Intense acrobatics surrounding MySejahtera deals

Never-ending acrobatics - Conflicting statements, questionable dealings, and controversial company ownerships cast uncertainty over the fate of personal data of millions of MySejahtera users

1647 0
1647 0
English

Published in Astro Awani, theStar, Malaymail, Business Today, MalaysiaKini and MYsinchew, image by Business Today.

How obscure can the entire deal surrounding MySejahtera be that not even high-level officials from the Health Ministry (MoH) and the Ministry of Finance (MoF), have the same understanding of what is exactly happening?

Reports on the Public Accounts Commission (PAC) hearing dated 24 March, 2022 mentioned that Harjeet Singh, deputy secretary-general (finance) of the MoH, told the PAC that KPISoft Sdn Bhd (KPISoft) changed its name to MYSJ Sdn Bhd (MySJ). 

At the same time, we also have Rosni Mohd Yusoff, deputy secretary at the Government Procurement Division from the MoF, reportedly stating that KPISoft and MYSJ are two different entities. 

Through a press statement dated March 27, 2022, the MoH asserts that the Government owns MySejahtera, while mentioning nothing about MySJ. However, later on, Health Minister Khairy Jamaluddin also reportedly pointed out that the negotiations with MySJ would not continue should MySJ disagrees that the government owns the app.

Therefore, how can MoH’s asserted that the government has “decided” that the MySejahtera application is owned by the government, while the ownership could still be in dispute? How can the MoH ignore MySJ’s ability to agree or disagree with this fundamental premise when it released the statement?

If we assume that MySJ has not agreed on the ownership of the app, what is the current fate of MySejahtera’s data?

As reported by CodeBlue, Entomo Malaysia is the owner of “all rights, title, and interest, including all intellectual property (IP) rights” related to the MySejahtera app, based on a share sale agreement on December 31, 2020, between MySJ’s shareholders. CodeBlue noted that this excludes “trademark and data collected through the operation of MySejahtera” that are owned by the Malaysian government.

It is unclear what the implication of the Malaysian government owning the data without “all rights, title, and interest, including all intellectual property (IP) rights” of the MySejahtera app.

Questions may arise on the accessibility, privacy, and security of the data which may not be exclusive to the Malaysian government given that another private entity owns all rights. 

On this note, Khairy reportedly said the following: “The data is kept by the government. It’s just that the new company needs to make a new deal in terms of platform maintenance. But we’re also in the process of looking at what services we need for the long term.”

Again, some key questions come to mind:

  • Is Malaysia’s government the “sole” owner or one of the owners?
  • Is Malaysia’s government the “only” party that has access to the trademark and data collected through the operation of MySejahtera?

Khairy said that the deal to transfer the app’s IP and software license between KPISoft/Entomo and MySJ has nothing to do with the government’s latest negotiation. 

This is merely stating an obvious fact that it is a deal between two private entities. It doesn’t clarify anything. If anything, it also puts more doubt that only the MoH has access to the data gathered and processed by MySejahtera, even if it owns it.

Deals between the government and MySJ legally cannot override established contracts between MySJ and Entomo. Therefore, if the government has an interest to acquire rights and fights for the ownership of the app and its data, the government is at least indirectly involved in this tripartite mess.

Thus, it is unclear how the government can simply move away from MySJ given they are the recipient of the transfer of MySejahtera’s IP and software license from Entomo.

Cabinet’s decision on the matter could be a consequence of the original CSR deal, which appears to have “trapped” the government into dealing with whoever KPISoft/Entomo transferred their IP and license to. 

In other words, relying on a CSR deal with only one company in mind was a mistake. Given how unacceptable this was, it’s reasonable to question if the error was unintentional or planned. 

If the government does not mind not owning all rights to MySejahtera so long as they can be the sole owners of the data, does this mean that the government is stuck with some form of agreement with private entities, through licensing or otherwise, instead of wholly owning all rights to MySejahtera perpetually?

Was the government somehow conned by the owners of KPISoft/Entomo and MySJ?

As reported by CodeBlue, the agreement “grants MySJ rights to use the KPISoft software to exclusively develop, own the application trademark for MySejahtera, and test and support the MySejahtera app”, while “all rights, title, and interest in and to the KPISoft software, the trademarks, and the services, among others, shall be retained by KPISoft unless expressly provided otherwise in the agreement”.

