Data protection and management
What constitutes ‘health data’? Is there a definition of ‘anonymised’ health data?
Health data within the context of health information system legislation in Indonesia is a type of patient health metadata used for health development. Health data in this context is collected by the health services facilities and government institutions, to be further processed by the Ministry of Health into ‘health information’. The aim of collecting health data is to enhance knowledge to support health development.
In addition, the legislation stipulates that ‘health information’ means health data processed to be of value and meaning for enhancing knowledge to support health development.
Indonesian legislation does not define ‘anonymised data’ or ‘anonymised health data’. Nevertheless, the common understanding is that ‘anonymised’ data means data stripped of person-identifiable information, which therefore cannot be used to identify particular individuals.
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
In the health sector, the Health Law (Law No. 36 of 2009 on Health, as amended by Law No. 11 of 2020 on Job Creation) and its implementing regulation protect information on patients contained in medical records. Except in certain circumstances, information in the medical records must be kept confidential by doctors, dentists, certain health workers, management officers and heads of health service facilities (the head of the place where the medical practice is performed) and may not be shared with other parties without the approval of the patients themselves. The medical records can be accessed only in the following limited circumstances:
Any disclosure of medical records must be submitted in writing to the head of health service facilities.
Other than the above, legal protection of personal data should follow the general provisions on personal data protection under Law No. 27 of 2022 on Personal Data Protection (the PDP Law) and the Electronic Information and Transactions Law (Law No. 11 of 2008 on Electronic Information and Transactions (the EIT Law), as amended by Law No. 19 of 2016) and its implementing regulations.
An organisation that functions as an electronic services provider (eg, a digital platform company that establishes apps, websites and others) in Indonesia must:
Pursuant to the PDP Law and Government Regulation No. 71 of 2019 on the Provision of Electronic Systems and Transactions (GR 71/2019), personal data is defined as data on a person that is identified or identifiable, either separately or in combination with other information, either directly or indirectly, through an electronic system or via non-electronic means. Given this definition, the term ‘personal data’ has a broad interpretation, and would include any data attributable to an individual and could be used to identify an individual. Accordingly, the health data of an individual would constitute personal data under this definition.
The PDP Law acknowledges several lawful bases for personal data processing:
Processing of personal data must be based on the above.
Further, the recently issued PDP Law classifies health data as ‘specific personal data’. In this case, the PDP Law does not specify a compliance requirement for processing ‘specific personal data’ as compared with ‘general personal data’. Nevertheless, a data controller processing ‘specific personal data’ is subject to the following obligations:
Further, data controllers must maintain the confidentiality, completeness, authenticity, accessibility, availability and traceability of electronic information or electronic documents pursuant to the prevailing laws and regulations. A party that suffers a loss as a result of a data controller’s failure to do so may submit a claim against that data controller.
Is anonymised health data subject to specific regulations or guidelines?
Indonesian legislation does not define ‘anonymised’ data or ‘anonymised’ health data. Nevertheless, in general, as long as the ‘anonymised’ data is stripped of any identifiable information and therefore cannot be used to identify a particular individual, either on its own or in combination with other data by any means whatsoever, it is our understanding that ‘anonymised’ data or ‘anonymised’ health data would not constitute personal data. Thus, the collection, use, storage, dissemination and deletion thereof are not subject to the personal data protection requirements under the laws and regulations.
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
Currently, Indonesia does not have rules or regulations for digital healthcare systems. Regulations on patient confidentiality and safety have not yet been issued. Apart from medical records, data protection in the health sector should be enforced in accordance with general data protection for electronic systems. There is no specific regulation on data protection for digital healthcare technologies.
Within the context of personal data, upon the occurrence of a data breach, a data controller is required to notify the regulator and the affected data subjects within 72 hours.
Further, failure to comply with the personal data protection requirements is subject to the following sanctions:
A data controller may be held accountable or sued by an affected data subject in the event of a loss suffered by that data subject as a result of a failure to comply with the personal data protection requirements.
Nevertheless, to date, we are not aware of any enforcement of criminal sanctions, administrative sanctions or civil claims for damages with regard to digital healthcare technologies in the private sector. In the public sector, a data breach involving health data maintained by the Social Security Agency has occurred. However, the enforcement action following this incident has not been disclosed to the public.
What cybersecurity laws and best practices are relevant for digital health offerings?
In general, GR 71/2019 requires electronic system operators to maintain and implement procedures and facilities to secure their electronic systems and to mitigate any interference, failure and damage.
Indonesia’s cybersecurity regulatory framework is still under development. The National Cyber and Encryption Agency (BSSN) has set out general requirements for information security management under BSSN Regulation No. 8 of 2020 on Security Systems in the Operation of Electronic Systems. Under this regulation, depending on the risk level of an electronic system, certain security standards must be implemented by the electronic system’s operator, including SNI ISO/IEC 27001 and other security standards issued by the BSSN or other ministries or institutions.
Although there is no standalone cybersecurity law in Indonesia, the EIT Law includes general provisions touching on cybersecurity issues.
The EIT Law includes restrictions on the following:
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymised data, as well as the output of digital health solutions?
The use and management of anonymised data are exempt from personal data protection requirements, as long as the data cannot be used to identify an individual in any way whatsoever. However, when handling raw data and any other data that constitutes personal data, its collection, use and sharing through electronic media must be carried out lawfully in accordance with the PDP Law, taking into account the requirements for medical records where applicable.
With regard to the sharing of data, it is possible to share personal data provided that it complies with the PDP Law.