Ideas: MySejahtera episode poses questions about data privacy

This article first appeared in Forum, The Edge Malaysia Weekly, on April 25, 2022 - May 01, 2022.

Reports have emerged in recent weeks over the potential mishandling of the MySejahtera application, a national-level mobile application used to monitor the Covid-19 outbreak in Malaysia. These reports have caused a public outcry over issues such as transparency in public procurement and data privacy. This is Part 1 of a two-part article that aims to dissect the controversy through a series of questions and answers.

1. What is the MySejahtera issue all about?

During the first outbreak of Covid-19 in Malaysia in early 2020, the government approved a mobile application-based solution developed by KPISoft Malaysia to be made into a national-level app to monitor the spread of Covid-19 in the country. This app, now known as MySejahtera, was developed by KPISoft Malaysia on a corporate social responsibility (CSR) basis and no payment was required from the government for one year. In late 2020, KPISoft Malaysia, now known as Entomo Malaysia Sdn Bhd, entered into a licence agreement with MySJ, a recently incorporated company used as a special vehicle for the commercialisation of the app. The agreement sees Entomo Malaysia transferring the intellectual property of the app to MySJ and granting MySJ the software licence, all for RM 337.6 million. Since then, Entomo Malaysia proposed to the government to commercialise the app by establishing a digital services ecosystem on MySejahtera through a public-private partnership (PPP) or service contract between the government and MySJ. The recent outrage arose when the government’s plan to sell MySejahtera to a private firm via a direct tender was disclosed at a Public Accounts Committee hearing. These revelations sparked confusion and concerns about the lack of transparency regarding the ownership of the MySejahtera app and the protection of private data of more than 38 million users nationwide.

2. Who actually owns the MySejahtera app and all of our data now?

Following the outrage, Minister of Health Khairy Jamaluddin reiterated that the MySejahtera app and its data still belong to the government, despite the previous agreement on its intellectual property and software licence. However, the share sale agreement on Aug 27, 2021, with respect to MySJ states that the original equipment manufacturer (OEM) software licence agreement between Entomo Malaysia and MySJ grants MySJ an exclusive, sub-licensable, and perpetual licence to the MySejahtera app, as well as a non-exclusive, non-transferable, non-sub-licensable right and perpetual licence to use the KPISoft software. The agreement specifies Entomo as the developer and legal beneficial owner of the MySejahtera software and MySJ as the owner of the platform, through which the MySejahtera app operates for the government to manage the Covid-19 outbreak.

With that, there seems to be a direct contradiction between what Khairy said and what the share sale agreement states in relation to the ownership of the MySejahtera app and its data. To further address the issue of ownership, Khairy told Dewan Negara that a non-disclosure agreement (NDA) had been signed between KPISoft and the National Security Council on April 1, 2020, stipulating that the ownership of all data and information obtained through the app usage remained the absolute and whole property of the Malaysian government. Until now, it remains unclear as to who actually owns the data as the various sources seem to contradict one another.

3. Why should we care about this issue? How will it impact you and me?

The MySejahtera app collects data from over 38 million registered users, including the majority of the country’s overall population, due to the public check-in mandated by the government. It is important to note that the consent granted by the 38 million MySejahtera registered users was for the Malaysian government to collect personal data for contact tracing purposes, and not for a third-party private entity.

These data include information such as IC number, contact number as well as data from health assessments. Furthermore, the app also collects private data such as where you live, where you go and when, as well as whom you meet with. These private data can be used to accurately track and predict your whereabouts and map out your spending habits or behavioural patterns. In other words, your private data is not just digits. It represents your personal identity, your life and those around you.

Such information is very valuable and can be misused or exploited if it lands in the wrong hands. For example, your data can be sold and traded by private companies to third parties and advertisers for their own profits without your direct consent. Regardless of whether these personal data are private- or government-owned, the lack of proper data protection may lead to an increased risk of targeted crimes, scams and fraud by cybercriminals. These risks have serious implications for the physical and financial security of you and your loved ones. Hence, it is right to care not just about who owns your private data but also how it is being protected.

4. What are the laws that govern data protection and consumer rights in Malaysia? And under what circumstances is MySejahtera mandatory?

What concerns Malaysians, and MySejahtera users in general, is the legal protection afforded, especially in relation to data protection and their rights as consumers. As you may know, the MySejahtera app collects personal data, which is obtained with the consent of the user. Users are also required to grant permission for their location to be identified, and the recent Bluetooth feature update allows close proximity to be observed.

This authorises the government to learn about users’ whereabouts, although the MySejahtera Privacy Policy states that check-in data is stored for 90 days before disposal. Arguably, this is at odds with global best practices: in Norway, for instance, location data is only stored for 30 days, and in Singapore, the TraceTogether Bluetooth data is stored for no longer than 25 days. This raises questions about users’ movements being observed for a relatively long period of time, which could potentially breach privacy.

In Malaysia, there is an absence of a law that governs our right to privacy. However, our personal privacy and data are protected by the Personal Data Protection Act 2010 (PDPA 2010), and although the scope is narrow, the government has assured us that the collection of personal information of MySejahtera is aligned with the PDPA 2010. It is important to note that personal data is not equivalent to privacy as privacy is concerned more with the right to freedom of movement without being tracked.

Nevertheless, there were some instances where users raised concerns about possible data leaks where they received spam emails and one-time passwords (OTP) from the application’s helpdesk. Malaysia’s National CyberSecurity Agency (NACSA) in its initial investigations found that there was a misuse of the application programming interface (API). It was reported that the MySejahtera team had then blocked the API for MySejahtera for security. It can be assumed that the safety of MySejahtera was once in jeopardy, and external parties should be hired to audit how the government handles users’ data.

Although the MySejahtera app has a Privacy Policy clause that states personal data information is provided with consent and is therefore voluntary, users are somehow “forced” into entering their information, which is made mandatory due to the standard operating procedures (SOPs) that fall under the ambit of Prevention and Control of Infectious Diseases Act 1988. Deputy Health Minister Dr Noor Azmi Ghazali assured that personal data collected is treated as a piece of confidential patient information protected under the Medical Act 1971.

The Malaysian government should be concerned about possible lawsuits. For instance, in California, a lawsuit has been filed against the application developer, Google, which allegedly exposed users’ data and violated privacy laws. Pennsylvania, on the other hand, was served a federal lawsuit over a data breach concerning thousands of users’ personal information, which includes phone numbers and medical information. Hopefully, this serves as a wake-up call to the government, as issues concerning personal data are not something that should be taken lightly and security measures should be tightened.

This article was produced by the research team at the Institute for Democracy and Economic Affairs (IDEAS), a think tank based in Kuala Lumpur.
