LEADER of the Opposition and Member of Parliament for Port Dickson Dato’ Seri Anwar Ibrahim has raised serious concerns citing the parliamentary Public Accounts Committee (PAC) hearing on March 24 this year regarding the alleged “sale” of the MySejahtera application (MySejahtera) to a questionable private company.
It was said that this transfer of ownership has been decided by the Cabinet on November 26, 2021, allowing the Ministry of Finance to approve the Ministry of Health’s (MoH) appointment of MySJ Sdn Bhd (MySJ) through direct negotiation.
This raises concerns on the fate of the vast personal data collected by MySejahtera and draws criticisms on poor governance standards.
The controversy surrounding MySejahtera’s questionable dealings is a symptom of poor transparency in what is clearly an issue that concerns the nation given its ubiquitous use by 38 million users, including Malaysians, non-citizens, and travellers.
Sensitive data could be at risk if there are regulatory and system loopholes, risking personal health information and other data to fall into the wrong hands.
For example, MySejahtera check-in data maps an individuals’ movement and location, forming a digital image of an individual’s preferences. Data is the “digital gold”, and data brokers can sell this highly sought-after information to the highest bidder.
Data may include personal details such as name, identity and contact number, associated health information (Covid-19 cases, close contacts, health status declarations, etc.), and vaccine certificates.
Medical data is a huge part of the multi-billion-dollar big data industry. Data buyers can range from policy researchers to pharmaceutical companies and advertising agencies.
There have also been reports of personal data crunched by controversial political consultants such as Cambridge Analytica. This is the same company that was allegedly involved with the United Malays National Organisation (Umno) during the reign of former prime minister Datuk Seri Najib Razak to influence voting in the 14th General Election in 2013.
The risk of subcontracting the handling of personal data to a private entity can be seen in 2018 when the government reportedly terminated the contract with Nuemera (M) Sdn Bhd—the private firm contracted by the Malaysian Communications and Multimedia Commission to manage telecommunications data—following the company’s alleged failure in safeguarding personal data of 46.2 million telecommunications services users.
Although Nuemera claimed police investigations have cleared them of any wrongdoings that contributed to the nation’s largest data leak case, the points and the risks such as sabotage and hacking remain true despite the existence of personal data protection laws.
Therefore, the ecosystem surrounding the handling of the data must be protected with proper governance processes and systems.
Despite this obvious need, MySejahtera was initially reported to have been developed without a contract by private company called KPISoft Sdn Bhd (KPISoft; now known as Entomo Malaysia) through a Corporate Social Responsibility (CSR) deal that started on March 27, 2020, and ended on March 31, 2021.
In September 2021, Prime Minister Datuk Seri Ismail Sabri Yaakob reportedly said that the government was
finalising payments to MySejahtera developers upon the expiry of the CSR period.
Even if this potential data security loophole i.e., proper procedure to ensure ownership and sufficient legal backing to enforce the protection of personal data was meant to be addressed by purchasing all rights from the original developer KPISoft, it should not have happened via direct negotiation to MySJ.
Accordingly, the sequence of events surrounding MySejahtera deals appears to be a form of a “CSR trap”, which could be a prelude to a lucrative contract without competition.
Echoing the PAC report dated December 1, 2021, what was initially thought of as the lack of an initial contract between the government and KPISoft, should allow the government to take over MySejahtera and its data without additional costs.
Instead, as reported by Code Blue, there was an agreement to transfer MySejahtera’s intellectual property (IP) and software license from Entomo to MySJ was via a 5-year, 3-month licensing agreement between the two parties on Oct 6, 2020, for a staggering cost of RM338.6 million.
Making matters worse, MySJ ownership has been reported to involve companies with potential political links or individuals that may require further scrutiny.
In an attempt to clarify the situation, a press statement by the MoH dated March 27 mentioned that on March 26, 2022, the Government has decided that the MySejahtera application is owned by the government and that the MoH has been appointed as the primary/main owner of this application for national public health management.
