
Sale of MySejahtera Application To Private Company

27 March 2022

On March 24, a Public Accounts Commission (PAC) hearing raised questions about the sale of the MySejahtera COVID-19 tracking app to a private company.

The Government’s decision to give up control of the MySejahtera app was made by the Cabinet during a meeting on Nov 26. Approval was given by the Cabinet to the Health Ministry (MOH) to appoint MySJ Sdn. Bhd. by direct negotiation to take over the MySejahtera app.

However, in December 2021, the PAC recommended that the Government should take over the operation of MySejahtera without incurring any additional costs given that it has become an integral part of the national health system.

The MOH officers who testified in front of the PAC claimed that MySJ Sdn. Bhd. is not related to KPISoft, the company which built MySejahtera as a corporate social responsibility (CSR) initiative. KPISoft has since changed its name to Entomo. The claim that there is no relation between KPISoft/Entomo and MySJ Sdn. Bhd. must be scrutinised.

The directors of MySJ Sdn. Bhd. include two founders of KPISoft. The directors of MySJ Sdn. Bhd. also include individuals with political and business connections to parties in the ruling coalition government, including Tan Sri Shahril Bin Shamsuddin, who was the CEO of Sapura Energy until March 2021, and Tan Sri Megat Najmuddin, who was an UMNO division chief and later a senior member of Parti Pribumi Bersatu Malaysia.

Furthermore, 81.4% of MySJ Sdn. Bhd. is owned by another company, Revolusi Asia Sdn. Bhd., of which 88% is owned by the founders of KPISoft.

In other words, 71.2% of MySJ Sdn. Bhd. is owned by two co-founders of KPISoft, which built MySejahtera. Hence, to say that there is no link between KPISoft/Entomo and MySJ Sdn. Bhd. is not accurate.

Under an open tender system, these facts would be scrutinised by the Government and the public. In the case of a direct negotiation, this deal appears to resemble a pattern of rewarding companies and individuals that have political and business connections to the ruling Government. That MySJ Sdn. Bhd. includes directors whose expertise in operating a software/information technology business is not clear raises further concerns about the logic of this direct award to MySJ Sdn. Bhd.

Furthermore, the sale of MySejahtera to a private company raises substantial concerns about data privacy and the potential abuse of private health-related data about millions of Malaysians.

MySejahtera has recorded, according to MOH published data on GitHub, over 11 billion check-ins since December 2020. This check-in data contains intimate details about people’s personal preferences, consumption patterns and social networks. We assume that MySejahtera databases also include private personal health data about individuals’ reported health symptoms and COVID-19 positive diagnoses.

Rewarding cronies?

The PAC was informed that all data in MySejahtera and its confidentiality is under the control of the MOH.

On Nov 19, 2020, the MOH had stated that “The data collected through the MySejahtera app is fully owned by the Health Ministry of Malaysia and supervised by the National Cyber Security Agency (Nacsa) and the National Security Council (NSC).”

On Dec 20, 2020, the CyberSecurity Malaysia CEO stated that the MySejahtera data was secure. “These data are solely used for COVID-19 monitoring and not shared with any third party as they are subject to secrecy.”

The MySejahtera website includes a privacy policy which states “No Personal Data collected by this App will be disclosed to any third party or transferred to a place outside of Malaysia for commercial purposes.” The MySejahtera website also states “MySejahtera is owned and operated by the Government of Malaysia. It is administrated by MOH and assisted by NSC and MAMPU. The Government assures that your personal information will only be used for the purpose of managing and mitigating COVID-19 outbreak. It will not be shared to any other party.”

Furthermore, the MySejahtera GitHub page states “As per the MySejahtera privacy policy, individual-level check-in data is purged after 90 days. These summary statistics are stored only as aggregated totals; MySejahtera does not store the underlying data. Consequently, data revisions are not possible for dates more than 90 days ago, even if an inconsistency is spotted.”

Therefore, the following questions must be clarified by the Cabinet:

  • Why was the decision made to sell MySejahtera to a company in the private sector instead of allowing the application to remain under the control of MOH?

  • Why was a public tender not conducted in order to make this sale transparent?

  • What are the reasons MySJ Sdn. Bhd. is the only company under consideration for this project?

  • Does the Government frequently reward individuals or companies that conduct CSR for the benefit of the Malaysian people with lucrative contracts?

  • What is MySJ Sdn. Bhd.’s scope of work as it pertains to the operation of MySejahtera, and how is the MOH able to ensure that the data collected by MySejahtera will not be misused by third parties, including MySJ Sdn. Bhd.?

  • Are the terms of this contract in compliance with the past assurances given by the MOH regarding the appropriate use of Malaysians’ personal private health data, MySejahtera’s data privacy policy, and the country’s data privacy laws?

  • What are MySJ Sdn. Bhd.’s obligations to ensure that the data which Malaysians shared via MySejahtera on the basis of a public mandate will not be used for marketing, product development, surveillance or discriminatory purposes?

Datuk Seri Anwar Ibrahim

Opposition Leader / PKR President

