Who owns MySejahtera? Although this sounds like a simple question, the notion of “wholly owning” MySejahtera does not appear to be applicable at the moment as no one party seems to own everything related to MySejahtera.
Revelations from reported legal documents point to the splitting of “ownership” into three main parts: 1) the MySejahtera application (app); 2) the data gathered and processed by MySejahtera; and 3) the background software used to develop MySejahtera.
Below is what we know thus far regarding who owns each of the components and the legal basis.
1. Ownership of the MySejahtera app: MySJ
Based on a share sale agreement on December 31, 2020, between MySJ’s shareholders, Entomo Malaysia is the owner of “all rights, title, and interest, including all intellectual property (IP) rights” related to the MySejahtera app, as reported by health portal CodeBlue.
However, this may have been superseded by a share sale agreement dated August 27, 2021, whereby in relation to MySJ, the OEM software licence agreement between Entomo Malaysia and MySJ grants MySJ an exclusive, sub-licensable, and perpetual licence to the MySejahtera app, as well as a non-exclusive, non-transferable, non-sublicensable right and perpetual licence to use the KPISoft software, as revealed by CodeBlue.
In the same share sale agreement, MySJ is described as the “owner of the platform”, likely referring to MySejahtera as one of the platforms running on or developed using KPISoft software.
This is likely on the basis that the license is exclusive and perpetual i.e., almost as good as “owning” it.
Specifically, the health portal reported that the share sale agreement states that MySJ is the “legal and beneficial owner of all rights, title, and interest, including intellectual property rights in the MySejahtera application and all related technology, knowledge, know-how, updates/ upgrades, and trade secret in relation to the MySejahtera application.”
2. Ownership of the data: Malaysian government
Based on a share sale agreement on December 31, 2020, between MySJ’s shareholders, the “trademark and data collected through the operation of MySejahtera” have been reported as being owned by the Malaysian government.
Also, Health Minister Khairy Jamaluddin revealed that the “ownership of all data and information obtained through the use of the MySejahtera application rests entirely with the government” was said to be part of the terms and conditions in a non-disclosure agreement (NDA) between the National Security Council (NSC) and KPISoft Malaysia Sdn Bhd (now known as Entomo Malaysia Sdn Bhd) dated April 1, 2020.
3. Ownership of KPISoft software: Entomo Malaysia
According to the August 27, 2021 share sale agreement, Entomo is the “developer and legal and beneficial owner of the KPISoft software”.
Based on the same share sale agreement, MySJ “is and shall be the legal and beneficial owner of all rights, title and interest in and to such additions, enhancements, changes, modifications, including the introduction of new or changes in features to the MySejahtera application or made to the KPISoft software for the MySejahtera application, save and except that the rights, title, and interest in and to the KPISoft software and its trademarks shall be retained by Entomo”, as reported by CodeBlue.
Legally-defined ownership versus real-world separation
The app, which is owned by MySJ, collects data that is owned by the government, running on software developed and owned by KPISoft/Entomo.
Although we have a slightly clearer picture of ownerships based on these agreements, it remains unclear how this separation of ownership is operationalised outside of the legal documents.
For example, as far security and data integrity go, what do the rights, title, and interest in and to the KPISoft software and its trademarks mean, when it comes to accessibility to the MySejahtera app, and the data?
Only through cross-examination of all related agreements in their entirety, especially clauses regarding “security”, “confidentiality”, “data ownership” and “accessibility” can we confirm finer details such as the names of parties defined to be governed under confidentiality clauses and data access and exclusivities, if any.
Even so, legal language can be written ideally, that is, in an ideal situation, clauses state how it should be. But often the ideal legal clauses can be written without or insufficient respect for physical realities. The ideal separation between the app, the data, and the software the app is built on may not be as clearly separated in day-to-day operations and may lack real-world enforcement to back it up.
This issue is for specialists such as programmers and coders to study and investigate the programming structure and coding of the app to shed light on how these three main components can be completely segregated.
The objective is to make sure that ownership and access to data in MySejahtera remain exclusively with the Health Ministry (MoH), and not only that that user personal data is fully protected, but also that it has not and could not have been transferred or accessed, intentionally or otherwise, to any other parties in whatever form.
This means expanding the investigating into the software and hardware of all places that the MySejahtera app communicates with, either directly or indirectly, such as those related to the server, any “mirror” servers, and cloud databases elsewhere that may have duplicated MySejahtera data for backup purposes.
In other words, as far as investigating the security and integrity of the data, examination of legal documents would not suffice. A forensic digital investigation or audit of the entire ecosystem is needed.
Changing tone on ownership
Aside from data ownership, Khairy’s statements at Dewan Negara on March 31 and the press statement by the MoH dated March 27 which cumulatively assert the government’s ownership of the app, IP rights, modules, trademarks, and source code appear to contradict reported statements in the above-mentioned agreements which defines the three-way ownership split.
