Computing Professionals Bill 2011 Preliminary Analysis

Disclaimer: I’m a registered engineer and a recent law student. I have been in the IT industry for 14+ years and been actively programming for 22 years.

TLDR: go straight to the conclusion at the bottom.

Someone has posted up the draft bill incorporating changes up to 22-Nov-2011. I’d like to put on my law school hat for a moment to read this draft bill and see whether it is screwed up in form and/or substance.

I remember from MLS class that a statute needs to be read in its entirety, including its long title:

An Act to provide for the establishment of the Board of Computing Professionals Malaysia and for the registration of computing practitioners, computing professionals, sole proprietorships, partnerships and bodies corporate providing Computing Services and for purposes connected therewith.

Sounds benign enough. No argument there.

Now, the critical part of the bill that everyone seems to have missed out in their over-zealousness to condemn the bill:

2.(1) This Act applies throughout Malaysia.
(2) This Act applies to the Critical National Information Infrastructure (CNII).
(3) Every Registered Computing Practitioner, Registered Computing Professional and Registered Computing Services Provider shall be subject to this Act.
(4) The Minister may, by notification in the Gazette, suspend the operation of this Act in any part of Malaysia or suspend the operation of any part of this Act

One hitch that I have with the bill is that it seems to empower the Minister with quite a bit of discretion in determining where the Act may or may not apply. But the important part is that the proposed bill seems to only apply to those sectors defined as CNII in the bill as:

“Critical National Information Infrastructure(CNII)” refers to those assets, systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on national economic strength or National image or National defense and security or Government capability to function or Public health and safety;

According to the NITC, CNII would cover a range of services:

  • National Defence & Security
  • Banking & Finance
  • Information & Communications
  • Energy
  • Transportation
  • Water
  • Health Services
  • Government
  • Emergency Services
  • Food & Agriculture

Okay, this seems like a pretty wide-ranging area, but it seems fair enough to me. You don’t want to have any random IT guy write the code running your government, do you? There’s still a lot of room to do business in areas such as manufacturing, education, entertainment, multimedia, business services, etc.

Part II of the bill covers the composition and administration of the Board. This is quite mundane and boring. It even mentions remuneration. Arrgh! The next interesting part comes in Part III Section 14, registration of a Practitioner (kinda like a Graduate Engineer).

14.(1) (a) Subject to this Act, a person who holds –
(i) the qualifications required for Graduate Membership of a professional body or organisation recognized by the Board, and the qualifications are recognised by the Board; or
(ii) any qualification in Information Technology or Computing which is recognised by the Board; or
(iii) any other qualifications, certifications or relevant experiences recognised by the Board,
shall be entitled on application to be registered as a Registered Computing Practitioner.

Sounds very fair to me. It does not seem to be limited to only IT graduates but S.14(1)(a)(i) seems to open the way for Electronics Engineers registered with the Board of Engineers to be admitted also as Practitioners. S.14(1)(a)(iii) even allows those without formal academic training but possessing relevant experience to be registered.

Again, this seems fair enough to me as long as they actually implement it. Now, onto the main sticking part (as this is the determining factor on whether one can get the big money or not) – the registration of the Professional:

14. (2) Subject to this Act, the following persons shall be entitled on application to be registered as a Registered Computing Professional:
(a) any person who is a Computing Graduate or any person who has other qualifications recognized by the board
(i) who has obtained the practical experience as prescribed under subsection (1)(b); and
(ii) who has passed a professional assessment examination conducted by the Board, or is a Corporate Member of a professional body or organisation recognized by the Board; and
(iii) who has paid the prescribed fee and
(iv) who has complied with all the requirements of the Board;
(b) any person who, on the appointed date, was a Corporate Member of a professional body or organisation, or held a professional qualification which the Board considers to be equivalent thereto;
(c) any person who satisfies the Board that he was practicing or was carrying on business or was employed as a bonafide computing professional immediately before the appointed date and who applies for registration within twelve (12) months of that date;
(d) any person who, on the appointed date, had obtained a qualification which would have entitled him to be registered as a Registered Computing Practitioner by virtue of paragraph (1)(a) and who, after that date, has obtained outside Malaysia a professional qualification which the Board considers to be equivalent to that required for membership of a professional body or organisation recognized by the Board or has passed a professional assessment examination conducted by the Board.

Now, s.14(2)(c) seems to be the back door in for existing IT guys while s.14(2)(b) seems to be the back door in for Corporate Members from other professional organisations. So, again, I wouldn’t break a sweat. Guys who are making a living as IT professionals at present would be entitled to register as a computing professional after the act comes into being.

