corona app

Almost 4-percent cases identified by MySejahtera

Despite being in existence since 2006, Malaysians and residents in the country only became acquainted with the CPRC when the coronavirus was declared a pandemic in March this year. CPRC, or the Crisis Preparedness and Response Centre, is a section under the Ministry of Health’s Disease Control Division (DCD) of which Dr. Mahesh Appannan is one of the senior principal assistant directors.

He explained that the DCD is tasked to manage outbreaks like this and during the pandemic, Dr. Mahesh’s role as the lead for Malaysia’s COVID-19 digital response came to the fore. He recognised that management of the pandemic response has to be data-driven, and stated, “I can attribute Malaysia’s success at managing it to how we manage the data, and how we came up with the conclusions based on science and facts.

Dr. Mahesh’s role as the lead for Malaysia’s COVID-19 digital response came to the fore.

“And here we are now as one of the few countries that managed to control its pandemic quite well.”

The digital response could be grouped into two main categories, namely data analysis and everything else digital that was leveraged to disseminate information to stakeholders and the public.

For example, the e-COVID system manages even granular data to produce daily case statistics which the Health Director General, Datuk Dr. Noor Hisham Abdullah, shares at 5.00 in the evening, every day. The information is also disseminated via a Telegram chat group, the Health DG Facebook page and MOH Malaysia Facebook page which Malaysians and residents can subscribe to.

Today, the CPRC chat group shares statistics about pandemic cases as well as news and notes from the Health DG, to 897.6k subscribers, on a daily basis.

Dr. Mahesh also added, “However, the one success we would always be proud of is our mobile application, MySejahtera, which was incepted somewhere in March.”

MySejahtera

MySejahtera was built with close cooperation from MAMPU which provides technical and application development support, NACSA which provides the application and data security measures, and the MOH which provides the system specifications and is custodian of the data collected.

NACSA, the National Cyber Security Agency of Malaysia, is also the owner of the app.

Dr. Mahesh attributed the quick app deployment to the Ministry of Health (MOH) already thinking of creating a mobile app for infectious diseases in 2019.

“Because we already had the framework in place, we managed to pull this up very, very quickly.”

The app hopes to achieve what he called ‘everyone’s dream’ which is to get to a community as quickly as possible.

The good doctor has a medical and public health background which treats the population, instead of individual patients. “Conventional methods like surveys and investigations, can only do so much. With the mobile phone, we can reach up to millions of people,” he pointed out.

Currently, the app is mandated for COVID-19 response initiatives and Dr. Mahesh shared that development of the app began in earnest after he established that MOH needed to start the app on the right footing quickly, and with as little mistakes as possible.

Conventional methods like surveys and investigations, can only do so much. With the mobile phone, we can reach up to millions of people.

Realising that technical and technology assistance was required, MOH had approached MAMPU, and turned to the National Security Council’s or NSC’s NACSA for assistance in securing the app. Dr. Mahesh explained, “We knew we were going to deal with data and very, very important personal information, hence we partnered with NACSA.”

Two weeks after the first meeting of the 20-member national Digital Enablement Task Force (DETF), a pilot MySejahtera app was up and running. The app project is under the purview of MAMPU, with its former deputy DG, Datuk Dr. Suhazimah Dzazali herself, overseeing the project and the pool of MAMPU’s and vendor’s engineers working on it.

The journey

When the first phase of the MCO was relaxed, our Prime Minister had mandated that every place of business has to record names and contact number of visitors. This is per advice by the MOH.

MySejahtera has a component which allows visitors to log their attendance by scanning the associated MySejahtera QR code at the business premise. So information like visitor name, phone number, location and time of visit is logged and kept for a period of 30 days before it is archived, and a further 60 days before it is purged.

Upon a positive case detection, information as far back as 14 days is pulled up to identify and call the persons of interest within the same business premise as patient, at the time patient was there.

“We are actually collecting limited personal data, and we anticipated lots of problems.” Dr. Mahesh shared, admitting that there was a lot of competition from state-level mobile apps that was similar to MySejahtera and that also collected personal data.

Imagine walking into a restaurant and being presented with two or more QR codes to scan. Your information could be logged by the Selangkah app at one shop, then the MySejahtera app at another shop.

This de-focuses efforts to trace persons of interest if a positive COVID-19 case emerges. How will the MOH execute contact tracing if data is being collected by different parties?

Dr. Mahesh shared, “And to be very honest with you, none of the other apps shared data with us (at that time).”

Consolidating efforts

After having established itself as the main app around, things have changed for MySejahtera.

“Commercial entities with their own apps are actually communicating with the MOH. They are all in favour of collaborating with us, and perhaps eventually consolidate,” Dr. Mahesh shared. “A few state-level initiatives have also called to inform they are ceasing their app development.”

He observed there are parties who take advantage of the confusion about apps to come up with their own apps that collect data for commercial purposes.

For example, PGCares in Penang has slowed down development and has seemed to pass the “baton” to the MOH.

Dr. Mahesh rationalises that at the end of the day, the data is for MOH. “When there is a case, we want to do contact tracing.

“The data is needed by us, and not anyone else. And we have to follow a very strict protocol when managing the data.”

He observed there are parties who take advantage of the confusion about apps to come up with their own apps that collect data for commercial purposes.

“We also have competitors publicly announcing that they have integrated with MySejahtera. This reflects upon the legitimacy and integrity of those apps,” Dr. Mahesh pointed out. This leads to more confusion and distrust of contact tracing apps is very prevalent right now.

“Under current circumstances, only MOH can collect data (and we do so) under the Medical Act of 1971, Infectious Diseases and Control Act of 1988, and even the Personal Data Protection Act 2010 (PDPA 2010) even though PDPA does not apply for government apps.”

NACSA’s Chief Executive, Ir Md Shah Nuri bin Md Zain later explained, “All personal data collected by MySejahtera will be kept confidential in accordance with any applicable laws, including the Personal Data Protection Act 2010 (Act 709).  The MySejahtera data can only be accessed by designated personnel at the CPRC and MOH, for managing and mitigating the COVID-19 outbreaks.”

Digital trust

According to Dr. Mahesh, MySejahtera is totally apolitical and not associated with any political party.

 “We have to create digital trust in the app. And we do this with the good partnerships we have, and the stringent process for data acquisition and data flow.

“We have communicated this to the public, but the challenge of instilling public trust in the app, still remains.”

Ir. Md Shah Nuri also said, “Our focus today is on growing the functions of the app, as specified by the MOH, and ensuring that the app could efficiently serve the existing 18 million registered users.  We urge all Malaysians to use the App to help the MOH in managing the COVID-19 pandemic.

Now, the taskforce has engaged the Attorney-General Chambers (AGC) and even the custodians of the PDPA Act, to come up with stricter data managing protocols.

Fellow taskforce member, NACSA also regularly conducts security testing to ensure the integrity of the application and data.

To date, MySejahtera has helped to identify 322 positive cases, a 3.4-percent contribution towards total COVID-19 cases in the country.

Now, the taskforce has engaged the Attorney-General Chambers (AGC) and even the custodians of the PDPA Act, to come up with stricter data managing protocols.

Contact tracing and breaking the infection chain can help in containing the virus spread. But its efficacy depends on Malaysian’s and resident’s attendance/visitor information being consolidated into one pool of data, or database for the Ministry of Health.