KUALA LUMPUR, August 12 — Personal data stored in the federal government’s MySejahtera app is treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Diseases Act 1988.
Besides the laws governing medical practice and contagious illnesses respectively, Deputy Health Minister Dr Noor Azmi Ghazali said protection of data on the Ministry of Health’s (MOH) Covid-19 management and contact tracing mobile app also follows provisions under the Personal Data Protection Act (PDPA) 2010, even though the latter legislation does not apply to government.
“The data is only used for contact tracing,” Dr Noor Azmi told CodeBlue yesterday in an exclusive interview at Parliament here.
“It’s confidential under the Medical Act 1971, and we’re very strictly following it,” added the Bagan Serai MP, who is also a general practitioner (GP).
MySejahtera requires various personal details from users who download the app, such as their contact number, email address, full name, identity card (IC) number, age, gender, ethnicity, and home address, that may help MOH with Covid-19 clinical and epidemiological analysis. MySejahtera does not record people’s temperatures upon checking in at a location.
Extraction of data from MySejahtera only happens when there is a positive Covid-19 case, in order to perform contact tracing activities. A strict data process flow is adhered to, as information on MySejahtera is only accessible to seven people — from the national Crisis Preparedness and Response Centre (CPRC) and disease control division under MOH, as well as the National Cyber Security Agency (NACSA), the lead government agency on cyber security matters under the Prime Minister’s Department. Performance assessment tests are done periodically to ensure safety from hacking attempts. NACSA is responsible for MySejahtera’s data security and governance.
“Our aim is so beautiful and so noble. MySejahtera is well-protected,” Dr Noor Azmi said. “The rakyat must learn to understand it and cooperate.
“If everybody has MySejahtera downloaded, our work will be easier, and more secure and efficient. The end result will be — we can contain the disease. This is what we want.”
Dr Noor Azmi also said data on MySejahtera that was developed by KPISOFT — a Malaysian analytics company with headquarters in the United States, Europe, Asia, and the Middle East — is stored in Malaysia. The Malaysian government did not pay a sen to KPISOFT, as the vendor provided the service for free out of corporate social responsibility.
MySejahtera managed to detect 251 confirmed Covid-19 cases, or 3 per cent of 8,303 coronavirus cases, as of June 6. Close contacts uncovered through MySejahtera depend on individual Covid-19 cases, ranging from as low as 10 to thousands.
The app, initiated by MOH, which manages data on MySejahtera — with assistance from the National Security Council (NSC), the Malaysian Administrative Modernisation and Management Planning Unit (MAMPU) under the Prime Minister’s Department, the Malaysian Communications and Multimedia Commission (MCMC), and the Ministry of Science, Technology and Innovation (MOSTI) — has been downloaded by 13,284,611 users as of August 10.
This represents almost 60 per cent of those with mobile phones in Malaysia’s 32-million population.
The percentage of bad data on MySejahtera, according to Dr Noor Azmi, is very low because about 10 million users’ IC numbers have been verified with the National Registration Department so far. MySejahtera also uses one-time passwords (OTP) sent to one’s mobile phone to register individual users.
Cumulative check-ins with MySejahtera numbered 256,100,324 as of August 10, with about 85 to 90 per cent of check-ins done through the app. Total premises (comprising both private businesses and government offices) registered nationwide with the app were 590,829, as of August 10. Check-ins through MySejahtera do not require one to fill in their name and phone number, unlike camera scans of the QR code that need those details to be entered manually for each check-in at a location.
How MySejahtera Does Contact Tracing
The MySejahtera team at national CPRC has a two-hour turnaround time to identify close contacts from MySejahtera once a positive Covid-19 case is confirmed. A request to retrieve data on people believed to have been in physical contact or proximity with a coronavirus-infected person within the past fortnight goes to MOH’s disease control director, after which NACSA gives permission. A coronavirus patient’s name, IC number, or phone number is entered to produce a log of their MySejahtera check-ins.
Then, close contacts are determined from looking at the Covid-19 patient’s timestamped check-in at a particular location, perhaps half an hour before or after the check-in, to see which other people were in that area at about the same time as the person with coronavirus.
Close contacts from particular venues are chosen based on the probability of contracting Covid-19, like crowded and enclosed areas where one spends a significant amount of time, such as a restaurant. Places with low risk of transmission will likely be omitted, depending on individual cases and epidemiological investigation.
Data from MySejahtera is corroborated with an investigator’s interview with the Covid-19 patient on the places the latter has visited in the past 14 days. Once close contacts are identified, a notification is sent through their MySejahtera app telling them to visit the nearest district health office. The relevant district health offices will also call them.
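The matching step described above, as an added Python example that is not MySejahtera's actual code: it refuses to run without both approvals named in the article, then returns who checked in at the same premise within the time window of any of the patient's check-ins. The data layout, role labels, low-risk venue list and sample log are assumptions constructed for illustration; the 30-minute window and 14-day lookback follow the figures given in the article.

```python
from datetime import datetime, timedelta

# Constructed sample check-in log: (user_id, premise_id, check-in time).
# All identifiers and timestamps are made up for illustration.
CHECKINS = [
    ("patient-1", "restaurant-A", datetime(2020, 8, 5, 12, 0)),
    ("user-2",    "restaurant-A", datetime(2020, 8, 5, 12, 20)),  # 20 min after
    ("user-3",    "restaurant-A", datetime(2020, 8, 5, 11, 25)),  # 35 min before
    ("user-4",    "restaurant-A", datetime(2020, 8, 6, 12, 0)),   # next day
    ("patient-1", "car-park-B",   datetime(2020, 8, 7, 9, 0)),
    ("user-5",    "car-park-B",   datetime(2020, 8, 7, 9, 5)),    # low-risk venue
    ("patient-1", "mall-C",       datetime(2020, 7, 20, 15, 0)),  # before lookback
    ("user-6",    "mall-C",       datetime(2020, 7, 20, 15, 10)),
    ("patient-1", "clinic-D",     datetime(2020, 8, 9, 10, 0)),
    ("user-2",    "clinic-D",     datetime(2020, 8, 9, 9, 30)),   # exactly 30 min
]

# Assumed labels for the two sign-offs the article describes.
REQUIRED_APPROVALS = {"disease_control_director", "nacsa"}


def close_contacts(checkins, patient, confirmed_at, approvals,
                   window=timedelta(minutes=30), lookback=timedelta(days=14),
                   low_risk=frozenset()):
    """Return {premise: sorted user ids} for users who checked in at the same
    premise within `window` of a patient check-in during the lookback period."""
    missing = REQUIRED_APPROVALS - set(approvals)
    if missing:
        # Extraction is denied unless every required party has signed off.
        raise PermissionError(f"extraction not approved by: {sorted(missing)}")
    earliest = confirmed_at - lookback
    # Patient visits inside the lookback period, minus venues judged low risk.
    visits = [(p, t) for u, p, t in checkins
              if u == patient and earliest <= t <= confirmed_at
              and p not in low_risk]
    contacts = {}
    for user, premise, ts in checkins:
        if user == patient:
            continue
        if any(premise == p and abs(ts - t) <= window for p, t in visits):
            contacts.setdefault(premise, set()).add(user)
    return {p: sorted(users) for p, users in contacts.items()}


if __name__ == "__main__":
    print(close_contacts(CHECKINS, "patient-1", datetime(2020, 8, 10, 8, 0),
                         approvals={"disease_control_director", "nacsa"},
                         low_risk={"car-park-B"}))
```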
When asked if the 149 district health offices (PKD) across states use MySejahtera to look for Covid-19 patients’ close contacts, Dr Noor Azmi said they use manual methods of contact tracing and report to the national CPRC, which will then look for close contacts on MySejahtera.
“The PKD will do the groundwork. PKD will set up a risk assessment team, who will call or go down and check the necessary and inform the response team. The response team will get the details and pass the information to CPRC,” Dr Noor Azmi said, adding that manual contact tracing is still necessary because not everyone has downloaded MySejahtera.
The deputy health minister also said MySejahtera has yet to be integrated with other contact tracing apps because “there are many technical issues, tak ngam”. CodeBlue understands that elements like security threats, liability issues, and cost are being considered before integrating MySejahtera with any other app.
The Penang state government has decided to phase out its PgCARE contact tracing app in favour of MySejahtera, after Senior Defence Minister Ismail Sabri Yaakob announced last August 3 that legislation would be enacted to make MySejahtera mandatory for businesses.
Besides Penang, the Selangor and Sarawak state governments also have their own contact tracing apps, like the former’s SELangkah and the latter’s Qmunity and COVIDTrace apps. The Kuala Lumpur City Hall and various commercial entities, like shopping centres, have also developed their own contact tracing apps.
Beyond Contact Tracing, Plus Upcoming Features
Besides contact tracing, MySejahtera has other features like a hotspot tracker and a travellers’ module for Malaysians who are quarantined upon returning home from overseas.
“You can monitor your health, there’s a hotspot tracker, [a list of] health facilities, daily updates in the news. Those under the HSO (home surveillance order) have to use it every day for monitoring of their health and submit it during their 14 days’ quarantine,” Dr Noor Azmi said.
The hotspot tracker states if Covid-19 cases have been detected in the past 14 days within a 1km radius of a location entered into the app. MySejahtera does not state the number of coronavirus cases in a particular area, nor exactly where people with Covid-19 travelled to within that 1km radius.
The Covid-19 cases determined by MySejahtera in a particular area on its hotspot tracker are based on a possible source of infection, like the place of detection and locations visited by a person with coronavirus.
As for the travellers’ module, Malaysians returning from overseas are required to do daily health assessments on MySejahtera during their 14-day quarantine so that those with coronavirus symptoms — like fever, sore throat, cough, and shortness of breath — can be identified and told to seek medical attention. Other users can also check their own risk for coronavirus by filling in a simple five-question assessment.
MySejahtera lists Covid-19 screening health facilities near users, including private GP clinics that MOH has allowed to run antigen rapid tests for low-risk people (not a person-under-investigation and no history of close contact with positive cases). The app further lists a few digital health providers that can be booked for clinic appointments.
Users can also list dependents on MySejahtera who do not have the app, and they may soon be able to check in their dependents through a future group check-in feature. MySejahtera provides daily official updates on the Covid-19 situation in Malaysia, like new cases, fatalities, or recoveries reported, the number of active cases, as well as the total number of official coronavirus cases and deaths.
MySejahtera is even helpful to businesses registered with the app, as they have a dashboard to monitor the number of check-ins across a time series throughout the day.
“This enables business premises to plan and have insights on visitor management,” Dr Noor Azmi said.
MOH plans to add more features to MySejahtera to make it more user-friendly for people with disabilities. Dr Noor Azmi suggested voice-assistive technology.
He added that MySejahtera may also introduce a complaints feature enabling users to send in photographs of violations of social distancing or other standard operating procedures (SOPs) at any location or outlet, like what he receives sometimes on WhatsApp.
“Such complaints may be used for investigations.”