I hope that they do recognise the ICT Tech and CEng registration provided by the UK Engineering Council to ICT guys. Don’t be like the engineers who choose to become jaguh kampung and not recognise others. We’ve got to open up the service sectors soon anyway.

Computing Graduate is defined as:

“Computing Graduate” means a person who has completed a computer science or equivalent degree programme of study.

Now, this will cheese many people off but it applies largely to future applicants who’re not existing IT pros. It would make the degree a basic requisite of becoming a Registered Computing Professional. This is where there might be issues as there are lots of IT guys who do not have a degree especially since most of their role-models (Bill Gates, Steve Jobs, etc) dropped out of school and never finished.

This issue needs to be seriously addressed. I do not want to see a scenario like that of engineers where even 3-year degrees are not recognised and those who do not have degrees are virtually denied the opportunity to become a GE because the graduate exams seem to have gone on a holiday.

But the main sticking point to me seems to be the registration of companies under s.15 as service providers and the restriction of their services to only specific fields under s.15(4). In engineering, there is a clear demarcation between civil, mechanical, electrical etc. Can the same be said of IT?

Take the case of deploying a secure web-site – the systems administrator sets up the web-server with SSL, the network administrator sets up the firewall, the programmer writes the code for the site, the database admin sets up a secure database etc. Yes, it is possible to separate the roles but what about people who can do them all?

I can personally do them all. Would that mean that I’d need to register as a Computing Professional under different categories? Would that even be possible or allowed? Or would I need to hire half a dozen guys just to do the work that I can do solo?

This is a question that needs to be clearly answered. Otherwise, we end up with the same random problems as the engineers, where an Electrical Engineer can sign for Electronics but not the other way around. Supersets and subsets of fields, though tempting, are not the solution to this problem.

Another sticky part is Section 19:

19.(1) In relation to section 2 no person shall, unless he is a Registered Computing Professional—
(a) practice, carry on business or take up employment which requires him to carry out or perform the services of a Registered Computing Professional;
(b) be entitled to describe himself or hold himself out under any name, style or title—
(i) bearing the words “Registered Computing Professional”, or the equivalent thereto in any other language;
(ii) using abbreviation after his name or in any way in association with his name subject to the approval of the Board;
(c) use or display any sign, board, card or other device representing or implying that he is a Registered Computing Professional;
(d) be entitled to recover in any court any fee, charge, remuneration or other form of consideration for any professional technology services rendered.
(2) Notwithstanding subsection (1) –
(a) a Registered Computing Practitioner may take up employment which requires him to perform Computing Services subject to the
i. work is carried out under the supervision or instruction by a Registered Computing Professional, or
ii. similar work scope has been carried out by the Registered Computing Practitioner before.
(3) A Registered Computing Professional may only provide Computing Services in the disciplines or specialisations of Computing he is qualified to practise and as is shown in the Register under subsection 12(2).

Most of this section is pretty reasonable: s.19(2) essentially covers supervision, and s.19(b)-(c) protects the use of the title for only those properly registered. This is merely to protect and distinguish those who are qualified versus those who are not.

Now, s.19(1)(a) and (d) seem to be the part that most people are screaming their lungs off about. However, it has to be read together with s.2, which limits the applicability of s.19: the bar on anybody who is not a Registered Computing Professional providing services and charging fees applies only to services to the CNII industries.

But there’s a catch – they are not legally allowed to simply practice it! The trick lies in the definition of practice. According to my legal dictionary, this means:

1) n. custom or habit as shown by repeated action, as in “it is the practice in the industry to confirm orders before shipping.”
2) n. the legal business, as in “law practice,” or “the practice of the law.”
3) v. to repeat an activity in order to maintain or improve skills, as “he practices the violin every evening.”
4) v. to conduct a law business, as “she practices law in St. Louis.”

While this is specific to law, if we were to use it as an analogy and replace the words with computing, we get a scary meaning. This means that even working on free hobby open-source projects for the purpose of improving skills, may be construed to be breaking the law. This seems particularly onerous and as an OSS advocate, I cannot agree to it.

I can understand it if you want to protect these services if there is money involved but when there’s no money involved, one should be free to practice their own craft if they wish to, even if they are not certified as such. Otherwise, it would essentially limit their fundamental freedoms particularly since much of IT is developed through practice.

Part IV is administrative law – the disciplinary committee. Even more boring shit.

Uh-oh! I just spotted an ouster clause! S.39(1) and S.42 essentially protect the Board and anyone else involved in the administration of this law from being sued while carrying out their duties. Does this mean that judicial review would only be limited to procedural aspects of the law?

