Contact Tracing: Data Protection, Privacy Rights
- Alyson Phung

- Jul 18, 2020
Malaysians are no strangers to contact tracing. Many will have filled in manual forms or scanned QR codes to key in their details before being allowed to enter certain premises. The upturn in the collection and processing of personal data is evident, as traders and customers are encouraged to use the MySejahtera app for contact tracing during the Recovery Movement Control Order (“RMCO”)[1].
As the public acclimatise to contact tracing and data collection, there are some real and immediate privacy concerns such as:
(a) Who collects personal data for contact tracing?
(b) What happens if individuals choose not to provide personal data?
(c) When can personal data be legitimately disclosed?
(d) How long will personal data be retained?
In this article, the author addresses the above issues against the backdrop of Malaysia’s data protection legislation – the Personal Data Protection Act 2010 (“PDPA”).
Personal Data vs Sensitive Personal Data
Some examples of personal data that are typically processed during the COVID-19 pandemic include:
Basic identity e.g. name
Contact details
Location
Health status
Body temperature
Medical condition e.g. whether individuals display symptoms of the virus
Results of COVID-19 testing (if any)
All the above information falls within the definition of ‘personal data’ in the PDPA, whereas information relating to an individual’s physical or mental health or condition is categorised as ‘sensitive personal data’[2]. Activities such as collection, recording, holding and disclosure of personal data are considered ‘processing’ of personal data[3].
Do note that during the Conditional Movement Control Order (“CMCO”) period, the Department of Personal Data Protection advised businesses to only collect minimal personal data of their customers e.g. name, contact number, and date and time of arrival (“Advisory”). Unfortunately, at the time of writing, guidelines have yet to be issued for the RMCO period.
Who collects personal data?
Persons who process personal data are known as ‘data users’ under the PDPA. In the context of COVID-19, data users would typically include businesses, organisations and employers. Pursuant to the PDPA, data users are required to comply with 7 data protection principles. To address the concerns raised in this article, the author focuses on 4 principles, namely:
(a) the General Principle (e.g. consent);
(b) the Notice and Choice Principle;
(c) the Disclosure Principle; and
(d) the Retention Principle.
(a) The General Principle (e.g. consent)
Consent is considered to be the cornerstone of the PDPA. Generally, consent of the data subject is required to process personal data, whereas sensitive personal data has a more stringent requirement of explicit consent[4]. Take note that the PDPA does not prescribe any specific forms as to how consent must be obtained, as long as it is capable of being recorded and maintained properly[5].
Examples of consent listed in the Personal Data Protection Code of Practice For the Utilities Sector (Electricity) include a clickable box indicating consent, signatures and verbal consent. On the other hand, explicit consent may be given where the data subject voluntarily provides sensitive personal data, or provides an identification card to be photocopied or scanned.
In short, if a data subject has agreed to furnish personal details to a data user, the data user can process such personal information. Having said that, data subjects are free to withdraw consent vide a written notice[6].
(b) Refusal to provide personal data
When data users process personal data, they are required to give written notice to the data subject. That notice would contain among others[7]:
(i) The purpose for which the personal data is collected and processed;
(ii) Whether it is obligatory or voluntary to supply the personal data; and
(iii) If obligatory, the consequences for failure to supply personal data.
Depending on the respective data users’ SOPs, individuals would likely be denied the provision of services or entry to premises should they fail to provide personal data.
(c) When can personal data be legitimately disclosed?
Legally, personal data cannot be disclosed without the consent of the data subject[8]. Data users are also prohibited from disclosing personal data for purposes which were not specified at the time of collection. Hence, it is important to understand these basic parameters before clicking that “Yes, I Agree” button or signing a PDPA notice:
(i) What personal or sensitive personal data may be disclosed;
(ii) Whom your personal or sensitive personal data may be disclosed to (e.g. third parties);
(iii) Purpose of such disclosure; and
(iv) Whether the data user may disclose your personal or sensitive personal data without a supplementary notice.
