Personal Data Must Be Deleted Six Months After MCO: Adham

Business premises are meant to collect visitors’ personal data for Covid-19 contact tracing purposes only.

KUALA LUMPUR, Dec 30 — Visitors’ personal particulars collected in business premises must be destroyed or deleted permanently within six months after the end of movement control orders (MCO), Dr Adham Baba said.

Several states and districts are still under movement restrictions, as the Conditional Movement Control Order (CMCO) in Selangor, Kuala Lumpur, and Sabah, as well as certain areas in Penang, Negeri Sembilan, and Johor have been extended to January 14, 2021, amid rising Covid-19 cases.

“Monitoring of personal data recorded manually inside books at business premises is under the responsibility of the Department of Personal Data Protection (PDP),” the health minister stated in a written Parliament reply on December 14 to Kimanis MP Mohamad Alamin.

“The PDP department has also issued operating procedures for collection, processing and storage of personal data collected by the owner’s business premises during the Conditional Movement Control Order (CMCO),” Dr Adham added.

The Ministry of Health (MOH) stated that all business premises were only allowed to record visitor’s name, contact number, date and time of visitor attendance by manual or digital methods.

Mohamad had asked MOH to state how the ministry is cooperating with the PDP Department in monitoring and controlling manual recording of personal data at business premises throughout Malaysia to prevent data embezzlement.

Besides manual registration of personal data, visitors are also allowed to register their visit details in MySejahtera, an app by MOH which requires various personal details from users who download the app, such as their contact number, email address, full name, identity card (IC) number, age, gender, ethnicity, and home address.

According to MOH, all the business premises were also asked to display the purpose of collecting personal data clearly. Particularly, personal data are only collected for Covid-19 contact tracing purposes in accordance with the Prevention and Control of Infectious Diseases Act 1988 (Act 342).

It is to be noted that the Personal Data Protection Act (PDPA) 2010 aims to protect the personal data of individuals with respect to commercial transactions. However, the law does not apply to any federal or state government entity. Thus, contact tracing apps, including MySejahtera and other state-owned apps, are not subject to the PDPA.

However, Deputy Health Minister Dr Noor Azmi Ghazali told CodeBlue that personal data from MySejahtera is only used for contact tracing and it is treated as confidential patient information under the Medical Act 1971 and the Prevention and Control of Infectious Diseases Act.

As of October 1, a total of 804 inspections of business premises have been conducted by the enforcement division of the PDP department nationwide.

You may also like