When the State Fails to Protect its People's Data

The PDP Law, which is supposed to be a protector, is not finished yet

The public was again shocked by community findings of a data leak containing important information about the population. This time the data is allegedly sourced from BPJS Health: based on data samples that are now being traded on the black market, the structure is identical to the database managed by BPJS Health, consisting of Name, NIK, Card No., Phone No., Email, TIN, Salary, etc.

This is not the first time. In the middle of last year, millions of population records from the Permanent Voters List for the 2014 Election were under discussion. Under the classification of data in Government Regulations, the leaked data falls into the category of "strategic electronic data", the highest level, for which even the server may not be located outside Indonesia.

In response, BPJS Kesehatan and the government [in this case represented by Kominfo] stated that they were investigating and looking further into the matter.

Danger of abuse

If the convenience offered by digital services is a double-edged sword, the threat of data misuse is its negative edge. The impact can be felt directly by the community. For example, the data can be used for identity fraud, for conducting illegal digital financial transactions, or studied to find certain patterns for bad purposes.

The fact is that there are still many gaps in the various digital services now widely used by Indonesian consumers. One is the lack of strict verification systems on various platforms: there have been incidents of people printing fake identity cards with a NIK and possibly a correct name to get through an e-KYC process that relies on a selfie with an ID card. Fortunately, some developers are now starting to improve security, for example by implementing biometric-based digital signatures.

Given its strategic nature, it is clear that the data should have a high level of security and privacy protection. Ideally, it is also the right of the community to get protection of data related to themselves. Now that the leak has happened, who should be responsible? What repressive measures should be taken?

This question is still quite difficult to answer. Based on our previous experience, we have never heard of government follow-up [sanctions] on the consumer data leaks that have hit several digital services with massive user bases in Indonesia, even though those leaks also contained important data related to user identities. The reason is that there is not a single legal obligation that can be imposed, because the regulations do not yet exist.

What's up with the PDP Act?

Reportedly, it is still not finished. The draft bill, which was included in the 2021 Priority National Legislation Program, was said to be due for completion before Eid this year; in fact it has not yet been completed.

Based on the draft as of December 2019, the regulation contains 72 articles and 15 chapters governing the definition of personal data, types, ownership rights, processing, exceptions, controllers and processors, delivery, authorized institutions that regulate personal data, and dispute resolution. In addition, it covers matters from international cooperation to the sanctions imposed for misuse of personal data.

From our analysis and conversations with sources, at that time there were still many potential loopholes that threatened the privacy rights attached to personal data; the hope is that the draft has since been refined. In fact, if it is passed, many consumer rights will be supported through regulation. For example, users may ask companies that manage data to delete their data and no longer use it [including for commercial purposes].

This includes fines of a very large nominal amount, said to be a legal obligation on the electronic system operator if it is proven that consumer data was leaked. It is hoped that this step will force developers to pay more attention to strategies and preventive measures for securing their important data.

Then, with a series of cases that continue to occur, does the regulator still want to delay the ratification of the Personal Data Protection Act? Two hundred million more population data on the black market should be a hard slap for the parties concerned.

Society can only surrender?

Unfortunately, under certain conditions: YES. What can we do to provide more protection for BPJS Health data? In fact, for applications developed by digital companies, the steps that might be taken are along the lines of routinely changing passwords, enabling two-factor authentication, or paying attention to the credibility of the service. There is no formal mechanism in place for requests for deletion of data or the like.

This situation makes the enforcement of the PDP Law even more urgent. Legal protection will be an important umbrella that makes it easier for the public to control the data they own, because one person's data is highly valuable and their privacy rights must be protected.

-

Header Image: Depositphotos.com