Undeniably, a vital element in hindering the virus’s chains of transmission is fast response time. This may result in situations where it is not viable or possible for data users to trace each data subject and obtain their consent before disclosing information to health authorities. In such situations, the following two legal grounds may exempt the requirement of consent:
(i) Where data users are required or authorised by law to disclose personal data; or
(ii) Disclosure is necessary to protect ‘vital interests’.
First, if required or authorised under any law, data users are allowed to disclose personal data without consent of the data subject[9]. This exemption applies only to disclosure of personal data, not sensitive personal data. Pursuant to Regulation 9 of the Prevention and Control of Infectious Diseases (Measures within Infected Local Areas) (No. 7) Regulations 2020, an authorised officer (e.g. health authorities) may request information relating to prevention and control of infectious disease.
To illustrate, businesses may be required to disclose their visitor or customer entry logs if requested by health authorities in the event of a second COVID-19 spike. Although a data user’s compliance with Regulation 9 is not mandatory[10], it may afford data users the legal justification to disclose personal data to health authorities without consent of the data subject.
Secondly, consent may be dispensed with if the processing (which includes disclosure) of personal data is necessary to protect a data subject’s ‘vital interests’ (e.g. matters relating to life, death or security of a data subject)[11]. Similarly, for sensitive personal data, explicit consent may be waived to[12]:
(i) Protect the vital interest of the data subject or another person, where –
Consent cannot be given by or on behalf of the data subject; OR
The data user cannot reasonably be expected to obtain consent of the data subject.
(ii) Protect the vital interest of another person where consent of the data subject has been unreasonably withheld.
Processing of personal or sensitive personal data in the context of COVID-19 may fall within the meaning of vital interests if there is a life or death situation. However, this legal argument may not shield data users from liability if they process personal or sensitive personal data only in the name of COVID-19, unrelated to the vital interests of the data subjects or other individuals. Unfortunately, at the time of writing there are no local case law precedents or directives from the Personal Data Protection Commissioner which may serve as guidance to interpret ‘vital interests’.
(d) How long will my personal data be retained?
The rule of thumb is that personal data should not be kept longer than necessary. Further, data users bear the onus to ensure that all personal data is destroyed or permanently deleted if it is no longer required for the purpose for which it was processed[13].
The Advisory issued by the Department of Personal Data Protection states that businesses are allowed to retain personal data for a maximum of 6 months after the CMCO ends. In other words, personal data collected during CMCO must be destroyed or permanently deleted by 9 December 2020.
As for other organisations, the retention rule is open to interpretation. To illustrate, some may argue that information should be deleted after the 14 days average incubation period. However, longer periods of retention may be justified as in many cases, asymptomatic individuals who have initially tested negative would later test positive for the virus.
Conclusion
While governments, researchers and health authorities around the world race to find a vaccine to contain the COVID-19 pandemic, contact tracing has been systemically applied to help break the chain of virus transmission. As we do our part to help contain the virus, it is equally important for us to be informed of our basic rights as data subjects.
The infographic below summarises the key takeaways discussed in this article:

Written by Alyson Phung.
[1] https://asset.mkn.gov.my/web/wp-content/uploads/sites/3/2019/08/SOP-Norma-Baharu-Bagi-Individu-_14-Jun-2020.pdf
[2] “Personal data” and “sensitive personal data” are defined in Section 4 of the Personal Data Protection Act 2010
[3] “Processing” is defined in Section 4 of the Personal Data Protection Act 2010
[4] Section 6(1) of the Personal Data Protection Act 2010
[5] Regulation 3(1) of the Personal Data Protection Regulations 2013
[6] Section 38(1) of the Personal Data Protection Act 2010
[7] Section 7(1) of the Personal Data Protection Act 2010
[8] Section 8 & Section 39(a) of the Personal Data Protection Act 2010
[9] Section 39(b)(ii) of the Personal Data Protection Act 2010
[10] Cf Regulation 8 of the Prevention and Control of Infectious Diseases (Measures within Infected Local Areas) (No. 3) Regulation 2020
[11] Section 4 and Section 6(2) of the Personal Data Protection Act 2010
[12] Section 40(1)(a) and Section 40(1)(b)(ii) of the Personal Data Protection Act 2010
[13] Section 10(1) of the Personal Data Protection Act 2010
