While the inevitable era of digitalization poses new threats and risks related to personal data, it is of paramount importance to continually improve digital literacy as Indonesia gears up for the Satusehat system.
It should be acknowledged that Indonesia still lags behind other advanced countries in personal data protection practices, with infrastructure and culture cited as the primary factors.
Europeans are generally more literate regarding the importance of personal data, which has been embedded in their culture, and because of this, the issuance of personal data protection laws in European jurisdictions did not cause a reaction as it did in Indonesia. In Germany, for example, the first data protection law was enacted in 1970 because of growing concerns over the menace of automated processing of personal data, unethical use of said data and the utilization of personal data for commercial purposes, which can lead to the abuse of personal data processing by both public and private entities, and criminals. Even with adequate literacy, European countries tend to be more conservative in dealing with personal data to ensure that the data is not manipulated or further used for purposes other than what is initially stated.
Meanwhile, Asia is a very lucrative market for the development of various internet-based technologies. In particular, Indonesia ranks as the world’s fifth largest market for metaverse users, which shows that the public is responding positively to new technologies. The Indonesia Digital Literacy Report 2022 reported that only half of the respondents demonstrated good literacy in personal data protection. This shows that overall, as a country ranked in the top five for internet-based technology such as the metaverse, Indonesians still lag in understanding personal data protection.
Amid this low awareness about the importance of personal data protection, the government is developing Satusehat, a health digital ecosystem which aims to provide convenience in independently accessing and managing health data. The Minister of Health Regulation No. 24 of 2022 on Medical Records provides the standards and requirements to support the digitalization of medical records management through Satusehat.
Satusehat aims to collect and compile comprehensive medical records of an individual sourced from various health facilities which are connected to the system. The primary objective is to manage and ensure the availability of complete medical records of a patient so that both patients and medical professionals have a comprehensive understanding of the patient’s medical history.
This digital transformation of the health sector through Satusehat is prone to risks of data privacy breaches in the healthcare industry. Health data by default is confidential and cannot be opened or accessed unless there is consent from the patient or there is an exception to do so provided under the applicable laws and regulations.
Aside from being conducted by a certain individual or organization, data leaks can also be caused by the absence of access restrictions or a lack of security and access procedures within an organization or company, which may trigger a personal data breach.
When personal data is used fraudulently, it can have a huge impact and could be harmful to the relevant individual (data subject). Moreover, if it is health data, it does not only threaten the welfare of the data subject but could also cause casualties. Imagine if an irresponsible person accesses and fabricates someone’s health data, such as their medical history or drug prescriptions. This could harm the subject’s well-being or even cause fatalities.
Based on PwC Global Digital Trust Insights 2024, data breaches in the health sector have the highest loss value at 47 percent. This can be caused by parties who violate personal data for profit motives through insurance fraud and other criminal acts. Without improving digital literacy, an initiative like Satusehat Indonesia may not be as effective as expected. It is common in Indonesia for senior people to be less literate on digital products and reluctant to learn the basics. Most of the time, the completion of personal data is done by other people (not the person who owns the personal data), such as their children or relatives, which can lead to an inability to verify the truth and a challenge in maintaining the accuracy of the personal data.
Accordingly, not only the patients but also the health workers and professionals must be aware and have good digital literacy in order to operate and manage such a health electronic system.
PDP Law
The Personal Data Protection (PDP) Law No. 27, which was issued in 2022, confirmed the crucial role that digital literacy plays in improving people’s ability to exercise their rights as data subjects.
The key message that the PDP Law delivered to the public was that it would help people get control over their personal data and require both the public and private sectors to enhance their governance frameworks and actively contribute to the protection of personal data by embedding the personal data protection governance and framework in their businesses.
The personal data protection framework implemented by companies and public bodies can be seen as an act of responsibility to protect the personal data of the data subjects, minimize the misuse of personal data, and to prevent any harmful effects to individual data owners.
For individuals, the passing of the PDP Law means greater legal certainty regarding personal data protection. The PDP Law provides individuals with the right to use, manage and control their personal data by prioritizing the protection of the individual’s human rights. The PDP Law also enhances the role of corporations in carrying out ethical and responsible business conduct. The PDP Law requires that personal data processing activities be carried out with an appropriate legal basis and that the processing activity be recorded.
In the context of the health industry, health facilities such as hospitals and clinics are responsible for ensuring that any personal data being processed by the hospital and the distribution of such data has been implemented according to a robust personal data protection framework, in other words, a framework established with a privacy by design element built into it.
For business partnerships, hospitals must first establish the purpose of the personal data exchange and confirm the utilization of such data by their business partner. Second, the hospital needs to make sure the appropriate legal basis is in place for the distribution and exchange of the personal data to their business partners. For example, if hospitals are partnering with a goods and/or services provider in mother and baby care to gift the provider’s products to newborn babies and moms, it is likely that the hospitals will need consent from data subjects to receive marketing gifts from business partners, as the hospitals will share data with the business partners.
Solutions
Improving digital literacy should be an equal responsibility of the public and private sectors. Corporations are encouraged to implement good practice and governance for protecting personal data, and therefore, the PDP Law provides a significant monetary sanction for corporations that violate or misuse personal data.
As a short-term solution, corporations in Indonesia need to raise awareness among decision-makers to ensure that they manage personal data properly, transform the system and improve technical security. Furthermore, improvements can be made by updating technology as needed. People’s awareness of personal data related to corporations also needs to be improved. Continuous awareness training is required to help people adapt to good practices on personal data protection.
The existence of sanctions makes both corporations and individuals liable in the case of personal data breaches and related criminal acts. Nowadays, companies need to examine their business processes to understand how personal data is processed and whether they have applied the correct principles.
The PDP Law emphasizes the rights individuals have over their personal data, including the right to request the deletion of data and the right to know what their data is being accessed for. There are also provisions related to monetary compensation and the establishment of a certain process.
The health law also implements provisions related to personal data and regulates the importance of the confidentiality of personal health data.
As explained above, the government needs to transition from paper-based to electronic medical records. Based on Article 351 of the Law No. 17 of 2023 on Health (the Health Law), the applicable principles are in line with the principles of the PDP Law, including the requirement to obtain consent from individuals to process their personal data and the obligation to inform the data subject regarding the personal data processing conducted by the organization or companies.
Specifically, Article 351, paragraph (6) of the Health Law provides references to the PDP Law and other provisions related to the protection of personal data and information.
The PDP Law serves as a push factor to improve digital literacy and adapt to the current culture of digitalization. Cultural changes must be made to raise the awareness of personal data given that personal data can be used and misused by illegal parties.
The PDP Law is expected to raise public awareness that as technological development increases, it needs to be followed by individual self-adjustment regarding personal data as a precaution against personal data threats.
To conclude, the PDP Law is a good move from the government in keeping up with fast-changing technology, the trend of digitalization and the protection of the wellbeing of the public from unforeseeable harm caused by the misuse of personal data. As such, implementing personal data protection requires a collective improvement of digital literacy, a behavioral and cultural change toward personal data and the provision of regulations and guidance for personal data protection practices.