By: Sonny Zulhuda *

The tremendous participation of companies in technological race and in exploiting the cyberspace is often marked with over-excitement and the sense of lawlessness. This is not true if one regards the cyberspace as a space without rule. The fact remains that there are rules in cyberspace just as people have rules in the real physical world.

When it comes to the notion of corporate social responsibility (‘CSR’), the matter may become more confusing: what kind of responsibility companies could have, and to whom they owe such responsibility. Assume that an online business entity does not have a physical presence – not physically registered, therefore not legally incorporated: does it assume a corporate status to subject it to the CSR? As for the incorporated ones, question may arise as to what responsibilities they bear when embarking in the online environment and to whom they are owed.

Indeed, the discussion of CSR in the cyberspace era is duly warranted because cyber world is, more often than not, misunderstood as somehow law-free and ethics-free. This may lead corporations to believe that they can do so many things in cyberspace which are otherwise prohibited in physical world. Hence CSR could be for them another myth of cyberspace, and as a result, online consumer protection could be negated, law compliance ignored, and communal interests were left behind. All what they can do is to gain on others’ pain.

This paper seeks to establish this relationship; that CSR does exist in the cyberspace. Companies that conduct their commercial activities within or through the cyberspace shall remain committed about their social responsibility, amid in different context. There are rules that companies must live by even when they are totally online. Even though the rules may vary in different jurisdictions, the ethical principles would remain universal. And some of them had even been given a universal platform such as corporate behavior on data security and privacy protection. It is this fundamental understanding that this paper wish to create.

*) This paper abstract was presented the 6^th International Conference of Corporate Social Responsibility, 11-14 June 2007, Kuala Lumpur.

By: Sonny Zulhuda

The Internet has now taken us to a new dimension of life complete with its new set of lifestyle. The Web 2.0 that famously led its users (Who? Me you and everyone here!) to be the Time Magazine’s 2006 Man of the Year had made us a reader and a writer at the same time; a consumer and a producer at once.

This is the new you. Yourself 2.0 does not only read news or download articles from the Net, but also write blogs or upload creative works online. That is the new you.

This was the ground I see when writing and presenting the topic “Yourself 2.0: A Cool or a Fool?” at the inter-disciplinary discussion forum for Indonesian Students Association in the International Islamic University Malaysia last February.

(to be continued…)

By: Sonny Zulhuda

This week I was speaking about the misuse and abuse of workplace technologies during a session of a two-day seminar/workshop on employment law in Kuala Lumpur. The workshop was attended by mostly legal executives from a range of local companies. The technologies meant here are those Internet-associated tools such as electronic mails, blogs, Internet messaging and online networking sites (e.g. facebook, myspace, hi5, and the likes).

The main concern on which this presentation is grounded was that organizations need to ensure a good return of investment (ROI) over the technologies they use at their workplace. This is because the ROI may be interrupted by range of risks of the use (and misuse/abuse) of the technologies such as wasted productivity, financial loss due to business discontinuity or system defect, and also legal liabilities.

During Q&A session, the discussion was focused on the potential liability over Internet and email surveillance in the workplace. In other words, is it legal for the employers to do such monitoring? Can it be tantamount to an infringement of privacy (under non-existing law in Malaysia at the moment) or does it fall under criminal offence of illegal interception under the Communications and Multimedia Act (CMA) 1998?

My point of view was that Malaysian employees have to be very cautious in this issue for several reasons. First, when you join an organization, you are embarking into a ‘private domain’ belongs to your employer. They can do whatever they want including technology monitoring, as long as they are not illegal/unlawful. secondly, there is no law in Malaysia -statutory or otherwise- that protects ‘the right to privacy of the employees. I commented however that this position may be improved if the long overdue Malaysia’s draft law on Personal data protection is passed as the alw of the land. The last reason was, because the provision against illegal interception under the CMA 1998 was intended for the network and Internet service operators, thus does not apply in the private workplace. In other words, you employers, may find this option useful. But it is highly advisable -as a good governance practice and to be on the safe side, legally- to include this under the employment terms, as well as internal policies, guideliens, SOP, etc. It’s in short term a risk management through contractual instruments.

Introduction

This paper is aimed at assessing the perspectives and experiences of Malaysia on the concept and application of electronic government (e-government), more on policy context. Attempts are made to observe preparatory initiatives taken by the government of Malaysia in three distinctive but interconnected aspects: administrative measures, regulatory frameworks, and public participation. Some update applications of e-government in Malaysia will also be touched at the later part. This paper will be ended by underlining the lessons that can be learned by Indonesia in seeking the best format for e-government application, especially in tabling policies and regulatory framework.

E-Government Defined

Electronic Government (E-Government) is variably defined, but basically refers to “the use by government agencies of information technologies (such as Wide Area Networks, the Internet, and mobile computing) that have the ability to transform relations with citizens, businesses, and other arms of government.”[1] Nevertheless in this context, this general meaning of the Information Technology (IT) has been so much associated to the use of the Internet. Thus e-government would generally mean the development and utilization of Internet-based solutions in government services and works. Exactly like e-commerce, which is a utilization of Internet-based solutions in business activities.

This form of solutions are seen to serve a variety of different ends: better delivery of government services to citizens, improved interactions with business and industry, citizen empowerment through access to information, or more efficient government management.

Stages of E-Government

Analogous to the concept of E-Commerce, E-Government can be seen to evolve through four stages:

• Publishing
• Interactivity
• Completing transactions
• Delivery

Publishing stage includes mainly making as much as possible the information on government services publicly available for access by citizens through the Net. This would include the making of portals and websites for government agencies, also the updating of government programs and information to be widely informed to the citizens.

Interactivity stage is realized when such Internet-based service can invite and accommodate responses from public through the Net. That is for instance making a mechanism where citizen can forward their questions, complaints, or suggestions so as to make the Internet-based relation interactive and going two ways.

Completing transaction stage happens when the ongoing two-way relationship through the Net can be brought to result in a complete transaction between two parties (e.g. between the government agency and citizen). For example, when there is a facility on the Net for citizen to pay their electric or water bills to a government body without having to come physically to the agency’s office. This is also exemplified when a business sector wants to get tender for a government project through the Net. The other instance is when a private individual can sign up for getting license required for certain business.

Delivery stage is an advance level of e-government service. This is achieved when a government provides the delivery of its service through the Internet mechanism.

Malaysia’s Experience on E-Government

Malaysia is a federation of thirteen states and a federal territory, adopts a system of constitutional monarchy, that is, a monarch that subjects to a constitution. King is the head of state/country while Prime Minister is the head of government. Malaysia’s population is currently about 23.8 million people and mainly comprise of three major ethnics: Malay, Chinese, Indian, and the rest is from other native races in both Malay Peninsula and Borneo parts.[2]

Since independence in 1957 and throughout the past four decades, Malaysia has changed quite tremendously from a country that leaned so much on agricultural sector of development to the highly industrial sector and labor exploitation. Ahead to the end of 90’s, Malaysia is preparing towards another shift from industrial society to a knowledge-based society where information and knowledge are deemed to be the engine of growth of the country.

In 1991, Malaysia’s Prime Minister Mahathir Mohamad launched for the first time in public his long-term planning for Malaysia to become a fully developed country in the year 2020. This planning is now widely known as Vision 2020, and was adopted in the Seventh Malaysia Plan of 1996-2000. With this new vision, Malaysia is expected to shift the paradigm of development from the old industrial perspective to the new informational one. It is asserted by Malaysia’s Prime Minister that the manufacturing sector has become the mainstay for Malaysia’s sustained economic growth of between 7 and 8 percent over the last two decades.[3] But this growth would not last long unless there is a succeeding second engine of growth if Malaysia is to achieve Vision 2020. And according to him, one consistent pounding beat was digital technology. Thus, Malaysia decided to make the Information and Communication Technology the engine of growth within all economic sectors.

Pursuant to this perspective, Malaysia is therefore aiming at a ‘reinvention of future life’ through the IT power. Multimedia Super Corridor (MSC) project is planned and executed as a test-bed with some strategic flagship applications. It tries to reinvent the future education through smart school flagship. It seeks to reinvent the future health care through the telemedicine flagship. It seeks to reinvent the future interaction through telecommunication enhancement. It seeks to reinvent the future business activities through e-commerce. And above all, it seeks to reinvent the future governance through the application of e-government.