Alright. It’s almost 2am and I’ve spent several hours reading law today. Tort is giving me a headache.


Conclusion

Some feel that the definition of CNII covers too broad an area, which it actually doesn’t. It is very clear that it covers only critical areas where the destruction would endanger national interests, the keyword being destruction. So, not everything under the sun will fall under CNII. There is still plenty of room to make money.

Furthermore, it seems that there is a clause to allow existing computing professionals to be eligible for registration without many additional requirements. There also seem to be back doors to allow registered professionals from other bodies to be transferred in. So, this seems a non-issue as well.

One sticky issue would be for future registrations, where one would presumably need to get a CS or equivalent degree. This wouldn’t be so much of a problem if all the IT role-models actually finished school. Most of them never did. This should be looked into.

However, the part that restricts a non-registered person’s practice of IT is particularly onerous. Since the development of IT is largely through practice, this clause would severely limit the development of the IT industry in Malaysia. This is the part that I think the drafters failed to appreciate.

IT needs fewer restrictions to develop. I think that the best solution to this problem would be to ‘live and let live’. Allow non-registered persons to practice whatever they want, particularly if they’re not going to charge any money for it. IT development needs the room for experimentation; otherwise, it will die.

I’ve not yet looked into how this will affect FDI and whether the companies would need to be owned by a Registered Computing Professional, which might just have to be a Malaysian. I’m also not quite sure how companies like Intel would respond to this. Microsoft might lobby to get its MCSE recognised. Still lots more to consider for another blog.

Leave comments and let me know if there’s anything else that I missed out.

Published by

Shawn Tan

Chip Doctor, Chartered/Professional Engineer, Entrepreneur, Law Graduate.

6 thoughts on “Computing Professionals Bill 2011 Preliminary Analysis”

  1. Be a bit careful of the CNII clause. In the info comm part, does it mean infrastructure is involved? If so, how about web server software? And guess what, the govt did use Apache, and it is open source, and it has many contributors, many of whom don’t have a formal degree…

    To continue on, if you want to talk about finance, how about applications that need to interface with Bank Negara, such as your payment gateway?

    IT is full of software that interfaces with many different systems and is used in many different places. In fact, chances are there is a lot of software/hardware that is used in ways it was not intended to be. 3D simulation software ends up in games. Graphics cards end up increasing performance for finding a cure for cancer. Smartphones end up handling payment (look at NFC). P2P that is used in supercomputers ends up as a technique for efficient transfer of files.

    Unintended usage is the norm in IT. We’ve got a name for that; it is called scope creep. Even if the term CNII is more specific, there is no guarantee that software that is not for CNII usage will not end up being used in one.

    1. Agreed that the CNII needs to be clearly defined. I agree with the unintended uses part. That’s why I am not happy with the fact that even ‘practice’ is being regulated, which is a bit too much and IT actually develops through use. So, it will unintentionally stifle innovation.

      With regards to the OSS point, the proposed law can be applied as it doesn’t affect foreigners and only the local contributors to Apache need to be RCP. Then, the vendor that sells the system running Apache would need to be RCSP. So, they can work around it. However, I am not happy with the part where contributions to OSS will also be regulated by the law if it falls under the CNII area.

  2. This shall be my last post here.

    A lot of open source projects DO NOT IMPOSE any restrictions on contributors. What makes you think that a country can do that?

    Second, it is another slippery slope. Once a programmer sets up an environment, he has access to everything. A C programmer can write a version of a webserver; a Python/Ruby dev can do so with fewer lines. Because everything is there to be used. What is a govt to say that a programmer cannot use that? If you need a web application, everything that can be used to write anything comes with the package. In theory, a person can rewrite an operating system because, again I say, a programming environment comes with the whole package to do everything.

    1. Please do not confuse points of law with technical issues.

      It is true that OSS does not impose restrictions on contributors. As a real OSS advocate and active contributor to the OSS community, with real OSS products in the market, I totally understand OSS and embrace it as a business model for my company.

      I thought I had made it clear that I’m a hardcore techie and active programmer for 20+ years. 🙂

      However, what I am raising now are points of law, not technical issues. That’s because I’m also a law student and I’m viewing this through different points of view.

      Not all regulation is necessarily bad. Law can be good or bad. OSS would not be possible without strong regulation – particularly copyright law. Without that, none of the OSI licences can be enforced.

      So, the bigger question that I’m thinking of now is whether the CPB2011 can be made into a law that actually encourages more freedom (like OSS) instead of restricting it. Now, that’s the legal headache.
