On 1 December 2016, the government of the Republic of Indonesia promulgated the Minister of Communication and Informatics Regulation Number 20 of 2016 on Personal Data Protection in Electronic System (“Permenkominfo 20/106”).
Permenkominfo 20/2016 is an implementing regulation of Government Regulation Number 82 of 2012 on Implementation of Electronic System and Transaction, that stipulates that the guide of protection of personal data in an electronic system to be further regulated under the regulation of the minister.
Personal Data is a specific individual data which is saved, taken care of, maintained its truth, and its confidentiality protected. The individual Data is every true and real information which is attached and identifiable, both direct and indirect, to each individual which its utilization is based on the laws and regulations.
The protection of personal data in Electronic System is conducted in the following process:
- Acquisition and collection;
- Processing and analysis;
- Display, announcement, delivery, dissemination, and/or access Granting; and
Acquisition and Collection of Personal Data
Acquisition and collection of personal data by the electronic system organizer must be limited on the relevant information and in accordance with its purposes and must be conducted accurately.
Acquisition and collection of personal data by the electronic system organizer must be based on approval from the personal data’s owner or based on the laws and regulations. If the owner of personal data does not approve the disclosure of personal data then every person who conducts the acquisition and collection of personal data and electronic system organizer must protect the confidentiality of that personal data.
Personal data which is acquired and collected directly must be verified to the personal data owner based on the processed data from many data resources. The resource of data must have a valid legal basis. The electronic system used to store acquisition and collection of personal data must have capability of interoperability and compability as well as use a legal software.
Processing and Analyzing of Personal Data
Personal data may only be processed and analyzed according to the needs of electronic system organizer which has been stated clearly while acquiring and collecting the data. Moreover, the management and analysis must be conducted based on approval, unless the personal data comes from the personal data which has been displayed or announced publicly by electronic system for public service. The personal data that is managed and analyzed must have verified its accuracy.
Personal Data Storing
Personal data which has been stored in an electronic system must be the personal data that has been verified its accuracy and must be in the form of encrypted data. Personal data must be stored in an electronic system:
- in accordance with the laws and regulation which stipulates the termed obligation of personal data storing in each supervisory institution and sectoral inspector; or
- at least 5 years, if there has not been laws and regulations specifically stipulate the particular stipulation.
Data center and disaster recovery center of electronic system organizer for public service which is used for the process of personal data protection must be located in the Republic of Indonesia. Data center is a facility used for locating electronic system and related components for data placement, storing, and processing purposes.
Disaster recovery center is a facility used for recovering the data or information and other important function of electronic system which is disturbed or damaged r caused by disaster originated from natural factors and/or humans. If the duration of personal data storing has exceeded the time limit, then personal data in an electronic system may be destructed unless the personal data will still be in use or process according to the original purpose of its acquisition and collection.
Display, Announcement, Delivery, Dissemination, and/or Access Granting of Personal Data
Displaying, announcing, delivering, disseminating, and/or access granting of personal data in an electronic system may only be conducted:
- on approval unless it is stated otherwise by the stipulation of laws and regulations; and
- after the accuracy and harmony has been verified with the acquisition and collection of the personal data.
Personal data transmission which is managed by the electronic system organizer on government and regional institution and public or private which domiciled in the Republic of Indonesia to the outside of Republic of Indonesia must:
- coordinate with the Minister or officer/institution which is given the authority; and
- apply the stipulation in the laws and regulations relating to cross border Personal Data exchange.
For the law enforcement purpose, electronic system organizer must provide the personal data which is contained in the electronic system or personal data resulted by electronic system on the legal request from the law enforcement officer based on the laws and regulations.
The use and utilization of personal data which is displayed, announced, received, and disseminated by electronic system organizer must be based on approval. The use and utilization of personal data must be according to the purpose of acquisition, collection, processing, and/or analyzation of personal data.
