Come Clean Over Mysejahtera S Questionable Dealings

---

 


Opposition leader and Port Dickson MP Anwar Ibrahim has raised serious concerns, citing the parliamentary Public Accounts Committee (PAC) hearing on March 24 this year regarding the alleged “sale” of the MySejahtera application to a questionable private company.
It was said that this transfer of ownership has been decided by the cabinet on Nov 26, 2021, allowing the Finance Ministry to approve the Health Ministry’s appointment of MySJ Sdn Bhd (MySJ) through direct negotiation.
This raises concerns on the fate of the vast amount of personal data collected by MySejahtera and draws criticisms on poor governance standards.
The controversy surrounding MySejahtera’s questionable dealings is a symptom of poor transparency in what is clearly an issue that concerns the nation given its ubiquitous use by 38 million users, including Malaysians, non-citizens, and travellers.
Sensitive data could be at risk if there are regulatory and system loopholes, risking personal health information and other data fall into the wrong hands.
For example, MySejahtera check-in data maps an individuals’ movement and location, forming a digital image of an individual’s preferences. Data is the “digital gold”, and data brokers can sell this highly sought-after information to the highest bidder.
Data may include personal details such as name, identity and contact number, associated health information (Covid-19 cases, close contacts, health status declarations, etc.), and vaccine certificates.
Medical data is a huge part of the multi-billion-dollar big data industry. Data buyers can range from policy researchers to pharmaceutical companies and advertising agencies.
There have also been reports of personal data crunched by controversial political consultants such as Cambridge Analytica. This is the same company that was allegedly involved with Umno during the reign of former prime minister Najib Abdul Razak to influence voting in the 14th general election in 2013.
2018 case shows data risk
The risk of subcontracting the handling of personal data to a private entity can be seen in 2018 when the government reportedly terminated the contract with Nuemera (M) Sdn Bhd - the private firm contracted by the Malaysian Communications and Multimedia Commission (MCMC) to manage telecommunications data - following the company’s alleged failure in safeguarding personal data of 46.2 million telecommunications services users.
Although Nuemera claimed police investigations have cleared them of any wrongdoing that contributed to the nation’s largest data-leak case, the points and the risks such as sabotage and hacking remain true despite the existence of personal data protection laws.
Therefore, the ecosystem surrounding the handling of the data must be protected with proper governance processes and systems.
Despite this obvious need, MySejahtera was initially reported to have been developed without a contract by a private company called KPISoft Sdn Bhd (KPISoft, now known as Entomo Malaysia) through a corporate social responsibility (CSR) deal that started on March 27, 2020, and ended on March 31, 2021.
In September 2021, Prime Minister Ismail Sabri Yaakob reportedly said that the government was finalising payments to MySejahtera developers upon the expiry of the CSR period.
Even if this potential data security loophole - i.e., proper procedure to ensure ownership and sufficient legal backing to enforce the protection of personal data - was meant to be addressed by purchasing all rights from the original developer KPISoft, it should not have happened via direct negotiation to MySJ.
Accordingly, the sequence of events surrounding MySejahtera deals appears to be a form of a “CSR trap”, which could be a prelude to a lucrative contract without competition.
More details needed
Echoing the PAC report dated Dec 1, 2021, the lack of an initial contract between the government and KPISoft should allow the government to take over MySejahtera and its data without additional costs.
Instead, as reported by Code Blue, the agreement to transfer MySejahtera’s intellectual property and software licence from Entomo to MySJ was via a five-year, three-month licensing agreement between the two parties on Oct 6, 2020, for a staggering cost of RM338.6 million.
Making matters worse, MySJ ownership has been reported to involve companies with potential political links or individuals that may require further scrutiny.
In an attempt to clarify the situation, a press statement by the Health Ministry dated March 27 mentioned that on March 26, 2022, the government has decided that the MySejahtera application is owned by the government and that the Health Ministry has been appointed as the primary/main owner of this application for national public health management.
Despite prior reports of payments to KPISoft being finalised, reports by Code Blue regarding the licensing agreement and that KPISoft incurred over RM47.8 million throughout its CSR commitment from April to November 2020, the Health Ministry statement asserts that the government has never made any payments to KPISoft.
