The Department of Personal Data Protection (“DPDP”) has shed some light on how businesses should process the personal data of customers or visitors while the CMCO is in force. On 31 May 2020, the DPDP issued an advisory document (“Advisory”) on the operating procedures for the collection, processing, and retention of personal data by businesses during the CMCO. The Advisory sets out the minimum requirements, based on the Personal Data Protection Principles, with which all business premises allowed to operate during the CMCO must fully comply. These include:
- General Principle
When collecting the personal data of customers or visitors, only the minimum information (e.g., the name, contact number, and the date and time of arrival of the customers or visitors) shall be recorded. Businesses may choose to record such information either manually or electronically.
- Notice and Choice Principle
A notice shall be displayed at a clear and visible space to inform the customers or visitors on the purpose of collection of the personal data. A sample of the notice in the national and English languages is set out in Appendix A of the Advisory.
- Disclosure Principle
If personal data is collected manually, such information shall be recorded by employees of the businesses so as to avoid unauthorised or accidental disclosure of personal data. In addition, a specific document must be used throughout the CMCO period to record such information. The suggested format to be used for manual data collection is appended in Appendix B of the Advisory.
- Security Principle
Regardless of whether the personal data is collected manually or electronically, businesses shall ensure that the personal data collected will not be used for any other purposes save and except for the purposes of contact tracing in accordance with the Prevention and Control of Infectious Diseases Act 1988. Businesses shall keep the personal data collected secured and protected at all times.
- Retention Principle
Personal data collected by businesses shall only be kept up to six (6) months from the date the CMCO is lifted. Thereafter, all personal data collected shall be destroyed or permanently deleted.
- Data Integrity Principle
Businesses shall ensure that the personal data collected is accurate and not misleading.
- Access Principle
During the CMCO period, the Access Principle (which allows data subjects to access and correct their personal data) shall not be applicable.
The Advisory was issued to help businesses understand how personal data collected during the CMCO should be processed, and to reduce the risk of personal data breaches while still allowing contact tracing to contain the spread of COVID-19, since a balance has to be struck between privacy and the public interest.
The DPDP will be monitoring businesses to assess the level of compliance with the Advisory and will not hesitate to take enforcement action against business owners, if necessary. Failure to comply with the Advisory is an offence. Upon conviction, business owners may be liable to a fine not exceeding three hundred thousand Ringgit Malaysia (RM300,000.00) or to imprisonment for a term not exceeding two (2) years or to both.
In a press statement released by the Ministry of Communications and Multimedia (“MCM”) on 29 May 2020, the MCM advised the public not to worry about sharing their personal data at business premises for the purpose of COVID-19 contact tracing, as the MCM will also continuously monitor business owners’ compliance with the Advisory and the PDPA. However, the MCM has stated that the implementation of the Advisory is subject to new rulings introduced by the Government from time to time.
In view of the above, business owners are advised to implement the guidelines in the Advisory as soon as possible, so as to minimise the risk of improper handling or unlawful use of the personal data collected and of enforcement action by the authorities, and to keep abreast of any further requirements issued by the Government in respect of the processing of personal data.