Note that having the rights to use the software and owning the application trademark may not be the same as owning the application in its entirety.

Foreign ownership in MySejahtera developers?

On the issue of ownership, CodeBlue also revealed that the Singaporean company Entomo Pte Ltd has been listed as the sole shareholder of Entomo Malaysia and that Entomo Pte Ltd’s biggest shareholder is also a Singaporean company.

As a direct consequence, “all rights, title, and interest, including all intellectual property rights” related to the MySejahtera app owned by Entomo Malaysia is indirectly owned by a Singaporean entity.

Raveenderen Ramamoothie, reportedly one of the founders of KPISoft, and Naveen Prashad Despanden —who have been reported as directors for both KPISoft/Entomo Malaysia and the company Revolusi Asia which holds the majority share in MySJ, have also been reported as directors in Singapore’s Entomo Pte Ltd, alongside two other Singaporean individuals, Tan Seng Hong and Finian Tan.

However, as revealed by Tech In Asia journalist and writer for The Malaysianist, Emmanuel Samarathisa, Entomo Pte Ltd’s major shareholder i.e., Singapore-based DreamTeam Inc, is majorly controlled by Malaysians. Reveenderen, who is also reported as a director in MySJ, and Rekha Mani, one of the directors in Entomo Malaysia, are both directors in DreamTeam Inc.

Emmanuel also revealed that DreamTeam Inc has 16 shareholders consisting of eight Malaysians, one Singaporean, one Indonesian, and six Indians, whereby the top three largest shareholders of DreamTeam Inc are Raveenderen, Naveen, and Anuar Rozhan. 

Recall that Raveenderen and Anuar are the so-called founders of KPISoft/Entomo and both are also directors in MySJ, while all three individuals (Raveenderen, Naveen, and Anuar) have been reported as directors in the company Revolusi Asia, which holds the majority share in MySJ.

Again, we have similar names and the same individuals across companies and international borders, engaging in commercial transactions. 

Is this a case of the “Right pocket dealing with left pocket, yet somehow, the brain apparently knowns nothing about it”?

Naveen, in particular, appears to be everywhere. The Indian national has been reported as a co-founder and group chief operating officer for Entomo (formerly KPISoft), a director in Singapore’s Entomo Pte Ltd and Revolusi Asia, and also appears to be the second-largest shareholder in DreamTeam Inc—the major shareholding company in Entomo Pte Ltd, which in turn is the sole shareholder of Entomo Malaysia.

Although Malaysians appear to hold the highest number of shares (if we combine Raveen’s and Anuar’s shares) in DreamTeam Inc, ultimately Entomo Pte Ltd is a company based in Singapore and there are other shareholders from other countries.

CodeBlue reported that Singapore’s Entomo Pte Ltd has 28 shareholders, consisting of Singaporean, American, and Japanese corporate and individual shareholders, and individual shareholders from Malaysia, India, and Indonesia.

Thus, even if Malaysians appear to have the “controlling” stake, by indirect consequence, the ownership of “all rights, title, and interest, including all intellectual property rights” related to the MySejahtera app could be accessible, if not outrightly and equally shared, to Singaporean, American, and Japanese corporate and individual shareholders, and individual shareholders from Malaysia, India, and Indonesia.

Malaysia’s sensitive personal data could be at risk of being siphoned out of the country, where Malaysia’s Personal Data Protection Act (PDPA) holds no jurisdiction. 

How can the government miss this basic due diligence and risk assessment? 

Privacy and regulatory research portal DataGuidance mentions the following: 

“The PDPA prohibits the transfer of personal data out of Malaysia unless such transfer is to a country, which has been specified and recorded in the Official Gazette by the Minister. Currently, no countries have been specified officially. Notwithstanding the prohibition on transfers of personal data out of the country, the PDPA sets out a number of exceptions to the prohibition, such as, where the consent of the data subject has been obtained for such transfer and where the transfer is necessary for the performance of a contract between the parties. When in doubt as to whether the exemptions on data transfer apply, the prudent approach would be to obtain consent from the data subject in respect of such out of Malaysia transfer.”

The PDPA defines “data subject” as an individual who is the subject of the personal data. So, if the transfer of personal data did happen, even in the case of fulfilling a contract, users of MySejahtera i.e., data subjects have not been approached to give consent. This would be a breach of PDPA.

