CSR trap: Just come clean on MySejahtera’s dealings (Part 1)

OPPOSITION Leader Datuk Seri Anwar Ibrahim recently raised serious concerns at the Public Accounts Committee (PAC) hearing on March 24 regarding the alleged “sale” of the MySejahtera application to a questionable private company.

It was said that this transfer of ownership had been decided by the Cabinet on Nov 26 last year, allowing the Finance Ministry to approve the Health Ministry’s (MOH) appointment of MySJ Sdn Bhd (MySJ) through direct negotiation.

This raised concerns about the fate of the vast personal data collected by MySejahtera and drew criticism for poor governance standards.

Yesterday, Bernama quoted Health Minister Khairy Jamaluddin as saying that the Government would opt for another vendor if it cannot get a fair deal with MySejahtera licence holder MySJ Sdn Bhd, as the data collected by the application is still owned by the Government. 

He stressed that the Government was still negotiating with MySJ on the terms and subscription of the application. 

“We have not concluded the negotiations [with MySJ]. We are still in negotiations and once the negotiations are done, we will inform what the basis of the contract… is but we have to regularise the services that they provide. 

“I can tell you for the fact that the amount that we are negotiating with MySJ is much, much lower than RM300 million… far lower,” he was quoted as saying. 

Nevertheless, the controversy surrounding MySejahtera’s questionable dealings is a sign of poor transparency in what is clearly an issue that concerns the nation given its ubiquitous use by 38 million users, including Malaysians, non-citizens and travellers.  

The real issue here is that sensitive data could be at risk if there are regulatory and system loopholes, allowing personal health information and other data to fall into the wrong hands.

For example, MySejahtera check-in data actually maps an individual’s movements and locations, forming a digital image of that individual’s preferences. Data is the “digital gold”, and data brokers can sell this highly sought-after information to the highest bidder.

Data may include personal details such as name, identity and contact number, associated health information (COVID-19 cases, close contacts, health status declarations, etc.) and digital vaccine certificates. 

Medical data is a huge part of the multi-billion-dollar big data industry. Data buyers can range from policy researchers to pharmaceutical companies and advertising agencies.

There have also been reports of personal data crunched by controversial political consultants such as Cambridge Analytica. This is the same company that was allegedly involved with UMNO during the reign of former prime minister Datuk Seri Najib Razak to influence voting in the 14th General Election. 

The risk of subcontracting the handling of personal data to a private entity can be seen in 2018 when the Government reportedly terminated the contract with Nuemera (M) Sdn Bhd—the private firm contracted by the Malaysian Communications and Multimedia Commission (MCMC) to manage telecommunications data—following the company’s alleged failure in safeguarding personal data of 46.2 mil telecommunications services users. 

Although Nuemera claimed that police investigations had cleared it of any wrongdoing that contributed to the nation’s largest data leak case, the case points to risks such as sabotage and hacking that persist despite the existence of personal data protection laws.

Therefore, the ecosystem surrounding the handling of data must be protected with proper governance processes and systems. 

Despite this obvious need, MySejahtera was initially reported to have been developed without a contract by a private company called KPISoft Sdn Bhd (KPISoft; now known as Entomo Malaysia) through a corporate social responsibility (CSR) deal that started on March 27, 2020, and ended on March 31, 2021.

In September last year, Prime Minister Datuk Seri Ismail Sabri Yaakob reportedly said that the Government was finalising payments to MySejahtera developers upon the expiry of the CSR period.  

Even if this potential data security loophole (i.e., the absence of a proper procedure to ensure ownership and of sufficient legal backing to enforce the protection of personal data) was meant to be addressed by purchasing all rights from the original developer KPISoft, it should not have happened via direct negotiation with MySJ.

Accordingly, the sequence of events surrounding the MySejahtera deals appears to be a form of “CSR trap”, which could be a prelude to a lucrative contract awarded without competition.

Echoing the PAC report dated Dec 1 last year, the lack of an initial contract between the Government and KPISoft, as was initially understood, should have allowed Putrajaya to take over MySejahtera and its data without additional costs.