E-government is seen as the ‘umbrella’ concept of all those new flagships in the series of MSC project. That is because the very function of government itself is to ensure all aspects of public life going smoothly to the happiness of every body. Consequently, Malaysia takes quick and speedy initiatives in preparing and implementing the concept of e-government.

Malaysia perceives that Electronic Government will improve both how the government operates internally as well as how it delivers services to the people of Malaysia.[4] It seeks to improve the convenience, accessibility and quality of interactions with citizens and businesses; simultaneously, it will improve information flows and processes within government to improve the speed and quality of policy development, coordination and enforcement. In addition, Electronic Government will play an essential role in catalyzing the development of the MSC, as well as furthering political and economic development goals in Vision 2020.

Pre-requisite Administrative Measures

Among the initiatives taken by the Malaysian government to support the implementation of E-government concept are:

Malaysia Inc. Concept

This concept envisages the most important perspective subscribed by the government of Malaysia. It basically says that the whole nation of Malaysia should participate in the development of new society. The government and private sectors would have to cooperate hand by hand and to work side by side to achieve the common goal. This concept is to create the feeling of togetherness of the nation to uphold such a big task of transforming the society to the aim of Vision 2020.

Restructuring the Government

Towards the era where information flows freely through the advance technology, Malaysian government is concerned about the effectiveness and efficiency of its management. Thus they try to slim down the structure by holding only the strategic public portfolios within the government machinery such as defense, justice and finance, and to privatize much of the rest. In this respect, public good and services functions such as telecommunications, power and railway transportation, traditionally under the aegis of the government, have now been privatized.[5]

Putrajaya Administrative City

For the whole great Vision 2020 to be achieved, Malaysia moves ahead by moving and concentrating all headquarters of government agencies and ministries from capital city Kuala Lumpur to the newly constructed administrative capital city of Putrajaya Federal Administrative Centre, about 25 kilometers south down Kuala Lumpur in 1998. The move is not merely a physical one, but symbolic of the paradigm shift of the government from the old legacies of paper administration towards online and interconnected administration; from the old industry-based society to a new information-based one. This move is also mainly to ease the congestion in Kuala Lumpur, to centralize previously scattered Federal government offices, and to increase KL’s competitiveness as the biggest commercial center in the country.

Cyberjaya Intelligent City

This is the first model cybercity built for MSC companies and its knowledge workers. As an intelligent city, Cyberjaya will be equipped with advanced IT and telecommunications infrastructure to meet business, residential and recreational needs of the residents within the development. Served by state-of-the-art telecommunications network with a capacity of 2.5-10 gigabits per second, Cyberjaya is expected to be accommodating around 500 IT and multimedia companies by the year 2020.

The Administration of Internet Policies

Another important measure taken to anticipate the e-government application is to hand over all administrative measures on Internet development under one roof. It is the Ministry of Energy, Telecommunication and Multimedia that is responsible for the policies and development of the Internet and related matters including the legislation of Cyber Laws and their enforcement.

In-House Training for Government Agencies

In the wake of emerging Internet technology and the way it influences the policies and regulations, the Malaysian government seeks to educate its officials and public servants to be IT literate. In-house trainings have been organized focusing on the use of Internet for their daily official activities as well as familiarizing the regulations and laws pertaining to the Internet. On this project, the Ministry of Energy, Communication and Multimedia joined private sectors and academicians to organize seminars and training

Massive Allocation on ICT Budget 2002

The national ICT agenda aims to create a knowledgeable, informed and ICT–savvy society. The Government has allocated an amount of RM. 112.7 million to implement the E-Government Flagship Project, Rm. 72.3 million for Smart Schools, Rm. 20 million for Telemedicine, Rm. 86.3 million for Smart Card and Rm. 9.5 million for Integrated Application. Apart from this, an amount of RM. 487.67 million is allocated to increase the computerization programme in ministries and departments and Rm. 205.5 million for computerization of schools.[6]

Legal and Regulatory Framework

As touched earlier, the backbone concept and working of E-Government is mainly the Internet-based solutions and service. Therefore, legal certainty in the Internet is a substantial and initial if Malaysia were to achieve its new digital technology perspective. Aware of this, the Government of Malaysia formally pledges its commitment to become a regional leader in Intellectual Property (IP) protection and Cyber laws.

Through the Ministry of Energy, Communication and Multimedia and the parliament, Malaysia has enacted and passed a number of pioneer cyber laws since 1997. Among its pivotal aim is to provide a comprehensive framework of societal and commerce-enabling laws, which encompass aspects concerning security of information and network integrity and reliability.[7] These cyber laws have been designed to create the right environment for the development of the communications and multimedia industry and to position Malaysia as a major hub for the communications and multimedia information and content services.

In the context of e-government application, these laws are also important to enable the smooth running of the governance. Since the government itself would also be subject to the laws, their existence will ensure the process well managed and regulated.

Several cyber laws that have been passed in Malaysia are:

1. Communications and Multimedia Act 1998

Being the most significant legislation that was brought into force on the 1st April 1999, this legislation provides the policy and regulatory framework for convergence of the telecommunications, broadcasting and computer industries. The Act is based on the basic principles of transparency and clarity; more competition and less regulations; bias towards generic rules; regulatory forbearances; emphasis on process rather than content; administrative and sector transparency; and industry self-regulation.

2. Digital Signature Act 1997

This Act regulates the legal recognition and authentication of the originator of an electronic document. It also enumerates several legal effects of digital signature in matters relating to evidence and transaction.

3. Computer Crimes Act 1997

The Act makes offences, among other things, an unauthorized access to computer material, unauthorized modification of the contents of any computer, and wrongful communication. It imposes criminal penalties on fraudulent or dishonest acts even when committed outside of the country.

4. The Copyright (Amendment) Act 1997

Provides copyright protection on-line, including the protection of a computer-related works from being infringed. This is an amendment to the existing Copyright Act. Thus it only gives more powers to be more effective in the wake of digital changes.

5. The Telemedicine Act 1997

Regulates the application of telemedicine in Malaysia as to who may practice it, and how, and also related rights of the patient therefore.

6. Personal Data Protection Bill 2000

This Bill is still in the process of socialization and is not yet tabled and passed by the parliament. The aim of this law is to regulate the collection, possession, processing and use of personal data by any person/organization or even the government so as to provide protection to an individual’s personal data and safeguard the privacy of an individual. It also seeks to establish a set of common rules and guidelines on handling and treatment of personal data by any person / organization

Some Policy Initiatives and Public Awareness

There are basically two players in the implementation of e-government: government themselves and the citizen or the public at large. Thus the application of e-government without active participation of public is meaningless. Public participation is a necessity, and public awareness and familiarity to computers and Internet technology is seen as pre-requisite to the success of e-government. Recent statistics show an increase in the number of computer ownership as well as the number of Internet hosts and Internet subscribers in Malaysia. There are currently about 30 Internet hosts available in Malaysia for every thousand people.[8] And in 1998 at least, the Internet subscribers in Malaysia had reached 450,000 people.[9] All these increase is partly achieved due to government efforts in campaigning the IT and creating an IT literate generation.

To achieve the aimed level of public awareness, various efforts have been done by the Malaysian government. [10]

They have organized seminars, talks, national IT week with a host of activities such as writing competition, quizzes, etc. and used the media such as television, radio and newspapers to promote an IT culture and IT awareness.

Besides, the government has emphasized IT-related education and training and the setting up as well as upgrading of vocational and technical schools to increase the IT literacy rate.

The government restructures the education system to include basic computer literacy for all, and has moved forward on promoting learning with computers.

Local universities have embarked on distance learning program using the Internet and the videoconferencing. The establishment of UNITAR, the virtual university, and Multimedia University has introduced a new educational dimension in IT era and would provide Malaysian citizens more options to upgrade their knowledge and skills.

However, it is highlighted that most of these projects are notably top-down pilot projects started by restricted pilot institutions. It is observed that in many cases these projects remain restricted in the pilot schools and institutions and yet become of nationwide effect. This is the common consequence when a pilot project is not led to a greater impact and abandoned more public participation.

