News and developments

Employee’s Sensitive Personal Data Collection Amid COVID-19

Introduction

As the world struggles to combat the COVID-19 (Coronavirus) pandemic, employers around the globe are allowed to collect personal data of employees such as their travel history to prevent the spread of the virus at the workplace. In Malaysia, the Ministry of Human Resources has issued a Frequently Asked Questions (FAQ'S) on Movement Control1 on 24 March 2020. Under the FAQ's, the employers in the essential service sectors are required to provide a body temperature monitoring device and take a daily recording of their employees' body temperature.

Within the context of the global spread of COVID-19, the employers have discovered a new reality, which also raises the following questions within the scope of the processing of personal data-

1.    Can the employer ask its employees to undergo COVID-19 diagnosis tests it provides?

2.    Can the employer systematically check the body temperature of its employees?

3.    Can the employer require its employees to periodically complete questionnaires relating to COVID-19 symptoms? And questionnaires relating to recent trips of its employees and the dates they left and returned to the country? Can these questionnaires include questions relating to people living with the employee?

4.    Can the employer require its employees to state whether or not they belong to risk groups?

5.    Can the employer inform the rest of the employees when it identifies a company employee infected by COVID-19?

6.    Can the employer ask an employee suspected of being infected with COVID-19 to give the names of the employees with whom they have recently been in contact?

7.    Can the employer share data on employees suspected of being infected with COVID-19 with the health authorities?2

The employers should be aware that personal data related to their employees' health conditions constitutes "sensitive personal data" of the employees under section 2 of the Personal Data Protection Act 2010 ("the Act") where we reproduce as below:

"sensitive personal data" means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;"

In light of the above, the employers must be cautious in dealing with sensitive personal data of the employees. It is a legal duty of the employers to ensure that the collection and processing of such sensitive personal data comply with the principles of the Act.