Malaysia - Personal Data Protection In The Age Of Covid-19.
Legal News & Analysis - Asia Pacific - Malaysia - Cybersecurity - Regulatory & Compliance
2 July 2020
With the implementation of the Movement Control Order (“MCO”) since 18 March 2020, the Conditional Movement Control Order (“CMCO”) as well as the Recovery Movement Control Order, the Government has issued a number of Standard Operating Procedures (“SOPs”) to control the spread of the Covid-19 pandemic.
These SOPs1 include measures to facilitate contact tracing and monitoring of potentially infected persons which pose additional complexity to data protection compliance and increased privacy risks. The digital footprint generated from the implementation of these SOPs include the attendance and details of employees such as name, identification number, temperature, health condition, time of entry and exit and the personal details of customers such as their names, temperatures and contact numbers.
In the implementation of these SOPs, compliance with the Personal Data Protection Act 2010 and data security measures must not be overlooked.
Consent and purpose
Companies are required to obtain the consent or explicit consent of the data subject for the processing of any personal data or sensitive personal data2. Collection of data in relation to health information concerning the physical or mental health or condition of a data subject can be considered as sensitive personal data3. Collection of such information may be allowed without the consent or explicit consent of the data subject if the companies are required to comply with legal obligations imposed on them4 or in order to protect the vital interests of the data subject5.
An interesting point to note is that the PDPA6 does not apply to the Federal Government and State Governments. This is to say that notice and consent are not required for the Ministry of Health of Malaysia to collect or disclose personal data.
Further, it is important to note that the personal data should not be used or disclosed for any other purposes other than for purposes necessary in line with the Government SOPs7. The Department of Personal Data Protection (“JPDP”) has prepared an advisory on the collection, processing and possession of personal data by businesses during the CMCO8.
According to the advisory, businesses are only allowed to record minimal information, which are name, contact number, dates and time of visit. Businesses are also required to display a notice citing that it is compulsory for visitors to present the requested information and its purpose.
Nevertheless, companies should conduct due diligence on their privacy notices to ensure that existing notices to their customers are sufficiently wide to cover the type of sensitive personal data collected under the SOPs, the purpose for the processing9, and the third parties to which the companies may disclose this information10. A supplementary privacy notice may be required to ensure that proper notice has been given.
Security of data and devices
Companies are required to ensure that practical steps are taken to protect the collected personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction11. Various options for contact tracing have been introduced by the Malaysian Government including three tracking apps, namely, MySejahtera, MyTrace and GerakMalaysia12.
Regardless of whether the companies choose to collect the personal data of its employees or customers manually or through tracking apps, measures must be taken to ensure that these forms or apps are proper and secure. For manual data collection, a specific document must be prepared and used throughout the CMCO13. Physical forms should not be exposed or disposed of in a manner where there may be disclosure of the personal data to the public or third parties.
In particular, companies may refer to the recommended practices14 set out for personal data security such as to set up 24-hour security monitoring to safeguard computer systems from malware threats. Setting up of proper recommended practices to ensure data security may be a financial strain on many companies. Proper financial management is required to ensure that companies can bear the financial requirements to comply with PDPA and the Government SOPs.
Furthermore, any personal data collected during the CMCO should not be retained perpetually and should be permanently destroyed within six months after the end of the CMCO15.
Collection of personal data by employers
The Ministry of Health of Malaysia issued a management guideline16 to ensure that proper record keeping and practical steps are taken to reduce the risks of transmission between individuals. Employers are allowed to collect personal data relating to the health, travel history and location information to protect the safety and health of their individual employees or other persons not being their employees at the workplace as required under the Occupational Safety and Health Act 1994 (“OSHA”)17.
It is a requirement by the Government for the employers to keep the contact details of all participants and organisers for at least one month from the date of completion of the event. Employees are also under an obligation to cooperate with employers to comply with the measures taken to discharge the employer’s duties18.
Employers are also considering the implementation of work from home arrangements with their employees as a way to reduce the exposure to the risks of the Covid-19 pandemic. If devices are deployed to employees for work from home arrangements, steps should be taken to ensure that the risks of data security breach are minimised. These steps include:
Only dedicated devices are used to collect or store personal data;
Managing access and usage of devices (including no personal use of the devices or unnecessary installation or deletion of apps);
Ensure proper and updated security/virus systems or measures have been installed in the devices;
Avoid connecting the devices to public or unsecured Wi-Fi connections;
Avoid sharing of emails or passwords between employees or non-employees;
Regular checks to ensure the devices are secure and not exposed to any viruses; and
Awareness of phishing or scam emails or software.
Nevertheless, companies should conduct due diligence on their privacy notices to ensure that existing notices to their employees are sufficiently wide. Otherwise, a supplementary privacy notice may be required.
Consequences of non-compliance
Non-compliance of the PDPA is an offence punishable by either fines or imprisonment against the data user. JPDP is monitoring compliance of the level of businesses and failure to comply may result in a fine of no more than RM300,000 or a prison term of no more than two years or both, if convicted19.