E-Government in Practice

There are mainly five pilot applications for electronic government that have been prioritized.[11] While there are different levels of achievements that have been reached by each of these pilot projects, it is however certain that progresses are underway. Those pilot applications are:

1. Project Monitoring System (PMS)

This assists inert-government collaboration through three phases of Operational Functions, Managerial Functions and best practices knowledge and report generation for decision makers.

• Progress Reporting
• Change Control
• Execution information
• Decision support

2. Human Resource Management Information System (HRIMS)

It addresses the present and future needs of Human Resource Management in the civil service. Developing applications include automating operational processes and information decimation.

• Online job postings / application
• Manpower forecasts

3. Generic Office Environment (GOE)

Provides a fully integrated, distributed and scalable paperless working environment for the Prime Minister’s Office. Staff will have easy and up-to-date access of accurate information.

• Information management, e.g. scanning, Data repository
• Communication, e.g. Video conference, Meeting management
• Collaboration, e.g. Decision Tracking, Groupware

4. Electronic Procurement (EP)

Automates the process for procurement of goods and service between buyers and public sectors via Internet communication.

• Central Contracts
• Direct purchases
• Quotation
• Tender

5. Electronic Delivery Services (E-Services++)

This is an alternate method for transactions and interactions between the public and the government via electronic delivery channels of Wireless Application Protocol (WAP), Interactive Voice response (IVR), Web TV, Kiosks and Personal Computers.

• Driver’s license
• Electricity bills
• Telephone bills
• Health Information

Apart from these pilot applications of e-government that has been laid up systematically and gradually, there is another flagship application under the main flagships on the Multimedia Super Corridor project, which is very much related and supportive to the creation and implementation of e-government. That application is called Multi-Purpose Card or MPC.

This application seeks to develop a single and common platform for a card with a chip or microprocessor that has the capability to perform a wide range of functions, including data processing, storage and file management.

Eight applications have been selected for inclusion in the initial MPC roll out, including the National ID, driving license, immigration to complement passports, health card, electronic cash, debit, ATM and credit card.[12]

What Indonesia can Learn from Here

In this final part, It is submitted that Malaysia has taken very proactive and brave measures towards the realization of e-government, which should end in maintaining prosperity of its people with lesser cost of governance through the advancement of the Information Technology. The planning was long and visionary thus reducing the potential cultural shock.

Nevertheless, there are still loopholes to be corrected, and weaknesses to be cured. The most important thing to have is the willingness to try. There are many ways that Indonesia can share and learn from Malaysian experiences. The most notables are the following:

Long-term Planning with Strategic Vision

E-government is a big concept dealing with complicated matters of overall aspects of our life. It is imperative for the Indonesian government to lay down well-planned strategies, short term and long term, with sufficient budget allocation to allow the realization of systematic e-government. Malaysia has started it as early as the beginning of 90’s and projected the planning within at least 30 years towards the Vision 2020.

Decentralization of the Process

The government should bear in mind that the process to an e-government is not solely their own business. It is for all people. Thus efforts need to be combined also from privates sectors, academician, and other communities of society so as to create the sense of belonging for the e-government to be created. Besides, the potentials from different parts of the country need also be considered and joined in the policy making. This is inline with the emerging spirit of autonomy across the country’s regions.

Preparing Skilled Manpower

Manpower is the key of the success that also means quite great amount of investment. The government should prepare the local skilled manpower thus it will reduce burden of hiring costly foreign workers while at the same time enhancing the quality of local workers.

Educational Curriculum

Very much related to the previous point, our educators should rethink the best way to introduce computer and the Internet to the school children. The idea is, the earlier the child being familiar to the IT, the easier the process will be towards e-government in Indonesia.

Cyber Legislation

Regulatory framework should be tabled comprehensively to anticipate all possible problems that might be created due to the Internet transaction. This is important to create an environment supportive to the e-government process and IT-driven civil society. The current attempts of drafting the cyber laws need to be boosted to meet the speedy change brought by the Internet.

Internet Policies under One Roof

The Indonesian government should take measures to enable all Internet-related matters, from the administration to the implementation, be concentrated by one single ministry or agency, instead of scattering them in many different ministries like what we have now.

Maintaining Regional Cooperation

Last but not least, the Indonesian Government should maintain regional cooperation and improve it to the highest possible productivity degree. That is because still many things on e-government projects that can be shared and learned from neighboring countries like Malaysia, Singapore, and Thailand.

By Sonny Zulhuda

Introduction

The corporate world today has grabbed the efficiencies of information and communications technology (ICT) in its maximum use. Regardless the size and area of industries, workplaces have been equipped with cutting-edge tools of the computers technology and connected to the Internet. With the adoption of electronic tools such as computers, Internet or Intranet, businesses have been operated more or less electronic way. Meeting notices are no longer served by printed paper, and personal data of employees and customers are no longer kept on bulk of papers previously stored in wooden or metal cabinets. In large extent, the electronic mail (email) and electronic storage have been used to replace traditional way of doing business.

Websites have now become a virtual address of companies. They are used to publish companies’ profile, products, promotions, activities, as well as interactive portals. In Malaysia, for public listed companies alone, there are already 225 public listed companies that have website for their business operations, ranging from merely informational sites to commercially designed and transactional websites (Source: Bursa Malaysia). Besides, more and more government agencies are also posting their websites in the World Wide Web.

The adiption of the Internet and computer technology by corporate organizations can be illustrated as follows:

With this vast adoption of the Internet and computer technology, physical workplaces are now prepared to be second in significance compared to the virtual workplaces. Nevertheless, this exposure will certainly bring about new legal risks. This paper seeks to discuss those legal risks in the order of two broad issues; firstly, those risks resulting from the use of electronic mail (e-mail). Secondly, those risks that result from the establishment and operation of corporate websites.

Concerns Related to Companies’ Website

Website has been an essential component for organizations and companies in running their business today. It is used as a portal from which all necessary information about the company can be retrieved by potential customers and business partners.

A website can be either informational or transactional or both. For an informational website, companies usually post their company profile, corporate information, products as well as services. On the other hand, a transactional website usually provides a platform for customers or pre-registered subscribers to forward feedback, or conduct transaction. This is exemplified by the airlines and hotels websites where public users can order and book for tickets or services.

There are certain legal risks exposed with the operation of websites as follows:

a. Liability due to misrepresentation

Since the websites are posted to public through the Internet, the operators of those websites shall bear in mind that the public can rely on whatever they represent in order to take any action or any transaction. For this purpose, website operators shall make sure all the information and statements posted in their websites are accurate, true, legal, and not violating the rights of other people.

Incorrect information is not only detrimental to the customers who may like to rely on the website’s content, but also damaging the reputations of the company or organization that posts such website. Furthermore, if the information or statement contains defamatory material, the operator may be sued for defamation as it is explained previously in the earlier part.

In Malaysia, the case of website misrepresentation arose when Multimedia Development Corporation (MDC), a highly reputable local company lodged a police report against another local company that claims it had a hand in the initial planning for the Multimedia Super Corridor (MSC). This claim was made and posted on that company’s website (The Star, 23 September 2002).

For that matter, MDC had also issued a disclaimer published in Malaysian daily stating that the said company was “not authorised to speak, act, and/ or transact on behalf of MDC or its subsidiaries on any matter relating to the implementation of the Multimedia Super Corridor or matters relating to the national ICT development programmes.” This disclaimer was in connection to the company website’s claim that its executive chairman “created the nation’s first integrated computer network named the chained matrix system” that “emphasizing on the control, supervise, and development of the nation human resources,” including “bringing in of foreign labors into the country.”

In the above case, it is obvious that a statement posted in website may be subject to public scrutiny. And thus, any misleading or wrong information may well lead to others’ disclaimer and even a lawsuit.

To anticipate risks like this, there are certain measures need to be highlighted by the website operators. The operator shall conduct regular checking and rechecking of the content of their websites so as to enable him to identify the parts that require modifications, updates, or changes.