Yes, maybe not. But what about MySJ?
The Health Ministry statement does not elaborate on other owners of this data, nor does it clarify what they meant by “decided” or how the government came to the decision that it owns MySejahtera without any payments ever being made.
Note that the Health Ministry decided the ownership status post-PAC hearing on March 24, 2022, as a response to widespread criticisms and questions spread on social media.
One might wonder if the Health Ministry would still have made the decisions and come up with statements if the PAC didn’t make the revelation or if the public didn’t make much noise.
Semantics or loophole?
Even if we take the Health Ministry’s statement at face value, the question arises on data handling and ownership from the time before March 24, 2022, or before the licensing agreement took place on Oct 6, 2020.
Notwithstanding the nature of licensing agreement, can data before these periods be guaranteed to not have fallen into the hands of third parties?
The Health Ministry statement also asserted that MySejahtera data has always been under Health Ministry’s “supervision” whereby data management follows Health Ministry procedures and is subject to the Prevention and Control of Infectious Diseases Act 1988 (Act 342), the Medical Act 1971, and international standards.
The word “supervision” instead of “ownership” is peculiar, and none of these official statements necessarily confirms that the Health Ministry owns the data. Data ownership and its protection must be spelt out in some form of agreement, backed by a combination of effective legislation, physical system structure, digital system design, and enforcement mechanisms.
The Health Ministry statement mentioned the following:
“The government’s decision on November 26, 2021, then agreed that MOH (Health Ministry) forms a Price Negotiation Committee comprising members from related stakeholder agencies to undertake price negotiations and managing services of the MySejahtera application with the company for a period of two years, in line with procurement procedures.
“The MOF (Finance Ministry), through a letter dated February 28, 2022, agreed to approve MOH’s request to undertake the procurement for the management of the MySejahtera application and was finalised at the stage of the MOF.
“This negotiation process has begun and MOH will make sure due diligence is carried out to ensure the government’s priorities.”
Firstly, we can only wonder how much a two-year contract for managing services of MySejahtera would cost given that intellectual property and software licensing from Entomo to MySJ costs RM338.6 million.
These statements also indicate that there are only two actors now - the Health Ministry and KPISoft/Entomo. If MySJ has no role, there must be categorical statements in response to the issues raised in the PAC hearing.
On the other hand, if MySJ was indeed the recipient of the alleged sale of MySejahtera from KPISoft/Entomo, was the transfer including user personal data? This is a valid question as it could involve the breaching of the Personal Data Protection Act 2010.
Also, procurement of data and systems was not specifically mentioned. Instead, “procurement for the management of the MySejahtera application” was mentioned.
Though this could be nitpicking on linguistic accuracy, the nuance in meaning is important. Buying the rights to manage the application may not be the same as buying rights to the data and systems.
The health minister appears to have realised that this categorical confirmation is missing in the Health Ministry written statement and supplemented this by stating that MySejahtera is wholly owned by the government with the Health Ministry as the primary/main owner, including all data received by MySj, through his Twitter account.
Health Minister Khairy JamaluddinAssuming “MySj” means MySejahtera (and not MySJ Sdn Bhd), it would mean that the health minister himself confirmed the Health Ministry ownership of data without a third party/company being involved.
Data access
In addition to ignoring the topic of MySJ entirely, how can the Health Ministry guarantee that only it has access to this data?
The Health Ministry statement stated that MySejahtera data is uploaded daily to a cloud server network. Where is the server and who owns it?
As reported in Code Blue, MySJ only acquired a licence to KPISoft's software specifically for MySejahtera “and does not acquire any other rights or ownership interests” under the five-year licensing agreement.
Specifically, the agreement “grants MySJ rights to use the KPISoft software to exclusively develop, own the application’s trademark for MySejahtera, and test and support the MySejahtera app”.
Note that owning the application trademark may not be the same as owning the application in its entirety.
