In the previous article, I discuss personal data protection in Indonesia and what is the current challenge faced to formalize the regulation.
In this article, I will discuss the problem of personal data that happened several times in Indonesia and elaborate a bit on who is responsible for the data protection.
First, let me explain which party is responsible for the personal data in an organization. There are three sides are related to this based on the personal data protection bill draft:
#1 Data Controller
A data controller is a person, company, or other body that determines the purpose and means of personal data processing. In a simple way, this party controls the use of data in an organization and decides what is the next step to do with the data.
#2 Data Processor
A data processor is a person or company that is responsible to process the data with the data controller’s permission.
#3 Data Subject
A data subject is a person that owned the personal data that attach to ourselves since we were born.
Issue in Indonesia
There is one crucial document that is always discussed among the people if we want to register for the Government service, it is the National Identity Card (Kartu Tanda Penduduk).
The National ID is commonly used in Government or private services as the requirement to activate a service. In many cases, the citizen should bring a copy of their National ID and give it to the authorities.
If we use the role of data protection based on the data protection bill draft, there is an unclear role in the government or private organization that is responsible to control or process the data. As a data subject, they require us to provide our personal data but never have clarity what is the purpose of the data collection. Moreover, the national ID hardcopy is really easy to lose, steal, or even ended in a trash can by intention and when it happened, there is no urgency for the organization to inform the data subject about the data breach.
Indonesian citizens did not see this as a serious threat but ironically they got a real problem from the breach of the National Identity Card. Here is how the breach of personal data on a National Identity Card can be dangerous for the public:
#1 Fictitious Seller
Someone could use your National ID card as a seller in a commerce forum and the buyer could believe that a scammer is a real person based on your National ID card. When the fictitious seller gets the money, they did not send the goods, and guess who is to blame for this case from the buyer’s perspective: you.
#2 Telemarketing Scam
Someone could call you and state that he/she is from a banking service and use your data for your confirmation so that you will think that this is a legitimate call from the bank. And the next act is to use many ways to get your money.
#3 Online Loan
An online loan is a big threat in Indonesia right now since there are many illegal services that offer high interest and easy requirements to the users. The stolen National Identity Card could use as a requirement and you could chase the legal and illegal online services to pay the loan.
There are so many ways to use the stolen National Identity card such as phishing, scam, and social media account hack, but the point is the Indonesian citizen is not safe until we have a strict data protection regulation.
National Identity Card Seller, source : source: https://pers.droneemprit.id/perlindungan-data
But the next question will be: how is the prevention until we have personal data protection regulation? We cannot control the requirement that provides by government or private services but we can do better to protect our personal data.
The easiest thing is always to use a watermark before sending your digital copy of your National Identity Card to an online service. This way does not fully prevent your data from being stolen but if one day your National ID copy is sold by someone in a forum, you know which service is responsible for the case.
The next step is always to check the security of an online site before you submit your National Identity number or card. Commonly, a secure site starts with “http” and also checks how is the privacy policy of the company because it is important to know what is the purpose of the data collection and what is the site responsibility when your data is being stolen.
In the next article, Meta Lab will elaborate what is the impact for Government and Private sector if the Personal Data Protection Law is formalize by the Indonesian Government.
Jati graduated his Master’s in ICT in Business and the Public Sector from Leiden University, the Netherlands. He is now currently pursuing his PhD from Leiden University on the topic of data privacy for the VODAN-Africa project.