Other than this, some website operators take initiative to put a disclaimer on their website to the effect that the website operators shall not be liable to any damage or loss due to the reliance of information as provided in the website. This disclaimer is not always welcome, since it is usually to the detriment of consumers. However, the disclaimer should be made in such a way easily readable to the viewers.

b. Terms of use of the website

‘Terms of use’ refers to those terms and conditions predetermined by the website owner that serve as the yardstick for consumers in accessing concerned websites. It also provides for the dos and don’ts that may be imposed by the website owner in retrieving information from such website. This term of use is becoming increasingly important in the wake of demand for better consumer protection. Website owner needs to be careful in outlining the terms of use especially in relations with the following:

Ø Privacy, confidentiality and personal data protection

Website owner should mention the principles of personal data protection embraced and practiced in dealing with collection, storage, use, processing and transfer of personal data of customers, employees, and others. In Malaysia, the law on personal data protection has not yet been passed by the parliament. The PDP Bill was introduced in year 2000 and since then underwent series of modifications, review and readjustments. When the time has come where this Bill is passed into law, there will be a lot to do for companies and organizations to adjust their data handling policies in order to be compliant with the law.

Ø Use of ‘cookies’ for direct marketing

Cookies are files stored in a website that records the track of website visitors. They are designed to create the profile of website visitors so as to identify their online activities and tendencies. The website operator should mention if they use cookies in their website so as to warrant the visitors. In Malaysia, some aspects of cookies management will also be governed by Malaysian law on personal data protection.

Ø Protection of copyrighted material

Website operator should ensure that all materials posted in the website do not infringe anyone’s copyrights and other intellectual property rights. This is because for any materials that infringe copyright, website operators are exposed to legal liability. In Malaysia, those provisions of law on this aspect are clearly provided in the Copyright Act 1987 (amended in 1997 for accommodating certain ICT issues).

Ø Disclaimer

Disclaimer in a website is a statement that excludes certain potential liabilities that may implicate the website operator. It is normal to find a website with disclaimer saying that the materials posted does not constitute professional advise thus should not bear any legal liability upon reliance. This is important especially when reliance of the information posted at the website can bring about detrimental effect to consumers.

c. Issues of cybersquatting

As we all know that every website can be remembered through its Unique Resource Locator (URL). This unique locator is also called domain names. Among other important issues to take care for every organizations that are willing to establish and develop their websites is that they should choose the name that would not directly or indirectly create dispute or infringe other people’s rights. In this area arises the issue of cybersquatting.

Cybersquatting is those practices including deliberate bad faith registration as domain name of well-known trademarks in the hope of being able to sell the domain to the owners of those marks (or rivals owners) or simply to take unfair advantage of the reputation attached to those names or marks. Thus it involves the use of domain name by a person with neither trademark registration nor any inherent rights to the name.

Cybersquatters exploit the first-come, first-served nature of the domain name registration system to register names of trademarks, famous people, or businesses which they have no connection. Since registration of domain names is simple and inexpensive, cybersquatters often register hundreds of such famous names as their domain names such as www.sony.net and www.petronas.net. Certainly, this kind of actions will incite those with legal rights on that names to bring a claim of trade mark infringement.

Globally, this cybersquatting issue is addressed by an international arbitration processes administered by international agency such as ICANN and WIPO Arbitration and Mediation Center.

In Sime Darby Berhad Malaysia v. Mr. Sim e-Darby (2002) over a domain name ‘simedarby.com’ by respondent in Canada, the matter went to WIPO Arbitration and Mediation Center, which heard in accordance with the Policy and Rules of the Uniform Domain Name Dispute Resolution Policy (UDRP). The decision of Panel was to transfer the impugned domain name to the complainant, because, among other things, the domain name registered by the Respondent is identical or confusingly similar to the “Sime Darby” trade mark in which the Complainant has rights.

This problem is equally supposed to have been settled in Malaysia. In a local case of Petroliam Nasional Bhd & Ors v Khoo Nee Kiong (2003) Malaysian court decided, among other things, that cyber squatting may be regarded as ‘passing off’. The first plaintiff in that case was a well-known national petroleum corporation. The second plaintiff was one of the marketing arms of the first plaintiff and the third plaintiff was in the business of processing and transmitting natural gas and it conducted its gas business under the trade name ‘Petronas Gas’. The defendant was an individual carrying out trading operations as a registered sole proprietor under the trade/business name ‘Araneum Consulting Services’ and was in no way associated with the plaintiffs.

It was held that by registering the said domain names which contained the word ‘Petronas’, there was a serious issue to be tried in that the defendant was making a false representation to persons who may have consulted the register that the registrant, ‘Araneum Consulting Services’ was connected or associated with the name registered and thus the owner of the goodwill in the name ‘Petronas’.

The court maintained that by registering the said domain names, the defendant had eroded the exclusive goodwill in the name ‘Petronas’ which had cause damage to the plaintiffs. The said domain names were instruments of fraud and any realistic use of them as domain names would result in passing off. This would cause irreparable injury and damage to the plaintiffs and by virtue of this, the balance of convenience tilted in favour of the plaintiffs.

In the circumstances, the plaintiffs had shown that there was a threat of passing off and trademark infringement on the defendant’s part which was likely to cause confusion in the minds of consumers of the plaintiffs’ products, thereby resulting in irreparable injury and damage to the plaintiffs’ trade, business and goodwill. Therefore, as the plaintiffs had provided an undertaking as to damages, the interim injunction sought for ought to be granted.

Summary: Let the Managers Take Notes

From the preceding elaboration, it is obvious that the use of information and communications technology at the workplace brings about various legal risks that should not be overlooked by both employers and employees. Website facilities should not be taken for granted. This knowledge is essential for those whoever engaged in professional activities in today’s corporate world of a cross sector and region. As the time goes on, professionals and workers in Malaysia will need to have certain level of awareness and understanding of these crucial issues.

For that important matter, this paper would leave some notes for those responsible in managing the operation of a workplace and administration of personnel to work within its boundaries. First, as so much that a workplace could expose so many issues and problems, managers would need to increase the level of employees’ awareness of the benefits and threats ICT facilities may offer to them. This is because the risks are real and the harm that may follow from the potential damage could be very detrimental to organizations. And this could be done through series of awareness programs and intensive socialization through newsletters, banners, and regular training or seminar for the employees.

Secondly, organization should make a concerted effort in addressing and managing the risks of using ICT tools at workplace. This means there is a need to gather a mix of expertise in all processes of risk management on this issue. That mix of expertise would need to come from managerial levels of human resource manager, information manager, IT manager as well as legal manager. Without this synergy, efforts to address ICT risks at workplace will become impaired and not comprehensive.

Last but not least, after a team of concerted mix of expertise could be gathered, the next big thing is to plan, draft and communicate a comprehensive set of ICT policies that determine the management of using email, Internet, software as well as information asset security. This policy plays important role as the rule of game in a new invented ‘jungle’ called electronic workplace.

Oleh: Sonny Zulhuda

Saat ini e-mail telah menjadi media komunikasi yang makin popular baik untuk konteks komunikasi personal maupun untuk komunikasi rasmi dan urusan berbisnis. Hal ini disebabkan oleh semakin pesatnya kemajuan teknologi komunikasi dan maklumat menerusi Internet yang telahpun dipakai oleh hampir semua bidang industri dan sektor kerajaan di Malaysia. Hal ini pula merupakan konsekuensi dari perkembangan aplikasi e-government bagi bidang awam dan kerajaan, serta e-commerce bagi sektor industri dan swasta.

E-mel pilihan popular

Dalam menghadapi pesatnya e-commerce, sektor industri kini mula sedar bahawa e-mel dapat menentukan komunikasi yang efektif untuk mencapai hasil yang produktif serta rendah kos. Ini kerana dengan e-mel mereka dapat mencapai pasar yang begitu besar jumlahnya dan tiada terbatasi oleh sempadan geografis. Dengan demikian pula, tiada masa yang terbuang percuma untuk menyampaikan pengiklanan barang dan perkhidmatan yang hendak dipromosikan kepada orang ramai.

Teknologi komunikasi murah menerusi e-mel dapat menggantikan pemakaian talian talipun, terlebih lagi untuk komunikasi antarabangsa dimana kosnya akan sangat tinggi jika menerusi talian talipun. Faksimili pula memiliki kerenahnya sendiri apabila komunikasi yang dilakukan tidak bersifat langsung (instantaneous).

