In this age of digital transformation and IR4.0, it is necessary to provide clarity on how our data are protected
I REFER to the article published in The Malaysian Reserve on Dec 28, 2020, entitled “CyberSecurity: MySejahtera data safe”.
There is widespread concern about how data are being managed in the MySejahtera application. The fact that CyberSecurity Malaysia has to make this statement shows there are concerns about the security and usage of the MySejahtera data. This is the second time this month that MySejahtera has had to engage the public through the media to explain and give assurances that our personal data are safe.
Despite these assurances given, there is still much concern about privacy, including the potential “harvesting” of personal data, and even a significant perception that the government is using this application to track its citizens.
I believe these concerns are valid and the government needs to respond clearly, with transparency as a priority.
It is good that CyberSecurity CEO Datuk Dr Amirudin Abdul Wahab has shared that MySejahtera’s data are confidential and subject to appropriate levels of governance. However, it is not enough to come out to say that our data are safe.
In this age of digital transformation and IR4.0, it is necessary to provide clarity and clearly explain the processes that will demonstrate how our data are protected. There are clear data security and governance standards available. From the cyber security standpoint, it may be true that MySejahtera’s data may not have been hacked, but this does not mean that the data have not been abused or compromised.
While the technical aspect of the data security may be strong, the real problem is the issue of trust or lack of it. There needs to be a strong priority placed on clearly defining the role of MySejahtera. This application was formulated and implemented by the government to play a critically important public health role. Its purpose is a vital one to help mitigate the spread of the Covid-19 pandemic. This role has a significant social dimension to it.
Because of this, it is essential to address the trust factor, although MySejahtera comes along with social media apps such as Facebook, Telegram, WhatsApp, Snapchat or even Instagram. We must appreciate that MySejahtera is NOT a social media application.
FAQs on MySejahtera
According to the FAQ (frequently asked questions) section on mysejahtera.gov.my, this is the definition of MySejahtera:
- MySejahtera is an application developed by the government of Malaysia to assist in managing the Covid-19 outbreak in the country. It allows users to perform health self-assessment on themselves and their families. The users can also monitor their health progress throughout the Covid-19 outbreak.
- In addition, MySejahtera enables the Ministry of Health (MoH) to monitor users’ health conditions and take immediate actions in providing the treatments required.
MySejahtera app is developed to:
- Assist the government in managing and mitigating the Covid-19 outbreak.
- Help users in monitoring their health throughout the Covid-19 outbreak.
- Assist users in getting treatment if they are infected with Covid-19.
- Locate nearest hospitals and clinics for Covid-19 screening and treatment.
Next, we cannot compare how intrusive the application is based on permissions alone. The said article may be right that Facebook or WhatsApp requires far more permission to access specific data from our devices. They are fundamentally different.
We need to clearly understand the type of data provided by the public to the MySejahtera application. The big difference with social media applications is that MySejahtera makes it compulsory to enter our complete personal identity information. This includes personal data such as full name, gender, date of birth, mobile phone numbers, address, and most pertinently, MyKad numbers (or passport numbers). If we have filled out the Penjana claim and linked our MySejahtera with an e-wallet, the data are complete.
I cannot remember any occasion that Facebook, WhatsApp, Telegram, or other popular social media applications ask us for any personal identity information, such as MyKad numbers, passport numbers or even an address.
Having provided your identity data, being able to link that to the places you have been, together with the ability to access precise locations, makes it possible to locate and track individuals. I am not saying that the government is using this to track individuals. However, the perception of tracking is there. This is what we must address.
In this situation where the Covid-19 outbreak needs to be contained through contact tracing, a careful balance between privacy and outbreak management needs to be present. This may not be an easy task for the government to manage.
Ideas and Suggestions
This lack of trust issue has many dimensions and the main reason why this is happening is the lack of information, transparency and proper communications. Here, I agree that there is a need for the government to be more transparent about how it utilises the data collected through MySejahtera.
Here are some ideas and suggestions the government could consider doing to address this trust deficit:
1. Develop and execute a comprehensive and impactful communication plan.
Communication is everything. In order for the public to be able to effectively share accurate information, the communication plan needs to regard the public as a stakeholder in this effort to battle Covid-19. It impacts the public economically, socially and emotionally, so, the government needs to systematically explain what is being done.
2. Tell the public how secure their data are.
Start by telling the public that their data are safe. Share that the data are stored in a location that has the necessary certification and compliance with security and cyber security. The exact location may not be revealed. I think it is fine.
3. Show the public that their data are safe and used for appropriate reasons.
The prevailing law today is the Personal Data Protection Act (PDPA) 2010. It would be good to express compliance. While it may not be necessary as the PDPA does not apply to the government, it would be good to show that MySejahtera complies with the principles of the PDPA. At least another contact tracing app in Malaysia has already expressed compliance with the PDPA.
4. Share with the public on how their data are being used.
Many of us read with concern when the minister of health on Nov 12 replied in Parliament that MySejahtera has only directly detected 4% of total reported Covid-19 cases in Malaysia. It would be good for the MoH to explain how the data are being used and the steps taken to prevent the spread of Covid-19. As they remain in the four-digit scale of daily new cases, the perception is that MySejahtera is not working.
5. Tell the public how the app is being used.
Understanding the pandemic management in a holistic manner and how MySejahtera is deployed in this whole process is important. Helping the people understand will help the government in the fight against Covid-19, together.
6. Demonstrate how the government manages the above.
One of the best ways to address this is to have independent/oversight committees composed of credible and notable individuals to have oversight and access to the workings of MySejahtera.
Allow them the opportunity to speak on behalf of the government that the compliance and data governance is intact. If there are shortcomings, address them accordingly.
This is not an exhaustive list of suggestions, which I hope the government will seriously consider. This is the “new normal” in privacy versus healthcare, and the citizens’ wellbeing, which needs to be addressed seriously.
ED, Spirit of Endeavour Sdn Bhd
The views expressed are of the writer and do not necessarily reflect the stand of the newspaper’s owners and editorial board.