Lee Hishammuddin Allen & Gledhill


[REGULATORY] MyGovCloud – Is the Public’s Personal Data Safe?

In this digital era, our digital privacy should be our utmost priority. Cloud storage services owned by private organisations, such as Apple’s iCloud, Google Drive, and Microsoft OneDrive, are widely used to store our personal data and sensitive information. Hence, before using any of these services, we are required to sign a consent form as prescribed by the Personal Data Protection Act 2010 (PDPA), which lays down several personal data protection principles to keep our personal data safe.

 

In May 2022, the government of Malaysia upgraded its Public Sector Data Centre by entering into a Cloud Framework Agreement (CFA) with Cloud Service Providers (CSP) and Managed Service Providers (MSP) which adopts a hybrid system by bridging the private cloud of the government and the public cloud of the CSP.

 

This new system, now known as MyGovCloud, will cover the following services to benefit all of the public sector agencies:

 

  1. Cloud Hosting
  2. Physical Hosting
  3. Disaster Recovery Centre
  4. Backup and Restore
  5. Operational and Technical Support

 

Further, government agencies may also benefit in years to come from various cloud-based tools provided by the CSP, such as machine learning and artificial intelligence. This may also promote the growth of Malaysia’s digital economy by providing job opportunities and training in this specialised field.

However, one must not forget that cloud services always carry a certain amount of risk to data security. This is especially a concern when the government holds so much of our important and confidential information, not to mention that our personal data may fall prey to cyberattacks or data leaks, which may result in dire consequences. We have seen data security being compromised previously even with well-established cloud service providers such as Facebook and Accenture.

The question therefore arises as to how the government will ensure the security of our personal data. What measures are in place to prevent the misuse of this data by the CSP and MSP? These questions need to be addressed transparently by the government to give the public the necessary comfort and confidence that their data will be protected and not subject to misuse.

 

As a safeguard, the PDPA provides 7 personal data protection principles with which a data user is required to comply, as follows:

 

  1. General Principle;
  2. Notice and Choice Principle;
  3. Disclosure Principle;
  4. Security Principle;
  5. Retention Principle;
  6. Data Integrity Principle; and
  7. Access Principle.

 

A data user who contravenes any of the above personal data protection principles commits an offence and shall on conviction be liable to a fine not exceeding RM300,000.00 or to imprisonment for a term not exceeding 2 years or both (Section 5 of the PDPA).

 

However, if the data user is a body corporate, both the organisation and its directors, CEO, COO, managers, or other similar officers (subject to a due diligence or knowledge defence) will be guilty of the offence severally and jointly (Section 133 of the PDPA).

 

In summary, the adoption of MyGovCloud by the government of Malaysia will most certainly bring benefits to government agencies and to the public in general. However, parties to the CFA must disclose the steps taken to comply with personal data protection principles and other provisions of PDPA to ensure that the personal data of the public is duly protected.

 

If you have any queries, please contact Brandon Loo Yung Wen (bly@lh-ag.com) or his team partner G. Vijay Kumar (vkg@lh-ag.com).

 