Destruction of Personal Data
Destruction personal data in electronic system may only be conducted if:
- it has exceeded the time limit of personal data storing in electronic system based on this regulation or in accordance with the laws and regulations which spefically stipulates in each supervisory institution and sectoral inpector; or
- by the request of personal data owner, unless it is stated otherwise by the laws and regulations.
Rights and Obligation of the Parties
Personal data owner has the right:
- on the confidentiality of its personal data;
- to file a complaint in the event of dispute settlement of personal data on the failure of its personal data protection by the electronic system organizer to the Minister;
- to obtain an access or chance to revise or renew its personal data without interfering the personal data processing system, to acquire the history of its personal data which has been delivered to the electronic system organizer, unless it is stated otherwise by the laws and regulations; and
- to request for its individual data in electronic system which is managed by the electronic system organizer, unless it is stated otherwise by the laws and regulations.
Each electronic system organizer has the obligations:
- to conduct a certification of electronic system which is managed in accordance with the laws and regulations;
- to protect the truth, validity, confidentiality, accuracy, and relevancy also the accordance with the purpose of acquisition, collection, processing, analyzation, storing, display, announcement, delivery, dissemination, and destruction of personal data;
- to report in written form to the personal data’s owner if there is a failure of personal data protection in electronic system it is managed, with the terms of reports such as:
- must be accompanied with reason or cause of the failure of the personal data protection;
- may be conducted electronically if the personal data’s owner has provided approval which is stated on the acquisition and collection of its personal data;
- must be confirmed that it has been received by personal data’s owner if the failure contains a potential loss for the owner; and
- written notification which is sent to the personal data’s owner no later than 14 days since the failure is acknowledged.
- to have internal rules related to the personal data protection which is according to the laws and regulations;
- to provide audit track record in the whole electronic system organization it is managed;
- to provide options to personal data’s owner regarding the managed personal data that it is able or unable to be used and/or displayed by/to third party on approval as long as it is related with the purpose of acquisition and collection of personal data;
- to provide access or chance to personal data’s owner to revise or revew its personal data without interfering the personal data processing system, unless it is stated otherwise by the laws and regulations;
- to destruct the personal data according to this regulation or other laws and regulations which specifically regulates in each supervisory institution and sectoral inspector; and
- to provide contact person which can be easily contacted by personal data’s owner regarding its personal data processing.
Each personal data owner and electronic system organizer may file a complaint to the Minister on the failure of personal data protection. The complaint and complaint handling shall be conducted based on the procedure such as:
- complaint is filed no later than 30 days since the complainant obtain the information;
- complain is filed in written form and must be accompanied with the supporting evidences;
- officers/dispute settlement institution must respond to the complaint no later than 14 working days since the complaint is received which is at least contains completed or incomplete complaint;
- an incomplete complaint must be completed by the complainant no later than 30 working days since the complainant receive the respond and if it exceeded the time limit, the complaint is considered as cancelled;
- officers/dispute settlement institution must handle the complaint settlement starting from 14 working days since the completed complaint is received;
- the dispute settlement based on the completed complaint is conducted by deliberation or by other alternative settlement in accordance with the laws and regulations; and
- officers/dispute settlement institution which handles the complaint may submit a recommendation to the Minister for the administrative sanction pronounced to the Electronic System Organizer although the complaint may or may not be settled by deliberation or by other alternative settlement.
If the dispute settlement by deliberation or by other alternative settlement is unable to settle the dispute on failure of personal data protection, every personal data’s owner and electronic system organizer may file a civil claim regarding the failure of personal data protection.
If in the process of law enforcement by the officer in accordance with the laws and regulations the authority must conduct a confiscation, then the things that may be confiscated would be the personal data which related to the case without having to confiscate the whole electronic system.
Every person who acquires, collects, processes, analyzes, stores, displays, announces, delivers, and/or disseminates personal data wrongfully or not in accordance with the terms in this regulation or other laws and regulation will be imposed administrative santion according to the laws and regulations such as: (a) verbal warning; (b) written warning; (c) temporarily activity suspension; and/or (d) announcement in an online system.
Indira Sarah Lumbanraja