Indonesia's Electronic Information Law, Government Regulation 82 regarding the Implementation of Electronic Systems and Transactions, and MOCI Regulation 20 regarding the Protection of Personal Data in Electronic Systems (jointly referred to as the PDP Regulations) do not provide a specific definition of sensitive data, and consequently no special issues apply. There are, however, several laws in a number of specific areas that indirectly deal with data privacy relating to financial, health and communications data.
Financial service providers are prohibited by Article 31 of Financial Services Authority (Otoritas Jasa Keuangan or "OJK") Regulation No. 1/POJK.07/2013 regarding financial consumer protection ("POJK No. 1/2013") from disclosing customer data and/or information to third parties, unless they receive written consent from the customer or are required to by lawful authority. If a financial service-provider obtains the personal data and/or information of a person and/or a group of persons from a third party it is required to obtain written confirmation from the third party that the person or group of persons has agreed to the disclosure.
Additionally, the protection of consumers' personal data and/or information in relation to the payment transaction process conducted by payment service providers is provided for under Article 25 of Bank Indonesia Regulation No. 18/40/PBI/2016 regarding the provision of payment transaction processing.
Article 57 of Law No. 36 of 2009 regarding health stipulates that in principle every person is entitled to the confidentiality of their personal health information that has been provided to, or collected by, healthcare-providers.
Article 40 of Law No. 36 of 1999 regarding telecommunications prohibits the "tapping" of information transmitted through telecommunications networks. Telecommunications service operators must keep confidential any information transmitted, and/or received by a telecommunications service subscriber, through a telecommunications network and/or telecommunications services provided by the relevant operator.
As specified above, the PDP Regulations do not contain any provision regarding sensitive data. This will likely be included in the draft law on personal data protection being discussed at the Indonesian House of Representatives.
This first appeared in the 2019 Chambers Data Protection and Cyber Security Guide, published by Chambers and Partners.
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user's own risk. You should contact a lawyer in your jurisdiction if you require legal advice. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.