Covid-19: Advisory on Collection of Personal Data by Department of Personal Data Protection during CMCO

On 1 May 2020, the Prime Minister of Malaysia announced that all businesses except those which are set out in the List of Prohibited Activities are permitted to operate from 4 May 2020 (‘MCO Phase 4’) subject to strict compliance with the standard operating procedures established by the relevant regulatory authorities.
The Department of Personal Data Protection (‘JPDP’) has issued an advisory (‘Advisory’) on the collection, processing and retention of personal data by businesses which are permitted to operate during the conditional movement control order (‘CMCO’) period, following its approval in a Special Ministerial Committee Meeting on the Implementation of the MCO held on 21 May 2020. A copy of the Advisory is available here.  
This Alert outlines the requirements prescribed in the Advisory that must be complied with by businesses operating during the CMCO period, in line with the data protection principles under the Personal Data Protection Act 2010 (‘PDPA’). The requirements are as follows:
  • Businesses shall only collect minimal personal data of customers or visitors i.e. name, contact number, date and time of visit/arrival; and businesses may choose to collect such information manually or digitally.
  • A notice must be displayed to inform the visitors or customers on the purposes of the collection of their personal data. Such notices shall be placed at an easily seen location. A sample of the notice (in both English and Malay) is appended in the Advisory (Appendix A).
  • For manual data collection, the information shall be recorded by the staff of the businesses to avoid unauthorised or accidental disclosure of the information. Further, a specific document must be used throughout the CMCO period – the applicable format for such manual data collection is appended in the Advisory (Appendix B).
  • For both manual and digital data collection, businesses shall ensure that the personal data are only collected for the purposes of contact tracing, pursuant to the requirements under the Prevention and Control of Infectious Diseases Act 1988 (Act 342).
  • Personal data collected shall only be kept up for a maximum of six (6) months after the CMCO ends, after which such personal data collected shall be destroyed or permanently deleted (having regard to the appropriate methods of disposal for both manual and digital forms of data collection).
  • Ensure that the personal data collected are accurate and not misleading.
  • The Access Principle under the PDPA shall not apply during the CMCO period – data subjects do not have the right to be given access to his/her personal data held by businesses and to correct such personal data.
JPDP will be monitoring the compliance level of businesses from time to time and will not hesitate to take enforcement actions, if necessary. Failure to comply with the Advisory may result in a fine of not exceeding RM300,000 or an imprisonment term not exceeding two (2) years, or both.
If you have any queries, please contact our Ms. Jillian Chia (Partner) at or Ms. Beatrice Yew (Associate) at