MCMC Mobile Phone Data: A look into its data sample, lack of public consultation, no opt out option



The Malaysian Communications and Multimedia Commission (MCMC) recently found itself in hot water after it was reported that the regulator had requested telcos to share detailed call and internet records for the first three months of the year. MCMC quickly responded to the article with an official statement, and several telcos have also provided their statements regarding the project, known as Mobile Phone Data (MPD).

Fast forward to yesterday: MCMC organised an engagement session to address the MPD issue directly with members of the media, joined by representatives from telcos and the Department of Statistics Malaysia (DOSM). It was a rather informative session, and even though we couldn’t get all of our questions answered, here are some of the key points that we learned during the session.

Why is there no public consultation regarding MPD?

(L – R) The panel at MCMC’s MPD media briefing: Jamaliah Jaafar from DOSM as well as Zulkarnain Mohd Yasin and Derek John Fernandez from MCMC.

In general, the majority of the population only became aware of the MPD’s existence last week through the report by the South China Morning Post (SCMP). Hence, one of the biggest questions that everyone has been asking is why the public was not consulted about the MPD.

As it turns out, MCMC is looking to have the public consultation at a later stage. Despite being greenlit by the Cabinet in April 2023 following a successful pitch to make MPD a national Big Data project by DOSM, it is still in its infancy according to the regulator.

In fact, we have also just learned from the response to our query by Jamaliah Jaafar, the Senior Director of the National Big Data Analytics Centre, during the media session today that 2025 is the year for DOSM to implement the pilot phase for the MPD project. She also said that this pilot test will run until 2026.

Here’s what Zulkarnain Mohd Yasin, the Deputy Managing Director of MCMC, has to say regarding this question:

“No public consultations (at the moment) because it (currently) is the process of getting the operators (MNOs) ready, in terms of how to operationalise the data, in terms of assessing the readiness of operators, but most importantly, is how do we collectively protect the data.

That’s the stakeholder engagement we are doing, before we go to the public.

So, get the system right in terms of readiness, in terms of assuring privacy and security is in place.

So that we do the public consultations, the public are assured that these (issues) have been taken into consideration.” – Zulkarnain Mohd Yasin, Deputy Managing Director, MCMC.

Here’s what the telco data that was submitted to MCMC looks like

One of MCMC’s major talking points on MPD so far is data anonymity. In its 6 June statement, MCMC said that the MPD requested from telcos is anonymised and contains no Personally Identifiable Information (PII).

To drive its point home, the regulator has shared an actual data sample from the MPD project which indicates the 8 types of information that it has requested from the telcos for the project.

Let’s take a look at the first 7 entries that belong to the MSISDN xty2pvgl. While one might not be able to directly identify the individual behind the MSISDN since the identifier has been scrambled, the data listed generally shows the location of the cell tower that the person is connected to.

In addition to that, you may notice from the sample MPD that this individual was making many late-night calls from 12:00 AM to 4:56 AM. So, we might not know the name or the address of the individual with MSISDN xty2pvgl directly, but we might already be able to identify the individual’s general location and late-night activities based on this information.

So, what we are seeing here is not anonymisation, which would make it impossible to re-identify the individual even via indirect methods. Instead, it leans towards pseudonymisation. Despite the differences, we were told that telcos are free to use either method for the MPD submission, as noted in a letter to an unnamed telco that MCMC shared during the media session.

Here’s something to ponder – the regulator pointed out that anonymised MPD is not classified as a “personal data” under Malaysia’s Personal Data Protection Act 2010 but how about pseudonymised MPD then?
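The difference between the two methods, as an added example that is not part of the original article or of MCMC's processing: pseudonymised rows stay linkable per subscriber, while aggregated output with small-count suppression carries no per-subscriber rows. The field names, sample rows, key and threshold k are constructed assumptions, and a keyed HMAC stands in for whatever scrambling the telcos actually use.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows: (msisdn, ISO timestamp, cell_id). Field names and
# values are assumptions for illustration, not the actual MPD schema.
RAW = [
    ("60120000001", "2025-01-05T00:10", "CELL_A"),
    ("60120000001", "2025-01-05T02:40", "CELL_A"),
    ("60120000001", "2025-01-05T04:56", "CELL_A"),
    ("60120000002", "2025-01-05T00:30", "CELL_A"),
    ("60120000003", "2025-01-05T00:45", "CELL_A"),
    ("60120000004", "2025-01-05T01:15", "CELL_B"),
]

def pseudonymise(rows, key):
    """Swap the MSISDN for a keyed token; one number always maps to one token."""
    def token(msisdn):
        return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:8]
    return [(token(m), ts, cell) for m, ts, cell in rows]

def rows_per_token(rows):
    """Linkability check: events that can still be tied to one unnamed subscriber."""
    linked = defaultdict(list)
    for ident, ts, cell in rows:
        linked[ident].append((ts, cell))
    return dict(linked)

def aggregate(rows, k=3):
    """Distinct subscribers per (cell, hour); identifiers dropped, counts below k suppressed."""
    groups = defaultdict(set)
    for ident, ts, cell in rows:
        groups[(cell, ts[:13])].add(ident)  # ts[:13] keeps date and hour only
    return {group: len(ids) for group, ids in groups.items() if len(ids) >= k}

if __name__ == "__main__":
    pseudo = pseudonymise(RAW, b"constructed-demo-key")
    # Pseudonymised: the scrambled ID still strings one person's night together.
    for ident, events in rows_per_token(pseudo).items():
        print(ident, len(events), "linked events")
    # Aggregated: only cell/hour counts of at least k subscribers remain.
    print(aggregate(pseudo))
```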

Users can’t opt out of MPD

Let’s say that you are not comfortable with the information that MCMC requested from the telco for the MPD project, even though it may not be able to directly identify you. So, can you opt out of having your MPD information passed to MCMC?

The short answer is no, you can’t. The long answer…well, see it for yourself:

“It is a cabinet decision and I think what we are doing is that it is for national development as well as this is part of the regulatory requirements that we have asked the operators to comply.” – Zulkarnain Mohd Yasin, Deputy Managing Director, MCMC.

“It’s in our Communications and Multimedia Act, even in 1998, the ability to do this to improve infrastructure, to be able to get the relevant data. But we do it within benchmark international standards and international practices.” – Derek John Fernandez, Commission Member, MCMC.

Only 3 telcos have anonymised MPD in-house

In its 6 June statement, MCMC said that the telcos have the option to anonymise and aggregate their MPD information either within their own secure environment or pass it to MCMC for processing. As noted earlier, it turns out that telcos can choose to either anonymise or pseudonymise the MPD information before handing it over to the regulator.

At the media session, the regulator revealed that while all telcos have complied with MCMC’s MPD request, only Celcom, Digi, and Maxis have performed the data anonymisation in-house. The rest chose the second option, although MCMC has informed them that the preferred option is in-house anonymisation, and they are apparently already “moving towards that”, said Zulkarnain.

Where is the MPD information being stored? Who has access?

Naturally, the question of where the data is being stored was also discussed during the media session yesterday. According to Derek, the data is not being hosted on the cloud and MCMC did not appoint any contractor to handle MPD.

Instead, MPD is being processed and stored on location at MCMC’s premises. Zulkarnain also insists that access to the data is highly restricted through various policies that the commission has:

“At MCMC, we have very strict governance in terms of who can manage this data. It is not widely available to every 1,700 staff of MCMC – it is only those who handle data from the Statistic Department of MCMC.

Within MCMC, only those groups manage them, and we have standards that we need to comply and internal controls that (determine) who have access to the data.

And then, MCMC have IT security policies that cover information security policy, organisation information security, asset management, access control, cryptography, physical & environment security, operation security, communication security, information security incident management, compliance and information security aspect of business continuity management.

So, we have that in place to ensure that this data is not shareable. Even within MCMC organization, it has to comply with security protocols.” – Zulkarnain Mohd Yasin, Deputy Managing Director, MCMC.

As for DOSM, Jamaliah said that the organisation was given access to perform searches through the MPD information, but the data is still being stored at MCMC. She also highlighted that DOSM is under the jurisdiction of the Statistics Act 1965, which deems all individual data confidential, and the department is only able to publicly disclose aggregated data.

A sample of aggregated statistics that MCMC generated from MPD information. DOSM does not have any sample statistics from MPD at the moment, as the department has not yet gone through enough MPD information to generate such a sample.

During the session, we have also learned that MCMC may keep the MPD information for up to three years. This is based on the regulator’s existing in-house policies, but there were hints during the briefing that the storage duration might be reduced as the MPD project progresses.

Closing thoughts on MCMC’s MPD project…for now

In general, the key takeaway from the MPD’s first-ever media session is that MCMC is doing its best to convince the public that the regulator is doing its utmost to protect personal data through various means and policies. MCMC and DOSM have also provided justifications on why the MPD project is important – mainly to speed up the information gathering process which can potentially help improve policymaking and development.

However, the fact that the general public mainly knows about the existence of MPD through a “leak” is not something that should have happened in the first place. You don’t need to have highly detailed information or complete data structures to let the public know that you are working on a project that involves their personal data.

Even though PDPA 2010 said that anonymised MPD is not “personal data”, the information was derived from personal data anyway. Perhaps, the response from the general public might be slightly different if MCMC had at least hosted this media session early on.

This is especially so given that Malaysia’s track record with personal data has not been that great over the past few years.
