Leader of the Opposition and Member of Parliament for Port Dickson Dato’ Seri Anwar Ibrahim has raised serious concerns citing the parliamentary Public Accounts Committee (PAC) hearing on March 24 this year regarding the alleged “sale” of the MySejahtera application (MySejahtera) to a questionable private company.

It was said that this transfer of ownership has been decided by the Cabinet on November 26, 2021, allowing the Ministry of Finance to approve the Ministry of Health’s (MoH) appointment of MySJ Sdn Bhd (MySJ) through direct negotiation.

This raises concerns on the fate of the vast personal data collected by MySejahtera and draws criticisms on poor governance standards.

The controversy surrounding MySejahtera’s questionable dealings is a symptom of poor transparency in what is clearly an issue that concerns the nation given its ubiquitous use by 38 million users, including Malaysians, non-citizens, and travelers.

Sensitive data could be at risk if there are regulatory and system loopholes, risking personal health information and other data to fall into the wrong hands.

For example, MySejahtera check-in data maps an individuals’ movement and location, forming a digital image of an individual’s preferences. Data is the “digital gold”, and data brokers can sell this highly sought-after information to the highest bidder.

Data may include personal details such as name, identity and contact number, associated health information (Covid-19 cases, close contacts, health status declarations, etc.), and vaccine certificates.

Medical data is a huge part of the multi-billion-dollar big data industry. Data buyers can range from policy researchers to pharmaceutical companies and advertising agencies.

There have also been reports of personal data crunched by controversial political consultants such as Cambridge Analytica. This is the same company that was allegedly involved with the United Malays National Organization (Umno) during the reign of former prime minister Datuk Seri Najib Razak to influence voting in the 14th General Election in 2013.

The risk of subcontracting the handling of personal data to a private entity can be seen in 2018 when the government reportedly terminated the contract with Nuemera (M) Sdn Bhd—the private firm contracted by the Malaysian Communications and Multimedia Commission to manage telecommunications data—following the company’s alleged failure in safeguarding personal data of 46.2 million telecommunications services users.

Although Nuemera claimed police investigations have cleared them of any wrongdoings that contributed to the nation’s largest data leak case, the points and the risks such as sabotage and hacking remain true despite the existence of personal data protection laws.

Therefore, the ecosystem surrounding the handling of the data must be protected with proper governance processes and systems.

Despite this obvious need, MySejahtera was initially reported to have been developed without a contract by private company called KPISoft Sdn Bhd (KPISoft; now known as Entomo Malaysia) through a Corporate Social Responsibility (CSR) deal that started on March 27, 2020, and ended on March 31, 2021.

In September 2021, Prime Minister Datuk Seri Ismail Sabri Yaakob reportedly said that the government was finalizing payments to MySejahtera developers upon the expiry of the CSR period.

Even if this potential data security loophole i.e., proper procedure to ensure ownership and sufficient legal backing to enforce the protection of personal data was meant to be addressed by purchasing all rights from the original developer KPISoft, it should not have happened via direct negotiation to MySJ.

Accordingly, the sequence of events surrounding MySejahtera deals appears to be a form of a “CSR trap”, which could be a prelude to a lucrative contract without competition.

Echoing the PAC report dated December 1, 2021, what was initially thought of as the lack of an initial contract between the government and KPISoft, should allow the government to take over MySejahtera and its data without additional costs.

Instead, as reported by Code Blue, there was an agreement to transfer MySejahtera’s intellectual property (IP) and software license from Entomo to MySJ was via a 5-year, 3-month licensing agreement between the two parties on Oct 6, 2020, for a staggering cost of RM338.6 million.

Making matters worse, MySJ ownership has been reported to involve companies with potential political links or individuals that may require further scrutiny.

In an attempt to clarify the situation, a press statement by the MoH dated March 27 mentioned that on March 26, 2022, the Government has decided that the MySejahtera application is owned by the government and that the MoH has been appointed as the primary/main owner of this application for national public health management.

