Data Protection In Indonesia – Security Requirements
Legal News & Analysis - Asia Pacific - Indonesia - Cybersecurity
28 August, 2018
An electronic system provider (ESP) in Indonesia must maintain the correctness, validity, confidentiality, accuracy, relevance and compatibility with the purpose of the acquisition, collection, processing, analysis, retention, display, publication, transmission, dissemination and destruction of personal data. Additionally, an ESP must also carry out certification of its electronic system to ensure it is in accordance with the applicable laws and regulations.
An ESP engaged in public services must have a data center and disaster recovery center that are used to protect personal data, which must be located within the jurisdiction of the Republic of Indonesia. This data center is a physical facility for the electronic system and its related components for the purpose of the placement, storage, and processing of data. The disaster recovery center must be used to recover data or information and important functions of the electronic system that are interrupted or damaged due to any natural disasters.
Data Security Breaches
In the event of failure to protect the confidentiality of the personal data stored in the related electronic system provider's electronic system, the ESP must provide a notification to the data subject with the reason or cause of the failure to protect the confidentiality of the personal data. The notification may be sent electronically if the data subject has given approval for such electronic notification during the acquisition and collection of their personal data. The ESP must ensure that the notification has been received by the data subject if the data breach has the potential to cause loss to the relevant data subject. The written notification must be sent to the data subject no later than 14 days after the identification of the breach.
In addition, although it is not a requirement, every data subject and ESP can file a complaint to the Minister of Communication and Informatics if no notification of the data breach is given, or a loss has occurred to the data subject or ESP as a result of the failure to protect personal data. This is intended as an effort to resolve a dispute by deliberation or through other alternative resolution efforts.