MEDIA STATEMENT BY DATUK SERI ANWAR IBRAHIM, PRESIDENT, PKR & PRESIDENT, PAKATAN HARAPAN
Sale of MySejahtera Application To Private Company
The 24 March 2022 Public Accounts Commission (PAC) hearing raised questions about the sale of the MySejahtera Covid-19 tracking app to a company in the private sector.
The government’s decision to give up control of the MySejahtera app was made by the Cabinet during a meeting on 26 November 2021. Approval was given by the Cabinet to the Ministry of Health (MOH) to appoint MySJ Sdn. Bhd. by direct negotiation to take over the MySejahtera app.
However, in December 2021 the PAC recommended the government should take over the operation of MySejahtera without incurring any additional costs given that it has become an integral part of the national health system.
The MOH officers who testified in front of the PAC claimed that MySJ Sdn. Bhd. is not related to KPISoft, the company which built MySejahtera as a CSR initiative. KPISoft has since changed its name to Entomo. The claim that there is no relation between KPISoft/Entomo and MYSJ Sdn. Bhd must be scrutinized.
The directors of the MySJ Sdn. Bhd. include two founders of KPISoft. The directors of MySJ Sdn. Bhd. also include individuals with political and business connections to parties in the ruling coalition government including Tan Sri Dato Seri Shahril Bin Shamsuddin who was the CEO of Sapura Energy until March 2021 and Tan Sri Dato’ Seri Megat Najmuddin who was an UMNO division chief and later a senior member of Bersatu.
Furthermore, 81.4% of MySJ Sdn. Bhd. is owned by another company, Revolusi Asia Sdn. Bhd., of which 88% is owned by the founders of KPISoft.
In other words, 71.2% of MySJ Sdn. Bhd. is owned by two co-founders of KPISoft, which built MySejahtera. To say that there is no link between KPISoft/Entomo and MySJ Sdn. Bhd. is not accurate.
Under an open tender these facts would be scrutinized by the government and the public. In the case of a direct negotiation, this deal appears to resemble a pattern of rewarding companies and individuals that have political and business connections to the ruling government.
That MySJ Sdn. Bhd. includes directors whose expertise in operating a software/information technology business is not clear raises further concerns about the logic of this direct award to MySJ Sdn. Bhd.
Furthermore, the sale of MySejahtera to a private company raises substantial concerns about data privacy and the potential abuse of private health related data about millions of Malaysians.
MySejahtera has recorded, according to MOH published data on GitHub, over 11 billion check-ins since December 2020. This check-in data contains intimate details about peoples personal preferences, consumption patterns, social network. We assume that MySejahtera databases also include private personal health data about individual’s reported health symptoms and Covid-19 positive diagnosis.
The PAC was informed that all data in MySejahtera and its confidentiality is under the control of the MOH.
On 19 November 2020 the Ministry of Health stated that “The data collected through the MySejahtera app is fully owned by the Health Ministry of Malaysia and supervised by the National Cyber Security Agency (Nacsa) and the National Security Council (NSC).
On 20 December 2020 CyberSEcurity Malaysia CEO stated that the MySejahtera data was secure. “These data are solely used for Covid-19 monitoring and not shared with any third party as they are subject to secrecy.”
The MySejahtera website includes a privacy policy which states “No Personal Data collected by this App will be disclosed to any third party or transferred to a place outside of Malaysia for commercial purposes.”
The MySejahtera website also states “MySejahtera is owned and operated by the Government of Malaysia. It is administrated by MOH and assisted by NSC and MAMPU.
The Government assures that your personal information will only be used for the purpose of managing and mitigating COVID-19 outbreak. It will not be shared to any other party.”
Furthermore the MySejahtera GitHub page states “As per the MySejahtera privacy policy, individual-level check-in data is purged after 90 days. These summary statistics are stored only as aggregated totals; MySejahtera does not store the underlying data.
Consequently, data revisions are not possible for dates more than 90 days ago, even if an inconsistency is spotted.”
Therefore the the following questions must be clarified by the Cabinet:
- Why was the decision made to sell MySejahtera to a company in the private sector instead of allowing the application to remain under the control of MOH?
- Why was a public tender not conducted in order to make the sale of this a transparent?
- What are the reasons MySJ Sdn. Bhd. is the only company under consideration for this project?
- Does the Malaysian government frequently reward individuals or companies that conduct CSR for the benefit of the Malaysian people with lucrative contracts?
- What is MySJ Sdn. Bhd.’s scope of work as it pertains to the operation of MySejahtera and how is the MOH able to ensure that the data collected by MySejahtera will not be misused by third parties including MySJ Sdn. Bhd.
- Are the terms of this contract in compliance with the past assurances given by the MOH regarding the appropriate use of Malaysian’s personal private health data, MySejahtera’s data privacy policy, and the country’s data privacy laws?
- What are the MYSJ Sdn. Bhd. obligations to ensure that the data which Malaysians shared via MySejahtera on the basis of a public mandate will not be used for marketing, product development, surveillance, or discriminatory purposes?