Personal data collected at business premises for the purpose of contact tracing


Customers must leave personal data such as name, contact number, date and time of visit for the purpose of contact tracing at business premises during CMCO

In a statement by the Ministry of Communication and Multimedia, it was stated that only the customer’s or visitor’s name, contact number, date and time of visit, should be recorded upon entering business premises.

It was also added that it was up to the premises owners to implement either manual or electronic recording.

A notice must also be displayed and easily seen to inform visitors or customers on the purpose of the personal data and that the data is used only for the purpose of contact tracing in accordance with the Prevention and Control of Infectious Diseases Act 1988 (Act 342).

During the conditional movement control order (CMCO), all business premises allowed to operate must comply fully with the operating procedures with regards to the collection, processing and storing of personal data.

Business premises must also ensure the data obtained are accurate, complete and not misleading and it could only be kept up to six months after the conditional MCO ends, after which all data must be destroyed and deleted.

Non-compliance of the procedure is an offence, and if convicted, premises owners could be fined up to RM300,000 or jailed for two years or both, under the Personal Data Protection Act 2010 (Act 7090).

However, the procedures are subject to changes, as and when new rulings are introduced by the government, the statement said.

As such the public need not worry about sharing their personal data at any business premises for the purpose of Covid-19 contact tracing as the ministry would conduct continuous monitoring.

Any complaints regarding the implementation of this advisory may be filed through the Personal Data Protection System (SPDP) at

Comments are closed.