The situation surrounding the way the MySejahtera app collects and stores personal data of about 38 million accounts is too reminiscent of Nuemera Sdn Bhd, which is involved in a personal data leakage case involving 46.2 million accounts.
Lembah Pantai MP Fahmi Fadzil said this is why he fears that MySejahtera could be the “new Nuemera”.
“With regards to MySejahtera, if you were to look at the original setup, whoever gave the green light to KPISoft Sdn Bhd (later renamed to Entomo Malaysia Sdn Bhd) to build this app and subsequently monopolise all of this data, there is too much of the modus operandi that reminds me of Nuemera,” he said when contacted by Malaysiakini today.
He reminded that similar to MySejahtera, Nuemera had been awarded a monopoly of data from telecommunications companies (telcos) in 2014 which forced the companies to hand over all the data they had on their users to Nuemera.
“Just like now, Malaysians don’t really have a choice not to use MySejahtera and the problem with Nuemera, as is the problem now with the MySejahtera app is where is our data stored exactly?
“In terms of scale, MySejahtera now handles about 38 million accounts. Nuemera handled 46.2 million. So we are talking about a huge amount of data.
“There are too many questions, too many things here that remind me exactly of Nuemera,” Fahmi said.
No clarification
Until today, there is also no clarification on which minister had signed off on “awarding this monopoly of our data” to Entomo, he said.
As such, Adham Baba, who was the health minister when the MySejahtera app was developed, or then prime minister Muhyiddin Yassin must explain the reasoning behind choosing Entomo to develop the app, he said.
On Monday, Health Minister Khairy Jamaluddin had stressed that the data collected from the MySejahtera app remains safe with the government and has never been given out to the private sector.
But digital rights activist Jac SM Kee has raised concerns about how long the data is being kept and how that could potentially be a danger to data privacy as well.
She said among the principles of good data protection is storage limitation, which means retaining personal data only for as long as it is necessary for the purposes that it was clearly and explicitly intended for.
She noted that the privacy policy of MySejahtera clearly states that the data collected is explicitly for Covid-19 management and contact tracing and that the location check-in data will be purged after 90 days.
“This is actually really good. (It) indicates that the government understands the importance of safeguarding personal data and the potential it can have for abuse,” she said.
No storage limitation period
However, she said MySejahtera does not appear to have a storage limitation period for all other forms of data collected, including “very sensitive ones” that could link together personal information such as names, addresses, IC numbers, gender, dates of birth and so on.
All this information might come into play again later on if the government, for example, chooses to add on different kinds of functions to the MySejahtera app.
“So it becomes very possible to link your actual person and where you live, religion, gender etc to, for example, your income level, what you buy, where you go, what kinds of health issues you have – depending on what add-on functions are created,” she said.
The government also has the power to make MySejahtera a critical app that is compulsory in practice, which means there is a high potential for a government body like the Health Ministry to subject 38 million users to “very detailed data monitoring in extremely invasive ways”, Kee added.
The Health Ministry can also change its mind about the use and related privacy safeguarding policy linked to the data simply by updating the terms on the page itself, which she said is a very bad practice.
“MySejahtera should be guaranteed to be explicitly limited in purpose and scope and the app, as well as all related data, should be purged within a reasonable period once the Health Ministry policy on managing the Covid-19 pandemic crisis is expired.
“And there should be an expiry – such widespread and detailed health surveillance is always an exception, not the norm,” she said.
Kee, who is also the Centre of Independent Journalism (CIJ) co-director, reminded that the government is explicitly excluded from the Personal Data Protection Act (PDPA) – something which she said needs to be reformed as soon as possible.
“Without any legal protection, we really are at the mercy of arbitrary decision-making by the government,” she said.
It is clear that there are complex and interlinked relationships between government agencies and private corporations in controlling and processing personal data, she said.
Encrypted in servers
Though the data may be encrypted in servers that have limited access, it is still likely to be managed by a third-party private company, which means there is still a risk of security breaches.
“This is why we need comprehensive data protection from any parties who handle and manage our data, regardless of whether this is for commercial, policy or other forms of use,” she said.
Lawyer and CIJ co-director Ding Jo-Ann also echoed the concern that there must be legal safeguards to ensure that personal data such as the location check-in data is purged after 90 days, as stated in MySejahtera’s data policy.
“There must be legal safeguards to ensure this and not just a statement on a webpage. There must also be safeguards that the private entity running the app will also be subject to this requirement,” she said when contacted by Malaysiakini.
She pointed out that countries such as Australia had enacted legislation to ensure data collected is deleted once its use has expired and to allow users to request the deletion of their data, after launching contact tracing apps in response to the Covid-19 pandemic.
If a private entity is running the app, such as in the case of MySejahtera, it is also important that there are contractual and legal consequences if any of the data is improperly stored, shared or sold, Ding said.
She said the PDPA also states explicitly that personal data should not be kept longer than the purpose for which it was collected and processed, but similar to Kee, she noted this does not cover data held by the government.
"So if indeed the MySejahtera data is owned by the government as they keep insisting, then it is not subject to any of the legal guarantees provided by the PDPA.
"It has always been important for the PDPA to be extended to include data held by the government and the current situation with the MySejahtera data only serves to highlight how urgent this is," she said.
Issues surrounding the MySejahtera app – from its handling of personal data to the negotiations surrounding the contract for the app’s licence – had been highlighted recently after the Public Accounts Committee published its transcript questioning the Finance Ministry and the Health Ministry on the matter. - Mkini
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.