Every Malaysian adult is now being funnelled into a single digital identity but the risks are real, and Malaysia cannot afford to run the problematic MySejahtera experiment a second time.
If you tried to renew your road tax last week and were greeted by an “Oops! Something went wrong” pop-up, you are not alone. Since May 1, 2026, the Road Transport Department’s MyJPJ app has accepted only one form of login for users aged 18 and above: MyDigital ID.
By May 4, The Star reported, seven million MyJPJ users had logged in via the new system, alongside complaints about failed sign-ins and stuck one-time passwords.
MyJPJ handles road tax, summons, licence renewals and vehicle ownership transfers for a sizeable slice of Malaysia’s 34 million population.
Forcing every adult user onto a single national digital identity, after two delays from the original February deadline, is one of the largest digital policy moves in the country’s history.
Prime Minister Anwar Ibrahim has stated that 95% of federal government services should be delivered fully online by 2030, with MyDigital ID as the single key. Passport applications, wedding and death certificates, telco SIM verification, public housing and social protection are all being routed through one identity layer.
The target is 17 million registered users by end-2026, up from roughly 12 million today.
The pitch is seductive. One login, no more juggling 14 passwords across MyTax, MyJPJ, MyEG, MySejahtera and the Employees Provident Fund’s i-Akaun. On paper, MyDigital ID is exactly the kind of plumbing a serious 21st-century state should have.
So why are so many Malaysians uneasy?
Because the people asking us to trust them have a questionable track record.
Digital Minister Gobind Singh Deo has said that MyDigital ID does not store personal or biometric data, it only authenticates.
“The MyGOV Malaysia mobile app, which uses MyDigital ID for digital authentication, is built to international security standards and does not copy or store people’s personal data,” he said in November 2025.
That is a comforting line, but one we have heard before.
Consider past data leaks: In 2017, the records of 46 million Malaysian mobile subscribers, including phone numbers and home addresses, were dumped on the dark web.
In May 2022, a database of 22.5 million Malaysians born between 1940 and 2004, complete with MyKad numbers and addresses, was offered for sale for US$10,000, or roughly RM39,500.
In December 2024, another haul of an alleged 17 million MyKad records surfaced, prompting a National Cyber Security Agency probe.
The Election Commission, the Social Security Organisation, the ministry of health and the National Registration Department have each had their turn.
After every breach the script is identical: deny, investigate, blame a contractor, move on.
Then there is MySejahtera, the cautionary tale we appear determined to ignore. The Public Accounts Committee found the app had been rolled out nationally on a “corporate social responsibility” basis without a formal contract.
A share sale agreement dated August 27, 2021 named a private vendor, MySJ Sdn Bhd, as the platform’s owner, contradicting then health minister Khairy Jamaluddin’s assurance that the app was “wholly owned by the government”.
Nobody has since given a clean answer on who actually owned the data of 38 million users.
And then came the audit. In February 2023, the auditor-general confirmed that a ministry of health-approved “super admin” account had downloaded the personal information of three million users between Oct 28 and 31, 2021, using five different Internet Protocol addresses.
The deputy minister of the day said the data was downloaded “to protect it from hackers”. CyberSecurity Malaysia later confirmed misuse of the application programming interface.
Now layer that history on top of the law.
The Personal Data Protection Act 2010, the only real privacy law we have, explicitly does not apply to the federal and state governments. Even the Personal Data Protection (Amendment) Act 2024, hailed as a watershed reform, left that carve-out intact.
A company can be fined for losing your details; Putrajaya cannot.
Compare this with Singapore. Its Singpass covers 97% of the eligible population and now processes more than 41 million transactions a month across upwards of 2,700 public and private services.
Crucially, Singaporean public agencies are bound by the Public Sector (Governance) Act, which imposes privacy obligations parallel to those the private sector faces under its Personal Data Protection Act.
In other words, Singaporeans got a legal cage around government data before they got a digital ID at scale. We are doing it in reverse: mandating the identity first, promising the safeguards later.
So what should the government do?
Three things, urgently. First, amend the Personal Data Protection Act 2010 to apply to federal and state agencies. There is no credible argument left for the carve-out.
Second, legislate a statutory right to compensation for citizens whose data is breached by a government system, overseen by a transparent and independent ombudsman. The digital ministry has said it will study this; studying is not deciding.
Third, publish, in plain Bahasa Malaysia and English, exactly what data MyDigital ID touches, who can query it, and for how long logs are retained.
Trust, as Singapore figured out, is built on statutes, not press releases. Every Malaysian adult is now being funnelled into a single digital identity. The convenience will be real and so will the risks, and we do not have the luxury of running the MySejahtera experiment a second time.
One ID to rule them all is a fine slogan for a fantasy novel. It is a terrifying business plan for a government that might not yet have earned the right. - FMT
The writer can be contacted at kathirgugan@protonmail.com.
The views expressed are those of the writer and do not necessarily reflect those of MMKtT.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.