Selain dari itu e-mel dapat memfasilitasi penghantaran dokumen berupa teks, gambar, mahupun suara. Hal ini tidak dapat dilakukan menerusi faksimili, talipun ataupun radio. Kelebihan e-mel yang lainnya adalah ianya dapat dicapai bila-bila masa dan dimana saja. Baik itu di pejabat, di rumah, mahupun di kafe-kafe siber. Bahkan kini e-mel sudah dapat diakses menerusi perkhidmatan talipun selular (mobile phone). Nyatalah dengan kelebihan-kelebihan ini, teknologi e-mel makin menjadi pilihan ramai.

Untuk tujuan diatas, pihak industri dan sektor kerajaan kini masing-masing telah mula membina sistem komunikasi dan maklumat mereka supaya dapat memfasilitasi komunikasi dan penyampaian maklumat, baik itu komunikasi antara majikan dan pekerja di sebuah syarikat; antara syarikat dengan pelabur, dengan rakan kerja, ataupun dengan para pelanggan dan pengguna. Kini majoriti pekerja di pejabat-pejabat sudahpun mula menggunakan e-mel untuk keperluan komunikasi mereka.

Isu-isu berbangkit

Beberapa isu mula berbangkit manakala e-mel sudah semakin popular dipakai oleh pihak industri. Salah satu isu yang sering terdengar ada isu keselamatan sistem maklumat dan perlindungan privasi pengguna. Bagi isu keselamatan, sudah banyak kejadian yang melibatkan aksi pencerobohan (intrusion) terhadap sesebuah sistem maklumat, dan yang lebih memeritkan lagi, apabila penceroboh itu melakukan pengrosakan dan perubahan terhadap sistem itu, serta mencuri maklumat yang tersimpan di dalamnya. Selain daripada itu, penyebaran virus menerusi sistem Internet juga menjadi salahsatu isu besar yang juga membabitkan keselamatan data dan sistem.

Dalam tahun 2002, MyCERT (Malaysian Computer Emergency Response Team) melaporkan sehingga bulan Oktober, tidak kurang daripada 631 kes berkaitan dengan jenayah komputer berlaku di Malaysia. Lebih dari separuh membabitkan hacking (227 kes), virus komputer (212 kes), dan pencerobohan (57 kes).

Isu privacy pula menjadi hangat setelah banyak berlaku pencurian maklumat peribadi menerusi sistem maklumat. Pada Tahun lepas dilaporkan berlakunya pengambilan wang riuban ringgit menerusi ATM yang menunjukkan pencerobohan dan pencurian maklumat peribadi dari sebuah akaun bank.

Isu spamming kini menjadi ancaman bagi pengguna sistem e-mel dan Internet. Ini berlaku ketika banyaknya e-mel yang masuk mula memenuhi store penyimpanan data bagi sebuah sistem. Jika store itu penuh dengan tiba-tiba, sudah tentu ia akan menegah masuk e-mel-e-mel lain yang penting seperti urusan perniagaan dan bisnis. Bagaikan tamu tak diundang, spam yang menawarkan berbagai barang dan perkhidmatan ini dapat menganggu keselesaan pemakai e-mel, dan dinilai sebagai pencerobohan privasi, kerana memanfaatkan ruang e-mel mereka tanpa adanya kebenaran. Mengikut laporan MyCERT, kes spamming sepanjang tahun 2002 dilaporkan mencecah 100 kes hingga bulan Oktober. Sementara itu, masih lebih banyak lagi kes yang mungkin tidak dilaporkan oleh pemakai.

Penggunaan e-mail tak terkawal

Berbagai isu keselamatan dan privacy ini dapat berpunca dari pemakaian e-mel yang tidak terkawal dan tanpa sebarang bimbingan (guidance) yang betul. Malah hal ini dapat membantu memudahkan aksi-aksi pencerobohan tersebut, serta membuka jalan untuk melakukan bentuk-bentuk jenayah yang lain seperti pencurian maklumat, kes fitnah dan malu (defamation), pencerobohan hak cipta, serta pencurian wang melalui pencerobohan kad kredit.

Pemakaian e-mel syarikat yang tidak terkawal, komunikasi personal yang tidak perlu, serta pemakaian internet bukan untuk urusan pekerjaan disenaraikan sebagai beberapa faktor yang memungkinkan berlakunya pencerobohan sistem dan maklumat.

Pencerobohan ini sering berlaku karena pengguna Internet percaya bahwa identiti mereka dapat disembunyikan ketika mereka online. Anggapan ini tidak tepat sama sekali kerana identity kita sangat mudah terserlah menerusi Internet disebabkan kemajuan berbagai teknologi maklumat seperti cookies.

Cookies adalah fail-fail elektronik yang dihantar oleh pemilik laman web untuk merekodkan aktiviti pengguna menerusi Internet. Rekod digital inilah yang dijadikan oleh pemilik cookies tadi untuk mendapatkan identiti pengguna sehingga dapat digunakan untuk menghantar iklan menerusi spamming.

Dalam konteks ini, pihak kerajaan, industri dan mana-mana pihak yang telah membina sistem komunikasi dan maklumat menerusi Internet perlu mengambil kira berbagai risiko yang dapat menjejaskan aktiviti mereka ini, dan mengambil tindakan preventif (pencegahan) dengan memastikan dasar dan peraturan pemakaian e-mel di pejabat-pejabat mereka.

Tindakan pencegahan menerusi ‘internal e-mail policy’

Tindakan pencegahan ini dapat dilakukan dengan berbagai cara. Yang paling mustahak adalah melalui pelaksanaan kod amalan (Code of Practice) atau dasar dalaman (Internal Policy) bagi pemakaian internet dan e-mel di premis pejabat. Selain itu, tindakan mengikut undang-undang juga perlu dirujuk, seperti undang-undang siber dan kanun jenayah.

Kod amalan pemakaian e-mel perlu difahamkan kepada semua pegawai di premis kerja supaya tahu risiko yang boleh berlaku apabila mereka memakai e-mel dan Internet. Beberapa hal yang boleh dijadikan panduan dalam membuat kod amalan adalah seperti tersenarai:

1. E-mel hanya boleh digunakan untuk keperluan kerja saja;
2. E-mel lama yang sudah tidak relevan perlu dipadamkan dari akaun;
3. Berhati-hati apabila mendapatkan attachment dari e-mel dari alamat yang tidak dikenal, jangan membuka attachment untuk menghindari kemungkinan virus computer;
4. Jika terdapat spam atau e-mel yang memuat iklan jualan, blok alamat pengirimnya, atau hubungi pegawai teknikal sistem; dan
5. Pihak pengurusan dapat melakukan periksa dan pengawasan terhadap sistem e-mel di premis kerja.

Ini hanyalah sebahagian dari contoh dasar-dasar untuk mengawal aktiviti e-mel supaya tidak menyebabkan kes-kes pencerobohan.

Undang-undang Siber dan Perlindungan Data Peribadi

Dalam konteks penguatkuasaan undang-undang, berbagai kes jenayah komputer diatasi dengan Akta Jenayah Komputer (Computer Crimes Act) 1997 yang merupakan rangkaian paket undang-undang siber di Malaysia. Walaupun ada anggapan sesetengah pihak bahwa akta ini masih sangat terhad cakupannya, namun kehadiran akta ini boleh dianggap sebagai langkah yang sangat tepat bagi menjawab cabaran teknologi kamunikasi dan maklumat sekarang ini. Akta ini penting bagi menutupi kekurangan undang-undang lama dalam mengatasi jenayah teknologi.

Sayangnya, manakala kita sudah memiliki undang-undang untuk mengatasi isu keselamatan, isu privacy pula masih belum dilindungi secara komprehensif dalam sebuah undang-undang.

Dalam konteks inilah, rujukan perlu dibuat kepada draft (bill) akta perlindungan data peribadi (PDP) yang mungkin akan diluluskan oleh parlimen pada tahun ini. Ini kerana undang-undang ini adalah yang paling komprehensif bagi pengaturan perlindungan privacy dalam kaitannya dengan sistem maklumat. Undang-undang ini telahpun disusun mengikut perkembangan semasa dalam isu komputer dan Internet.

Akta PDP ini dimaksudkan khasnya untuk mengatur tata cara pengumpulan, pemakaian, pmrosesan (processing), pertukaran, dan penyimpanan maklumat peribadi baik itu dalam bentuk otomatik ataupun manual. Akta ini mengatur hak-hak para pengguna dalam kaitannya dengan perlindungan privacy atau hak peribadi mereka.

