
The COVID-19 outbreak saw employers in the private sector taking active steps to prevent an outbreak in the workplace, including mandating that employees sign a health declaration form, checking the body temperature of arriving employees, and checking on the travel patterns of their employees.

However, is this allowed under the Personal Data Protection Act 2010 of Malaysia (PDPA)?

Sensitive personal data includes information as to the physical or mental health or condition of a data subject. Under the PDPA, sensitive personal data should not be processed except where:

  • the data subject has given his explicit consent; or
  • in the absence of explicit consent, where processing of sensitive personal data is necessary to, among others, protect the vital interests (i.e. relating to life, death, or security) of the data subject or another person.

The vital interest provision only applies where consent cannot be given by a data subject, consent cannot be reasonably obtained by the data user, or where consent is unreasonably withheld. It is noted that protecting the vital interests of ‘another person’ (e.g. matters relating to life, death or security of other employees and individuals in the workplace) could also justify the processing of sensitive personal data.

Note to Employers

Notwithstanding the ‘vital interest’ exception, the explicit consent provision should be a safer route to allow employers to process, store or even disclose sensitive personal data of their employees who are suspected of contracting or who have contracted the COVID-19 virus to medical or health officers or the relevant government authorities.

This can be done by inserting a statement to the effect of “I agree to the processing of my sensitive personal data and disclosing the same to public or private health authorities” and obtaining a signature of the employees in any health declaration form.

However, the 7 overarching principles of the PDPA must still be complied with. For example, if the processing of sensitive personal data in the face of an epidemic is not addressed in the existing employee Personal Data Notice or Privacy Policy, a supplementary Notice or Policy should be made available to the employees, and fresh, explicit consent from the employees should be obtained. The employer should also take extra precautions not to collect personal data excessively, and to be very careful about whom it discloses such sensitive personal data to.

***

This article was written by Shawn Ho (Partner) & Ian Liew (Associate) from the corporate practice group of Donovan & Ho.  Shawn leads the corporate practice group of Donovan & Ho, and has been recognised as a Notable Practitioner, whilst the firm has been recognised as a Notable Firm for Corporate and M&A by Asialaw Profiles 2020.  We are also ranked as a Recommended Firm by IFLR1000 2020.

Our corporate practice group advises on corporate acquisitions, restructuring exercises, joint venture arrangements, shareholder agreements, employee share options and franchise businesses, Malaysia start-up founders and can assist with venture capital funds in Seed, Series A & B funding rounds. Feel free to contact us if you have any queries.

 
