Khairy Says Discussing With Comms Ministry On Amending PDPA To Regulate MySejahtera

Federal and state governments are currently exempted from the Personal Data Protection Act; there are presently no legal or regulatory frameworks governing MySejahtera.

KUALA LUMPUR, April 15 – The Ministry of Health (MOH) is in discussions with the Communications and Multimedia Ministry on potentially amending the Personal Data Protection Act (PDPA) 2010 to regulate MySejahtera, Khairy Jamaluddin said today.

Section 3(1) of the PDPA, which is Malaysia’s main privacy law under the Communications and Multimedia Ministry’s jurisdiction, states that the Act “shall not apply to the federal government and state governments”. 

“We’re discussing the matter with the Communications and Multimedia Ministry and we’ll let you know what happens,” Khairy told reporters today, when CodeBlue asked if the government would delete the exemption clause from the PDPA and table the amendment in the next Parliament meeting to create a regulatory framework for the MySejahtera app. 

When CodeBlue pressed Khairy again on whether the government would consider amending the PDPA, Khairy replied: “We’re discussing that right now.”

The health minister spoke to reporters after officiating the launch of 5G-ready ambulances by mobile network operator YTL Communications Sdn Bhd and private ambulance service First Ambulance Sdn Bhd here today.

Section 2(1) of the PDPA also states that the Act applies to any personal data “in respect of commercial transactions.” 

There are currently no federal laws or regulations that govern MySejahtera, Malaysia’s national Covid-19 app that the government has maintained ownership over, although Khairy said yesterday that MySejahtera data protection practices comply with PDPA requirements.

Neither the Medical Act 1971 nor the Prevention and Control of Infectious Diseases Act 1988 (Act 342) specifically regulates the management, privacy, or confidentiality of one’s personal health or medical information. The Telemedicine Act 1997 is still not in force.

MySejahtera’s disclaimer states that the government shall not be liable for any losses or damages “caused by the usage of any information obtained from this application”.

MySejahtera’s privacy policy also does not state which agency or government contractor has access to different types of personal data collected on MySejahtera, how personal information is processed, where data is stored (in a “highly secured server” that is not named), or the duration of time for the storage of data before it is deleted (only for check-ins to premises, which is kept for 90 days). 

Intellectual property and information technology lawyer Foong Cheng Leong previously told CodeBlue that the PDPA simply sets out the basics on data protection, omitting requirements for those processing personal data to state security measures or the retention time for data collected.

In its current form as a Covid-19 app, MySejahtera – which has 38 million registered users – collects not just personal information like name, IC number, address, and phone number, but also check-in location data and health and medical information, such as Covid-19 vaccination history, Covid-19 test results, and symptoms, blood pressure, heart rate, and body temperature readings entered on the app’s health assessment tool.

Khairy previously indicated MOH’s intentions to use MySejahtera beyond the Covid-19 pandemic to store users’ electronic health records. Electronic health records, which are kept by the patient, typically contain one’s medical history, diagnosis, laboratory and imaging investigations, allergies, immunisations, medications, and other treatments.

An official from MOH’s disease control division told a forum last October that the ministry was considering using the ubiquitous MySejahtera mobile app to monitor non-communicable diseases, including cancer, for both research purposes and service provision, instead of the current method of four-year population surveys.
