Indonesia’s Personal Data Protection (PDP) Law stipulates that personal data is the data of individuals that can be directly or indirectly identified, either on their own or in combination with other information. The PDP Law provides three types of personal data relevant to health data, which are:
- health data and information: individual records or information that relates to physical and mental health and/or health services;
- biometric data: data relating to identifiable physical, physiological or behavioural characteristics of an individual, such as facial images or fingerprints. It encompasses unique traits such as fingerprint records, retinal scans and DNA samples, which require careful maintenance and protection; and
- genetic data: any type of data regarding the characteristics of an individual that are inherited or acquired during early prenatal development.
Anonymised Health Data
Presently, there are no regulations defining anonymised health data. However, anonymised health data is commonly known as health data that cannot identify an individual, hence it does not constitute personally identifiable information.
In addition to the above, the Health Law and the Indonesian Code of Medical Ethics generally impose an obligation to maintain the confidentiality of all data relating to matters identified by healthcare facilities or healthcare professionals in the course of medical treatment and recorded in medical records. Exemptions to this confidentiality apply where disclosure is for the purpose of treating the patient, is required by statute or requested by a court, or is necessary for public order and safety.
Enforcement of Data Protection Laws in Relation to Health Data
There are presently no regulations in Indonesia governing the treatment of health data specifically in the digital health sector. In any case, as health data falls under the scope of personal data, the sanctions within the PDP Law shall apply to non-compliance with the obligations contained therein.
Digital platforms and/or healthcare facilities or healthcare professionals as personal data controllers and/or processors that fail to comply with the obligations stipulated in the PDP Law may be subject to administrative sanctions in the form of a written warning, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/or administrative fines. Such non-compliance includes failure to conduct a data protection impact assessment or to appoint data protection officer(s).
With respect to administrative fines specifically, the PDP Law stipulates that the violating party may be subject to a maximum fine of 2 percent of the party’s annual income or revenue. These administrative sanctions are to be further regulated by a government regulation. The PDP Law also provides for criminal sanctions, which include imprisonment and criminal fines. Criminal fines for corporate entities can be imposed up to 10 times the maximum fine for individual offenders.
Excerpted from Lexology Panoramic: Digital Health 2024, published by Law Business Research.
Find the Indonesia chapter of Lexology Panoramic: Digital Health 2024 here.
Further reading:
Liability for Digital Health Products and Services in Indonesia
This publication is intended for informational purposes only and does not constitute legal advice. Any reliance on the material contained herein is at the user’s own risk. All SSEK publications are copyrighted and may not be reproduced without the express written consent of SSEK.