All government agencies, statutory bodies, and local authorities (PBT) using QR codes for registration are urged not to rely on unverified third-party QR code generators.
The Malaysia Digital Economy Consumer Organisation (MyDigitalConsumer) said all QR codes, whether generated via links, forms, or apps, must be valid, secure, and collect only necessary data.
The organisation also advised against using static QR codes for sensitive purposes, particularly those involving identity verification, personal information, or access to internal systems.
Agencies must conduct regular security audits and monitoring of all QR codes distributed to the public.
“These measures are essential to prevent malicious actors from exploiting public trust in official government transactions,” said MyDigitalConsumer.
The government continues to encourage integrated mobile applications to reduce dependence on multiple apps for the same department. Examples include:
- JPJ: MyJPJ, JPJeQ, JPJeBid
- Prasarana: MyRapid PULSE, Rapid On Demand, RapidBus e-Pass
An integrated approach helps reduce security risks from multiple apps sourced externally.
The guidelines apply to any department or agency using QR codes for official events, engagement sessions, public services, or transactions involving citizens’ personal data.
MyDigitalConsumer warned that insecure or low-quality QR codes expose users to cybercrime, including identity theft, data interception, fraud, financial loss, and banking account breaches.
All mobile app development and digital technology use by public agencies must comply with the Personal Data Protection Act (PDPA) principles, covering data notice and choice, limited disclosure, data security, storage, and disposal.
Even though certain exemptions exist for government agencies under the PDPA, voluntary and ethical compliance is crucial to protect users and maintain public trust.
Referring to a recent media report titled “Sessions Court Dismisses Maybank Customer Lawsuit Over Third-Party QR Code Losses”, the organisation noted that the case highlights the importance of strong digital security controls, as reliance on third-party QR codes can cause financial loss and legal complications for users.

