Malaysiakini logo
This article is 3 years old

MP SPEAKS | Explain sale of MySejahtera app to private company

MP SPEAKS | The March 24 Public Accounts Commission (PAC) hearing raised questions about the sale of the MySejahtera Covid-19 tracking app to a company in the private sector.

The government’s decision to give up control of the MySejahtera app was made by the cabinet during a meeting on Nov 26 last year.

Approval was given by the cabinet to the Health Ministry to appoint MySJ Sdn Bhd by direct negotiation to take over the MySejahtera app.

However, in December 2021, the PAC recommended for the government to take over the operation of MySejahtera without incurring any additional costs given that it has become an integral part of the national health system.

The Health Ministry officers who testified in front of the PAC claimed that MySJ is not related to KPISoft, the company which built MySejahtera as a CSR initiative. KPISoft has since changed its name to Entomo. The claim that there is no relation between KPISoft/Entomo and MySJ must be scrutinised.

Political, business connections

The directors of MySJ include two founders of KPISoft. The directors of MySJ also include individuals with political and business connections to parties in the ruling coalition government, including Shahril Shamsuddin, who was the CEO of Sapura Energy until March 2021 and Megat Najmuddin Megat Khas, who was an Umno division chief and later a senior member of Bersatu.

Furthermore, 81.4 percent of MySJ is owned by another company, Revolusi Asia Sdn Bhd, of which 88 percent is owned by the founders of KPISoft.

In other words, 71.2 percent of MySJ is owned by two co-founders of KPISoft, which built MySejahtera. To say that there is no link between KPISoft/Entomo and MySJ is not accurate.

Under an open tender, these facts would be scrutinised by the government and the public. In the case of direct negotiation, this deal appears to resemble a pattern of rewarding companies and individuals that have political and business connections to the ruling government.

That MySJ includes directors whose expertise in operating a software/information technology business is not clear, raises further concerns about the logic of this direct award to MySJ.

Data privacy

Furthermore, the sale of MySejahtera to a private company raises substantial concerns about data privacy and the potential abuse of the private health-related data of millions of Malaysians.

MySejahtera has recorded, according to Health Ministry published data on GitHub, over 11 billion check-ins since December 2020. This check-in data contains intimate details about people’s personal preferences, consumption patterns and social networks.

We assume that MySejahtera databases also include private personal health data about an individual’s reported health symptoms and Covid-19 positive diagnosis.

The PAC was informed that all data in MySejahtera and its confidentiality is under the control of the Health Ministry.

On Nov 19, 2020, the Health Ministry stated that “The data collected through the MySejahtera app is fully owned by the Health Ministry and supervised by the National Cyber Security Agency (Nacsa) and the National Security Council (NSC)”.

On Dec 20, 2020, CyberSecurity Malaysia CEO stated that the MySejahtera data was secure. “These data are solely used for Covid-19 monitoring and not shared with any third party as they are subject to secrecy.”

The MySejahtera website includes a privacy policy that states: “No Personal Data collected by this app will be disclosed to any third party or transferred to a place outside of Malaysia for commercial purposes.”

The MySejahtera website also states: “MySejahtera is owned and operated by the government. It is administrated by the Health Ministry and assisted by NSC and Mampu. The government assures that your personal information will only be used for the purpose of managing and mitigating the Covid-19 outbreak. It will not be shared with any other party.”

Furthermore, the MySejahtera GitHub page states: “As per the MySejahtera privacy policy, individual-level check-in data is purged after 90 days. These summary statistics are stored only as aggregated totals; MySejahtera does not store the underlying data. Consequently, data revisions are not possible for dates more than 90 days ago, even if an inconsistency is spotted.”

Clarification needed

Therefore the following questions must be clarified by the cabinet:

  • Why was the decision made to sell MySejahtera to a company in the private sector instead of allowing the application to remain under the control of the Health Ministry?

  • Why was a public tender not conducted in order to make the sale of this transparent?

  • What are the reasons for MySJ being the only company under consideration for this project?

  • Does the government frequently reward individuals or companies that conduct CSR for the benefit of the Malaysian people with lucrative contracts?

  • What is MySJ’s scope of work as it pertains to the operation of MySejahtera and how is the Health Ministry able to ensure that the data collected by MySejahtera will not be misused by third parties including MySJ?

  • Are the terms of this contract in compliance with the past assurances given by the Health Ministry regarding the appropriate use of Malaysians’ personal private health data, MySejahtera’s data privacy policy, and the country’s data privacy laws?

  • What are the MySJ obligations to ensure that the data which Malaysians shared via MySejahtera on the basis of a public mandate will not be used for marketing, product development, surveillance, or discriminatory purposes?


    ANWAR IBRAHIM is Port Dickson MP and opposition leader.

    The views expressed here are those of the author/contributor and do not necessarily represent the views of Malaysiakini.