22 May COVID-19 and Personal Data protection laws
On 16 March 2020, the Government of Malaysia issued a nationwide Movement Control Order (MCO) until 31 March 2020, which was extended until 28 April 2020 and further extended until 12 May 2020 pursuant to the Prevention and Control of Infectious Diseases Act 1988. On 1 May 2020, the Government of Malaysia announced a relaxation of regulations under the Conditional Movement Control Order (CMCO) from 4 May 2020, which is tentatively scheduled to expire on 9 June 2020.
1. WORKING FROM HOME & DATA PROTECTION
Working from home is an increasingly common work lifestyle and has become the ‘new norm’ during the COVID-19 pandemic. To facilitate working from home, the use of video conferencing tools has surged. For example, the daily users of Zoom have increased from 10 million in December 2019 to 200 million in March 2020.1
While video conferencing tools are advantageous because of their convenience, potential cost efficiency, and flexibility, there are prevailing concerns about data protection and privacy. Security concerns such as unauthorised entries into Zoom video conferences, or ‘Zoombombing’, can bring about a myriad of problems ranging from damage to reputation to breach of confidential information and misuse of personal information. Although there has yet to be any report of hacked Zoom accounts from Malaysia, other cyber security cases such as fraud, intrusion and cyber-harassment have increased by 82.5% during the MCO so far compared to the same time last year.2 Below are some precautions to take to stay safe online:3
2. CONTACT TRACING
With the ongoing Conditional Movement Control Order (CMCO) and as the nation gears up to reopen the economy in a controlled manner, contact tracing remains a core disease control measure implemented by the Malaysian Government, employers, and businesses.
Effective contact tracing would require a collaborative effort across public and private agencies to stop the transmission of COVID-19.4 From mobile applications managing interstate travel permits like ‘Gerak Malaysia’, to ‘QR’ codes to be scanned before entering business premises, and even a manual pen-to-paper registration of employees returning to their work premises – how do you protect your personal data?
3. THE LAW
In Malaysia, the primary legislation which governs personal data protection is the Personal Data Protection Act 2010 (“PDPA”).
Section 4 of the PDPA provides a wide definition of “personal data” and, in summary, includes any information in respect of commercial transactions which is being processed or recorded by a ‘data user’, where that personal data relates to an individual who is termed a ‘data subject’. Section 4 also provides for the definition of “sensitive personal data” as any personal data consisting of information as to the physical or mental health or condition of a ‘data subject’.
The general principle under Sections 6 and 40 of the PDPA with regard to “sensitive personal data” is that the data shall not be used except with the explicit consent of the data subject.
However, where explicit consent cannot be reasonably obtained or is unreasonably withheld, Section 40 of the PDPA also provides that the “sensitive personal data” may still be processed if it is necessary to, among others, protect the ‘vital interests’ of the data subject or another person. Here, ‘vital interest’ is defined under Section 4 of the PDPA as “matters relating to life, death or security of a data subject”.
4. HOW SHOULD EMPLOYERS COLLECT PERSONAL DATA DURING THIS PANDEMIC?
Employers should also be cognisant that the requirements under Section 7 of the PDPA apply to the sensitive personal data of people visiting the office premises, contractors, and third parties.
With regard to the type of information which can be collected, the Occupational Safety and Health Act 1994 (“OSHA”) provides that information for the purposes of occupational safety, such as temperature readings, may be collected.
All in all, it is important for employers and employees to understand that personal data may have to be disclosed to the authorities if this is required under the Prevention and Control of Infectious Diseases Act 1988, which requires compliance with the regulations therein to prevent and control infectious diseases like COVID-19.
However, the collection of personal data in the context of this pandemic does not provide a blanket right to retain or misuse the data beyond the necessary requirements. For instance, Section 10 of the PDPA provides that personal data processed for any purpose shall not be kept longer than is necessary for the fulfilment of that purpose, and that all reasonable steps must be taken to ensure that all personal data is destroyed or permanently deleted after that purpose is fulfilled.
At this juncture, it is important to note that while the PDPA provides for principles to protect personal data, the issues relating to personal data protection in the specific context of this pandemic are yet to be tested in Malaysian courts.
In order to proactively manage the protection of personal data during this period, a comprehensive and authoritative guideline along with accessible enforcement mechanisms would be appropriate. Until such measures are implemented by the relevant legal and governmental bodies, clarity on this falls short of being crystal.
2 & 3. https://www.thestar.com.my/news/focus/2020/04/12/cybersecurity-cases-rise-by-825
Disclaimer: Please note that the contents above do not constitute legal advice. Should you require legal advice, please contact any of our lawyers as listed below:
If you have any queries, please contact us via e-mail; we are available for a scheduled conference call.
Messrs. Jeeva Partnership
V. Jeevaretnam: firstname.lastname@example.org
Dato’ Shamesh (Partner) : email@example.com
Charlotte Williams (Senior Associate): firstname.lastname@example.org
Vince Tan: email@example.com
Lim Yi Chan (Associate) : firstname.lastname@example.org