headways from the United Kingdom (UK) and the European Union (EU)" at the Malaysia-Glasgow Doctoral Colloquium. My 20-minute presentation was scheduled at the Social Science Stream parallel session 4.

My presentation slides are viewable HERE.

It was the inaugural colloquium, jointly hosted by the Glasgow-based Universities; University of Strathclyde, University of Glasgow and Glasgow Caledonian University. The colloquium was sponsored by the Ministry of Higher Education, some benefactors and sponsors of the Universities. Overall, it was a well-managed one, albeit, the first time, such a Malaysian postgraduate research colloquium took place in Scotland. Congratulations to the resources and all who were involved with this colloquium directly and indirectly.

During the presentation, I have shared:-

1. The current Data Protection Bill's position in Malaysia - that will potentially undergo a third (3rd) reading in the Parliament.

2. The Executive Summary of my research and the link with my PhD research in RFID, data protection and privacy in the UK and EU.

3. Literature Review and Research Methodology (content analysis, data analysis and observations)

4. Research Limitation.

5. Substantial issues under the Malaysian Bill: Governance, Corporate Binding Rules, Enforcement, Application of the Bill only to commercial and private sectors - not the State and the Government, Dissemination, Diffusion and Standard of adequacy protection.

6. Cross references to issues and challenges posed by the UK and EU by responding to the potential issues under item number 5 above.

7. A way forward for Malaysia.

8. What's next in my research.

The above are related substantial pointers that I presented. In the interest of time, I managed to complete the presentation and called for more questions and discussions. It was exceedingly an eye opener to have witnessed interactive members of the audience that were very much interested to share their insights and opinions on data protection and privacy. The reviewer (panel) had provided useful comments too. I was asked four (4) questions. But, I have selected two (2) leading questions (not in verbatim, but have been proof edited by myself) that captured my next stage of research, as follows:-

Question 1: Should there be an extension of data protection and privacy from the perspective of psychology and the professionals in this area? (as the questioner is an expert from one of the local universities in Malaysia).

Answer: Yes. However, the notion of data protection and privacy was not yet embedded as a culture, generally, in Malaysia. However, some professions have been abiding by the confidentiality clauses in relation to the client's confidentiality, like lawyers and doctors. However, at times, there is a tendency for one to share the information and pry into a client's privacy with someone that they trust in a relationship (like their spouses, families or siblings). The intrusion and prying indirectly happened without knowing the condition that the more one speaks and talks about their works, the higher his or her client's privacy is intruded. However, for the time being, it is also best to propose a code of conduct or code of ethics that may self-regulate any professions whilst awaiting the Bill's translation to be transformed into a Law, retrospectively. If there are such codes, not only to the aforementioned professionals, but to all, a harmonised application should be adopted by looking into the spirit and motivation of data protection bill.

Question 2: What do you think about the current MyKad ID, wondering whether are there any data protection and privacy issues that may potentially arise?

Answer: MyKad ID has been developed through and by different service providers and platforms. Thus, there are several and selected deployed technologies embedded. However, the issues that may arise is whether; what would be the security risks of the respective parties when it comes to issues of data protection and privacy breach. Taking an example of four (4) different companies, having deployed four (4) different platforms, in a MyKad deployment. The important notion is whether all companies are able to share the collective risks in the event there shall be security and data breach. In the absence of data protection legislation, I may argue that the technology and controls prevail (like encryption and other security technology methods and standards). However, should the Data Protection Bill be a reality, the respective parties should make a compliance checklist in accommodating the data protection and privacy priorities. So much so, in this context, the technical liabilities of data protection and privacy apply.

Besides the two (2) questions above, the Reviewer has commented on my research methodology and proposed a feasible alternative as to ensure the research should be mapped for a PhD research as opposed to a Post Doctoral research. The similar sentiment was also mooted out by a PhD colleague (also a Presenter) from Warwick Institute of Education. His insightful comments, observations and views motivated me to revisit and relook my research coherently pragmatic. A mouthful thanks for the inspiration.

There are also three (3) questions that were posed by some of the presenters in relation to the retrospective effect of the Malaysian Data Protection Bill towards the banking industries. A presenter of Durham asked me the latter. I aptly responded that banking industries should be able to anticipate the compliance costs as to make themselves compliant and relevant. Road shows, awareness and diffusion are the key towards that. Issues of governance, resource, implementation and enforcement should also be prioritised.

A different presenter of Durham asked me about Radio Frequency Identification Technology (RFID) by inferring to the United States' recent surveillance limbo. I briefly responded that when it comes to surveillance issues, there are mixed responses, especially when it comes to RFID. It used to be a military technology. Now, it is a commercialised technology. Yet, the world (one day) will witness the ambient intelligence (Ai) communications that are surrounded by objects and things communicable via RFID chips. It may be harmful and pry into one's privacy if there are no controls. It may also be useful for our daily lives' activities. It may depend on how one looks at a particular RFID technology. It goes back to purpose. He, then, passed the remark: "...we are living in an Orwellian world" - during the introductory part of his presentation, by relating to my presentation topic earlier. I might partly agree.

A presenter of Glasgow Caledonian asked: how RFID technology works, the interrelationship within an RFID environment. Within my knowledge, reading and exposure, I shared with her the generic illustration on the RFID tag categories - active and passive. It depends upon the frequency usage of the tags, database management and notification to the stakeholders/consumers (I have cited the examples of some leading retailers in the UK that have deployed RFID). I hope my brief technological explanation to her was succinctly clear.

After one (1) week of analysing my paper, I have made some improvements to my current works (research and writing). This paper shall be submitted to the Malaysian Government and stakeholders by June 2010. For a long term strategy and plan, I will cite this paper in one of the PhD chapters (under the Data Protection and Privacy Chapter).

Thank you very much indeed for the experience, networking, discussions and opportunities. I look forward to attending my next paper presentation in BILETA 2010, to be held at the University of Vienna.

Respectfully reported.

Noriswadi Ismail
MPhil/PhD Candidate
Institute of Computer and Communications Law
Centre for Commercial Law Studies
School of Law, Queen Mary, University of London
