The Malaysia Personal Data Protection Act (PDPA) is a data protection law that protects the personal data of Malaysians against unlawful processing. It was first enacted in 2002 and most recently amended in 2012. Under the PDPA, personal data means any information relating to an individual who can be identified directly or indirectly from the data, or from the data together with other information that is in the possession of, or likely to come into the possession of, a Data Controller. Processing includes collecting, recording, holding, using, disclosing or disposing of personal data. This article discusses how processing Covid-19 data falls under the Malaysian PDPA and what implications this could have for organisations.
Have there been any guidelines from the Malaysia PDPD regarding Covid-related data processing?
The Ministry of Health of Malaysia published a guideline [16] to ensure that compliant record-keeping and controlled processes are followed to reduce the risk of Covid transmission between individuals. Employers are permitted to collect and process personal data relating to health, travel movements and geolocation information to protect the health and safety of their individual employees at the workplace, as mandated by the Occupational Safety and Health Act 1994 (“OSHA”) [17].
What categories and types of personal data are being processed by employers during the Covid-19 outbreak?
These will of course include the normal personal identity and contact details, location data and travel records, information on people in close contact, and health details concerning body temperature interval records and medical health status, all of which are sensitive, high-risk data. Sensitive personal data under the PDPA is subject to stricter additional safeguards.
Whose temperature are we allowed to take?
Organisations may collect the body temperature readings of their employees, visitors, contractors or third-party consultants on-site to protect the health and safety of all individuals at the workplace, as required under the Occupational Safety and Health Act 1994 (“OSHA”).
Can organisations collect and monitor the symptoms of employees, third-party contractors or visitors?
Organisations are permitted to collect symptom information of their employees, third-party contractors and visitors to safeguard the health and safety of individuals at the workplace, as mandated under the OSHA. This has been recommended by the Ministry of Health.
Can organisations notify their employees, third-party contractors or visitors of any individual who is infected or suspected of being infected?
Organisations can share the status of individuals infected or suspected of infection. This would involve both general personal data and sensitive personal data. General personal data is shared under the legal obligation that organisations have under the health and safety laws. Sensitive personal data can be shared under the lawful basis of vital interests, life, death or security of individuals where consent cannot, or obligations mandated under the OSHA.
What other actions are required?
Organisations must review and update their internal and external privacy policies, broadening the personal data collection, processing, retention and sharing segments. If third parties are engaged to process this data, then ensure data processing addendums are in place, along with standard contract clauses if adequacy is not recognised.
Formiti Data International, through their SE Asian HQ at VinarcoFormiti Thailand, delivers a full privacy managed service to ensure clients remain compliant during this pandemic or other situations.