Almost all of us have shopped online. When we shop, we easily give our name, address and contact number to the seller. Then when the item is delivered to us, the abang Poslaju takes down our IC numbers before handing us the package. And lately with Covid-19 around, we’ve been asked to give our particulars to shops, restaurants and other premises before entering them.
Having all this personal information known by others is inevitable and for the most part, it may seem like a harmless thing. But the trouble starts when those handling this information misuse it. And sadly, this happens quite often. You might remember this massive data breach that was reported in 2017, where 46.2 million Malaysian mobile phone numbers were leaked, or when 30 million Malindo Airlines customers’ information was breached in early 2020.
Besides having their information breached by others, some Malaysians may have also received scam calls and accidentally given out their name or IC number to the caller. So the question is, if someone has your name, IC number, address and phone number, what can they do with that information...and what can YOU do if this info has gone to the wrong hands?
Your information can be used for...anything
There’s actually no fixed list of what people can do with your information once they have it. We’ve written several articles to illustrate this better and how the law may be able to help in certain situations, which you can read here:
Now if someone has your IC number, they can look you up on the electoral (voter) roll, or even see if you’re receiving government aid such as Bantuan Prihatin Nasional. Back in the day, all you needed was someone’s name and you could look up their phone number in the Malaysian Yellow Pages. In current times, it’s possible to reverse search someone using their number with apps like TrueCaller.
Even businesses like banks and online shopping platforms can at any time access all the info you provided them with when you first signed up. And with this, they may be able to see all your spending history, and your contact information can be passed down to telemarketers and salespeople.
So...you get the idea—it’s impossible to list every single thing someone can do with your information. While these things cannot be fully prevented, there is still a silver lining here. One, it’s impossible for someone to empty your bank account or steal your identity with just a single piece of information. They also won’t be able to sign you up for things or make you a guarantor because you would need to be physically present for these. Secondly, the law can penalize those who release or steal your personal information.
Companies are legally required to keep your info safe
You should note that there are actually no blanket laws to prevent all types of data breach in Malaysia...but there is one that requires businesses to keep your personal info safe. This Act, known as the Personal Data Protection Act (PDPA) 2010 only applies to commercial transactions. It covers businesses such as telcos, email service providers and any other business that takes personal info from consumers. Section 103 of that Act says:
According to the Act, personal data is defined as information that makes it possible for a person to be identified, or identifiable. This can include things such as your name, address and number, or even a specific description that fits only you. So, businesses are allowed to store personal info, but they will be penalized if any of that info is leaked. Section 130 also goes on to say:
Take note that there are instances where businesses CAN give out your information, such as when the court or a Minister requires it...or you yourself agreed to it when accepting the terms and conditions of using that business’ services.
But if your data was leaked without your consent and not for legal reasons, you can file a complaint with the Personal Data Protection Commissioner who is under the Ministry of Communications and Multimedia. This Commissioner is in charge of investigating crimes pertaining to user data. However, as we said, the PDPA only applies to commercial transactions/companies. So what can you do if your info landed in the hands of someone who can’t be charged under the PDPA?
Make a report if you feel your data has been leaked
If the PDPA doesn’t apply to your case, the next best thing to do would be to file a report with PDRM. To reiterate, outside of the PDPA, PDRM won’t be able to charge anyone for breaching your data. However, those people can be charged for what they do using your data. So some examples of this would be scam calls where your money is stolen and identity theft, where someone else uses your information pretending to be you.
As we said, it’s impossible to fully prevent your information from being taken by irresponsible parties. But where possible, it’s best to be vigilant. So be wary of unknown numbers pretending to be a police or court officer, and make sure to read through the T&C of a service before using it.