By Lee Lin Li / Chong Kah Yee, Tay & Partners
As the Covid-19 pandemic continues its scourge, the Malaysian government imposed a movement control order ("MCO") from 18 March 2020 until 12 May 2020. It restricts the free movement of people, including a prohibition of mass gatherings, restrictions on overseas travel for Malaysians and on entry for foreign visitors, as well as the closure of schools and of government and private premises except those involved in essential services. A written police permit is required for interstate travel. The Royal Malaysian Police and the Malaysian Armed Forces were mobilized to enforce the order. Unprecedented in peacetime, Malaysia became the first South East Asian country to put its citizens under restricted movement to slow the rate of infection for as long as possible and so alleviate the burden on its healthcare system while protecting those most at risk.
Prior to the MCO, beleaguered businesses had already reacted by implementing work from home and other commercially feasible social distancing measures. A purposeful stroll into workplaces had been replaced with long queues for temperature checks and recording of personal details. Social media platforms were awash with photo uploads of people being health screened, and names of infected individuals and their workplaces were being freely shared. Information is being collected and processed in the name of containment of the virus. As Malaysia and much of the world continue to grapple with the virus, data privacy and its vulnerability became heavily tested. The following focuses on the use and sharing of personal information of employees, contractors and visitors by employers in the face of the Covid-19 pandemic.
1. Are there any specific guidelines for the processing of personal data in the context of the Covid-19 outbreak?
There are yet to be any specific guidelines from the Malaysian Personal Data Protection Commissioner on the lawful processing of personal data in the context of the Covid-19 pandemic. Businesses are to adhere to the Personal Data Protection Act 2010 ("PDPA").
The Ministry of Health has issued guidelines to event organizers to keep a record of the contact details of all participants for at least one month from the date of completion of the events. They are required to assist the Ministry of Health, which carries out contact tracing and places close contacts under home surveillance where participants are infected. The guidelines are here.
2. What type of personal data is typically being processed during the Covid-19 outbreak?
Apart from personal data such as basic identity, contact details, location information, travel history and information of close contacts, health status, body temperature measurements and medical conditions, which are sensitive personal data, are also being processed. Sensitive personal data is subject to more stringent and additional safeguards under the PDPA.
3. May employers conduct temperature screening for employees, contractors and visitors?
Yes. Employers may collect body temperature readings of employees, contractors and visitors to protect the safety and health of individuals at the workplace as required under the Occupational Safety and Health Act 1994 ("OSHA").
Such information constitutes sensitive personal data which may be collected without explicit consent to comply with the aforesaid legal obligations or to protect the vital interests (i.e. life, death or security) of their employees, contractors, visitors and others where the consent cannot be given by them, cannot be reasonably obtained by the employers or is unreasonably withheld.
Nevertheless, employers must ensure that the existing notices are sufficiently wide to cover the type of information being processed, the purpose and the class of third party to whom it may be disclosed, without which a supplementary notice will be required.
4. May employers collect information about travel history of employees, contractors and visitors?
Yes. Employers may collect information about travel history of employees, contractors and visitors to protect the safety and health of individuals at the workplace as required under the OSHA. Further, employers are encouraged to obtain travel declarations from employees pursuant to the guidelines issued by the Ministry of Health.
Such information may be collected without consent to comply with the safety and health obligations. It is also possible to invoke the exception of protecting their vital interests to dispense with the consent requirement.
Nevertheless, employers must ensure compliance with the notification requirement specified in the answer to Question 3.
5. May employers collect information about symptoms of employees, contractors or visitors?
Yes. Employers may collect information about symptoms of employees, contractors and visitors to protect the safety and health of individuals at the workplace as required under the OSHA. Further, monitoring symptoms of employees at workplace is one of the safety measures recommended for adoption by employers under the guidelines of the Ministry of Health.
Such information constitutes sensitive personal data which may be collected without explicit consent to comply with the aforesaid legal obligations or to protect the vital interests of their employees, contractors, visitors and others where the consent cannot be given by them, cannot be reasonably obtained by the employers or is unreasonably withheld.
Nevertheless, employers must ensure compliance with the notification requirement specified in the answer to Question 3.
6. May employers request employees, contractors or visitors to notify them if the latter is diagnosed?
Employers may request employees to notify them if the employees are diagnosed by having such requirement as part of the health and safety measures in the HR policy of the organization. Employees are bound by legal duties to cooperate with employers to comply with such measures including the notification requirement.
Contractors and visitors may be required by an organization to notify to prevent or contain the spread of the virus among employees and other individuals at the workplace pursuant to the OSHA.
Such information constitutes sensitive personal data which may be collected without explicit consent to comply with the aforesaid legal obligations or to protect the vital interests of their employees, contractors, visitors and others where the consent cannot be given by them, cannot be reasonably obtained by the employers or is unreasonably withheld.
Nevertheless, employers must ensure compliance with the notification requirement specified in the answer to Question 3.
7. May employers notify others of any employee, contractor or visitor who is infected or suspected of being infected?
Yes. It would be prudent for employers to disclose information of any employee, contractor or visitor who is infected or suspected of being infected, only to other individuals who have come into contact with the former if this is necessary to prevent or contain the spread of the virus among employees and other individuals at the workplace pursuant to the OSHA.
Such information involves the identity and health status (i.e. whether infected or suspected) of the infected or suspected persons which constitute personal data and sensitive personal data, respectively. Employers may collect and subsequently disclose the personal data to the other individuals without consent for compliance with the safety and health obligations.
Similarly, the sensitive personal data may be collected and subsequently disclosed to the other individuals without explicit consent to comply with the aforesaid legal obligations or to protect the vital interests of the individuals where the consent cannot be given by them, cannot be reasonably obtained by the employers or is unreasonably withheld.
Nevertheless, employers must ensure compliance with the notification requirement specified in the answer to Question 3.
If the purpose is not covered in the relevant notices, the information may still be disclosed to the other individuals as the disclosure is authorized by the OSHA.
8. Are employers required to disclose personal data of their employees, contractors or visitors to the authorities pursuant to a request by them?
Yes, and three provisions cover this requirement:
Section 22I of the Prevention and Control of Infectious Diseases Act 1988 ("PCIDA") which criminalizes the refusal to furnish any information required;
Regulation 6 of the Prevention and Control of Infectious Diseases (Measures Within the Infected Local Areas) Regulations 2020 and Regulation 9 of the Prevention and Control of Infectious Diseases (Measures Within the Infected Local Areas) Regulations (No. 2) 2020 (collectively, "PCIDR") which mandate compliance with the request of an authorized officer for any information relating to prevention and control of the infectious disease; and
Section 46 of the OSHA which requires employers to provide assistance to occupational safety and health officers for any entry, inspection, examination or inquiry in respect of a place of work or for the exercise of their duty thereunder.
Accordingly, where there is a request by the health authorities for personal data of an employee, contractor or visitor for investigation or contact tracing purpose, employers are bound by the aforesaid legal obligations to assist and cooperate with them.
This ultimately means that employers are allowed to collect and subsequently disclose the information to the health authorities without consent to comply with the aforesaid legal obligations.
Similarly, sensitive personal data may be collected and subsequently disclosed to the health authorities without explicit consent to comply with the aforesaid legal obligations or to protect the vital interests of their employees, contractors, visitors and others where the consent cannot be given by them, cannot be reasonably obtained by the employers or is unreasonably withheld.