e-KTP and Personal Data Protection: Are We Ready?
Thu, 03 Jan 2019 || By Janitra Haryanto

During the presidency of President Susilo Bambang Yudhoyono, Indonesia initiated the electronic ID card/e-KTP megaproject. E-KTP can be simply defined as conventional Indonesian ID card with the ability to save data, provide readable and writeable data by card reader, carrying microchip as data storage, storing biometric fingerprint as a unique identifier and more importantly, able to store all personal data information needed within various applications[i]. E-KTP project is executed under the Ministry of Internal Affairs (Kemendagri), all together with the integrated national ID number (NIK) project.

            Although the project was initially designed to enhance Indonesian public service, e-KTP project has gone through many controversial cases, such as the illegal trading of e-KTP blank, and corruption case done by the country's infamous politicians. In December 2018, Kompas published its report on the illegal trading of e-KTP blank at Pasar Pramuka Pojok in Central Jakarta to Indonesian e-commerce platform, Tokopedia. According to Kompas' report, the e-KTP blank was illegally traded at Pasar Pramuka Pojok for Rp. 150.000 to Rp. 200.000. On Tokopedia, it is sold in the area of Bandar Lampung for Rp. 50.000 each and must be bought for ten pieces for each transaction[ii].

Regarding the e-KTP procurement corruption case, the case has drawn several names of high-ranking Indonesian officials and determined former Indonesian House Speaker Setya Novanto as the perpetrator of corruption in the e-KTP procurement. Post-Setya Novanto, corruption cases of e-KTP procurement were discussed by also attracting several names of prominent politicians in Indonesia as recipients of the corruption funds generated, such as Central Java Provincial Governor Ganjar Pranowo, Coordinating Minister for Human and Cultural Empowerment Puan Maharani and Cabinet Secretary Pramono Anung[iii]. Even though the investigation is still ongoing and has only succeeded in proving Setya Novanto, the polemic has succeeded in raising internet’s enthusiasm for e-KTP.

In 2018 alone, according to data taken from Google Trends, the keyword 'e-ktp' gets an average value of attraction of 52.2 points[iv]. Besides, the ‘e-ktp’ keyword also has a connection with the topic of 'fingerprint' and 'corruption' topics in the Google search engine. This connection at least reflects two things that often become the core discussion about e-KTP: corruption and personal data.

Regarding the protection of personal data in the e-KTP project, this article examines the status quo of personal data protection explicitly in e-KTP. This topic becomes intriguing to discuss due to the reality that personal data is a vital asset for the privacy of each society and the lack of sufficient understanding from the community and government apparatus regarding the rights and obligations regarding personal data.

 

Q1: How is the state of e-KTP personal data protection today?

A1:      E-KTP includes some public information that can be classified as personal data, such as face photo, full name, NIK, place and date of birth, gender, blood type, residential address, religion, marital status, employment, citizenship, signature, and the expiration date of the e-KTP. In addition to the information contained in the e-KTP, e-KTP also includes other information, such as biometric fingerprints which are used as individually-exclusive identification tools.

Regarding the protection of current personal data, Indonesia currently refers to Law (UU) no. 23/2006 on Population Administration (Adminduk Law), UU no. 14/2008 on Public Information Openness and Minister of Communication and Information Regulation no. 20/2016 on Protection of Personal Data in Electronic Systems. Article 2 of the Adminduk Law states that the public has the right to obtain protection for his personal data[v].

The mechanism e-KTP personal data protection has also been regulated in the Minister of Communication and Information Regulation no. Article 20/2016 Article 3. It is stated that the mechanism for protecting personal data is carried out in five processes: acquisition and collection; processing and analysing; storing; showing, announcing, delivery, distributing, and/or opening of access; and extermination[vi].

Hitherto, several cases have raised questions about the credibility and commitment of the Indonesian government to protect its people's personal data. First of all, the unmatched number of NIKs in government data centres and cellular operators. By the end of 2017, the government issued a policy to re-register mobile phone SIM card numbers using NIK. This policy has become a polemic among the public when the number of NIKs registered within government data centers, and cellular operators differ for around 45 million NIK. The number of NIKs registered at the government data centre is 350.7 million NIKs, while the number of NIKs registered at the cellular operator data centre is 304 million NIK[vii].