Dengan akta ini misalnya, pengguna dibenarkan untuk mengetahui samada maklumat mereka ada disimpan oleh industri berkenaan, dan apa yang akan dibuat terhadap maklumat peribadi itu. Selain itu, pihak industri tidak boleh meneruskan praktik pemasaran langsung (direct marketing) menerusi e-mel apabila tidak disetujui oleh orang yang menerima e-mel berkenaan. Ketentuan ini kiranya sedikit banyak boleh membantu memecahkan masalah spamming.

Secara ringkasnya juga dapat dipastikan, bahwa kehadiran akta PDP akan dapat memberikan impak yang positif bagi perkembangan e-commerce di Malaysia.

Penutup

Sebagai kesimpulan, perlu disedari bahwa pemakaian e-mel sangat erat fungsinya bagi memajukan aplikasi e-government dan e-commerce yang kini telah menjadi tumpuan pemabngunan negara. Namun pemakaian kemudahan ini perlulah diarahkan kepada bentuk yang paling efektif baik menerusi dasar dalaman premis kerja, mahupun penguatkuasaan undang-undang. Tindakan ini pada masa yang sama akan mengurangkan berbagai risiko keselamatan dan pencerobohan privacy yang dapat merugikan pemilik sistem itu sendiri.

By: Sonny Zulhuda

By transforming to the workplace environment that uses the Internet and other devices of information and communications technology (ICT) as the enabler in running their businesses, organizations are exposed to potential risks out of the abuse and misuse of the said technology by internal employees and any strangers outside the company alike. Such misuse can take the form of security breaches, theft of company’s informational assets, lost productivity, wasted computer resources, electronic viral infections, business interruption and public embarrassment should a workplace lawsuit be filed.

While lots are done for preventing external hackers from jeopardizing internal network and information system, risks from internal sources are often overlooked by most companies. In fact, the threats exposed by these ‘internal saboteurs’ may be as great as the external intruders, and therefore may be as harmful as the external sources of threats.

More often than not, employees within an organization exchange emails and files not related to works and business through the internal network and end up in flooding server’s capacity with irrelevant materials. What makes things worse is when these materials are offensive in nature for being, for examples, obscene, defamatory, or misrepresenting the truth about something. In online and multimedia context, this ‘offensive content’ is elaborated by section 211 of Communications and Multimedia Act 1998 (Malaysia) as those contents which are indecent, obscene, false, menacing, or offensive in character with intent to annoy, abuse, threaten or harass any person.

Meanwhile, unfiltered transfer of files from the Internet may also end up with electronic virus infecting the whole organization’s system. It is the real story that this virus infection could cost companies millions of dollars due to business interruption, lost informational assets, and system reparation.

Responsible managers and employers should stop these potential risks from turning into real catastrophe for their organizations from very beginning. Measures to manage and mitigate those risks should start right from the employment contractual instruments between employers and employees in the first place. The role of such instrument is critical as it can define initial limits and expectations upon the employees specifically in relation with company’s policy on networks and resources.

By signing this contractual instrument in the beginning, employees understand they are bound to comply by company’s rules and policies, any default of which would result in sanctions being taken against them. Such understanding in the initial employment contract should be provided in clear and unambiguous words in order to avoid misinterpretation; and, they have to be firm and workable too.

What is next? Employment contract normally need not be a long law document defining in every detail the dos and don’ts of the organization. Such objective should be ‘translated’ from initial contract documents into other company’s instruments such as Standard Operating Procedure (SOP), internal service level agreement (SLA), or company’s policy and best practices in relation with online activities, computer resources, email and Internet policy, as well as other ICT uses.

These internal instruments, together with the initial employment contract are important yardsticks that help companies and organizations define their expectations upon their employees’ compliance and practice in online workplace environment.

By: Sonny Zulhuda

Introduction

The massive use of internet and other appliances of information and communications technologies (ICT) at the workplace has intensified productivity through intensive communications between employers and employees as well as between a company and external parties including customers, clients, regulators, etc. Most workplace has now installed Internet and email system by which the employees and employers build their networks and communications both internally and externally. Electronic mail, or e-mail, is a boon to office communications. All employees can be notified instantaneously of important office matters. Phone messages can be logged on the computer and sent via e-mail. A message for someone in a meeting can be e-mailed.

However, what most employees fail to realize with respect to e-mail is that:

• They are probably not the only person who has access to their e-mail, despite the password protection;
• Electronic mail, even if deleted from their personal databases, can be saved in numerous forms by the computer’s own internal backup systems, or by the person to whom the e-mail is being sent.

There is arising concern on employees’ email surveillance that has been widely practiced by employers. This practice, while seen important for maintaining ‘due diligence’ of a company, gives rise to questions of intrusion to privacy.

Latest Survey on Email Surveillance

There are so far no figures reported on the email surveillance at the workplace in Malaysia. Nevertheless, a study of this in the U.S. would be very helpful in describing the trend that may arise and challenge us in the future. The American Management Association (AMA) conducts an annual survey of large organizations in the United States to determine the extent to which of these organizations monitor employee communications. The results of the 2001 survey reveal some interesting trends:

• More than three-quarters of major U.S. firms (77.7%) record and review employee communications and activities on the job, including their phone calls, email, Internet connections, and computer files. The figure has doubled since 1997, when first survey of this kind was conducted by AMA.
• The storage and review of employees’ e-mail messages has increased dramatically over the past four years. In 1997, 14.9% of organizations conducted such reviews, while the 2001 survey reveals that 46.5% of organizations do so.
• The number of companies conducting e-mail monitoring has increased significantly faster over the past four years than the number of companies that monitor other forms of communication, such as telephone conversations, voice mail, computer usage and overall telephone use.
• The only employee activities monitored more closely than e-mail communications are Internet use and telephone use. Sixty-two percent of companies monitor Internet use, while 43% monitor telephone use, looking at numbers that are called and time spent on the phone.
• More than 10% of the companies that conduct e-mail monitoring do not inform employees that they do so.
• Companies in the manufacturing and financial services industries, as a category, monitor e-mail with the greatest frequency, the survey found, while nonprofit organizations in the nonprofit sector monitored e-mail less often.

Reasons behind E-mail Monitoring

• Legal compliance

In regulated industries, taping telemarketing activities gives both the company and the consumer some degree of legal protection. Also, electronic recording and storage may be considered part of a company’s “due diligence” in keeping adequate records and files.

• Legal liability

Employees who are unwittingly exposed to offensive graphic material on colleagues’ computer screens may charge a hostile workplace environment.

• Performance review

Customer service and consumer relations personnel are frequently taped as they field calls, and tapes are reviewed with supervisors to evaluate and improve job performance.

• Productivity measures

Net surfing, personal uses of office emails, and/or dialing up numbers expend time and assets on non-business related activities.

• Security concerns

Protecting the value of proprietary corporate information is a primary concern in an age when email and internet connections continue to expand.

Implications

What are the implications of employee e-mail monitoring? For some employees, it will obviously be regarded as an intrusion of privacy. Given the good economy and the difficulty of finding and retaining qualified people, this could pose a problem for some employers. However, e-mail monitoring will likely end up being about as controversial as employee drug testing. The early reaction is anger, followed by compromise on the extent of its use, followed by its adoption as a standard business practice.

Email Surveillance and the PDP Law

By virtue of the proposed law on personal data protection (PDP), email communication can be aptly categorized as personal information by which a living individual can be identified either directly or with the help of other information. There are some practices involving email that falls under the scope of application of the PDP law:

• Email address may constitute a ‘personal data’ as described by the PDP law. The proposed law defines ‘personal data’ as “any information recorded… which relates directly or indirectly to a living individual who is identified or identifiable from that information.”

With this in mind, anyone communicate by email should know that they must not disclose other’s email address without consent or authorization of the data subject. This normally occurs when a person send a message to several persons at different email addresses at one time. In this case, each person will usually receive the message containing the addresses of other recipients. This has somehow constituted disclosure of a personal data of others. And the sender may be made liable under the PDP law.

