The world has been hit with the spread of the novel coronavirus (COVID-19) since the end of 2019, and many countries have come up with measures of containment to stop the virus from spreading. Malaysia has not been spared, with the recent announcement of an extension to the ongoing Movement Control Order for another two weeks, until at least 14th of April 2020. Further extensions have not been ruled out.
While extraordinary measures can and must be implemented given the scale of the pandemic, it is nonetheless disquieting how massive amounts of personal data need to be collected from individuals as a measure to reduce the spread of the virus. This article explores the manner in which this personal data is collected, processed and used.
Personal Data Protection Act 2010
Malaysia’s privacy law is regulated by the Personal Data Protection Act 2010 (“PDPA”). Personal data has been given a broad definition in the PDPA as information relating to a data subject who is identifiable from that information. It covers ID information such as names, contact details and identity certification number.
Sensitive personal data, however, is information that might be personal to the data subject, such as their physical or mental health, religious beliefs and political opinions.
Is information requested in Travel and Health Declaration Forms breaching the PDPA?
Information has been collected from individuals on a massive scale as the government encourages employers to monitor their employees’ whereabouts and health conditions through Travel and Health Declaration Forms. This involves processing sensitive personal data, for which data users must conform to the provisions and principles set out in the PDPA.
Section 40 of the PDPA outlines certain circumstances which allow such sensitive personal data to be processed. Amongst these are:
a) Data subject has given explicit consent to the processing of the personal data;
b) Processing of the personal data is necessary for the purpose of performing any obligation imposed by law on the data user (employee) in connection with the employment;
c) Medical purposes and is undertaken by a healthcare professional or a person who in the circumstances owes a duty of confidentiality equivalent to a healthcare professional;
d) For the exercise of any functions conferred on any person by or under any written law or any other purposes the Minister thinks fit.
Given that the employee is made aware of the purpose of filling in the Travel and Health Declaration Forms, they can be said to have given consent to the collection of the data provided. The data collected is also vital for the control of COVID-19.
Section 10 of the Prevention and Control of Infectious Diseases Act 1988 requires every person who is in charge of, or in the company of, any person suffering from or who has died of an infectious disease to notify the authorities; failure to do so constitutes an offence.
Furthermore, any person who refuses to furnish any information required under the Act would be committing an offence under Section 22(c).
For non-sensitive personal data, employers are bound by the principles in the PDPA, mainly:
a) General Principle: Consent must be given by the data subject to process personal data, unless necessary for compliance with any legal obligation of the data user, or to protect the vital interest of the data subject.
b) Notice and Choice Principle: The data subject is to be informed by written notice of all information regarding the processing or collection of the data – purpose, third parties involved, etc.
c) Disclosure Principle: Personal data given shall not be disclosed without the consent of the data subject other than for the purpose already informed.
d) Security Principle: The data user shall take practical steps to protect the personal data.
However, remember that collecting information of a data subject will be exempted from principles and provisions of the PDPA, as provided in Section 46 of PDPA, if the collection was necessary to avoid serious harm to the physical or mental health of the data subject or any other individuals and if it is to be used to prepare statistics or research.
Generally, employers have to ensure that personal data is collected only with the consent of the employee, subject to the permitted circumstances, especially when disclosing information about employees who are suspected to be, or are, infected with COVID-19 within the company and/or to relevant third parties as necessary.
What happens to the information given once COVID-19 is over?
Under the Retention Principle in the PDPA, employers cannot retain personal data of their employees longer than necessary for the fulfilment of the relevant purpose. Once the purpose has been fulfilled and the data is no longer required, reasonable steps must be taken to ensure that all the personal data has been destroyed or permanently deleted.
Copyright © 2020 Naqiz & Partners