The government, through the Ministry of Communication and Information (Kominfo), then clarified the airing issues that there were errors in the system. However, on the other hand, data security expert Damar Juniarto explained that NIK data was stolen and used in a program that could register eleven different SIM card cellphone numbers with one NIK[viii]. Consequentially, this raises more questions among the community: Did data leakage occur at the government data centre? The government has ensured that there is no data leakage[ix], but cases like this sign warning to the people who have grown awareness upon the impact of poor data protection management.

Secondly, the leak of activist Veronica Koman’s personal data by Minister of Home Affairs (Minister of Home Affairs) Tjahyo Kumolo due to her brave and assertive speech which strongly criticized the poor Indonesian law enforcement in the era of President Jokowi's administration after Ahok was arrested[x]. Due to his displeasure with the criticism given by Veronica Koman, Minister of Home Affairs Tjahyo Kumolo disseminated Veronica Koman's personal data to the Whatsapp group of journalists. Minister of Home Affairs Tjahyo Kumolo was also reportedly giving comments via a short message to reporters on the matter, as follows: "Ahok supporters cursed Mr Jokowi because Ahok lost the elections and was detained? I will chase the person (and) I will be the opponent of the volunteer. Mulutmu, harimaumu.[xi]"

The leaked personal data of Veronika Koman by the Minister of Home Affairs, Tjahyo Kumolo, violated the ITE Law article 26 which requires the consent of the data owner regarding the use of personal data[xii]. Also, the leakage is also a form of government violation of its obligation to protect the public's personal data, as stated in the Article 84 and 85 of the Adminduk Law, that the state needs to protect information classified as personal data[xiii].

The two cases above reflect the personal data protection within the current e-KTP. First, there is no sufficient protection system to protect the public's personal data submitted to the government and second, there is not enough understanding either from the government as a processor and data keeper, or the community as the data owner. The lack of understanding of Indonesian people regarding the protection of their personal data is reflected in cases where Indonesian people easily submit their personal data without knowing the consequences of the activity[xiv].

 

Q2: What can the Indonesian government do to enhance personal data protection?

A2:      The Indonesian government has, at least, two unfinished homework: completing the Personal Data Protection Act (PDP Law) which is stuck in the DPR and ensuring that the public and state apparatus have sufficient understanding of the protection of personal data.

 Currently, the discussion on the Personal Data Protection Bill (PDP Bill) is still left hanging. The DPR is still waiting for the government to immediately submit a PDP bill that is currently still being postponed in government level[xv]. According to the Director General of Population and Civil Registration (Dukcapil) of the Ministry of Home Affairs (Kemendagri) Zudan Arif Fakrulloh, the hindrance of government's efforts to submit the PDP bill to the DPR was suspected by the lack of harmonization between the PDP bill and the Adminduk Law.

            The PDP Law is one of the determinants of the future Indonesian personal data protection. Currently, the legislation governing the protection of personal data is spread in various sectoral regulations, such as Minister of Communication and Information Regulation on the Protection of Personal Data in Electronic Systems. According to Deputy Research Director of the Institute for Policy Research and Advocacy (ELSAM) Wahyudi Djafar, the PDP Law must be immediately enacted by the government and the legislature to embody an integral regulation of personal data protection in Indonesia[xvi].

In addition, people's understanding and state apparatus regarding the personal data protection data also needs to be improved. According to ELSAM, Indonesians often still cannot choose which personal data that is safe to be distributed in general[xvii]. For example, when asked to include a telephone number in a restaurant to get a product promotion, some of the Indonesian people often still consciously provide their telephone number without knowing how their information will be processed later. Meanwhile, such scenario is often used by some Indonesian companies to sell information about these telephone numbers as a marketing tool for other companies.

Efforts to increase public understanding and state apparatus regarding the protection of personal data can be done in various ways, such as by sharing information on the importance of protecting personal data in the form of campaigns carried out by digital literacy movements such as Siberkreasi, as well as distributing public service advertisements, mass media and social media. By establishing regulations that actively and integrally regulate personal data protection and increasing public understanding of personal data protection, violations of public privacy can be reduced.