The first step itself was a mistake

Khairy was reported to have said that the appointment of KPISoft for the management of MySejahtera app was made by the National Security Council (NSC) early on in the pandemic. 

Over the confusion of MySJ and KPISoft/Entomo, and as a response to PAC chairman Wong Kah Woh’s query on how it gained Cabinet’s approval, Rosni has been reported to have said the following: 

“Yes, that’s right. Maybe NACSA (National Cyber Security Agency) is the one who brought this paper, or the NSC. They all didn’t do a thorough check, but no matter, we have instructed MOH to check this issue. If it’s found that this really is inaccurate, then Mr Chairman needs to bring this back to the Cabinet”. 

According to CodeBlue, KPISoft was appointed to develop MySejahtera by NACSA, which is under the Prime Minister’s (PM) Department. 

Needless to say, the appointment chronology is questionable. Some questions include:

  • If it was NACSA, why was it appointed under the PM’s department? 
  • If it was the NSC, then it is still chaired by the PM. How can a public health matter be left to either the NSC or NACSA? Why wasn’t the Health Ministry involved in the appointment?
  • If indeed the NSC or NACSA invited other companies (in addition to KPISoft) to present their proposals, who were these companies and why was KPISoft selected? 
  • If KPISoft was selected, was it mainly because they offered a CSR deal at no cost? What was the offer by the other companies? Even so, how can that be agreed given the importance of ensuring app and data ownership by the Malaysian government?

Whatever the reasons may be, the NSC and NACSA must conduct the necessary due diligence to uncover the potential risks surrounding data ownership and the clear conflict of interests given similar names appearing on the companies involved. 

Where are Malaysia’s local capabilities?

Singapore reportedly spent SGD13.8 million for the development and acquisition of the SafeEntry digital check-in system and TraceTogether app and tokens, while KPISoft/Entomo has reportedly priced MySejahtera’s licensing at RM338 million to MySJ.

The huge gap in cost is the difference between developing it yourself, versus when buying IP and rights from someone else who developed it earlier. One is the development cost, while the other is the commercial price, which usually has built-in profit margins. 

Only Entomo can explain what its profit margins are. 

Selling IP or ownership of a valuable asset is usually marked up when the company is giving up ALL its rights to potential future profits, in exchange for a large sum now. That is the understood trade-off.

However, in the case where MySJ was reported to only acquire a license to KPISoft’s software specifically for MySejahtera “and does not acquire any other rights or ownership interests”, RM338 million may be quite steep, to say the least. 

The TraceTogether app was developed by Singapore’s Government Technology Agency (GovTech) with their Health Ministry, reportedly in just over 8 weeks and at a fraction of the reported cost to license from Entomo.

Is the pricing fair?

The reported RM338 million licensing deal and the proposed 15-year scope expansion of MySejahatera for a reported RM138 million annually will require an in-depth analysis of the breakdown of the costs, which has not been provided to the public.

This is also why an open tender for such services by other app developers will give a better idea of the industry landscape to have a better grasp on the fairness of the pricing. Direct negotiation gives no room for comparative analysis.

On this note, a Malaysian software developer released a press statement on March 29, 2022 offering to not only replicate MySejahtera but also improve it, for about RM6 million. The company claims that its software can also be enhanced with a Geographical Information System (GIS) which can gather data for visualisation and analysis for pandemic crisis management.

There could be many other proposals by other companies if only an open tender was conducted, and if what appeared to be a “CSR trap” didn’t happen. 

The price given for extra features (proposed scope expansion) on top of what MySejahtera was initially intended for reportedly may include tracking of other vaccination, management of other infectious diseases (not just Covid), predictive analysis, and integration with other existing government health systems.

The proposed scope expansion is a question for public health experts to determine if it is truly value-adding or not, and to investigate if it can work in practice to really help improve the public health system in the country.

MySejahtera check-ins have reportedly dropped 26% due to mounting doubt and distrust by app users since the entire thing unfolded. Therefore, it is good that Khairy has requested for the deals surrounding MySejahtera to be debated on March 31 in Dewan Negara as there are certainly more questions than answers at the moment. 

Dr Rais Hussin and Ameen Kamal are part of the research team of EMIR Research, an independent think tank focused on strategic policy recommendations based on rigorous research.

In this article