Covid-19: Rights of Individuals under Data Protection / Privacy Laws

COVID-19: Balancing Individuals' Rights Against Community Rights In the COVID-19 Situation (Part II)

31 Mar, 2020

(Continued from Part 1)


What are my rights under data protection and privacy laws or regulations?

In the previous article we discussed government measures to contain the spread of the COVID-19 virus. Many of the public health initiatives require organisations to take specific actions such as requiring staff and visitors to submit to temperature checks and to declare any medical symptoms of flu before entering the organisation's premises. They also require organisations to obtain health declarations from individuals about whether or not they have been to countries with a large number of COVID-19 infection cases, or in contact with infected individuals.

While we cannot object to the collection and processing of personal information that organisations require in order to comply with laws on communicable or infectious diseases, etc., there are certain rights that we can exercise in terms of how organisations implement these measures.

 

Typical Rights of Individuals under Data Protection / Privacy Laws and Regulations

Data protection / privacy laws and regulations give individuals certain rights over their personal information.  What are the common rights of individuals?   In countries where there are data protection / privacy laws or regulations in place they generally include the following rights:

  • Right to be informed or notified about the purpose(s) for which personal information will be processed
  • Right to access and correct personal information that is processed
  • Right to object to or block processing / to withdraw consent
  • Right to erasure of personal information / to have it deleted when it is no longer required to be retained

Regardless of what measures with good intent you are being subjected to by an organisation (whether it’s your employer or one that you visit), you may ask for the specific purposes behind the collection of specific pieces of personal information required in the forms that you fill in. For example, you might be asked to give your ethnicity or birth date in a health declaration form and want to know the reason you need to provide such information.

In Malaysia and the Philippines, individuals have “the right to be informed” under their local data protection laws.

In Singapore’s Personal Data Protection Act (PDPA), while the “right to be informed” is not specifically mentioned, it is implied in the notification obligation. Organisations must notify individuals of the purposes for which their organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data. 

If, after being given the reasons for personal data collection, use or disclosure, or after reading the privacy notice, you feel that the additional information being requested is excessive, unreasonable or not proportional to the intended purpose, you can object to it (a right that is specifically provided for in Malaysia and the Philippines, and in many countries’ data protection laws). In Malaysia, individuals have the right to prevent processing likely to cause distress due to such malpractices.

In Singapore’s case, although the “right to object” is not specifically referenced, the PDPA requires organisations to collect, use or disclose personal data for legitimate and reasonable purposes. Individuals therefore have the right to complain to the Personal Data Protection Commission if this is not the case.

In addition, when an organisation processes personal information for the purposes of contact tracing or requires certain declarations related to COVID-19, you can ask to access the specific information you provided to them earlier if you wish to check the accuracy of the submission. If the data collected is not accurate, you also have the right to request that corrections be made.

What many people do not know is that, besides a regulatory obligation for organisations to give you access to the data they processed, there is also a stipulated period within which they must respond to and fulfil your requests, e.g. 30 days in Singapore and the EU, and 21 days in Malaysia.

If, after asking for access to how your personal data has been used, you discover unacceptable practices in the processing of your personal data, or that the data is used for another purpose without consent and this is a breach of the law, you can also take action and request that the organisation cease processing your data. For example, overzealous companies might take advantage of personal data collected during the COVID-19 situation and use it in subsequent direct marketing campaigns. You have the right to object and, if you provided consent at the outset, to withdraw your consent. You can even ask for data that was used without any necessary consent to be deleted or erased. Data protection laws either specifically give individuals such rights or there are data retention principles that govern this.


Rights of the Community to be Safe

While the laws grant many other rights to individuals over their personal information (for example, the right to portability), it is important to note that they are not absolute rights and are dependent on the legal basis or justification for the processing. In the case of the measures required to cope with the COVID-19 situation, as explained in this article, individuals’ rights are somewhat limited. They apply only if the data is used by the organisation for some other unrelated or unlawful purposes.

In the unfortunate event that an infected person dies, the data protection law still applies in Singapore and in the Philippines. In Singapore, the PDPA applies to a deceased individual who has been dead for 10 years or less, where the provisions relating to the disclosure and protection of personal data will apply. In addition, the law specifically provides that the heirs or assigns of a deceased individual can give or withdraw any consent, bring an action for loss suffered by the individual as a result of a failure to comply with the PDPA and file a complaint under the PDPA.  In the Philippines, heirs or assigns can invoke a statutory right called “Transmissibility of Rights of the Data Subject” to exercise the rights of a deceased individual or when a critically-ill person is incapable of exercising their rights under the law.



By Kevin Shepherdson, CIPM, CIPT, GRCP, CIPP/E, CIPP/A, FIP
     Lyn Boxall, CIPM, CIPP/A, CIPP/E, FIP


