I was asked by CodeBlue, a health care news portal, to comment on the recent debacle about MySejahtera App, particularly, on the disclaimer of MySejahtera’s terms and conditions. The term states-
DISCLAIMER
https://mysejahtera.malaysia.gov.my/penafian_en/
Government of Malaysia shall not be liable for any loss or damage caused by the usage of any information obtained from this Application.
Here is an extract from the article-
Intellectual property (IP) and information technology (IT) lawyer Foong Cheng Leong said the MySejahtera disclaimer does not allow the government to disclaim liability for negligence.
“This clause has no legal effect for damages and losses due to negligence claims,” Foong told CodeBlue. “Data breach is a form of negligence.”
He explained that the MySejahtera disclaimer means that the government cannot be held liable for loss or damages in incidents that do not involve negligence, such as wrongly reporting Covid-19 cases.
When asked if the government could be held liable, despite its disclaimer, if a private company somehow manages to get access to MySejahtera users’ personal data and uses it for marketing purposes, Foong replied in the affirmative, but said a data breach must first be proven.
He also pointed out that MySejahtera’s privacy policy merely states how the government treats one’s personal data on the app, but omits specifying its data retention policy, security measures, or government contractors handling the app. The only retention period mentioned by the app’s privacy policy relates to check-in data, which is 90 days, but nothing for other user data like personal details and medical and health information like Covid-19 diagnostics, close contact status, and blood pressure and heart rate readings.
“The privacy policy is scarcely explained.”
….
Foong said although the government may claim that MySejahtera data protection is in compliance with PDPA requirements (which the government is not legally subject to), the lawyer said the law just sets out the basics.
“Under the PDPA, the privacy policy has to be in a certain format, for example, describe what is collected, the purposes of collection, whether it’s obligatory to collect and if so, consequences for not providing those obligatory data. But no requirement to state what kind of security is provided, what is the retention time etc.”
…
In the intellectual property section of the App Store review guidelines for app developers, Apple requires app developers to ensure that their app “only includes content that you created or that you have a licence to use.”
This includes avoiding use of protected “third-party material such as trademarks, copyrighted works, or patented ideas” in the app. “Apps should be submitted by the person or legal entity that owns or has licensed the intellectual property and other relevant rights.”
Foong said this does not indicate that the Malaysian government, which is described on Apple’s App Store as the MySejahtera developer, owns the app and its IP.
“The app and content are different,” the lawyer said, adding that MySejahtera content includes things like user data, images, write-ups, charts, or source codes of the app.
Leave a Reply