However, Khairy’s reported latest statement in a press conference in Perak on April 5 appears to have a change in tone compared to earlier remarks. Khairy was reported to have said the following: “We own the data, modules in MySejahtera, and the brand“.
Owning the data and the brand (trademark) is consistent with what the legal documents reveal, but the statement of “modules in MySejahtera” appears to be a distinction from the previous notion of “owning the MySejahtera app”.
Thus, Khairy’s latest remarks (thus far) appear to be the most consistent with the reported legal documents pertaining MySejahtera and its developers and licensors.
Although prior contradictions are baffling, at least this indicates a trajectory of improving accuracy and consistency as far as ownership issues go.
One-sided exclusivity with KPISoft/Entomo
EMIR Research mentioned previously that there are no indications of an exclusive arrangement the government had with KPISoft.
However, the apparent exclusive treatment of the CSR deal by the government (by not stopping and finding a new “operator”) appears to be one-sided, as KPISoft/Entomo entered into a commercial arrangement with MySJ while the CSR deal was still in effect.
Note that the CSR deal with KPISoft/Entomo started on March 27, 2020, and ended on March 31, 2021. KPISoft/Entomo entered into a licensing agreement worth RM338.6 million to grant the intellectual property of the MySejahtera app and a software license to MySJ on October 6, 2020.
All the while, the Malaysian government did not attempt to find other operators or providers within or earlier than the presumably “limbo period” of eight months between the expiry of the CSR deal (March 31) to the date when the Cabinet made the decision on November 26, 2021.
Based on publicly available information, the government has no legal basis to wait for the CSR period to be over to start approaching other companies.
Silence on the indications of conflicting interest related to MySejahtera dealings
The government cannot ignore disputes between shareholders of MySJ and certainly cannot remain silent on indications of conflicting interests.
Earlier, Khairy said that the deal to transfer the app’s IP and software license between KPISoft/Entomo and MySJ has nothing to do with the government’s latest negotiation. This is merely stating an obvious fact that it is a deal between two private entities.
On April 5, Khairy was reported to have said the following:
“Whatever happens with the dispute of the companies in court, it has nothing to do with us.”
Firstly, deals between the government and MySJ legally cannot override established contracts between MySJ and Entomo. Therefore, if the government has the interest to acquire rights and fights for the ownership of the app, the government is at least indirectly involved in this tripartite mess.
Secondly, the involvement of various parties owning different “parts” of MySejahtera cast more doubt that only the MoH has (exclusive) access to the data gathered and processed by MySejahtera, even if it owns it.
Thirdly, although data ownership issues get clearer, the issue of company shareholding, directorships, and ownership structures get more convoluted. The authorities must deeply investigate these obvious red flags or at least, clear indications of conflicting interests.
There have been multiple reports from various sources on similar names appearing across companies and across international borders that are dealing with one another. Some of the individuals could be linked with the political and business elites, while others are unknown, mysterious, or even questionable local and foreign business figures.
Yet, there have been no actions or even any mentioning of this issue from the authorities. Why is there a deafening silence on this?
MySJ may have had commercial plans all along
EMIR Research speculated in an earlier article that in addition to the “much lower than RM300 million” deal the Malaysian government has with MySJ, there could be other revenue streams for MySJ.
As speculated, MySJ actually had plans for the acquisition/investment of healthcare companies, which has been reported by CodeBlue.
Although these presumably “MySejahtera-expansion” companies don’t appear to have the same indication of conflicting interest as the MySJ-Entomo deals from the shareholder/directorship perspective, the fact that all these companies share the same or similar address with each other and with MySJ-Entomo should at least raise some eyebrows.
Based on the coordinating committee meeting minutes dated September 22, 2021, an investment into Mudah Healthcare and a digital insurance business plan (whereby the company AmanInsure was listed for action) were discussed, according to CodeBlue.
CodeBlue revealed that Mudah Healthcare’s stated address is Unit 27-12, Level 27, Q Sentral in Kuala Lumpur, supposedly next to Unit 27-13, Level 27, Q Sentral, which is the shared business address of both Entomo Malaysia and MySJ.
As for AmanInsure, CodeBlue revealed that AmanInsure’s website lists the company’s address as the same as Mudah Healthcare’s address, and based on SSM filing, AmanInsure has the same registered address as Entomo Malaysia and MySJ at Wisma Adiss Udarama Complex in Kuala Lumpur and the same business address as MySJ and Entomo Malaysia.
There is nothing wrong with having business partners sharing the same office and other similarities, but a higher level of sensitivity and importance surrounding MySejahtera, especially the indications of conflicting interest and the presence of questionable local and foreign figures should lower the threshold for flags to be raised or trigger an investigation.
(Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.)