One significant development in the health sector in Indonesia is the use of information technology and communication in the implementation of health efforts—particularly digital health services such as telehealth and telemedicine integrated into the country’s National Health Information System.
This development was addressed in a major new piece of legislation for the healthcare sector in Indonesia. Enacted in August 2023, Law No. 17 of 2023 concerning Health (the “Health Law”) provides the updates needed to support the development of healthcare services in Indonesia.
Under the Health Law, health information system (HIS) providers must:
- Carry out processing of data and health information in the territory of Indonesia, except for certain limited and specific processing activities that may be conducted outside Indonesia when permitted by the relevant authorities and in compliance with relevant regulations.
- Ensure the reliability of its HIS, including availability, security, maintenance, and integration with Indonesia’s National Health Information System.
- Provide quality health data and information.
- Process data and health information, which includes planning, collection, storage, inspection, transfer, utilization, and destruction.
- Record its data- and information-processing history.
- Protect every person’s data and health information.
- Obtain approval from the relevant personal data subject or comply with relevant regulations if the processing of data and health information involves an individual’s health data.
- Inform the data owner if there is a failure to protect data and individual health information.
The Health Law’s personal data protection requirements listed above appear to be aligned with the provisions in Law No. 27 of 2022 concerning Personal Data Protection (the “PDP Law”). Under this law, data and information relating to health are identified as “specific personal data,” the processing of which carries a high potential risk of impacting the relevant personal data subject.
In the implementation of digital health services, patients’ personal data or medical records must be generated by a health service facility. Health service facilities are responsible for the maintenance of the security, integrity, confidentiality, and availability of the data in Medical Records.
Regulatory Implementation of the PDP Law
In preparation for the implementation of the PDP Law, in September 2023 Indonesia’s Ministry of Communication and Information published the Draft Government Regulation regarding Implementation of PDP Law (the “Draft GR PDP”).
The provisions in the Draft GR PDP most relevant to digital health services and medical records are described below.
Personal Data Subject Rights
According to the Draft GR PDP, personal data subjects have the right to:
- Terminate processing of personal data about themselves in accordance with relevant laws and regulations.
- Delete personal data about themselves in accordance with relevant laws and regulations.
- Destroy personal data about themselves in accordance with relevant laws and regulations.
- Withdraw their previously given consent to the processing of personal data.
- Object to decision-making actions based solely on automated processing (including profiling) that have legal consequences or a significant impact on the personal data subject.
- Suspend or limit the processing of personal data proportionately in accordance with the purpose of processing the personal data.
- Obtain and use personal data about themselves from the personal data controller in a form that fits a structure or format commonly used or readable by electronic systems.
- Use and transmit personal data about themselves to other personal data controllers if the systems used can communicate with each other securely in accordance with the personal data protection principles.
Personal Data Controller Obligations
Among personal data controllers’ many obligations related to the protection of personal data in general, there are two related to health. Under the Draft GR PDP, personal data subjects have the right to complete, update, and correct errors or inaccuracies in personal data about them through the means provided by the personal data controller, either independently or by submitting a written request to the personal data controller, who must reject such a request if it:
- Jeopardizes the security or physical or mental health of the personal data subject or others;
- Impacts the disclosure of personal data belonging to others; or
- Is contrary to the interests of national defense and security.
Personal data controllers must assess the impact of their processing of personal data related to health, because processing this type of data carries a high potential risk of impacting the relevant personal data subject.
Other than the obligations mentioned above, personal data controllers are also required to do the following, among others:
- Have a basis for processing personal data;
- Present evidence of personal data subjects’ consent to the processing of their personal data;
- Carry out the processing of personal data in a limited, specific, legally valid, and transparent manner;
- Carry out the processing of personal data in accordance with the declared purpose for processing the personal data;
- Ensure the accuracy, completeness, and consistency of personal data in accordance with the provisions of laws and regulations;
- Update or fix any errors or inaccuracies in personal data under their control;
- Record all personal data processing activities; and
- Provide personal data subjects with access to the processed personal data along with a record of processing activities during the period for which the personal data is retained.
Personal Data Processing
Besides identifying personal data subjects and personal data controllers as relevant parties in the processing of personal data, the Draft GR PDP also details the role of personal data processors. A personal data processor is a party who carries out personal data processing activities, appointed by through an agreement with the personal data controller.
The Draft GR PDP lays out criteria that must be followed in processing personal data. The collection of personal data must be done in a limited, specific, lawful, and transparent manner, and the processing of personal data must be conducted:
- In accordance with the declared purpose for processing the personal data;
- In a manner that guarantees the rights of the personal data subject;
- In a manner that is accurate, complete, not misleading, up-to-date, and reliable.
- In a manner that protects the security of personal data by preventing unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and erasure of the personal data;
- By informing the personal data subject of its purpose and activities of processing, as well as any failure in protecting the personal data; and
- Responsibly, as supported by clear evidence of the personal data processing activities.
Personal data must be destroyed or erased after the retention period ends or upon the request of the personal data subject, unless otherwise stipulated by laws or regulations.
Cross-Border Transfers of Personal Data
According to the Draft GR PDP, personal data controllers are allowed to transfer personal data to another personal data controller or personal data processor outside of Indonesia only after the personal data controller ensures that the intended receiver of the personal data has an equivalent or higher level of personal data protection. Personal data controllers must also ensure that there are adequate and binding personal data protection mechanisms in the receiver’s country. If the receiver’s country does not meet the requirements mentioned in Indonesia’s data protection laws and regulations, the personal data controller must obtain the personal data subject’s approval to transfer the data.
The publication of the Draft GR PDP suggests that the final implementing regulation will align with the Health Law and its implementing regulation in relation to the storage, processing, and transfer of health and medical data. This alignment is essential in order to enforce the protection of personal data in healthcare services in Indonesia. With these strong protections in place, patients and providers will benefit from greater security and privacy, leading to an overall better standard of care in Indonesia’s rapidly advancing digital and other health services.