This makes sense as the licensing agreement states that all rights, title, and interest in and to the KPISoft software, the trademarks, and the services, among others, shall be retained by KPISoft unless expressly provided otherwise in the agreement, as reported by Code Blue.
Therefore, how can the government guarantee that only the Health Ministry has access to this data and that the data will not be accessible by the server owner/operator, and in this case, KPISoft/Entomo and MySJ?
In addition to raising further questions on data security and integrity, the lack of clarification on MySJ is baffling.
Are we supposed to just ignore the rest of the issues raised in the PAC report? Or, is the Health Ministry statement indirectly stating that these reports are untrue or never happened?
It has been reported that during the PAC hearing, a Health Ministry official added that the best model for procuring MySejahtera is being negotiated, whereby the Health Ministry must determine the system operator and maintainer should the Health Ministry procure the entire system.
Therefore, was MySJ intended to be said operator and maintainer of MySejahtera? Again, this does not necessarily mean owning the data.
Either way, if the sale/transfer did happen, why was it through direct negotiation? This is particularly concerning given that there are valid questions surrounding the ownership of MySJ and KPISoft.
Dubious links
The directors of the MySJ reportedly include two founders of KPISoft, Raveenderen Ramamoothie and Anuar Rozhan, and also high-profile individuals with political and business links, namely former president and CEO of Sapura Energy, Shahril Shamsuddin, and Megat Najmuddin Megat Khas who was a former Umno disciplinary committee member and later Bersatu disciplinary board chairperson.
Sapura Energy was reported to have raked in a whopping net loss of RM8.9 billion, yet received an urgent appeal from Najib Abdul Razak to be bailed out.
Shahril, Raveenderen, and Naveen Prashad Despande have been reported as directors in the company Revolusi Asia, which holds the majority share in MySJ.
Although not named as a director, Anuar also reportedly has shares in Revolusi Asia.
Anuar is apparently the brother of former Astro Malaysia Holdings Bhd group CEO Rohana Rozhan, who has allegedly profited from the 1MDB scandal.
All in all, people are innocent until proven guilty and there is such a thing as coincidence. However, it is also reasonable for people to wonder if this is a case of collusion between political and business cronies.
Other companies that own shares in MySJ include Hasrat Budi, which has individuals from a property developer as shareholders, and P2 Asset Management, which has been reported to consist of young directors aged 26- to 29-year-olds.
Who are these individuals? What are the interests of a supposed asset management company and a property developer in MySJ?
An open tender process with good governance standards would ensure these alleged linkages and potential conflicts of interest are accounted for and flagged.
According to CodeBlue, both MySJ and KPISoft have the same registered address at Wisma Adiss Udarama Complex in Kuala Lumpur and the same business address at Q Sentral in KL Sentral.
The Health Ministry statements that were meant to reassure the people of Health Ministry’s data ownership, security, and privacy are insufficient and rely mostly on the people to simply trust in their word. If anything, it raises more questions than answers.
Furthermore, it also completely ignores the issue surrounding MySJ (and the people involved).
Now that the dispute between MySJ shareholders has been brought to light, will the warring entities withdraw the case and look to “directly negotiate” behind closed doors with the government again?
Emir Research asserts the following points as the way forward for the authorities:
Ownership and access to data in MySejahtera must remain only with the Health Ministry
There must be full transparency and due process with any dealings related to MySejahtera
Apply the strictest governance and integrity standards when dealing with vast amounts of highly sensitive personal data
Investigate MySejahtera deals through an independent commission to ensure loopholes are addressed and prevent repeat cases in the future
Reaffirm that user personal data are fully protected and have not been transferred to any other parties
Ensure data integrity and privacy through sufficient legislative and systems (physical and digital) safeguards are in place
Clarify all statements and concerns raised in the PAC report, particularly on the “sale” to MySJ
Authorities must come clean over these questionable dealings, take steps to protect sensitive personal data, and clarify the situation once and for all. - Mkini
RAIS HUSSIN and AMEEN KAMAL are part of the research team of Emir Research, a think tank focused on strategic policy recommendations based on rigorous research.
The views expressed here are those of the author/contributor and do not necessarily represent the views of MMKtT.

---