Commemorating International Data Privacy Day:
A Comprehensive Personal Data Protection Policy is Needed in Indonesia
Jakarta, January 27, 2022 - As public interaction with the digital world increases, a conducive and secure digital ecosystem is crucial, especially regarding data privacy. The Personal Data Protection Bill Draft (“RUU PDP”), which has already passed public testing, is expected to serve as a policy instrument that helps improve personal data protection in Indonesia. However, a survey taken by the Ministry of Communications and Information (“Kominfo”) and Katadata Insight Center last year showed that more than 60% of the public remained unaware of the existence of the Personal Data Protection Bill and only 31.8% of companies knew about it. Marking International Data Privacy Day, which falls on January 28 every year, Kominfo, VIDA, and the Indonesia Cyber Security Forum (ICSF) urged the public and industry stakeholders to become better informed about the Personal Data Protection Bill.
VIDA Co-Founder and CEO, Sati Rasuanto explained, “As a Certificate Authority (CA), it has been our role and responsibility to take part in efforts to support the Government’s mission in creating a secure digital ecosystem in Indonesia. Through technology and world-class standards, VIDA guarantees our user personal data security through the online identity verification that we offer to our clients, which is required in the onboarding process involving any digital platform or in digital signatures. Given that this mission needs support from multiple parties, we see the urgency in implementing the personal data protection bill (RUU PDP) to reduce the risk of further misuse of identity while protecting public digital identity.”
Currently, Government Regulation No. 71 of 2019 on System Operations and Digital Transaction (“GR no. 71/2019”) requires an Electronic System Organizer (“PSE”) to inform the owner of personal data by written message of any failure to protect the personal data it manages (data breach). The RUU PDP, which is undergoing deliberation at the DPR, will later outline the policy in more detail, besides defining data and personal data owner rights. Some of the arrangements include affirmation of the obligations and responsibilities of data controllers and data processors, formation of a Data Protection Officer (DPO), and administrative as well as criminal sanctions.
Ministry of Communication and Information Acting Director of Information Technology Application Governance, Teguh Arifiadi explained, “The RUU PDP that is still being finalized by both the Government and Parliament is expected to be able to improve the governance of Indonesia's electronic system. Simultaneously, various policy instruments implemented in RUU PDP have been made more effective in reducing cyber crime and personal data breach in the process. Kominfo is committed to implementing transparency in administrative sanctions such as fines resulting from data breach. The fines for violating the PDP principles that we are currently drafting are expected to be an ideal policy instrument for controlling personal data protection in Indonesia.”
In the discussion over the implementation of the regulations, a company's failure to fulfill its obligations in implementing personal data protection principles will be subject to an administrative sanction. Based on GR no. 71/2019, there are several principles associated with personal data collection and processing, namely:
Accomplished in a limited and specific manner, legally valid, fair, and with the knowledge and consent of the owner of the personal data.
Done according to the purpose.
Done by guaranteeing personal data owner rights.
Done accurately, completely, not misleading, up-to-date, accountable, and taking account of the purpose of personal data processing.
Achieved by protecting personal data security from loss, misuse, access, and unauthorized disclosure, including personal data change or destruction.
Done by informing the purpose of data collection, processing activity, and failure in personal data protection.
Destroyed and/or deleted unless it is still in the retention period in accordance with the needs based on the provisions of the legislation.
Sati explained that as a Certificate Authority (CA), VIDA upholds principles that guarantee digital identity will be in line with RUU PDP. “Aligned with digital identity principles upheld by VIDA, including security, consent, and transparency. Users of VIDA identity verification and digital signature services are able to control their crucial information easily. Armed with VIDA digital certificates, the decision to authenticate digital services or digital signatures process rests with the users entirely. VIDA ensures user personal data will be used only for users' needs, and we implement end-to-end encryption for all data transmission.”
As a rooted CA under Kominfo, VIDA has the highest legal evidentiary value in terms of digital signatures. VIDA is also the first Indonesian CA that received WebTrust global accreditation in the implementation of Internet security standards, implementing face biometric and liveness detection in verification and authentication which is easy and convenient for the users. VIDA digital signatures are also recognized in more than 40 countries, because VIDA is the first Indonesian CA that is listed on Adobe Approved Trust List (AATL) or Adobe trusted partner list. In providing online identity verification services, VIDA is also listed with the OJK as Digital Finance Innovation in the e-KYC cluster and OJK regulatory sandbox.
Founder and Chairman of the Indonesia Cyber Security Forum (ICSF), Ardi Sutedja, explains, “ICSF sees RUU PDP as one of the policy responses in preventing further data breach in government institutions, state-owned enterprises, and private companies. This is because the business world needs assurance in terms of personal data management. Based on a benchmark study on various personal data protection policies in various countries, we believe that administrative sanctions such as fines formulated by Kominfo to tackle data breach can lead to a more legally and financially measurable risk management from the management perspective. This regulation complements the presence of Certificate Authority that has been protecting public digital identity security across various industries.”
“Although compliance toward both domestic regulations and global best practices in data protection is able to reduce the risk of identity abuse, VIDA believes in the principle of beyond compliance. In personal data protection, we go the extra mile, by providing comprehensive public education about understanding and protecting the right to privacy in this digital age. We hope that public awareness regarding personal data increases, and this, in turn, will be able to improve public trust toward the digital industry in Indonesia,” Sati concluded.
About VIDA - PT Indonesia Digital Identity
PT Indonesia Digital Identity (VIDA) is a licensed Certificate Authority (CA) under the Indonesian Ministry of ICT, authorized to issue digital certificates that can be applied for digital signatures and web authentication. Established in 2018, VIDA is a digital identity network leveraging multi-factor authentication, digital signatures, and verified identities. VIDA applies world-class data security standards, including Public Key Infrastructure, facial recognition, and endpoint security to provide comprehensive cyber security solutions.
VIDA is also listed as a Digital Financial Innovation (Inovasi Keuangan Digital / IKD) registered with the OJK. The products and solutions offered by VIDA can be adopted by various sectors and industries, including the financial services industry, to make it easier to verify direct customers. VIDA also believes in instilling digital trust among its users; accordingly, the company has been registered under the OJK and BI regulatory sandbox.
VIDA also applies world-class technology standards that are certified and recognized internationally. The company became the first Certificate Authority (CA) company in Indonesia to obtain WebTrust certification and to be listed in the Adobe Approved Trust List (AATL), and it is also ISO 27001 certified.
VIDA - PT Indonesia Digital Identity