In the U.S. this incident had once occurred in 2002 (Ely Lili’s case). In this case, the defendant is an online medical service company that regularly emails its customers on the information regarding the way to cure depression. One day one of its employees has sent an e-mail to the all customers revealing others’ email addresses that make them known to every single customer.

This is the subject of the complaint, that such revelation is a breach of the defendant’s own privacy policy protection. And, since the message is in connection with sensitive medical information, even an unintentional disclosure is a breach. As a result, the Company agreed to accept the settlement with the FTC.

• Email has been used by companies as a tool of collecting, processing and transferring personal data from customers, investors or even employees.

The PDP law requires any personal data collected, held, processed or used by a data user shall comply with all the data protection principles as set out in the first schedule of the draft law.

Thus, by virtue of this requirement, anyone who is using email to collect… etc., will need to ensure the nine principles of data protection, as well as preserving the rights of data subjects such as right to access and right to correct the data retained by data user.

• Email is often used for marketing and commercial purposes.

Commercial emails have been one of the most efficient tool relied upon in doing business at this e-commerce era. This is because commercial email can efficiently cut the cost of sending at the shortest time they could have, and it can reach worldwide market.

The problems would arise that many businesses do send their commercial emails without the consent of the target people. This is called unsolicited commercial email (UCE) a.k.a. spamming.The proposed PDP Act requires the marketers to acknowledge their targets that their emails were collected for specific purpose like marketing. And, once the commercial emails are sent, the sender should always notify the recipients that they can always request the sender to cease sending such emails.

Email Policy at Workplace

In summary, it can be noted that the use of email at workplace can give rise to many consequences, be they legal, reputational, or financial. For these reasons, it is suggested that every company or business and government entities should develop their own email and privacy policies. These policies should be written and notified to every individual at the workplace.

Here are some steps that can be taken as guidance:

• Develop company’s policy regarding the email use at the office. This can be done with the help of existing email and privacy policies of different entities, as well as consulting the provisions of law related, especially that of personal data protection law.

• It is useful to develop the policy that specifically prohibits email transactions for personal messages.

• The company may choose to consider monitoring system for the email that will enable the management to bypass the password setup and review employees’ messages in the event the need arises.

• The company is to inform employees of the email procedures in simple policy statement, as follows: “It is the policy of the Company that all electronic mail is for business purposes only and not to be used for personal, private messages of the employees. Furthermore, all electronic mail is considered by the Company to be work-related documentation produced within the course of normal business and may be reviewed at any time.”

• In order to maintain the system’s security, it is best to contract or outsource an outside computer consultant rather than have one of the employees set up the network and email system.

Bibliography:

Abu Bakar Munir & Siti Hajar, Privacy & Data Protection, Sweet & Maxwell Asia, 2002

American Management Association, 2001 AMA Survey on Workplace Monitoring & Surveillance, at www.amanet.org/research/pdfs/ems_short2001.pdf

Federal Trade Commissioner, at http://www.ftc.gov/opa/2002/01/elilily.htm

Frances Lynch, ‘Why your company needs written e-mail policy,’ at http://www.bcbr.com/jun96/mailcol2.htm

Tim McDonald, ‘U.S. Seeks Workplace E-Snooping Limits’, E-Commerce Times, July 21, 2000, at http://www.ecommercetimes.com/perl/story/3839.html

By: Sonny Zulhuda

Implications of Data Protection Laws to Business Organizations

Whichever approach being preferred, it is quite true to forewarn industries and business organizations that the legislatures worldwide are seeking even wider legal measures to protect personal information. It will someday come to the point where all matters will be regulated.

To enable continued business activities and growth, organizations needs to be alert of the legal risks surrounding the personal data protection. The legal fences being enacted will automatically reduce the organizations’ liberty to conduct activities previously enjoyed. Especially with ever increasing consumerism that keeps watching the industries, puts them in liability risks whenever principles of data collection and use is ever infringed. The lack of awareness in this aspect will certainly position them in high risk too. There seems no available option for business organizations other than to follow and comprehend the development of the law and safely avoid legal liabilities.

The education, compliance and operational activities will necessitate strategic palling and implementation. It has been noted that in most cases, companies are waiting to see the implementation of new rules and laws taking place, because the effort and expenses of conforming to the guidelines are not small. This ‘wait and see’ attitude by business organizations is a rather passive but very risky one. Instead, they should adopt more proactive and less risky measures in dealing with the liability risks of personal data protection. And this can only be materialized with the proper and strategic planning supported by strong awareness of the problem.

Other than that, financial consideration is among the utmost concern. The compliance to new rules of personal data protection in the US costs up to 30 dollar billions (Actonline.org, 5/8/2001). This is among other things due to the needs for awareness, administrative compliance, systems adjustment and other compliance matters.

For better understanding of the implications, organizations should drag their attention to the following aspects of risks:

Legal Liability Risk – The law (whether passed or proposed) on personal data protection prescribes rights, obligations and duties to be assumed by all parties involved in the personal data collections, use and management. The data user companies would therefore be affected. For the implementation of these rights and duties, the law regulates the manner of enforcement, and in event of contravention or neglect of those rules, the law provides for penalties, both for criminal and civil claims.

Financial Risk – Whenever there is new law, there must be new cost of implementation. In this case, personal data protection law prescribes that vast amount of data retained by companies would have to be re-administered in accordance with the new rules. New set of internal data privacy and security measures would need to be prepared. There is also substantial cost incurred in complying with the requirements of updating and notifying data subjects about their personal data and not less important costs for updating the information processing and computing systems to support the new mechanism.

Reputation Risk – Personal data protection law is so much related to the notion of good governance and due diligence. Especially because the law involves mainly rights of individuals that are involved in the business: employees, partners, investors, as well as customers. Thus the level of compliance to the new law will substantially influence the reputation enjoyed by them.

International Trade Risk – The non-awareness of the personal data protection law gives rise to some difficulties and barrier to a trans-border business. This is because the new law would restrict a trans-border data flow to countries without having adequate protection for personal data. At the same time, other countries’ legislation, e.g. that of European countries, also has similar restriction. Hence, personal data protection law can be a significant growth factor for international practice of businesses.

Dealing with Risk: Towards Personal Data Management

The privacy risks have been in important aspect of good practice for information security management. A close look to the international standard of ISO 17799 on information security reveals that it identifies some aspects closely related to the protection of privacy and confidential information as follows:

• Awareness of legal obligations
• Complying with the data protection law or equivalent
• Employees’ responsibility to protect confidentiality of data
• Respecting privacy in the workplace
• Establishing the task force for planning, developing and implementing good personal data policy

It is very crucial that organizations should understand first the position of laws that may implicate their business activities. Normally, persons responsible for Human Resources Management are to ensure that all employees are fully aware of their legal responsibilities with respect to their use of computer based information systems and data, especially that relates to the use and processing of personal information.

This presupposition shall also include the need to understand upcoming law on the subject. Like the case in Malaysia, the data protection bill has come to the picture for about four years, undergoing many changes due to comments and proposals from public at large.

This awareness of legal aspects of personal data is important so that users do not inadvertently contravene legal requirements. Familiarity with relevant legal requirements to their duties and functions should be a continuous requirement of the organization’s personal data policy. Data protection legislation normally covers all types of information which may be either in electronic form or held as manual records.

The legislation normally relates to the protection of the rights of individual persons. In many countries it also covers medical records although increasingly this type of information is governed by separate legislation. Internationally, Data Protection has become an important issue. This policy covers its relevance to staff and third parties. For confidential information, it shall be the practice that all employees are required to sign a formal undertaking concerning the need to protect the confidentiality of information, both during and after contractual relations with the organization. It is important for the organizations to create a culture of respect for employee’s privacy in the workplace. However, where the monitoring of employees’ online activity at work is perceived to be appealing for achieving business objectives, such monitoring shall be put in concise policy and clearly communicated to employees.

Finally, as part of creating ‘inner fences’ to the risk management, organizations shall consider establishing special team to plan, develop and execute series of necessary policies in relation with personal data protection.