Instead, health portal Code Blue reported that the transfer of MySejahtera’s intellectual property (IP) and software licence from Entomo to MySJ was made via a five-year, three-month licensing agreement between the two parties dated Oct 6, 2020, at a staggering cost of RM338.6 mil.

Making matters worse, MySJ ownership has been reported to involve companies with potential political links or individuals that may require further scrutiny. 

Attempting to clarify the situation, MOH said on March 26 that the Government had decided that the MySejahtera application is owned by the Government and that MOH has been appointed as the primary/main owner of this application for national public health management.

Despite prior reports of payments to KPISoft being finalised, and despite Code Blue’s reports regarding the licensing agreement and that KPISoft incurred over RM47.8 mil throughout its CSR commitment from April to November 2020, the MOH statement still asserts that the Government has never made any payments to KPISoft.


Yes, maybe not the MOH. But what about MySJ? 

The MOH statement also did not elaborate on other owners of this data, nor did it clarify what was meant by “decided” or how the Government came to the decision that it owns MySejahtera without any payments ever having been made.

Note that the MOH decided the ownership status only after the PAC hearing on March 24, in response to widespread criticism and questions on social media. One might wonder whether the MOH would still have made the decision and issued the statements if PAC had not made the revelation, or if the public had not made much noise.

Even if we take the MOH’s statement at face value, questions arise about data handling and ownership in the period before March 24, or before the licensing agreement took place on Oct 6, 2020. Notwithstanding the nature of the licensing agreement, can data from before these periods be guaranteed not to have fallen into the hands of third parties?

The MOH statement also asserted that MySejahtera data has always been under MOH’s “supervision” whereby data management follows MOH procedures and is subject to the Prevention and Control of Infectious Diseases Act 1988 (Act 342), the Medical Act 1971, and international standards. 

The word supervision instead of ownership is peculiar, and none of these official statements necessarily confirms that the MOH owns the data. Data ownership and its protection must be spelled out in some form of agreement, backed by a combination of effective legislation, physical system structure, digital system design, and enforcement mechanisms.  

The MOH statement mentioned the following: 

  • “The Government’s decision on Nov 26 last year then agreed that MOH forms a Price Negotiation Committee comprising members from related stakeholder agencies to undertake price negotiations and managing services of the MySejahtera application with the company for a period of two years, in line with procurement procedures.”
  • “The MOF, through a letter dated Feb 28, agreed to approve MOH’s request to undertake the procurement for the management of the MySejahtera application and was finalised at MOF’s stage. This negotiation process has begun and MOH will make sure due diligence is carried out to ensure the Government’s priorities.”

Firstly, we can only wonder how much a two-year contract for managing services of MySejahtera would cost, given that the IP and software licensing from Entomo to MySJ cost RM338.6 mil.

These statements also indicate that there are only two actors now—the MOH and KPISoft/Entomo. If MySJ has no role, there must be categorical statements in response to the issues raised in the PAC hearing. 

On the other hand, if MySJ was indeed the recipient of the alleged sale of MySejahtera from KPISoft/Entomo, did the transfer include user personal data? This is a valid question, as it could involve a breach of the Personal Data Protection Act 2010 (PDPA).

Also, procurement of data and systems was not specifically mentioned. Instead, “procurement for the management of the MySejahtera application” was mentioned.  

Though this could be nit-picking on linguistic accuracy, the nuance in meaning is important. Buying the rights to manage the application may not be the same as buying rights to the data and systems. 

The Health Minister appears to have realised that this categorical confirmation is missing from the MOH written statement and supplemented it through his Twitter account, stating that MySejahtera is wholly owned by the Government with the MOH as the primary/main owner, including all data received by MySj.

Assuming “MySj” means MySejahtera (and not MySJ Sdn Bhd), it would mean that the health minister himself confirmed MOH ownership of data without a third party/company being involved.  

In addition, since the statement ignores the topic of MySJ entirely, can the MOH guarantee that only it has access to this data? The MOH also stated that MySejahtera data is uploaded daily to a cloud server network.

So, where is the server and who owns it? – March 29, 2022


Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research.

The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia. 