Despite prior reports of payments to KPISoft were being finalized, reports by Code Blue regarding the licensing agreement and that KPISoft incurred over RM47.8 million throughout its CSR commitment from April to November 2020, the MoH statement asserts that the government has never made any payments to KPISoft.

Yes, maybe not the MoH. But what about MySJ?

The MoH statement does not elaborate on other owners of this data, nor does it clarify what they meant by “decided” or how the government came to the decision that it owns MySejahtera without any payments ever being made. 

Note that the MoH decided the ownership status post PAC hearing on March 24, 2022, as a response to widespread criticisms and questions spread in social media. One might wonder if the MoH would still have made the decisions and come up with statements if the PAC didn’t make the revelation or if the public didn’t make much noise.

Even if we take the MoH’s statement at face value, the question arises on data handling and ownership from the time before March 24, 2022, or before the licensing agreement took place on October 6, 2020. Notwithstanding the nature of licensing agreement, can data before these periods be guaranteed to not have fallen into the hands of third parties?

The MOH statement also asserted that MySejahtera data has always been under MOH’s “supervision” whereby data management follows MOH procedures and is subject to the Prevention and Control of Infectious Diseases Act 1988 (Act 342), the Medical Act 1971, and international standards.

The word supervision instead of ownership is peculiar, and none of these official statements necessarily confirms that the MoH owns the data. Data ownership and its protection must be spelled out in some form of agreement, backed by a combination of effective legislation, physical system structure, digital system design, and enforcement mechanisms.

The MoH statement mentioned the following:

• The government’s decision on November 26, 2021, then agreed that MoH forms a Price Negotiation Committee comprising members from related stakeholder agencies to undertake price negotiations and managing services of the MySejahtera application with the company for a period of two years, in line with procurement procedures”.
• The Finance Ministry (MoF), through a letter dated February 28, 2022, agreed to approve MoH’s request to undertake the procurement for the management of the MySejahtera application and was finalized at the stage of the MoF. This negotiation process has begun and MoH will make sure due diligence is carried out to ensure the government’s priorities.”

Firstly, we can only wonder how much a two-year contract for managing services of MySejahtera would cost given that IP and software licensing from Entomo to MySJ costs RM338.6 million.

These statements also indicate that there are only two actors now—the MoH and KPISoft/Entomo. If MySJ has no role, there must be categorical statements in response to the issues raised in the PAC hearing.

On the other hand, if MySJ was indeed the recipient of the alleged sale of MySejahtera from KPISoft/Entomo, was the transfer including user personal data? This is a valid question as it could involve the breaching of the Personal Data Protection Act 2010.

Also, procurement of data and systems was not specifically mentioned. Instead, “procurement for the management of the MySejahtera application” was mentioned.

Though this could be nit-picking on linguistic accuracy, the nuance in meaning is important. Buying the rights to manage the application may not be the same as buying rights to the data and systems.

The Health Minister appears to have realized that this categorical confirmation is missing in the MoH written statement and supplemented this by stating that MySejahtera is wholly owned by the government with the MoH as the primary/main owner, including all data received by MySj, through his Twitter account.

Assuming “MySj” means MySejahtera (and not MySJ Sdn Bhd), it would mean that the Health Minister himself confirmed MoH ownership of data without a third party/company being involved.

In addition to ignoring the topic of MySJ entirely, how can the MoH guarantee that only it has access to this data?

The MoH statement stated that MySejahtera data is uploaded daily to a cloud server network.

Where is the server and who owns it?

As reported in Code Blue, MySJ only acquires a license to the KPISoft’s software specifically for MySejahtera “and does not acquire any other rights or ownership interests” under the 5-year licensing agreement. Specifically, the agreement “grants MySJ rights to use the KPISoft software to exclusively develop, own the application trademark for MySejahtera, and test and support the MySejahtera app”.

Note that owning the application trademark may not be the same as owning the application in its entirety.

