Malaysia - Employee’s Sensitive Personal Data Collection Amid Covid-19.
1 June 2020
As the world struggles to combat the COVID-19 (Coronavirus) pandemic, employers around the globe are allowed to collect personal data of employees, such as their travel history, to prevent the spread of the virus at the workplace. In Malaysia, the Ministry of Human Resources issued its Frequently Asked Questions (FAQs) on Movement Control [1] on 24 March 2020. Under the FAQs, employers in the essential service sectors are required to provide a body temperature monitoring device and take a daily recording of their employees’ body temperature.
Within the context of the global spread of COVID-19, employers have discovered a new reality, which also raises the following questions about the processing of personal data:
Can the employer ask its employees to undergo COVID-19 diagnosis tests it provides?
Can the employer systematically check the body temperature of its employees?
Can the employer require its employees to periodically complete questionnaires relating to COVID-19 symptoms? And questionnaires relating to recent trips of its employees and the dates they left and returned to the country? Can these questionnaires include questions relating to people living with the employee?
Can the employer require its employees to state whether or not they belong to risk groups?
Can the employer inform the rest of the employees when it identifies a company employee infected by COVID-19?
Can the employer ask an employee suspected of being infected with COVID-19 to give the names of the employees with whom they have recently been in contact?
Can the employer share data on employees suspected of being infected with COVID-19 with the health authorities? [2]
Employers should be aware that personal data related to their employees’ health conditions constitutes “sensitive personal data” of the employees under section 2 of the Personal Data Protection Act 2010 (“the Act”), which we reproduce below:
“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;”
In light of the above, employers must be cautious in dealing with the sensitive personal data of their employees. Employers have a legal duty to ensure that the collection and processing of such sensitive personal data comply with the principles of the Act.
Protection of Sensitive Personal Data Under the Act
The general principle of the Act stipulates that any sensitive personal data of a data subject shall not be processed by the data user unless it falls within the following exceptions, as provided in Section 40(1) of the Act:
“the data subject has given his explicit consent to the processing of the personal data;
the processing is necessary—
for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
in order to protect the vital interests of the data subject or another person, in a case where—
(A) consent cannot be given by or on behalf of the data subject; or
(B) the data user cannot reasonably be expected to obtain the consent of the data subject;”
In the present circumstances, employers may be required to collect their employees’ temperature data if such an obligation is imposed by the relevant authorities as one of the conditions for approving the re-opening of the business or operation. In addition, employers also have a general duty to ensure the safety, health and welfare at work of all their employees [3]. Nonetheless, the authorities have yet to issue any specific rules, regulations or guidelines to regulate the collection of employees’ sensitive personal data due to or as a result of the COVID-19 pandemic. Although employers may justify the processing of sensitive personal data as necessary to protect the vital interests of the employees, as COVID-19 is now a public health concern, it is advisable for employers to obtain explicit consent from the employees, and disclosure of such data shall only be permitted under very limited circumstances.
Besides, when dealing with the sensitive personal data of employees, employers must also comply with the other data protection principles under the Act, such as the Notice and Choice Principle, the Disclosure Principle, the Security Principle and the Retention Principle.
In light of the above, we recommend that employers take the following actions:
The employers shall obtain explicit consent from the employees in the form of a written notice if it is not already included in the employees’ Personal Data Protection Notice. The notice shall include, but is not limited to, the type of sensitive personal data to be collected, the purpose of the collection and consent to disclosure to the relevant authorities.
The employers shall ensure that the personal data collected is not used or disclosed for purposes unrelated to COVID-19.
The employers shall take reasonable steps to protect the sensitive personal data from any loss, misuse, modification or unauthorized access.
The employers shall put in place appropriate measures to ensure that the sensitive personal data shall be destroyed or permanently deleted when it is no longer required.
The pressing need to contain the outbreak of the COVID-19 pandemic is, no doubt, the primary concern for the health authorities and employers. Nonetheless, employers shall not deviate from their duty to handle the personal data of their employees with care, in compliance with the data protection principles stipulated under the Act. In any case, employees should be informed of any processing of personal data the employers intend to carry out, and the employers must apply appropriate safety measures in line with the risk of such processing.
For further information, please contact:
Omar Saifuddin Abdul Aziz, Azmi & Associates
[1] Ministry of Human Resources. (2020, March 24). Frequently Asked Questions (FAQ’S) On Movement Control Order Ministry of Human Resources. Retrieved from http://jtksm.mohr.gov.my/images/novel_coronavirus/soalan_lazim/FAQ%20KSM%20English%20Version.pdf
[2] J. Miranda & B. Isabel. (2020). COVID-19: What precautions should companies take when processing personal data within an employment context? Retrieved from https://www.garrigues.com/en_GB/new/covid-19-what-precautions-should-companies-take-when-processing-personal-data-within-employment
[3] Section 15 Occupational Safety and Health Act 1994
(1) It shall be the duty of every employer and every self-employed person to ensure, so far as is practicable, the safety, health and welfare at work of all his employees.