Advance Blog

March 24, 2020
Tilleke & Gibbins International Ltd.

COVID-19 Prevention Measures under Thailand’s Personal Data Protection Act

Measures to limit the spread of COVID-19 are being implemented in Thailand just as the country approaches the implementation of its landmark new Personal Data Protection Act (PDPA), which will come into effect in May 2020. This adds another layer of complexity to the COVID-19 issue, as employers find that they need to consider new categories of employee personal data, just as restrictions on doing so are due to come into force. From an employment perspective, employers are considered to be personal data controllers under the PDPA, and will thus be subject to extensive requirements when collecting, using, or disclosing employees’ personal data, once the PDPA comes into force.

To help employers stay compliant, we address below the most common questions about the legality of common COVID-19 prevention measures under the PDPA. Note that, while these FAQs specifically address issues for employers, the PDPA also protects the personal data of customers, business partners, vendors, and any other individuals whose data you might hold or process. Businesses should therefore be ready to comply with the PDPA in relation to all personal data that they hold.

Screening Measures: Checking Physical/Health Conditions

Can you check the temperature of visitors for the purpose of preventing the outbreak?

Can you record their temperature? Can it be detailed with the individual’s personal data?
The temperature of visitors can be recorded, but the purpose should be communicated to the individuals, and it is imperative to keep information about a person’s COVID-19 status strictly confidential.

The data in question is considered to be personal data under the law, so retention of the data must be in strict compliance with the requirements and restrictions of the PDPA. Moreover, a person’s temperature reading, when combined with other personal data (e.g., name, contact information, physical symptoms), could be considered what the law terms “sensitive personal data,” for which the PDPA provides enhanced requirements, restrictions, and penalties.

Thus, it is preferable from a compliance point of view to refrain from recording the temperature of everyone entering the premises alongside their personal details. Regardless, the Communicable Disease Act also requires that this type of information, if retained or processed, be kept confidential and processed anonymously.

Forced Disclosure of Certain Physical or Health Conditions

Can you order your staff to disclose symptoms associated with COVID-19?
This is allowed under current data privacy and employment law, and employers may ask employees to disclose this information to HR. Employers can also require a health certificate or medical report.

Once the PDPA is fully effective, any such information already held may still be kept. However, restrictions on obtaining such sensitive personal data (i.e., health-related data) may need to be revisited.

Can you order your staff to disclose their travel history?

Yes—this is also allowable under both data privacy and employment regulations, and the requirement can be issued as a single announcement together with the requirement to disclose symptoms. This position will be unaffected by the PDPA.

Can you order your staff to disclose the travel history of their family members or close contacts?

Yes. However, it would be prudent to request this information only on a need-to-know basis—a practice referred to as “data minimization.”

If a COVID-19 Infection Is Confirmed

Can you publicly communicate the presence of a confirmed case?

Yes. However, any data that could identify the infected individual should not be disclosed. All written communications should be carefully drafted, keeping in mind that information that might not identify an individual to one audience (such as the public) could identify them to another (such as coworkers).

Can you require (and retain) a medical certificate to confirm the case?

Yes. However, once the PDPA is fully effective, the infected individual, once fully recovered, is entitled to exercise his or her right to be forgotten.

If you have any queries about the PDPA, employment law in Thailand, the legal implications of COVID-19, or any other matters, please contact [email protected] or call +66 2056 5555.

Please note that Tilleke & Gibbins is implementing practical social distancing measures designed to protect the wellbeing of our clients and staff. These measures ensure that we work together safely and effectively, without any change to the quality and efficiency of the services you receive.

Athistha (Nop) Chitranukroh, Partner and Director, Corporate and Commercial
Athistha is a partner and director in Tilleke & Gibbins’ corporate and commercial group, head of the firm’s PDPA team, and a Certified Information Privacy Professional/Asia (CIPP/A) with the International Association of Privacy Professionals.
Pimvimol (June) Vipamaneerut, Partner
Pimvimol is a partner in Tilleke & Gibbins’ corporate and commercial group and head of the firm’s non-contentious employment practice. The Legal 500 Asia Pacific recognizes Pimvimol as a leading employment lawyer in Thailand.
Dusita Khanijou, Consultant
Dusita is a consultant in Tilleke & Gibbins’ corporate and commercial group. She assists associates and partners in providing legal services on a wide range of corporate and commercial matters, including Thai labor law.
Thammapas Chanpanich, Attorney-at-Law
Thammapas is an attorney-at-law in Tilleke & Gibbins’ corporate and commercial group. She advises domestic and international clients on legal issues surrounding personal data management and the technology industry in Thailand, among other areas of corporate and commercial matters.
