Lessons on Data Protection From The MySejahtera Saga

Managed to pen down my thoughts on what corporate Malaysia can learn from the MySejahtera saga. This piece first appeared in The Edge, and below is the version before it was edited.


Back in 2017, The Economist published a story titled "The World's Most Valuable Resource Is No Longer Oil, But Data". Today's tech titans in the US thrive because of their ability to collect – and put to commercial use – the data of hundreds of millions of people on the planet.

Malaysian corporations, no doubt, harbour similar ambitions.

This is where the MySejahtera saga comes into the picture. It first began when the Public Accounts Committee ("PAC") revealed that no contract was signed between the Government and developer KPISoft Malaysia Sdn Bhd ("KPISoft") back in early 2020 when the app was developed. It was later reported that KPISoft (now renamed Entomo Malaysia Sdn Bhd) had in October 2020 licensed the MySejahtera software and intellectual property rights to another company known as MySJ Sdn Bhd until 2025 for RM338.6 million. The Government is now in talks with MySJ Sdn Bhd to purchase the MySejahtera software, the terms and fees of which are unknown.

These events triggered a nationwide debate on who ultimately owns the data of millions of Malaysian citizens and businesses collected by MySejahtera – is it KPISoft, MySJ Sdn Bhd or the Government? Some are also justifiably concerned about the potential disclosure of the personal data of millions of MySejahtera users between private entities. There is further strong public resistance to any attempts by private companies to commercialise MySejahtera beyond its intended objective of combating Covid-19.

Whilst this is a developing story, there are several lessons to be learned thus far.

But to do that, one must first appreciate the purpose behind data protection and privacy laws in Malaysia. In 2010, Malaysia passed the Personal Data Protection Act ("PDPA"). The PDPA recognises that data privacy is a right which all Malaysian citizens ought to enjoy. Data privacy means having a say on how your data – where you stay, work, dine, shop for groceries on weekends and various other behavioural patterns collected by MySejahtera – is to be used. If data privacy is not respected and your data is leaked, you may be exposed to a variety of risks such as identity theft, phone call fraud, cybersecurity attacks or even discrimination based on your medical history.

Lesson #1: Draft Clear Agreements From The Outset To Clarify Who Owns The Personal Data

The issue of ownership is crucial because it suggests exclusive control – which is why the Government continues to assert ownership of the personal data collected by MySejahtera.

However, the PAC's revelation that no agreement was signed between the Government and developer KPISoft has cast doubt on that assertion. The fact that KPISoft thereafter licensed the MySejahtera software and intellectual property rights to MySJ Sdn Bhd reinforced the perception that the Government never had ownership of the personal data to begin with. Health Minister YB Khairy Jamaluddin later clarified that a Non-Disclosure Agreement ("NDA") was signed between the Government and KPISoft, which allegedly made it clear that the Government owns the personal data.

This underscores the importance of clear written agreements on ownership of data. It is surprising that the Government did not structure an agreement with KPISoft which would have clearly spelt out who owns the personal data of MySejahtera users. Whilst Khairy Jamaluddin relies on an alleged NDA, an NDA (as the name suggests) does not typically stipulate or confer ownership of property, and the NDA has not been disclosed to the public. Put simply, this controversy would not have arisen if a clear written agreement had been signed at the beginning.

It is not uncommon for businesses today to enter into joint ventures or collaborate with other businesses in commercial endeavours which involve the collection of personal data. The last thing one needs to face is a tussle down the road over who owns such personal data – which is why written agreements drafted at the start of the relationship are vital.

Lesson #2: Do Not Disclose Personal Data Of Your Customers/Users To Third Parties Without Their Consent

Regardless of who legally owns the personal data, the more important question is this: besides the Government and KPISoft, who else had access to our personal data in MySejahtera?

We do not know for a fact whether MySJ Sdn Bhd had access to such personal data since the software was licensed to it by KPISoft back in October 2020. However, if it did have access and MySejahtera users had not consented to such access, it would be a breach of the PDPA.

Generally, the PDPA prohibits the disclosure of personal data to third parties unless the users themselves consent to such disclosure. The PDPA also prohibits a party from utilising or processing personal data, whether for commercial purposes or otherwise, without the consent of the users concerned. If there is a breach of either of these prohibitions, one is liable to imprisonment for up to 2 years or a fine of up to RM300,000, or both.

It is hence of utmost importance for businesses not to disclose the personal data of their customers to any third parties without obtaining the necessary consent. And even if businesses happen to receive a treasure trove of personal data from third parties, they cannot make use of such data without the explicit consent of the users beforehand. In short, tread carefully and seek expert advice if necessary whenever personal data is at stake.

Lesson #3: Do Not Process Personal Data of Your Customers/Users For Endeavours Beyond Its Originally Intended Purpose Without Their Consent

It is common knowledge that the personal data collected by MySejahtera is for the purposes of combating Covid-19. In fact, MySejahtera’s Privacy Policy states: “Information collected are used for monitoring and enforcement purposes by Government authorities in dealing with the COVID-19 pandemic.”

Can such personal data later be used by MySejahtera for non-public-health purposes? For example, a MySejahtera user receives a notification promoting organic food manufactured by a certain brand – is this legal?

The general position under the law is that personal data should only be processed by businesses for the purpose for which it was collected at the outset, i.e. combating Covid-19. If businesses wish to use such data for purposes not directly related to the original purpose, they need to seek fresh consent from those users. Having said that, with proper foresight and drafting of the consent form at the first instance, businesses do not need to constantly seek fresh consent.

This article is in no way discouraging businesses from working with data. It is, after all, key to the future of commerce. But if businesses can appreciate that there are human rights dimensions to data, and that its protection is part of good governance, we can all prosper in a sustainable fashion.

Lim Wei Jiet is a dispute resolution lawyer with core practice areas in commercial, employment & intellectual property law. He welcomes feedback at [email protected].

Matthew Jerome van Huizen

Shipping Lawyer at Joseph & Partners

2 years

Thank you for this Mr. Lim. We need you in Parliament!
