Expiry of Transitional Period of Personal Data Protection Law

On October 17, 2022, the Government enacted Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”). Under the PDP Law, Controllers, Processors, and other parties relevant to the processing of personal data have 2 (two) years from the date of enactment of the PDP Law to comply with it. Accordingly, on October 17, 2024, the foregoing transitional period officially expired.

Despite the above, there are several remaining questions that need to be addressed to ensure full compliance with the PDP Law, including the following.

Implementing Regulation of PDP Law

As of October 17, 2024, the Government has not issued the implementing regulation(s) of the PDP Law. The absence of the implementing regulation(s) makes it difficult for the relevant parties to comply with the PDP Law. Without the implementing regulation(s), key aspects such as the scope of processing activities, data subjects’ rights, details on data protection officers, transfer of personal data, enforcement mechanisms, and sanctions procedures remain unclear.

The Government issued a draft implementing regulation of the PDP Law as of August 31, 2023. Based on the information obtained from the website of the Ministry of Communication and Informatics (https://pdp.id/rpp-ppdp/1), the draft is currently at the harmonization stage. The Government is yet to confirm when the implementing regulation of the PDP Law will be officially enacted.

Supervisory Institution

The PDP Law mandates the establishment of a specific supervisory institution, determined by the President, which reports directly to the President. The Institution’s responsibilities are to: (i) formulate and determine personal data protection policies and strategies, serving as guidelines for personal data subjects and the relevant key players within the data processing environment; (ii) supervise the implementation of personal data protection; (iii) enforce administrative sanctions against violations of the PDP Law; and (iv) facilitate alternative dispute resolution.

The Institution is crucial for monitoring compliance, providing guidance to organizations, and handling complaints from data subjects. Without a functioning supervisory institution, there may be a lack of accountability and of a framework for addressing violations, leaving individuals and organizations without the necessary support to navigate their rights and responsibilities under the PDP Law.

Based on several news publications, the Government is actively preparing for the establishment of the supervisory institution mandated by the PDP Law, though it has yet to confirm an official timeline for its launch.

Notwithstanding the missing links in the PDP Law, we strongly recommend that all relevant parties comply with the PDP Law. We will continue to monitor the situation closely and provide timely updates and guidance as new information becomes available.

AKSET

Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com) or M. Fatih Satria Kasmaliputra (mkasmaliputra@aksetlaw.com) for further information.


Disclaimer:

The foregoing material is the property of AKSET and may not be used by any other party without prior written consent.  The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance.  Specific legal advice should be sought by interested parties to address their particular circumstances.

Any links contained in this document are for informational purposes and are available and relevant at time this publication is made.  We provide no liability whatsoever in respect of any information or content in such links.


Health Omnibus Law Series – Data Privacy in the Health Sector

This Newsflash is part of our Health Omnibus Law Newsflash series with respect to the issuance of Law No. 17 of 2023 dated August 8, 2023 on Health (the “Health Law”). The Health Law governs a wide range of topics in the health sector, including personal data protection in the health sector, and seeks to harmonize the personal data protection aspects of the health industry with the applicable data protection laws and regulations, particularly Law No. 27 of 2022 dated October 17, 2022 on Personal Data Protection (the “PDP Law”). Please refer to our previous Newsflash on the PDP Law at the following link: AKSET Newsflash - PDP Law.

As previously noted, the Health Law is issued using the omnibus method. The Health Law revokes several laws and regulations in the health sector, including Law No. 36 of 2009 dated October 13, 2009 on Health (the “Previous Health Law”). Under the Previous Health Law, provisions relating to data privacy and/or personal data protection were inadequate and were found only sporadically in several implementing regulations under the Previous Health Law, including the Minister of Health Regulation No. 24 of 2022 dated August 31, 2022 on Medical Records. Although the Health Law revokes the Previous Health Law, all implementing regulations of the Previous Health Law remain valid for so long as they do not contradict the Health Law.

We highlight the key data privacy related provisions under the Health Law, as follows.

♦ Personal Health Data and Information

  • Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Patients’ Personal Health Data and Information

Each Medical Personnel or Tenaga Medis (i.e., doctors and dentists) and Health Personnel or Tenaga Kesehatan (e.g., nurses) must maintain the confidentiality of patients’ personal health information when providing medical services to individuals. Information on patients’ personal health that shall be kept confidential includes history, condition and treatment, and medication for one’s physical and psychological health, as well as the patients’ personal data. The same obligation applies to Health Service Facilities or Fasilitas Pelayanan Kesehatan.

  • Acknowledgement of Patients’ Rights to Confidentiality of Personal Health Data and Information and to Obtain Personal Health Data and Information

Patients are entitled to, among others, the right to confidentiality of their personal health data and information. Further, a patient is entitled to request their personal health information, including the actions and treatments that the patient has received or will receive from Medical Personnel and/or Health Personnel.

