Tuesday 06 Jun 2023

This article first appeared in Forum, The Edge Malaysia Weekly on April 11, 2022 - April 17, 2022

In 2017, The Economist published a story titled “The World’s Most Valuable Resource Is No Longer Oil, But Data”. Today’s tech titans in the US thrive because of their ability to collect — and put to commercial use — the data of hundreds of millions of people on the planet.

Malaysian corporations, no doubt, harbour similar ambitions.

This is where the MySejahtera saga comes into the picture. It began when the Public Accounts Committee (PAC) revealed that no contract was signed between the government and developer KPISoft Malaysia Sdn Bhd in early 2020 when the app was developed. It was later reported that KPISoft (renamed Entomo Malaysia Sdn Bhd) had in October 2020 licensed the MySejahtera software and intellectual property rights to another company known as MySJ Sdn Bhd until 2025 for RM338.6 million. The government is now in talks with MySJ to purchase the MySejahtera software, the terms and fees of which are unknown.

These events triggered a nationwide debate on who ultimately owns the data of the millions of Malaysian citizens and businesses collected by MySejahtera — is it KPISoft, MySJ or the government? Some are also justifiably concerned about the potential disclosure of the personal data of millions of MySejahtera users between private entities. There is further strong public resistance to any attempts by private companies to commercialise MySejahtera beyond its intended objective of combating Covid-19. 

While this is a developing story, there are several lessons to be learnt thus far.

But to do that, one must first appreciate the purpose behind data protection and privacy laws in Malaysia. In 2010, Malaysia passed the Personal Data Protection Act. The PDPA recognises that data privacy is a right that all Malaysian citizens ought to enjoy. Data privacy means having a say in how your data — where you stay, work, dine, shop for groceries on weekends and various other behavioural patterns collected by MySejahtera — is to be used. If data privacy is not respected and your data is leaked, you may be exposed to a variety of risks such as identity theft, phone call fraud, cybersecurity attacks or even discrimination based on your medical history.

Lesson #1: Draft clear agreements from the outset to clarify who owns the personal data

The issue of ownership is crucial because it suggests exclusive control, which is why the government continues to assert ownership of personal data collected by MySejahtera.

PAC’s revelation, however, that no agreement was signed between the government and developer KPISoft has raised doubts about such an assertion. The fact that KPISoft thereafter licensed the MySejahtera software and intellectual property rights to MySJ reinforced the perception that the government never had ownership of the personal data to begin with. Minister of Health Khairy Jamaluddin later clarified that a non-disclosure agreement (NDA) was signed between the government and KPISoft, which allegedly made it clear that the government owns the personal data.

This underlines the importance of clear written agreements on ownership of data. It is surprising that the government did not structure an agreement with KPISoft that would have clearly spelt out who owns the personal data of MySejahtera users. While Khairy relies on an alleged NDA, an NDA (as the name suggests) does not typically stipulate or confer ownership of property, and the NDA has not been disclosed to the public. Put simply, this controversy would not have arisen if a clear written agreement had been signed at the beginning.

It is not uncommon for businesses today to enter into joint ventures or collaborate with other businesses in commercial endeavours that involve the collection of personal data. The last thing one needs to face is a tussle on who has ownership over such personal data down the road — hence why written agreements drafted at the start of the relationship are vital. 

Lesson #2: Do not disclose personal data of your customers/users to third parties without their consent

Regardless of who legally owns the personal data, the more important question is this: Besides the government and KPISoft, who else had access to our personal data in MySejahtera?

We do not know for a fact whether MySJ had access to such personal data since it was licensed by KPISoft in October 2020. However, if it did have access and MySejahtera users had not consented to such access, it would be a breach of the PDPA.

Generally, the PDPA prohibits the disclosure of personal data to third parties unless the users themselves consent to such disclosure. The PDPA also prohibits a party from using or processing personal data, whether for commercial purposes or otherwise, without the consent of the users concerned. If there is a breach of either of these prohibitions, one is liable to imprisonment of up to two years or a fine of up to RM300,000, or both.

It is thus of utmost importance that businesses do not disclose the personal data of their customers to any third parties without obtaining the necessary consent. And even if businesses happen to receive a treasure trove of personal data from third parties, they cannot make use of such data without the explicit consent of the users beforehand. In short, tread carefully and seek expert advice, if necessary, whenever personal data is at stake.

Lesson #3: Do not process personal data of your customers/users for endeavours beyond its originally intended purpose without their consent

It is common knowledge that the personal data collected by MySejahtera is for the purposes of combating Covid-19. In fact, MySejahtera’s privacy policy states: “Information collected is used for monitoring and enforcement purposes by government authorities in dealing with the Covid-19 pandemic.”

Can such personal data be used later on by MySejahtera for non-public health purposes? For example, a MySejahtera user receives a notification promoting organic food manufactured by a certain brand — is this legal?

The general position under the law is that personal data should be processed by businesses only for the purpose for which it was collected at the outset, that is, combating Covid-19. If businesses wish to use such data for purposes not directly related to the original purpose, they need to seek fresh consent from such users. Having said that, with proper foresight and drafting of the consent form at the first instance, businesses do not need to constantly seek fresh consent.

This article is in no way encouraging businesses to stay away from data. It is, after all, key to the future of commerce. But if businesses can appreciate that there are human rights dimensions to data and that its protection is part of good governance, we can all prosper in a sustainable fashion.

Lim Wei Jiet is a dispute resolution lawyer with core practice areas in commercial, employment and intellectual property law. He is a co-founder and vice-president of the Malaysian United Democratic Alliance (Muda) party.