Despite prior reports of payments to KPISoft were being finalised, reports by Code Blue regarding the licensing agreement and that KPISoft incurred over RM47.8 million throughout its CSR commitment from April to November 2020, the MoH statement asserts that the government has never made any payments to KPISoft.
Yes, maybe not the MoH. But what about MySJ?
The MoH statement does not elaborate on other owners of this data, nor does it clarify what they meant by “decided” or how the government came to the decision that it owns MySejahtera without any payments ever being made.
Note that the MoH decided the ownership status post PAC hearing on March 24, 2022, as a response to widespread criticisms and questions spread in social media. One might wonder if the MoH would still have made the decisions and come up with statements if the PAC didn’t make the revelation or if the public didn’t make much noise.
Even if we take the MoH’s statement at face value, the question arises on data handling and ownership from
the time before March 24, 2022, or before the licensing agreement took place on October 6, 2020.
Notwithstanding the nature of licensing agreement, can data before these periods be guaranteed to not have fallen into the hands of third parties?
The MOH statement also asserted that MySejahtera data has always been under MOH’s "supervision" whereby data management follows MOH procedures and is subject to the Prevention and Control of Infectious Diseases Act 1988 (Act 342), the Medical Act 1971, and international standards.
The word supervision instead of ownership is peculiar, and none of these official statements necessarily confirms that the MoH owns the data. Data ownership and its protection must be spelled out in some form of agreement, backed by a combination of effective legislation, physical system structure, digital system design, and enforcement mechanisms.
The MoH statement mentioned the following:
• The government’s decision on November 26, 2021, then agreed that MoH forms a Price Negotiation Committee comprising members from related stakeholder agencies to undertake price negotiations and managing services of the MySejahtera application with the company for a period of two years, in line with procurement procedures”.
• The Finance Ministry (MoF), through a letter dated February 28, 2022, agreed to approve MoH’s request to undertake the procurement for the management of the MySejahtera application and was finalised at the stage of the MoF. This negotiation process has begun and MoH will make sure due diligence is carried out to ensure the government’s priorities.”
Firstly, we can only wonder how much a two-year contract for managing services of MySejahtera would cost given that IP and software licensing from Entomo to MySJ costs RM338.6 million.
These statements also indicate that there are only two actors now—the MoH and KPISoft/Entomo. If MySJ has no role, there must be categorical statements in response to the issues raised in the PAC hearing.
On the other hand, if MySJ was indeed the recipient of the alleged sale of MySejahtera from KPISoft/Entomo, was the transfer including user personal data? This is a valid question as it could involve the breaching of the Personal Data Protection Act 2010.
Also, procurement of data and systems was not specifically mentioned. Instead, “procurement for the management of the MySejahtera application” was mentioned.
Though this could be nit-picking on linguistic accuracy, the nuance in meaning is important. Buying the rights to manage the application may not be the same as buying rights to the data and systems.
The Health Minister appears to have realised that this categorical confirmation is missing in the MoH written statement and supplemented this by stating that MySejahtera is wholly owned by the government with the MoH as the primary/main owner, including all data received by MySj, through his Twitter account.
Assuming “MySj” means MySejahtera (and not MySJ Sdn Bhd), it would mean that the Health Minister himself confirmed MoH ownership of data without a third party/company being involved.
In addition to ignoring the topic of MySJ entirely, how can the MoH guarantee that only it has access to this data?
The MoH statement stated that MySejahtera data is uploaded daily to a cloud server network.
Where is the server and who owns it?
As reported in Code Blue, MySJ only acquires a license to the KPISoft’s software specifically for
MySejahtera “and does not acquire any other rights or ownership interests” under the 5-year licensing agreement. Specifically, the agreement “grants MySJ rights to use the KPISoft software to exclusively develop, own the application trademark for MySejahtera, and test and support the MySejahtera app”.
Note that owning the application trademark may not be the same as owning the application in its entirety.
