On 7th June 2020, the Government announced the Recovery Movement Control Order (“RMCO”) effective 10th June 2020 through 31st August 2020. Under the RMCO, additional restrictions are lifted, and most businesses are allowed to operate with adherence to strict standard operating procedures (“SOP”).
During the RMCO, businesses, particularly retail businesses, are required to take steps to register their customers or visitors in order to assist the authorities in tracking individuals who have contracted Covid-19, if any. This unprecedented measure means that companies now face real questions about their rights and obligations to collect, use and disclose personal data during this restriction period, as well as the risk of non-compliance with the Personal Data Protection Act (“PDPA”).
To address this issue, the Department of Personal Data Protection (“JPDP”) has issued an Advisory circular to guide businesses concerning the collection, processing and retention of such data in the context of Covid-19. It is noteworthy that any non-compliance with the Advisory circular may be deemed a breach of the PDPA and may result in a fine not exceeding RM300,000 or an imprisonment term not exceeding two (2) years, or both.
During this time, the JPDP will be monitoring the compliance level of businesses from time to time and it will take enforcement actions if necessary. Hence, it is important that all business owners are aware of their data protection obligations during this period.
HOW CAN PERSONAL DATA OF CUSTOMERS BE COLLECTED DURING THE COVID-19 OUTBREAK?
Following the Advisory circular, businesses shall only collect minimal details of customers or visitors, i.e. name, contact number, date and time of visit/arrival and nothing more, and you may choose to receive such information manually or digitally. Since this information is considered as “personal data” under the PDPA, all handling and processing of the data should be in accordance with the PDPA. In this respect, Section 7 of the PDPA is particularly worth mentioning.
Section 7 of the PDPA states that all businesses should always give written notice informing their customers/visitors that their personal data will be collected prior to entry. In this sense, we recommend that businesses always conspicuously display a copy of such notice at the entrance of the business that reads as follows:
“The Collection of your details is required under the Prevention and Control of Infectious Diseases Act 1988 [Act 342] and it is hereby compulsory.
You are only required to provide details as follows:
- Name of customer;
- Contact Number; and
- Date and time of arrival.
Failure to provide such information, we may not be able to offer our service to you.”
In view of the above, it is essential to note that business owners must also ensure that all personal data collected are accurate and not misleading. The personal data collected shall only be kept for a maximum of six (6) months after the restriction period ends, after which such personal data collected shall be destroyed and permanently deleted.
WHEN CAN THE EMPLOYERS PROCESS AND DISCLOSE THE PERSONAL DATA?
As a general principle under the PDPA, personal data shall not be processed unless:
- The personal data is processed for a lawful purpose directly related to an activity of the data user;
- The processing of the personal data is necessary for and directly related to that purpose; and
- The personal data is adequate but not excessive in relation to that purpose.
In the context of Covid-19, businesses can only disclose personal data of their customers or visitors to a third person in the following circumstances:
- Where there is a request by the health authorities or an authorised officer for any information relating to prevention and control of the infectious disease throughout the restriction period.
- Where there is a request by the health authorities or an authorised officer for the purpose of inspection, examination or inquiry in respect of the place of work.
In simpler terms, personal data of a person can only be collected and disclosed by businesses for the purposes of contact tracing under the Prevention and Control of Infectious Diseases Act 1988. It cannot be used for other purposes, for example, direct marketing and other purposes not authorized by the JPDP.
As a final point, in cases where the disclosure of the customer’s identity or data is necessary but not mentioned in the notice, business owners are advised to first inform the individual of the intended disclosure and, as far as possible, try to obtain his or her consent before sharing his/her data with a third person.
Disclaimer: This article is intended for general information and education purposes only and not to provide legal and professional advice. If you have any specific questions about data protection, please contact us today at firstname.lastname@example.org, or send us a direct message through the WhatsApp button on our website.