Editor: Anisa Pratita Mantovani

Read another article written by Janitra Haryanto

 

[i] e-KTP. (2018). Perbedaan KTP Lama, KTP Nasional, KTP Elektronik (e-KTP). [online] Available at: http://www.e-ktp.com/2011/05/perbedaan-ktp-lama-ktp-nasional-ktp-elektronik-e-ktp/ [Accessed 23 Dec. 2018].

[ii] KOMPAS.com. (2018). Temuan Tim Kompas, Blangko E-KTP Dijual di Pasar Pramuka hingga Tokopedia - Kompas.com. [online] Available at: https://nasional.kompas.com/read/2018/12/06/11474921/temuan-tim-kompas-blangko-e-ktp-dijual-di-pasar-pramuka-hingga-tokopedia [Accessed 24 Dec. 2018].

[iii] Chairunnisa, N. (2018). Nama-nama ini Disebut Setya Novanto Terima Uang E-KTP. [online] Tempo. Available at: https://nasional.tempo.co/read/1072386/nama-nama-ini-disebut-setya-novanto-terima-uang-e-ktp/full&view=ok [Accessed 24 Dec. 2018].

[iv] Google Trend. (2018). e-ktp. [online] Available at: https://trends.google.com/trends/explore?geo=ID&q=e-ktp [Accessed 24 Dec. 2018].

[v] UU no. 23 Tahun 2006 mengenai Administrasi Kependudukan, pasal 2.

[vi] Peraturan Menteri Komunikasi dan Informasi no. 20 Tahun 2016 tentang Perlindungan Data Pribadi dalam Sistem Elektronik, pasal 3.

[vii] Witjaksono, A. (2018). Misteri Bocor Data e-KTP - Kompas.com. [online] KOMPAS.com. Available at: https://nasional.kompas.com/read/2018/03/26/08101681/misteri-bocor-data-e-ktp [Accessed 24 Dec. 2018].

[viii] Ibid.

[ix] Widiartanto, Y.H. (2018). Kemenkominfo: Tak Ada Kebocoran Data NIK dan KK - Kompas.com. [online] KOMPAS.com. Available at: https://ekonomi.kompas.com/read/2018/03/05/190100526/kemenkominfo--tak-ada-kebocoran-data-nik-dan-kk [Accessed 24 Dec. 2018].

[x] Saputri, M. (2018). AJI: Pembocoran Data E-KTP oleh Mendagri Langgar Privasi - Tirto.ID. [online] tirto.id. Available at: https://tirto.id/aji-pembocoran-data-e-ktp-oleh-mendagri-langgar-privasi-coAF [Accessed 24 Dec. 2018].

[xi] Akbar, J. (2018). Mendagri Sebar E-KTP Orator yang Mengkritik Jokowi - Tirto.ID. [online] tirto.id. Available at: https://tirto.id/mendagri-sebar-e-ktp-orator-yang-mengkritik-jokowi-coxy [Accessed 24 Dec. 2018].

[xii] Ibid.

[xiii] UU no. 23 Tahun 2006 mengenai Administrasi Kependudukan, pasal 84 dan 85.

[xiv] Kurnianto, K. (2018). Masyarakat Indonesia Terlalu Mudah Menyerahkan Data Pribadi. [online] kumparan. Available at: https://kumparan.com/@kumparannews/masyarakat-indonesia-terlalu-mudah-menyerahkan-data-pribadi [Accessed 24 Dec. 2018].

[xv] Agung, B. (2018). DPR Ancam 'Rebut' RUU Perlindungan Data Pribadi dari Kominfo. [online] teknologi. Available at: https://www.cnnindonesia.com/teknologi/20180410182356-185-289791/dpr-ancam-rebut-ruu-perlindungan-data-pribadi-dari-kominfo [Accessed 24 Dec. 2018].

[xvi] BBC News Indonesia. (2018). Pemerintah kebut RUU Perlindungan Data Pribadi. [online] Available at: https://www.bbc.com/indonesia/majalah-46633652 [Accessed 24 Dec. 2018].

[xvii] Ibid.