KUALA LUMPUR, March 31 – Khairy Jamaluddin today asserted that the Malaysian government owns MySejahtera’s intellectual property (IP) rights and source code, and personal data collected through the Covid-19 app.
The health minister said that among the main terms and conditions of the NDA signed between the National Security Council (NSC) and KPISoft Malaysia Sdn Bhd (now Entomo Malaysia Sdn Bhd) on April 1, 2020, are that “the government has full and absolute ownership of all data and information obtained through the usage of the MySejahtera app”.
“I guarantee that all the data stored in MySejahtera’s database is preserved and used only for pandemic control purposes told by the Ministry of Health (MOH),” Khairy the Dewan Negara today during a special motion filed on the MySejahtera issue.
“In this respect, the use and management of MySejahtera data is subject to the Prevention and Control of Infectious Diseases Act 1988 (Act 342), the Medical Act 1971, and international standards.”
A December 31, 2020 share sale agreement between two MySJ Sdn Bhd shareholders – Revolusi Asia Sdn Bhd and P2 Asset Management – which was disclosed in a supporting affidavit by Entomo Malaysia in an ongoing court case, also states that the Malaysian government owns the MySejahtera trademark and data collected through the operation of the app.
However, the share sale agreement states that Entomo Malaysia is the owner of “all rights, title and interest, including all intellectual property rights” related to the MySejahtera app.
Through an October 6, 2020 license agreement disclosed by the affidavit, Entomo Malaysia gave MySejahtera’s intellectual property rights to MySJ and granted MySJ a perpetual license to use Entomo Malaysia’s “proprietary software” to develop and support the MySejahtera app for RM338.6 million in a deal until end 2025.
Khairy today did not specifically mention the legal basis for the government’s ownership claim over the IP rights and source code of the MySejahtera app developed by KPISoft Malaysia. A source code is the set of instructions and statements written by a programmer using computer programming language.
“I want to explain here that the ownership of MySejahtera, the trademark, the application, and the modules, besides the three early modules, including the source code, belongs to MOH,” Khairy said.
“What the company has is operation of the platform – software as a service – but the IP, source code, and developed modules are owned by MOH.
“For example, when we go to Apple Store or Google Play, we see that MySejahtera is owned by the government of Malaysia. When we download it, the owner is not KPISoft, but the Malaysian government.”
He said that a Cabinet memorandum by the Prime Minister’s Department, which holds purview over NSC, was discussed last November 26 and agreed upon by the Cabinet for the full transfer of MySejahtera’s ownership to MOH.
“Just to be clear, this is not a transfer of ownership from a private company to MOH, but from another government agency to MOH as the sole custodian and owner.”
Khairy explained that when he was appointed health minister last August 30, he looked at the governance structure of MySejahtera and was of the opinion that MOH should completely take over management and operation of the app because previously, under the NSC, there were instructions related to MySejahtera from the National Cyber Security Agency (NACSA), the Malaysian Administrative Modernization and Management Planning Unit (MAMPU), the NSC, and MOH.
“The governance structure wasn’t clear, so I asked that MySejahtera be transferred to MOH.”
In line with the Cabinet’s November 2021 decision, a steering committee was set up – chaired by Khairy and comprising the Ministry of Science, Technology and Innovation (MOSTI); NACSA; the Malaysian Communications and Multimedia Commission (MCMC); MAMPU; and MDEC – to negotiate with the “MySejahtera operating company, the operator of the platform”, Khairy said.
“On the issue of direct negotiations, why this company, this is because when the corporate social responsibility (CSR) period ended, we found a lot more requests for modules and we found that rather than stop and find a new operator, we continue with the existing operator,” Khairi said, referring to MySJ Sdn Bhd.
Khairy also said the government has not made any payment to date to the “operator” of the MySejahtera app ever since KPISoft developed MySejahtera for the government for free in a CSR initiative from March 27, 2020 to March 31, 2021.
The MySejahtera app was launched on April 20, 2020, with three modules: self-assessment, contact tracing (not through QR code scans, but written documentation of one’s contact history), and delivering information on Covid-19 to the public. The app has since grown to 15 modules.
In response to Dominic Lau’s questions on MOSTI giving payments of RM10.4 million to NACSA that were paid to KPISoft, Khairy said this payment was for Google API and SMS alert functions, “not to KPISoft”.
Khairy also said the government’s negotiations with MySJ are for “far lower” than RM300 million.
“We’re in the final stages of negotiations, we’re almost signing the contract,” he said, adding that whatever agreement that is signed later will be presented to Parliament’s Public Accounts Committee (PAC) that will launch an investigation mid-April into the development and procurement of MySejahtera.
Khairy explained that although Entomo Malaysia’s parent company is based in Singapore, Entomo Pte Ltd’s majority shareholders are Malaysians.
“They decided to be based in Singapore because like other tech companies from Malaysia, they find it easier to get investors in Singapore. That’s why they are based in Singapore, like Grab.”
He also said MySejahtera’s data server is located at AIMS Data Center in Kuala Lumpur. Data transactions from MySejahtera are uploaded onto the cloud server daily and “can only be accessed for the use of the MySejahtera app and supporting apps related to the Covid-19 pandemic”.
MAMPU and NACSA, he said, ran several tests, including penetration and vulnerability tests, to ensure that the MySejahtera app was secure prior to its launch.
“Besides that, NACSA runs periodic security audits every month and conducts penetration tests from time to time, besides running an audit trail on the server hosting MySejahtera data.”
Finally, Khairy indicated that MOH wants to continue using MySejahtera beyond the Covid-19 pandemic, citing the Malaysian Medical Association’s (MMA) proposal that the app be used to store personal medical records.
“MySejahtera’s database is among the biggest in the world. So it’s very important to continue using MySejahtera as an app.” MySejahtera has 38 million registered users.
Before Khairy’s explanation in the Dewan Negara, 13 senators from the government and Opposition took part in the MySejahtera debate, including on MySejahtera’s ownership, data security, and business model for the app.
“Who is the owner of this application? Does MOH still have rights over the application or is the app owned by a private company?” questioned Senator Koh Nai Kwong from MCA.
Senator Arman Azha Abu Hanifah from Umno pointed out three key issues in his debate on the MySejahtera application. That includes assurance of confidentiality, financial implication to the government, and credibility of the involved parties.
He also asked MOH about the need for additional payment for the “new features” in the MySejahtera app.
“Is there any additional payment that should be made for additional features? What are the new features? Is there any contract between the government to include additional features in the application? Would these components require personal data of the users?”
Senator Wan Martina Wan Yusoff from PAS demanded that the government provide an assurance for the public that the personal data collected by MySejahtera would not be used for business or election purposes.
Senator Zurainah Musa from Umno urged the government to be transparent and admit if there are any mishaps in the MySejahtera application issues.
“Besides providing verbal assurance that the data would be protected, are there any regulations or contracts involved in protecting the data of Malaysians who use this application? Is the Personal Data Protection Act 2010 applicable for MySejahtera?
“Are there any regulations that prevent the involved company from misusing the data? Where the data is collected and saved? Is it in Malaysia or abroad?”