Measures to limit the spread of COVID-19 are being implemented in Thailand just as the country approaches the implementation of its landmark new Personal Data Protection Act (PDPA), which will come into effect in May 2020. This adds another layer of complexity to the COVID-19 issue, as employers find that they need to consider new categories of employee personal data, just as restrictions on doing so are due to come into force. From an employment perspective, employers are considered to be personal data controllers under the PDPA, and will thus be subject to extensive requirements when collecting, using, or disclosing employees’ personal data, once the PDPA comes into force.
To help employers stay compliant, we address below the most common questions about the legality of common COVID-19 prevention measures under the PDPA. Note that, while these FAQs specifically address issues for employers, the PDPA also protects the personal data of customers, business partners, vendors, and any other individuals whose data you might hold or process. Businesses should therefore be ready to comply with the PDPA in relation to all personal data that they hold.
Screening Measures: Checking Physical/Health Conditions
Can you check the temperature of visitors for the purpose of preventing the outbreak?
Can you record their temperature? Can it be detailed with the individual’s personal data?
The temperature of visitors can be recorded, but the purpose should be communicated to the individuals, and it is imperative to keep information about a person’s COVID-19 status strictly confidential.
The data in question is considered to be personal data under the law, so retention of the data must be in strict compliance with the requirements and restrictions of the PDPA. Moreover, a person’s temperature reading, when combined with other personal data (e.g., name, contact information, physical symptoms), could be considered what the law terms “sensitive personal data,” for which the PDPA provides enhanced requirements, restrictions, and penalties.
Thus, it is preferable from a compliance point of view to refrain from recording the temperature of everyone entering the premises alongside their personal details. Regardless, the Communicable Disease Act also requires that this type of information, if retained or processed, be kept confidential and processed anonymously.
Forced Disclosure of Certain Physical or Health Conditions
Can you order your staff to disclose symptoms associated with COVID-19?
This is allowed under current data privacy and employment law, and employers may ask employees to disclose this information to HR. Employers can also require a health certificate or medical report.
Once the PDPA is fully effective, any such information already held may still be kept. However, restrictions on obtaining such sensitive personal data (i.e., health-related data) may need to be revisited.
Can you order your staff to disclose their travel history?
Yes—this is also allowable under both data privacy and employment regulations, and the requirement can be issued as a single announcement together with the requirement to disclose symptoms. This position will be unaffected by the PDPA.
Can you order your staff to disclose the travel history of their family members or close contacts?
Yes. However, it would be prudent to request this information only on a need-to-know basis—a practice referred to as “data minimization.”
If a COVID-19 Infection Is Confirmed
Can you publically communicate the presence of a confirmed case?
Yes. However, any data that could identify the infected individual should not be disclosed. All written communications should be carefully drafted, keeping in mind that information that might not identify an individual to one audience (such as the public) could identify them to another (such as coworkers).
Can you require (and retain) a medical certificate to confirm the case?
Yes. However, once the PDPA is fully effective, the infected individual, once fully recovered, is entitled to exercise his or her right to be forgotten.