Proposed enhancements to the PDPA
In early 2020, the PDP Commissioner issued a Consultation Paper to review the PDPA. Under the Consultation Paper the PDP Commissioner had proposed 22 amendments to the PDPA. The proposed amendments will impose additional obligations on companies and we would like to highlight some of these below:
Appointment of a data protection officer
The PDPA as it stands does not require data users to appoint a data protection officer unlike in other jurisdictions. This amendment is much welcomed as lack of essential knowledge on data protection matters is one of the main challenges faced in compliance, particularly in the current situation where various Government SOPs have been issued.
Report of data breach
Unlike the General Data Protection Regulation (“GDPR”)20, the PDPA has no express provision that requires any data breach to be reported to the PDP Commissioner. Lack of an express requirement in the law to report this breach can lead to organisations covering up any data breach at the expense of the customer’s personal data. Any amendment that includes such reporting obligation should include a clear guideline encompassing the procedure to be adhered to such as the type of breach that needs to be reported, and the time frame for the report to be made.
Privacy by design
The concept of privacy by design can be explained easily as putting privacy as priority when creating new technologies or systems.
This concept requires organisations to set up privacy measures in the whole process of developing a system, such as taking proactive measures to anticipate probable breach before it actually happens. Its importance is especially apparent to organisations who run their businesses online. Examples of measures that can be taken by data users are name pseudonymisation, end-to-end encryption and strict use authentication.
Application to non-commercial activity
The application of the PDPA is currently limited to personal data processed in commercial transactions only. A blanket application to all entities who processes data is a good initiative to further protect personal data.
It is proposed in the Consultation Paper for the PDPA’s application to be extended to include personal data processed outside Malaysia. This proposal is in line with some other jurisdictions who are starting to impose extra-territorial obligations on organisations who process data of their citizens. However, the Consultation Paper proposes to restrict the application to data users outside Malaysia who monitor and do profiling of Malaysian data subject only.
While data collection and contact tracing are of vital importance during the Covid-19 pandemic, companies should ensure that their obligations under the PDPA are complied with when processing these personal data. Issuance of the advisory from the JPDP is much welcomed to standardise the approach for the collection of data for contact tracing and the protection thereof from unauthorised use and disclosure.
For further information, please contact:
Elyse Diong Tze Mei, Shearn Delamore & Co
1 https://www.pmo.gov.my/2020/05/sop-pembukaan-semula-sektor-ekonomi/; Annex 25 of the Guidelines COVID-19 Management No. 5/2020.
2 Sections 6(1)(a), 6(1)(b) and 40(1) of the PDPA.
3 Section 4 of the PDPA.
4 Sections 6(2)(c) 40(1)(b)(i) of the PDPA.
5 Sections 6(2)(d), 40(1)(b)(ii), 40(1)(b)(iii) of the PDPA.
6 Section 3(1) of the PDPA.
7 Section 6(3) of the PDPA.
8 Advisory titled “Tatacara Pengendalian Bagi Aktiviti Pengumpulan, Pemprosesan Dan Penyimpanan Data Peribadi Oleh Premis Perniagaan Semasa Perintah Kawalan Pergerakan Bersyarat (PKPB)” dated May 2020; https://www.pdp.gov.my/jpdpv2/pengumuman/tatacara-pengendalian-bagi-aktiviti-pengumpulan-pemprosesan- dan-penyimpanan-data-peribadi-oleh-premis-perniagaan-semasa-perintah-kawalan-pergerakan-bersyarat- pkpb/?lang=en.
9 Section 7(1)(b) of the PDPA.
10 Section 7(1)(e) of the PDPA.
11 Section 9 of the PDPA.
12 https://www.thestar.com.my/tech/tech-news/2020/05/04/covid-19-mysejahtera-and-mytrace-apps-now-linked; https://www.thestar.com.my/tech/tech-news/2020/04/17/mcmc-launches-contact-tracing-app-gerak-malaysia.
13 Para 2.3 (a) of the Advisory titled “Tatacara Pengendalian Bagi Aktiviti Pengumpulan, Pemprosesan Dan Penyimpanan Data Peribadi Oleh Premis Perniagaan Semasa Perintah Kawalan Pergerakan Bersyarat (PKPB)” dated May 2020.
14 The Personal Data Protection Standard 2015.
15 Para 2.4 of the Advisory titled “Tatacara Pengendalian Bagi Aktiviti Pengumpulan, Pemprosesan Dan Penyimpanan Data Peribadi Oleh Premis Perniagaan Semasa Perintah Kawalan Pergerakan Bersyarat (PKPB)” dated May 2020. 16 https://www.moh.gov.my/moh/resources/Penerbitan/Garis%20Panduan/COVID19/Annex_25_COVID_guide_for_ workplaces_22032020.pdf.
17 Sections 15 and 17 of the OSHA.
18 Section 24 of the OSHA.
19 Para 3.0 of the Advisory titled “Tatacara Pengendalian Bagi Aktiviti Pengumpulan, Pemprosesan Dan Penyimpanan Data Peribadi Oleh Premis Perniagaan Semasa Perintah Kawalan Pergerakan Bersyarat (PKPB)” dated May 2020.
20 Article 33 of GDPR.