Govt must uphold data protection standard, says think tank

Following breaches of the MySejahtera app, a policy centre says the authorities must be held to high standards of good governance and data security.

PETALING JAYA: A think tank has urged the government not to practise a double standard when implementing data protection measures, following an audit report exposing more weaknesses in the MySejahtera application.

The Galen Centre for Health and Social Policy said the government has a trust deficit with the public because past instances of data breaches had been poorly managed.

“The government needs to show that it is serious about data protection and apply the same standards it expects from the private sector. They must stop practising a double standard,” Galen’s CEO, Azrul Khalib, told FMT.

He noted that the federal government and state governments were exempt from certain provisions of the Personal Data Protection Act.

Azrul’s remarks come after the Auditor-General’s Report showed that a “super admin” account had downloaded three million information sets through various IP addresses from the MySejahtera database.

The app was developed to manage the Covid-19 outbreak in the country.

The audit report showed that vaccination records of 203,846 people had been posted to the system before the date of vaccination, while 28,735 vaccination records showed that the recipients received the vaccines after the vaccination centres had closed.

Other weaknesses identified in the report include 1,657 people with more than one MySejahtera account, and 12,275 incomplete vaccination records.

Azrul said the findings of the report were highly significant and symptomatic of some fundamental questions raised regarding the application, which remained unanswered.

These included whether a contract had been signed between the government and the company engaged to develop the application, how much the contract was worth, what it covered, and who legally owned the data stored in the application.

He said the government must be willing to practise transparency and accountability as well as be held to high standards of good governance and data security.

Last year, Public Accounts Committee chairman Wong Kah Woh said the appointment of KPISoft Malaysia Sdn Bhd to develop MySejahtera did not follow procedures set by Putrajaya.

He also said there were no minutes of meetings or supporting documents on the appointment of the company.

The committee said Putrajaya must retain full ownership of the app for it to be used in digitising the public healthcare service and must ensure the security of users’ data.

Former deputy health minister Dr Lee Boon Chye said further investigations were necessary to determine if MySejahtera was hacked, or if there was unauthorised access to the data.

“The security of the programme is as good as the security of the person (who developed the programme). If the super admin has made unauthorised changes or extracted data, it is a breach of his (or her) duty,” he said.
