Pangkalan Data Utama (PADU) is going live on 2nd January 2024. The government is urging Malaysians to register and update their information on the central database hub by the end of March 2024.
What is PADU and what is it for? And most importantly, how is the data collected and what are the safeguards to protect your data from falling into the wrong hands? Ahead of the official launch, here’s what we know so far.
What is PADU?
PADU is aimed to be a central database system which combines data from various government agencies under one roof. As mentioned by Prime Minister Anwar Ibrahim back in May 2023, the data the government has is incomplete and it is hard to formulate good policies and plans for the public with improper data.
Managed by the Department of Statistics and several other agencies, PADU aims to help find, keep and store data better which will then aid the government in providing holistic data to implement targeted subsidies and social protection.
As shared by Domestic Trade and Cost of Living Minister Datuk Armizan Mohd Ali, Malaysia has spent RM81 billion on subsidies in 2023 alone and there’s a need to distribute it fairly to those in need. He said the effective identification process through PADU will enable the government to ensure that the subsidies reach the intended target groups and are not misappropriated by irresponsible parties to gain profit.
With the implementation of PADU, the government aims for a more focused distribution of subsidies, which also covers the number of dependencies and locations. It is moving away from the general income categories such as B40, M40 or T20 to disburse subsidies which doesn’t give a true picture of household disposable income.
Minister of Economy Rafizi Ramli said in May, “Once we get to that level (household net disposable income), we will get a clearer picture of the net disposable income’s comparability for households, and that will allow us to refine any government programmes and target subsidies accordingly.”
To entice users, Rafizi announced last week that there will be some freebies for early bird users of PADU. The first 3,000 users will receive an Enhanced Touch ‘n Go card with NFC functionality as well as discounts to shop at Mydin. Details of the redemption of these benefits are expected to be revealed during the official launch.
[ UPDATE 2/1/2024 10:30 ] Here’s where you can redeem your Touch ‘n Go NFC card from PADU.
The PADU portal will be accessible here.
Who is behind the development of PADU?
Countering critics, Rafizi said PADU is fully developed by civil servants from the Ministry of Economy, Department of Statistics Malaysia and the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU), as well as all other agencies. He said the development is by the expertise of the entire civil servant and it doesn’t rely on consultants or external contractors.
When asked about the cost of development, Rafizi said there are two parts to it. He said the manpower cost is “free” because it is built by civil servants who have spent the last 7 months developing it on top of their existing tasks. The second cost is for server and bandwidth which amounts to a few million ringgit and it taps into the existing budget allocated by the government for 2023 and 2024. He said the hardware cost itself is RM2 million for a start.
What happens if you don’t sign up for PADU?
Malaysians are given until 31st March 2024 to update and validate their details on PADU. However, PADU isn’t compulsory and Rafizi has confirmed that no action will be taken if you opt-out.
He reminded that PADU is using information that’s readily available in all government databases to gauge the household profile and the information will determine their eligibility for subsidies. Malaysians are urged to register and update their information to ensure that they won’t be left out of future initiatives by the government. He said the public must not “be mad at the government” if they do not receive the targeted subsidies after they choose to opt out of the database.
When asked about underserved communities especially those living in rural areas without connectivity, DOSM said there will be onground outreach programs that will assist with the manual registration for PADU. The manual registration can be carried out at Digital Economy Centres (PEDi), district offices and government offices.
PADU requires eKYC during registration
From what we know so far, PADU will collate all data about you from over 270 existing government databases of various agencies. This means you do not need to fill up any new information if the presented data is correct and up to date. All that is required is for you to check and update the information especially when it comes to your income and dependency.
According to PADU’s FAQ, the registration process requires an e-KYC (Electronic Know your customer) process to verify if the person is you. Until the portal is open for registration, we still don’t know how this eKYC process will be carried out. The verification process is crucial as giving access to the wrong user will be detrimental as it is a central database containing all of your information from various government agencies.
It is not clear if PADU will require users to take a selfie and a photo of their MyKad for verification purposes. If they do, hopefully, it adheres to industry standards to prevent any potential data breaches involving photographs of IC. Back in 2022, a 67GB database containing eKYC photos of Malaysians purportedly from the Election Commission was put on sale for USD 2,000.
The PADU FAQ also mentions that MyDigital ID will be integrated with PADU at a later phase. This seems to be a missed opportunity as PADU could have been the perfect first use case to get Malaysians to use MyDigital ID. Since MyDigital ID is a digital extension of an IC, users can immediately log in to PADU without an additional eKYC verification process. Of course, an initial enrolment process with fingerprint verification at a kiosk would be required but at least it is a one time process.
How secure is PADU? How will the govt protect your personal data?
When asked about data protection, Rafizi said the ownership of data still belongs to the respective government agencies. For example, your IC details still fall under the National Registration Department. He said all data used by PADU is still governed by existing Acts of the respective government departments or agencies. In the meantime, they have data-sharing agreements between the agencies so that they can share data.
Rafizi has shared that the government is going to put forth an Omnibus Act which will enable data sharing among all government agencies via Padu. At the moment, he said data ownership is still by the respective agencies but PADU will still be owned and managed by the Department of Statistics.
During the press conference, Rafizi said all the collected information obtained would be placed into a data lake and the process is mostly done via Secure FTP. To ensure the records are up to date, the respective agencies will provide the data periodically. Once the PADU portal is open, he said users can update at any time.
However, going forward, he said the idea is to start developing as many APIs as possible. He said the current method of using FTP can be almost real-time depending on the frequency of the data submission by the agencies. Rafizi explained that with an API, if an individual for example has changed employment, the new income recorded by EPF will automatically be updated to PADU.
The current PDPA excludes government
Malaysian Digital Economy Corporation (MDEC) Chairman Syed Ibrahim Syed Noh also said recently that Malaysians should not be concerned about data collected under PADU as it is regulated by existing laws. He said the Omnibus Bill would also be tabled by the government and it would be able to prevent any abuse by irresponsible parties.
As quoted by Bernama, he said “So there won’t be a situation where the data will be misused (in) scams and such. To me, it cannot happen easily now, as there are laws that regulate such matters.”
The lingering concern is the current Personal Data Protection Act (2010) in its current form which does not apply to federal and state governments under Section 3. In the past few years, there have been several data breaches involving government departments in Malaysia and the lack of accountability over these incidents doesn’t inspire confidence that the current laws are effective.
The latest confirmed incident just happened last month where PERKESO was attacked and a database containing personal details including phone numbers was put on an online forum. As we all know, personal data can be misused for phishing scams and most Malaysians would have received a scam call impersonating authorities every now and then.
Lawyers have been calling for PDPA to be amended soon to hold government agencies accountable for future data breaches. While PADU’s objective to channel subsidies to the right people is a good one, the amount of data it holds necessitates greater responsibility and accountability to ensure everyone’s data is safeguarded at all times. We’ve all heard it before, “With great power comes great responsibility.”