This makes sense as the licensing agreement states that all rights, title, and interest in and to the KPISoft software, the trademarks, and the services, among others, shall be retained by KPISoft unless expressly provided otherwise in the agreement, as reported by Code Blue.

Therefore, how can the government guarantee that only the MoH has access to this data and that the data will not be accessible by the server owner/operator, and in this case, KPISoft/Entomo and MySJ?

In addition to raising further questions on data security and integrity, the lack of clarification on MySJ is baffling.

Are we supposed to just ignore the rest of the issues raised in the PAC report?

Or, is the MoH statement indirectly stating that these reports are untrue or never happened?

It has been reported that during the PAC hearing, an MoH official added that the best model for procuring the [MySejahtera] system is being negotiated, whereby the MoH must determine the system operator and maintainer should the MoH procure the entire MySejahtera system.

Therefore, was MySJ intended to be said operator and maintainer of MySejahtera? Again, this does not necessarily mean owning the data. Either way, if the sale/transfer did happen, why was it through direct negotiation?

This is particularly concerning given that there are valid questions surrounding the ownership of MySJ and KPISoft.

The directors of the MySJ reportedly include two founders of KPISoft, Raveenderen Ramamoothie and Anuar Rozhan, and also high-profile individuals with political and business links namely former President and CEO of Sapura Energy, Tan Sri Dato Seri Shahril Bin Shamsuddin, and Tan Sri Dato’ Seri Megat Najmuddin who was a former UMNO disciplinary committee member and later Bersatu’s disciplinary board’s chairman.

Sapura Energy was reported to rake in a whopping net loss of RM8.9 billion, yet received an urgent appeal from the former prime minister Najib Razak to be bailed.

Shahril, Raveenderen, and Naveen Prashad Despande have been reported as directors in the company Revolusi Asia, which holds the majority share in MySJ. Although not named as a director, Anuar also reportedly has shares in Revolusi Asia.

Anuar is apparently the brother of former Astro Malaysia Holdings Bhd group CEO Rohana Rozhan, who has allegedly profited from the 1MDB scandal.

All in all, people are innocent until proven guilty and there is such a thing as coincidence. However, it is also reasonable for people to wonder if this is a case of collusion between political and business cronies.

Other companies that own shares in MySJ include Hasrat Budi, which has individuals from a property developer as shareholders, and P2 Asset Management which has been reported to consist of young directors aged 26- to 29-year-olds.

Who are these individuals? What are the interests of a supposed asset management company and a property developer in MySJ?

An open tender process with good governance standards would ensure these alleged linkages and potential conflicts of interest are accounted for and flagged.

According to CodeBlue, both MySJ and KPISoft have the same registered address at Wisma Adiss Udarama Complex in Kuala Lumpur (KL) and the same business address at Q Sentral in KL Sentral.

The MoH statements that were meant to reassure the people of MoH’s data ownership, security, and privacy are insufficient and rely mostly on the people to simply trust in their word. If anything, it raises more questions than answers.

Furthermore, it also completely ignores the issue surrounding MySJ (and the people involved).

Now that the dispute between MySJ shareholders has been brought to light, will the warring entities withdraw the case and look to “directly negotiate” behind closed doors with the government again?

EMIR Research asserts the following points as the way forward for the authorities:

1. Ownership and access to data in MySejahtera must remain only with the MoH.
2. There must be full transparency and due process with any dealings related to MySejahtera.
3. Apply strictest governance and integrity standards when dealing with vast amounts of highly sensitive personal data.
4. Investigate MySejahtera deals through an independent commission to ensure loopholes are addressed and prevent repeat cases in the future.
5. Re-affirm that user personal data are fully protected and have not been transferred to any other parties.
6. Ensure data integrity and privacy through sufficient legislative and systems (physical and digital) safeguards are in place
7. Clarify all statements and concerns raised in the PAC report, particularly on the “sale” to MySJ.

Authorities must come clean over these questionable dealings, take steps to protect sensitive personal data, and clarify the situation once and for all.

(Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.)