A proper and comprehensive policy should consider all stages to be involved: preliminary, developmental and operational. The works shall begin with thorough analysis of the needs for awareness & education programs, IT system enhancement, administrative adjustments and associated financial implications. Among the key works to consider in developing the policies are:

• Review privacy policies in accordance with the prescribed data protection principles including email use policy, website terms and conditions, confidentiality in employment agreement and policy for customer relationship management.
• To review their practices of data matching and direct marketing;
• To make this policy available and accessible to all employees, clients, and potential customers;
• To develop sustainable security system to protect the personal data retained by the industries;
• To review the current practice of exchanging and transferring personal data with companies or individuals outside the border of their own country, especially those in the countries without specific adequate legal protection for personal data;
• To prepare code of practice for guidance in complying with requirement of the law, in an association representing the data users; and
• To provide mechanism that allows two-ways communications with consumers in relation with the use of their personal data.

Finally: Let the Business Continue

With the global profits and wealth that today’s information economy promises, business organizations surely do not want to miss the train. For this, they seek to ever redefining the way they run the business by adopting the advantage of information and communications technologies (ICT). These tools have been increasingly exploited in order to secure any single opportunities made possible by the information age.

The controversial part that pursues, however, centers at the clash of demands from the two different ends of the business: corporations and consumers. On one hand, corporations wish to secure as many informational assets as possible that include consumers’ personal information. On the other hand, consumers have now demanded for higher protection on their privacy right including right to control the flow and use of their own personal information. Because of this apparent controversy, in some part of the world, businesses are forced to make some adjustments on their dealing with personal data and information. This appears to be very crucial for them in order to win the consumers’ confidence.

The preceding discussion had reflected the complexity of this issue. Its clear understanding and working knowledge of associated risks management will determine the survival and growth of today’s business organizations. It is submitted that such knowledge will help organizations in creating the rules of game and best practices in relation with the collection and use of personal data that balances the interests of all parties involved in the game.

As the bottom rule one can say that personal data of individuals is a very important asset of business that would require proper management. Otherwise, these assets may just turn to liabilities.

By: Sonny Zulhuda

Legal Responses and Liabilities to the Personal Data Protection

The apprehension of consumers regarding the use of their personal data is increasing. A survey on March 2001 published by the Asian Wall Street Journal and Harris Interactive found that 73% Net users are concerned with their personal privacy on the Internet (AWSJ, 22/3/2001). This fact and many more similar surveys conducted worldwide brought policy makers to ponder on how, and to what extent, the state can make laws and regulations to protect people’s right to control the use and exploitation of their personal data in the networked world.

Questions as to which approach is more effective arise. And there are at least two different approaches being championed by different jurisdictions, and eventually inspired others in the world to adopt. The choice is between having state’s legislation to regulate this problem or to leave the Internet industries to regulate themselves. It is submitted that a working knowledge of those legal requirements is essential for parties in a business organizations involved with data systems that store or process the personal data of members of the public.

Personal Information: to regulate or not to regulate

In comparison to the industry’s self-regulation, which is market-friendly, the legislative measure mandates government to control the use and flow of personal data and information. It has been argued by private industries that such legislative approach does not only restrict their movement but also tend to reduce the potential benefits of electronic commerce.

The United States has not traditionally been among the leading jurisdictions with regard to protection of personal data privacy. Until recently, the European Community has been perhaps the most active jurisdictions on this subject. Legislations in the US were passed rather sporadically and not comprehensively addressing the general protection of privacy, let alone online privacy (Lessig, 1998). There are some laws that are passed to resolve certain particular problems of privacy.

The Privacy Act 1974, for example, is concerned about the misuse of burgeoning government databases on information about individuals. However, the principles for privacy protections that are brought out by this piece of legislation do not apply to private sectors (Henderson, 1999). In 1998, an important law named Children’s Online Privacy Protection Act was passed. It requires operators of web sites directed at children to obtain parental permission before collecting personally identifiable information from children under 13 years of age. This is said to be the only law that explicitly controls the privacy online (Hirschman). It nevertheless is aimed only to protect children.

Regarded as among the most important legislation passed in this subject is the Financial Modernization Act 1999, also known as Gramm-Leach-Bliley Act. By virtue of this Act, financial institutions are required to inform customers of how online and offline personal data is being used and by whom, with an opportunity to opt out of information sharing. This Act however does not apply to information sharing between subsidiaries and affiliates of a parent company. This Act took effect in July 1, 2001. Although many more draft legislations were introduced to the Congress, many have not survived the Congress committees. The only comprehensive piece of legislation passed by the Congress was the Children’s Online Privacy Protection Act that came into effect in 2000.

This situation is in contrast with that of most of legislatures of the European countries –including the European Union. These countries have passed strict and comprehensive set of rules governing the protection of individuals’ privacy in the sense of personal data protection. That is why Lessig has dubbed that a legislative response to the informational privacy or personal data protection is a ‘European’ response.

The European Community’s Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (‘Directive’) was adopted in 1995 and given effect and enforced three years later on 25^th October 1998. The Directive establishes a clear and stable regulatory framework to ensure both a high level of protection for the privacy of individuals in all member states and the free movement of personal data within the European Union. By fostering consumer confidence and minimizing differences between member states’ data protection rules, the Directive will facilitate the development of electronic commerce.

The Directive also establishes rules to ensure that personal data is only transferred to countries outside the EU when its continued protection is guaranteed, so as to ensure the high standards of protection introduced by the Directive within the EU are not undermined. The legislative approach in the protection of personal data and information is highly appreciated and adopted in most of European countries. The majority of them have specific and comprehensive national legislation on data protection, while some others are in the process of drafting and tabling the bills in the parliament. By 2002, more than seventy percent of the EU Member States have adopted and implemented the EU Directive on the Data Protection 1995 into their respective national law.

It is noted here that the existence of EU has made this trend widely and relatively easily accepted, because this economic union has binding power upon its members. It is due to this reason also that one hears of relatively few and minor resistance or objection from other parts of community within the Europe (e.g. the private sectors and liberal activists) compared to the continuing debate in the US on this issue.

All these approaches are bound to fail if the response to online privacy problems is taken partially, ignoring the global nature of it. Conflict of jurisdictions is already imminent in cyberspace issues, thus it should not be given the chance to widen.

The current negotiation between the US and the EU provides the best example. For many years since the enforcement of the EU Directive on Data Protection in 1998, Washington and Brussels have been trying to agree on trans-border data transfer from the EU countries to other than the EEA territories. The negotiations have been taking a long time and incurring substantial cost. This tension has lessened after the EU and the US agreed on Safe Harbor term, enabling data to be transferred to the US under specific conditions. However, though Washington and Brussels have agreed on certain terms, private industries in the US are still reluctant to join. They are not sure whether the agreed term would favor them in their business or otherwise (Informationweek, 25/6/2001).

On the other side of the continent, the European industries are of the view they are not confident of the legislative measures introduced in their countries. They point out that the American industries’ self-regulation seems to be more successful (Infoworld.com 24/1/2001). Apparently, with the existing disagreement on some practical aspects, the workability of Safe Harbor agreement remains to be seen.

Malaysia also sees the threat to online privacy as a global problem that necessitates international effort. Even though its Personal Data protection Bill has invited several criticism and comments, most critics agree that government should intervene in this issue. Being a progressive developing country, it is expected that movement of data will be substantial for Malaysia. The fact is the majority of South East Asian and Eastern Asian countries –the main export and import destinations for Malaysia- do not have any equivalent and adequate law on data protection. This will invite special concern as the PDP Bill restricts personal data to be transferred in cases like this. The workability and success of the law are yet to be attested, at least not yet until the law is passed by Parliament. However, Malaysia can learn from Europe, especially on the issue of trans-border data transfer.

Legal Principles on Personal data Protection

Although the US and EU approach legal measures in a different manner, there are nevertheless common principles of personal data protection that can be summarized. It is pertinent and very timely for every organizations engaged in collecting and processing personal data to understand the gist the ambit of the principles. The focal key points of the principles can be summarized in the following:

• Fair and lawful process of the personal data
• Restriction of data collection only for specified, explicit and legitimate purposes
• Principles of adequacy, relevance, and non-excessive use of the data
• Accuracy and completeness of the data
• Personal data to be retained no longer than necessary

In the term of American Industries self-regulatory approach, the principles are called Fair Information Practices that include the principles of notice and choice. That means, consumers should be given proper and adequate notices as to what the businesses do with their personal information. Furthermore, the consumers shall also be given choice as to whether or not they consent on such use(s) by the industries.