Central Contact Tracing App May Threaten Data Protection, SELangkah Creator Says

Any entity that holds individuals’ personal data should be subject to laws and regulation, says Dr Helmi Zakariah.

KUALA LUMPUR, July 16 — No single party should be allowed to monopolise the collection of personal data, said the creator of the Selangor government’s SELangkah Covid-19 contact tracing app.

According to Dr Helmi Zakariah, different data ecosystems with unified integration are the key to an effective digital contact tracing measure in the coronavirus outbreak.

“In a scenario like a contact tracing system, we know it is important to have a certain degree of centrality, but it is also important to balance the data sharing ecosystem to be guarded and custodied [sic] by multiple parties,” Dr Helmi told CodeBlue in an interview.

He pointed out that pools of sensitive data can be a threat to data protection. He also stated that SELangkah does not collect sensitive personal information, such as identity card numbers, to make the data set look unattractive to hackers.

This is different from other Covid-19 contact tracing apps that are being used in Malaysia, like the federal government’s MySejahtera and the Sarawak state government’s Qmunity that require users to sign up with their MyKad number.

“We are not a commercial entity. There’s no real reason to have one app or market domination. There is no need for something like market domination to exist, but integration is important,” said Dr Helmi.

“SELangkah, MySejahtera are all public initiatives. These are public tools. It is important to have integration to ensure similar experiences for the people.”

“SELangkah: Langkah Masuk dengan Selamat” is a Selangor state government initiative that was introduced to assist the state health department to trace new Covid-19 infections.

The SELangkah visitor registration system includes all government and registered business premises, as well as private premises. The public or visitors simply need to provide their name and mobile number when they scan a QR code with their phone before entering those buildings. SELangkah records the date and time of a visitor’s visit to the particular premises.

In the era of advanced technology, every individual has the responsibility to be the custodian of their personal data, said Dr Helmi.

“The one that is responsible for the custody of our data is actually ourselves. But of course, it’s not usually feasible,” Dr Helmi told CodeBlue.

“The reason why the best custody of data is individual, is because again, it relies on the principle of data non-centrality. It means that no one entity should be the custodian of all data,” he added.

This raises the issue of data protection in parallel, as the Personal Data Protection Act 2010 is inapplicable to federal and state government bodies.

“In SELangkah, the custodian of data is the state government. In some other system, they are governed by city council, some like private entities,” Dr Helmi said.

“We are happy to disclose that SELangkah has actually initiated a meeting with PDPA for them to actually go through and do a penetration test; go through our system and for them to acknowledge that SELangkah adheres to PDPA principle,” he stated further.

Dr Helmi highlighted the principles of PDPA that SELangkah complies with, such as the general principle of consent (Section 6), notice and choice principle (Section 7), disclosure principle (Section 8), security principle (Section 9), retention principle (Section 10), data integrity principle (Section 11), and access principle (Section 12).

At the same time, Dr Helmi stressed that any entity that handles data should be subject to laws and regulation, citing banks as an example.

“I think even though it will not be a PDPA, all entities that hold data, regardless whether they are government, non-government, commercial, non-commercial, there should be some safeguard measures to put in place.

“If it is not in terms of PDPA, it must be in the form of different legal measures, but some regulatory measures must be put in place,” he emphasised.

It is to be noted that countries like India mandated the compulsory installation of the government’s contact tracing app on people’s smartphones, which sparked criticism from the public.

Australia recently introduced a law to protect users’ data privacy in the country’s contact tracing app.

The need to enact a special law for data privacy of contact tracing apps continues to be echoed in countries like Canada, China, France, Germany, Italy, and other parts of the world.

Bandar Kuching MP Dr Kelvin Yii previously insisted that the government look into centralising a common mobile contact tracing app throughout the country not only for the convenience of the public, but for accountability purposes in the management of sensitive data collected through various apps.
