Client COVID-19 INSIGHTS CENTER/ Newsflash
Personal Data Protection and Privacy: Indonesian Government Turns to Technology to Help Stop the COVID-19 Outbreak
As the number of COVID-19 cases keeps growing, many governments around the world turn to technology to press down the spread of the virus. These technologies serve various purposes, from digital health services to online community management.
The Indonesian government has also been using technology as part of the effort to fight COVID-19. For instance, the Executive Office of the President of Indonesia developed “10 Rumah Aman” Application as a tool to manage the public to stay at home or the modification of “Lancang Kuning Nusantara” Application by the Regional Police of Riau, which previously used to track wildfires and is now altered to track assistance distribution for people affected by COVID-19.
Another use of technology by governments to flatten the COVID-19 curve is the development of a digital contact tracing application. China and Singapore are two of the first countries to launch these contact tracing applications using big data on the movement of people by way of Bluetooth signal to trace if someone has been in close contact within the last 14 (fourteen) days with someone contracted by or suspected to have the COVID-19 virus. Not only the governments, Apple and Google as tech giants are also designing a similar tracking system for their mobile devices.
Learning from other jurisdictions’ experience that has successfully launched digital tracking application, the Indonesian government has recently launched a digital contact tracing application called PeduliLindungi.
- How Digital Contact Tracing Application Works
In general, digital contact tracing applications will only work between users who have installed the application on their mobile phone. The application generally utilizes proximity data using Bluetooth technology. It often uses a randomly generated ID based on the device information as well as the registered name and active phone number (“Device ID”). If a user has been in close contact with COVID-19 patients or patients suspected to have the virus, the application will notify the user. Some applications will forward the information of the COVID-19 patients to health officials.
In collecting and processing the data, there are 2 (two) common models of digital contact tracing applications as follows:
- Centralized models. This model attempts to collect and centralize data by generating and keeping track of the users’ identifiers to construct the contact graph of a user in case they are infected. The generation of identifiers and generation of contact graphs are done on a server which will be controlled by the responsible institution(s). Thus, in the event that someone is tested positive for COVID-19, the application will upload the contact history log of such user, in which the authorized party would be able to match the identifiers with user records and contact people who had been in close contact with the patient.
- Decentralized models. In this model, the data will be kept on the devices as much as possible. It is aimed to strictly control data flows to avoid accumulating and collecting too much data on a centralized server. This means that a server exists but only to enable people to use their own devices to trace contacts. The server is not authorized to collect and store personal data, and it cannot use any identifiers to single out an individual, nor does it provide identifiers for users to broadcast. The key difference here is that the decentralized model will keep as much as data exclusively on the users’ device.
In some cases, a digital contact tracing application can also be equipped with a Past Movement Tracking feature. This feature collects and processes mobile location data generated by a phone’s interaction with cell towers, WiFi, Satelite, or be found in the form of metadata of call log or text log.
- An Ideal Digital Contact Tracing Application from the Perspective of Indonesian Personal Data Protection Regime
Personal data, in essence, is any data relating to an identified or identifiable natural person – directly or indirectly.
Digital contact tracing application often uses the Device ID, in which it relates to one particular user as it was generated from the submitted name and active phone number. In addition, in the event that the application provides a past movement tracking feature or other feature with similar nature, the application will also collect and process mobile location data – which in itself relates to the users’ registered phone number as well as their location.
As digital contact tracing application uses and processes personal data, its operation shall comply and adhere to the personal data protection regime.
The utilization of a digital contact-tracing application to stop the spread of COVID-19 ideally should still consider and implement the following points:
- Use the safest and most appropriate model of digital contact tracing application by considering the prevailing data protection regulatory framework.
- The centralized model can be more effective by nature, since it collects and analyzes more data centrally. However, in order for this model to safely secure the personal data, it would require a more matured and developed data protection regulatory framework to safeguard the security of the personal data – including its enforceability. This is in particular due to the high risk of unwanted misuse of data or even unlawful external breach when all of the data are pooled in a centralized server.
- The decentralized model may be the safest approach for the protection of users’ personal data – from a technical standpoint. Using this model, there is no entity that can access a centralized/pooled personal data since the model will keep as much data on the users’ device as possible. This model, in a way, has built-in technical measures within the design of the application to safeguard the users’ data. In addition, it will also help to ensure that any collected data cannot be used for purposes other than to trace and track the spread of COVID-19.
- Comply with the rules and principles of the prevailing personal data protection regulatory framework. The following are several key provisions that must be taken into account when it comes to personal data processing activities:
- Use the appropriate and available lawful grounds, e.g., consent, public interest, legitimate interest, or other grounds as provided by GR 71/2019 (lawfulness principle). Further, when using users’ consent, it must be noted that lawful consent must fulfill the criteria of unambiguous, freely given, specific, and informed.
- Ensure that the application will only collect and process the personal data that are strictly necessary to achieve the purposes (data minimization principle).
- Ensure that the personal data are only processed for the purposes which have been initially informed to the users (purpose limitation principle).
- The responsible institutions must provide clear and sufficient information relating to the processing activities. For instance:
- identify the responsible party in the operation of the application.
- inform the purposes of processing and the scope of processing activities in a clear and sufficient manner.
- provide sufficient detail and assurance on how the data will be adequately protected when it is shared with any third party.
- provide a sufficient explanation and clarification on how the application actually works, e.g., whether the application strictly processes proximity data utilizing Bluetooth, or also track past movement based on mobile location data.
- Ensure the accountability of the processing operation carried out by the application, inter alia, by keeping a record of every personal data processing activities (accountability principle).
- Keep the collected personal data only for the necessary period of time, and store such data using the state of the art encryption technology to maintain its confidentiality. Further, since the application is dealing with sensitive information (i.e., health data), the responsible controller(s) of the data shall store it in a format which does not allow any direct identification during the retention period to prevent any unwanted leakage or misuse.
- Lastly, during the processing timeframe, it might also be necessary to periodically evaluate whether or not the proposed measure to use the application shall contribute to mitigate and limit the spread of COVID-19.
A digital contact tracing application may give an edge to the Indonesian Government in managing, preventing, and subsequently, stopping the spread of COVID-19 in Indonesia. However, while processing data plays a major role in formulating the right approach to manage the virus containment, it is paramount for the parties involved in this operation to ensure the adequacy of the protection towards individuals’ Personal Data by complying with relevant Personal Data protection rules and principles.
The assurance on complete compliance with the Personal Data protection regime will certainly help the Government to promote and urge our citizens to utilize a digital contact tracing application. The more users of the application, the more effective this application will be.
May 18, 2020
Copyright © 2020 AKSET. All rights reserved.
Please contact Abadi Abi Tisnadisastra (firstname.lastname@example.org), Prihandana Suko Prasetyo Adi (email@example.com), Noor Prayoga Mokoginta (firstname.lastname@example.org), or Irene Vivi N. Sidabutar (email@example.com) for further information.
The foregoing material is the property of AKSET and may not be used by any other party without prior written consent. The information herein is of general nature and should not be treated as legal advice, nor shall it be relied upon by any party for any circumstance. Specific legal advice should be sought by interested parties to address their particular circumstances. Any links contained in this document are for informational purposes and are available and relevant at time this publication is made. We provide no liability whatsoever in respect of any information or content in such links.