
KUALA LUMPUR: Mobile phone data (MPD) has become a focal point of debate in Malaysia. Public concerns over privacy, surveillance and consent are valid, especially in a country that has experienced high-profile data leaks. Yet these concerns risk overshadowing the immense potential of MPD when it is handled ethically, transparently and within the boundaries of the law.
According to data governance and cybersecurity expert Datuk Husin Jazri, when MPD is properly anonymised, with personal identifiers removed, and aggregated into larger datasets, it cannot be traced to specific individuals.
"It does not reveal the content of calls, messages or browsing history. In this form, it becomes a powerful tool for the public good," he wrote in his recent opinion piece.
"Globally, responsibly managed MPD has supported data-driven governance. During the Covid-19 pandemic, aggregated mobility data was widely used to understand population movement and inform public health responses. In several countries, similar data has been applied to support tourism management, manage seasonal travel patterns and reduce congestion.
"In Malaysia, MPD could help identify underserved communities, optimise transport routes, guide emergency response and enhance tourism strategies, but only if public trust is secured."
He added that the central concern for the public is not whether MPD works, but how it will be used.
"Without a clearly stated purpose and open communication, even well-intentioned initiatives can invite suspicion. Transparency must therefore be the first principle of MPD governance," wrote Husin, an Associate Professor at the School of Computer Science, Faculty of Innovation & Technology, and Director of the Global Centre for Cyber Safety at Taylor's University.
"Those collecting or processing data should clearly articulate the purpose, scope and safeguards before any collection begins. If the objective is to reduce traffic congestion, improve rural connectivity or strengthen tourism planning, this should be communicated openly, supported by impact reporting and visible accountability. Such openness strengthens public confidence and reinforces compliance with the Personal Data Protection Act (PDPA)."
Husin said consent in this context does not mean individual approval for each anonymised dataset.
"Instead, it is embedded within the contractual relationship between the public and their service providers. Telecommunications companies, bound by the PDPA, have a responsibility to safeguard subscriber data. Where third parties require access, they should receive only aggregated and anonymised datasets processed by the telcos themselves, ensuring that no personally identifiable information leaves the organisation."
He warned that even anonymised data can be misused if handled carelessly. Inference, where anonymised datasets are cross-referenced with other sources such as closed-circuit television footage, can lead to re-identification.
"This is why anonymisation must be paired with aggregation. Together, these safeguards reduce risks and protect against abuse.
"Those handling MPD should position themselves as guardians of privacy, setting strict standards for anonymisation and aggregation before any data exchange takes place. This ensures that systems are designed to protect citizens, not threaten them."
Husin said international best practices increasingly emphasise privacy-by-design, independent oversight and transparency in data governance.
"Countries that have embedded these principles into their legal and institutional frameworks have been more successful in building public trust and enabling the responsible use of data for public benefit," he added.
He said that in Malaysia, the perception that PDPA obligations apply more strictly to private companies than to other entities undermines trust.
"For public acceptance, all parties, public or private, must be held to the same standards of transparency, accountability and fairness. Policies introduced for the public good should apply uniformly, without exception.
"To further strengthen trust, oversight should be managed by an independent data privacy commission instead. Such a body would ensure equal enforcement without fear of bias, political influence or selective application of rules, while signalling Malaysia's commitment to impartial governance and the highest level of data protection."
Looking ahead, Husin said anonymisation should be irreversible, and that data storage and deletion protocols must be strictly enforced.
"Independent audits should verify compliance. These are not merely technical measures; they are ethical commitments to use data only for its intended purpose, protect it from misuse and dispose of it responsibly."
To unlock MPD's full potential, Husin said Malaysia must publicly declare the purpose of data collection, ensure that telcos handle anonymisation and aggregation, apply equal legal and ethical standards to all parties, and implement independent oversight for compliance.
"Handled with strong safeguards and transparency, MPD can drive smarter investments, improve public services and strengthen long-term economic resilience while protecting privacy. Malaysia's strategic location, cultural diversity and digital ambitions offer an opportunity to lead the region in ethical big data use.
"By applying fairness, openness and consistent governance, mobile phone data can shift from a source of concern to a valuable national asset, supporting better infrastructure, stronger tourism and shared prosperity," he said.