However, the confidentiality above is not applicable in certain conditions such as (i) fulfillment of requests by law enforcers for law enforcement, (ii) management of extraordinary events or kejadian luar biasa, outbreaks, or disasters, (iii) limited educational and research interests, (iv) efforts to protect against threats to the safety of others, individually or to the public, (v) health maintenance, treatment, healing, and patient care interests, (vi) the patient’s own request, (vii) administrative, insurance payments, or health financing security interests, and/or (viii) other interests as regulated in the applicable laws and regulations.

♦ Medical Records

  • Obligation for Medical Personnel, Health Personnel, and Health Service Facilities to Maintain Confidentiality of Medical Records

In providing medical services to individuals, each Medical Personnel and Health Personnel shall maintain a medical record prepared using an electronic system. A medical record is defined as a document that contains the patients’ identity data, observation, treatment, action, and other services provided to the patients. Such medical records shall be maintained and kept confidential by the Medical Personnel, Health Personnel, and management of Health Service Facilities.

  • Acknowledgement of Patients’ Rights to Access Medical Records

Although the medical records are owned by the Health Service Facility, a patient may access information contained in their medical records. The Health Service Facility has the obligation to maintain the security, integrity, confidentiality, and availability of the data contained in the medical records.

  • Management of National Health Data

In the context of the management of national health data, the Minister of Health (the “MOH”) is responsible for the management of the medical records. Such management of medical records includes formulation of policies, collection, processing, storage, security, data transfer, and monitoring.

  • Operation of Health Information System

To carry out effective and efficient health efforts, the Health Law governs the operation of a Health Information System, which is a system that integrates multiple stages of processing, reporting, and use of information to increase effectiveness and efficiency in health management and directing decision making for health development. The operators of such Health Information System may be the Central Government, a Regional Government, a Health Service Facility, and the public, both individuals and groups (any one of them, an “Operator”).

  • Obligation of Operators in Processing of Health Data and Information

An Operator shall ensure the reliability of the Health Information System which covers (i) availability, (ii) security, (iii) maintenance, and (iv) integration. Further, an Operator shall carry out the processing of health data and information in accordance with the applicable laws and regulations which includes (i) planning, (ii) collection, (iii) storage, (iv) inspection, (v) transfer, (vi) utilization, and (vii) destruction.

In carrying out the processing of health data and information, an Operator shall ensure the protection of health data and information of each individual. The Health Law also emphasizes that the processing of health data and information that uses individuals’ health data is subject to consent from the data owners and/or fulfill other requirements as the basis of personal data processing in accordance with laws and regulations on personal data protection.

  • Rights of Data Owners in Processing of Health Data and Information

In relation to data processing by an Operator, the data owners are entitled to the following: (i) obtain information regarding the purpose of collecting the individual health data, (ii) access and make changes to the data and information through the Operator, (iii) request the Operator to send the data to another Operator, (iv) request the Operator to delete incorrect data based on the data owner’s consent, and (v) obtain other appropriate personal data subject rights in accordance with laws and regulations on personal data protection.

  • Location for Processing of Health Data and Information

An Operator shall carry out the processing of health data and information within Indonesia. Such processing of health data and information includes (i) acquisition and collection, (ii) management and analysis, (iii) storage, (iv) repairs and updates, (v) display, announcement, transfer, distribution, or disclosure, and/or (vi) deletion or destruction.

Notwithstanding the above, the Health Law provides that data processing may be carried out outside the territory of Indonesia (in the form of transfer and storage) in accordance with laws and regulations regarding electronic information and transactions, electronic system operation, and personal data protection. Specifically for cross-border data transfers, such data transfers shall be for a specific and limited purpose with a permit from the President.

We note that the Health Law expressly stipulates that provisions relating to medical records and processing of health data and information are to be further governed by a Government Regulation. As a reference, the same also applies to the majority of the provisions stipulated under the Health Law, which will be further governed by Presidential Regulations, Government Regulations, and Minister of Health Regulations.

Considering the current objections from the medical community with respect to certain provisions under the Health Law, kindly anticipate the possibility that the Health Law will be challenged by the medical community or other interested parties before the Constitutional Court. We will monitor developments and will issue further updates as relevant.

August 24, 2023

AKSET

Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com), Clara Anastasia So (canastasia@aksetlaw.com), or M. Fatih Satria Kasmaliputra (mkasmaliputra@aksetlaw.com) for further information.




The Highly-Awaited Indonesian Personal Data Protection Law Is Passed

After about seven years in the making, on September 20, 2022, the Parliament finally approved the Personal Data Protection Bill (the “PDP Bill”) during the 5th Plenary Session of 2022-2023 of the Parliament.