This makes sense as the licensing agreement states that all rights, title, and interest in and to the KPISoft software, the trademarks, and the services, among others, shall be retained by KPISoft unless expressly provided otherwise in the agreement, as reported by Code Blue.
Therefore, how can the government guarantee that only the MoH has access to this data and that the data will not be accessible by the server owner/operator, and in this case, KPISoft/Entomo and MySJ?
In addition to raising further questions on data security and integrity, the lack of clarification on MySJ is baffling.
Are we supposed to just ignore the rest of the issues raised in the PAC report?
Or, is the MoH statement indirectly stating that these reports are untrue or never happened?
It has been reported that during the PAC hearing, an MoH official added that the best model for procuring the [MySejahtera] system is being negotiated, whereby the MoH must determine the system operator and maintainer should the MoH procure the entire MySejahtera system.
Therefore, was MySJ intended to be said operator and maintainer of MySejahtera? Again, this does not necessarily mean owning the data. Either way, if the sale/transfer did happen, why was it through direct negotiation?
This is particularly concerning given that there are valid questions surrounding the ownership of MySJ and KPISoft.
The directors of the MySJ reportedly include two founders of KPISoft, Raveenderen Ramamoothie and Anuar Rozhan, and also high-profile individuals with political and business links namely former President and CEO of Sapura Energy, Tan Sri Dato Seri Shahril Bin Shamsuddin, and Tan Sri Dato' Seri Megat Najmuddin who was a former UMNO disciplinary committee member and later Bersatu’s disciplinary board’s chairman.
Sapura Energy was reported to rake in a whopping net loss of RM8.9 billion, yet received an urgent appeal from the former prime minister Najib Razak to be bailed.
Shahril, Raveenderen, and Naveen Prashad Despande have been reported as directors in the company
Revolusi Asia, which holds the majority share in MySJ. Although not named as a director, Anuar also reportedly has shares in Revolusi Asia.
Anuar is apparently the brother of former Astro Malaysia Holdings Bhd group CEO Rohana Rozhan, who has allegedly profited from the 1MDB scandal.
All in all, people are innocent until proven guilty and there is such a thing as coincidence. However, it is also reasonable for people to wonder if this is a case of collusion between political and business cronies.
Other companies that own shares in MySJ include Hasrat Budi, which has individuals from a property developer as shareholders, and P2 Asset Management which has been reported to consist of young directors aged 26- to 29-year-olds.
Who are these individuals? What are the interests of a supposed asset management company and a property developer in MySJ?
An open tender process with good governance standards would ensure these alleged linkages and potential conflicts of interest are accounted for and flagged.
According to CodeBlue, both MySJ and KPISoft have the same registered address at Wisma Adiss Udarama Complex in Kuala Lumpur (KL) and the same business address at Q Sentral in KL Sentral.
The MoH statements that were meant to reassure the people of MoH’s data ownership, security, and privacy are insufficient and rely mostly on the people to simply trust in their word. If anything, it raises more questions than answers.
Furthermore, it also completely ignores the issue surrounding MySJ (and the people involved).
Now that the dispute between MySJ shareholders has been brought to light, will the warring entities withdraw the case and look to “directly negotiate” behind closed doors with the government again?
EMIR Research asserts the following points as the way forward for the authorities:
1. Ownership and access to data in MySejahtera must remain only with the MoH
2. There must be full transparency and due process with any dealings related to MySejahtera
3. Apply strictest governance and integrity standards when dealing with vast amounts of highly sensitive personal data
4. Investigate MySejahtera deals through an independent commission to ensure loopholes are addressed and prevent repeat cases in the future
5. Re-affirm that user personal data are fully protected and have not been transferred to any other parties
6. Ensure data integrity and privacy through sufficient legislative and systems (physical and digital) safeguards are in place
7. Clarify all statements and concerns raised in the PAC report, particularly on the “sale” to MySJ
Authorities must come clean over these questionable dealings, take steps to protect sensitive personal data, and clarify the situation once and for all.
Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.
** The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the position of Astro AWANI.
Astro Awani
Tue Mar 29 2022
Authorities must clarify MySejahtera's questionable dealings, protect sensitive information, and implement proper governance processes to avoid a case of "CSR Trap". - BERNAMA
ISIS Malaysia's perspective of Budget 2025
An excellent rakyat-centric budget under the overarching principle of a caring and humane economy.
Budget 2025: Record increase in STR, SARA aid initiatives
The government will provide a significant boost to the Sumbangan Tunai Rahmah (STR) and Sumbangan Asas Rahmah (SARA) initiatives next year.
Budget 2025: EPF contributions to be made mandatory for foreign workers – PM Anwar
The government plans to make it compulsory for all non-citizen workers to contribute to the Employees Provident Fund (EPF).
What policies to expect from Indonesia's new President Prabowo
Prabowo will be open to foreign investment, his aide has said, such as by offering investors management of airports and sea ports.
Budget 2025: Govt allocates RM470 mil to empower women's participation in PMKS
The Women's Leadership Apprenticeship Program will be intensified as an effort to produce more female corporate personalities.
Israel sends more troops into north Gaza, deepens raid
Residents of Jabalia in northern Gaza said Israeli tanks had reached the heart of the camp, using heavy air and ground fire.
Indonesia ramps up security ahead of Prabowo's inauguration
Prabowo Subianto will be sworn in as Indonesia's president on Sunday with Vice President-elect, Gibran Rakabuming Raka, also taking office.
Immediate allocation of RM150 mil for local authorities, DID to tackle flash floods
Datuk Seri Anwar Ibrahim said this allocation is intended to address the recent flash floods that hit the capital and several major towns.
Budget 2025: Sabah, Sarawak to continue receiving among highest allocations - PM
Sabah and Sarawak continues to be prioritised under Budget 2025, with allocations of RM6.7 billion and RM5.9 billion respectively.
NFOF will be operational in November 2024 with funding of RM1 bil
PM Anwar Ibrahim said NFOF will support venture capital fund managers to invest in startup companies with RM300 million set aside for 2025.
Minimum wage to increase to RM1,700 effective Feb 1, 2025
The Progressive Wage Policy would be fully enforced next year with an allocation of RM200 million, benefiting 50,000 workers.
Bursa Malaysia ends higher on Budget 2025 optimism
The benchmark index, which opened 1.85 points higher at 1,643.29, moved between 1,641.71 and 1,649.31 throughout the trading session.
Five important aspects relating to people’s lives in Budget 2025 - PM
The focus is on driving the MADANI Economy, speeding reforms, cutting red tape, raising wages, and tackling the cost of living.
Economic outlook: Govt plans to leverage, expand existing city transit system
The expansion aims to provide a more efficient and reliable public transportation network, reduce congestion, and improve accessibility.
Economic outlook: Budget 2025 to lay foundation for a digital-driven economy
The report said Budget 2025 will entail efforts to position Kuala Lumpur as a top 20 global startup hub by 2030 through the KL20 initiative.
Economic outlook: Corruption and lack of accountability hinder economic progress
Special Cabinet Committee on National governance is established to curb corruption, law reforms to modernise outdate regulations, MoF said.
National Wages Consultative Council will be strengthened
The govt will also incentivise hiring women returning from career breaks, offer job matching and improve care services facilities.
Economic outlook: Ensuring 11 years of compulsory education for all children
Budget 2025 will continue prioritising upskilling and retraining initiatives to equip workers with the latest skill sets necessary.
Consolidated public sector projected to record lower surplus of RM41.7 bil 2024
The MoF said the consolidated general government revenue is estimated to increase slightly to RM384.7 billion in 2024.
PM announces substantial Budget 2025 hastening Malaysia to become Asian economic powerhouse
Datuk Seri Anwar Ibrahim said it would create jobs and also tackle financial leakages to enhance public spending efficiency.