IN light of the Covid-19 pandemic and the urgent need for contact tracing, public health specialist Associate Professor Dr Wan Mohd Zahiruddin Wan Mohammad believes that Malaysia’s contact tracing through the MySehahtera App has done well so far in balancing personal privacy and health security.
In fact, one of the significant contributing factors for Malaysia’s quick response to counter the spread of Covid-19 is its contact-tracing system.
“According to the 2019 Global Health Security Index, Malaysia is one of the highest-ranking countries on the pandemic preparedness. So, looking at our country’s trend of the Covid-19 pandemic as compared to others, at least until the recent spike of cases, I think one part of the effective country’s responses to curb the disease is the contact tracing program done by the Health Ministry, ” says Dr Wan Mohd Zahiruddin, who is from Universiti Sains Malaysia’s School of Medical Sciences.
“As part of measures to control the outbreak, there will be several limitations to personal freedom such as quarantine, isolation and lockdown orders as well as the need to provide personal information to authorities or employers about our health status. On top of that, people are also required by law to provide their personal information to authorities as part of contact-tracing mechanisms. Many of these measures, perhaps at the current pandemic stage, are understood and supported by the affected populations.”
Dr Wan Mohd Zahiruddin points out that the Health Ministry has reassured that the personal data stored in the government’s MySejahtera app is treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Diseases Act 1988. It also follows provisions under the Personal Data Protection Act (PDPA) 2010.
However, Dr Wan Mohd Zahiruddin recognises the concerns raised about the intrusiveness of personal privacy and potential future implications. This is especially so in contact tracing apps that are used by states, private companies and various commercial entities and whether they are sufficiently protected both against cyber-risks and unauthorised sharing.
MySejahtera is more than just a national-level contact tracing app. It also acts as a resource for information in terms of self-risk Covid-19 assessment, provides a list of health facilities, daily news updates and a hotspot tracker which gives information on whether there are any Covid-19 cases within a 1km radius of a location entered into the app.
However, there have been complaints that the app does not provide specific details or locations of cases.
“MySejahtera does not state the number of cases in a particular area, nor exactly where people with Covid-19 travelled to within that 1km radius. The purpose is to help a person be aware of the risk surrounding his or her residential area, and not meant for a positive case to be tracked by anyone else, ” he explains.
Dr Wan Mohd Zahiruddin says that it is the responsibility of everyone in a community to reduce their risk of exposure rather than tracking who is infected with Covid-19 as the use of this feature is mainly to educate and inform so that it helps the users to plan their travels better.
“I agree with what [Health director-general] Tan Sri Dr Noor Hisham has mentioned that the Health Ministry will not share the exact location of Covid-19 cases as this will only create unnecessary stigmatisation toward the people and places affected, ” he says.
Dr Wan Mohd Zahiruddin explains that this approach is consistent with the principle of public health ethics in communication risk during public health emergencies where effective risk communication allows people most at risk to understand and adopt protective behaviours but not to the extent that it will cause harm to the other people.
“In my opinion, MySejahtera is one of the most practical, safe and user-friendly apps during this Covid-19 pandemic, ” he says, adding that it could be further developed into a large national database for future preparedness, research and knowledge sharing platforms on infectious disease pandemic.
International Islamic University Malaysia (IIUM)’s data protection law specialist Assoc Prof Dr Sonny Zulhuda says that contact tracing, which is largely working well in Malaysia, must be distinguished from surveillance or guilt-finding.
“Contract tracing is neither surveillance nor censorship. We need to educate people, including premise owners, so as not to cause hardship for people. People are willing to submit their personal information because they understand the need for contact tracing. I find it good that both governments and citizens are generally now aware about such needs. The systems put in place are largely working well, ” he says.
He points out that the authorities have a big responsibility to guarantee data security on the information gathered during contact tracing.
Ensuring data security will require sufficient awareness, education and good management on the part of the public. There is also a need for a sound, fair and transparent process and procedure in place. And finally, a secure and sustainable system for data governance, says Sonny.
Respect patient privacy
Sonny raises his concern on the lack of respect for the identities of Covid-19 patients and Persons Under Investigation (PUI).
“People are all too eager to know who are infected in their neighbourhood or workplace. They arbitrarily spread this information to others on the pretext of protecting others. We can and should minimise disclosing the identities of Covid-19 cases. Don't spread them, don't post their pictures on social media. If you happen to know anything about it, report it to your superior or authority, ” he says, explaining that disclosing this information can be a violation of the PDPA and the public should instead let the medical and government authorities deal with the matter.
Another issue is data collection for contact tracing at premises by way of writing in log books and on paper. This practice has to be reduced or minimised, so as to avoid misuse, says Sonny.
“First, the data should be minimum. Secondly, the log book must be secure from public view. And third, the person handling the log book must know what to do with that personal data, ” he says.
As for contact tracing by way of a mobile app, it is generally the way to go, but it is not necessarily breach-proof either, says Sonny.
“Even though the Government is not subject to the PDPA, yet it is desirable to practise similar data protection principles in their Standard Operating Procedures (SOPs) as a matter of best practice and winning public trust. The fact that there are some third party providers involved in between will make it more necessary to have a strong SOP that conforms with such principles of personal data protection, ” he says, adding that data storage must also be secure.
Like many other data experts, Sonny is also of the view that the PDPA needs improvement.
“The Government is in fact undertaking some review processes involving industry, regulators, consumers as well as academia. Among the points raised include the obligation to report data breach, the need of data protection officers, civil remedies for data subjects, and issues involving international transfers of personal data. The process is very well planned and structured, including an open public consultation. I hope we can hear more positive news in the months to come, ” says Sonny, who is partly involved in the PDPA review process.