In an age where personal data processing activities seem inevitable, the PDP Bill is expected to be the cornerstone and centerpiece of Indonesia’s personal data protection regulatory framework. The PDP Bill will serve as an “umbrella” regulation for all personal data processing activities horizontally across all sectors, while still allowing flexibility for each sector to tailor specific regulations according to its sectoral characteristics.

At present, the approved version of the PDP Bill has not been circulated publicly. Nevertheless, based on the latest publicly available version of the PDP Bill as of September 20, 2022, we note that the PDP Bill will adopt concepts similar to those found in more mature data protection regimes (e.g., the European Union’s General Data Protection Regulation/GDPR).

Below we highlight several key concepts in the PDP Bill based on the latest publicly available version.

♦ Supervisory Institution

Since independent supervision is an essential component of the enforcement of data protection law, the PDP Bill gives a mandate for the establishment of a specific supervisory institution (the “Institution”) which reports directly to the President. The Institution has a myriad of authorities and powers, notably to:

    • Formulate and determine personal data protection policies;
    • Supervise personal data protection compliance;
    • Impose administrative sanction against personal data protection violations;
    • Assess cross-border data transfer activities.

♦ Separation of “Controller” and “Processor”

Adopting a concept similar to that of the EU’s GDPR, the PDP Bill recognizes and separates a “Controller” from a “Processor” within a data processing ecosystem. Both parties are the key players within the data processing environment as the users of personal data. A Controller is defined as any person, alone or jointly with others, that determines the purposes of and has control over the processing of personal data. Meanwhile, a Processor is defined as any person who processes personal data on behalf of a Controller.

♦ Newly Formulated Lawful Grounds for Personal Data Processing Activities

One of the most significant changes that will be brought by the PDP Bill is the acknowledgement of other lawful grounds—in addition to the traditional approach that solely relies on “consent”—such as:

    • For the performance of a contract;
    • Legal duties of a Controller;
    • Vital interests of a data subject;
    • Public interest and exercise of official authority; and
    • Other legitimate interests.

♦ Introduction of “Data Protection Impact Assessment” Obligation

The Data Protection Impact Assessment (DPIA) is required to be carried out by a Controller where the intended personal data processing activities are likely to result in a high risk for the data subjects. The DPIA is carried out to evaluate a potential risk that may occur from a processing activity and identify mitigating steps.

To this end, the PDP Bill stipulates a list of processing activities that may be considered as having a high risk—for which a DPIA is necessary—namely in cases of:

    • Individual automated decision making that may produce legal effects or have similarly significant effects to the data subjects;
    • Processing of sensitive personal data;
    • Processing of personal data on a large scale;
    • Processing of personal data for the purposes of evaluation, scoring, or systematic supervision towards the data subjects;
    • Processing of personal data for the purposes of grouping or merging data groups;
    • The use of new technologies in the processing of personal data; and/or
    • Processing of personal data which restricts the enforcement of data subjects’ rights.

♦ Appointment of Data Protection Officers

The PDP Bill requires a Controller and a Processor to appoint a Data Protection Officer (DPO), if all of the following conditions apply:

    • The processing of personal data is carried out for public interests;
    • The nature, scope, and/or purposes of the Controller’s core activities require the regular and systematic monitoring of personal data on a large scale; and
    • The Controller’s core activities consist of processing activities on a large scale towards sensitive personal data and/or personal data related to criminal activities.

A DPO may be an internal person (i.e., a staff member) or an external person (e.g., a consultant/lawyer), as long as the DPO is appointed on the basis of professional qualities, expert knowledge and practice of personal data protection, and the ability to fulfill his/her tasks. A DPO has the following tasks:

    • Inform and advise the Controller or the Processor to comply with the PDP Bill;
    • Monitor and ensure the compliance of the PDP Bill and the relevant policies of the Controller or the Processor, including the assignment, responsibilities, awareness-raising, and training of all the parties involved in the processing activity, as well as related audits;
    • Provide advice relating to the data protection impact assessment and monitor the performance of the Controller and the Processor; and
    • Coordinate and act as the contact point for issues related to personal data processing activities.

♦ Sanctions

Under the PDP Bill, a personal data protection violation may be subject to both administrative and criminal sanctions.

The criminal sanctions are in the form of monetary fines (up to Rp6 billion) and imprisonment (up to 6 years). Meanwhile, in addition to written warnings and temporary suspension of personal data processing activities, the PDP Bill imposes an administrative fine of up to 2% of the Controller’s or the Processor’s annual income, depending on the relevant violation variable—which will be further regulated in an implementing regulation.

September 22, 2022

AKSET

Please contact Johannes C. Sahetapy-Engel (jsahetapyengel@aksetlaw.com), Raden Suharsanto Raharjo (rraharjo@aksetlaw.com), or Noor Prayoga Mokoginta (nmokoginta@aksetlaw.com) for further information.
