CONNECTING THE DOTS: LEGAL AND ETHICAL CONSIDERATIONS IN GOVERNMENT DATA SHARING
by Setyawati Fitrianggraeni, Sri Purnama
INTRODUCTION
Data transfer is regulated in Chapter VII Transfer of Personal Data of Law Number 27 of 2022 on Personal Data Protection (PDP Law). Based on PDP Law, a personal data controller may transfer personal data to other personal data controllers or processors within[1] or outside[2] the jurisdiction of the Republic of Indonesia by considering the applicable regulations. Furthermore, before data transfer the personal data controller must clearly state the purpose of the data transfer and obtain the data subjects’ consent[3] because data transfer is a part of the processing of personal data.[4]
Interoperability, in the broadest sense, is the ability of people, organizations, and systems to interact and interconnect so as to efficiently and effectively exchange and use information.[5] In the public sector, interoperability is about enabling connections between ministries, departments, agencies, sectors, government levels, and countries through data, information systems, legal agreements, organizational processes, and shared values and customs.[6] e-Government interoperability has become a crucial issue because recent information communication technology investments have reinforced the old barriers that made government decision-making, not to mention citizen access to public services, difficult.[7] Setting up a basic infrastructure for interoperability may be an important enabler to advance the overall e-government or government technology performance.
LEGAL FRAMEWORK FOR INTEROPERABILITY
In Indonesia, the regulatory framework impacting interoperability is shaped by laws such as Law Number 11 of 2008 jo. Law Number 19 of 2016 on Electronic Information and Transactions (ITE Law) and PDP Law. The ITE Law does not explicitly address interoperability in a detailed manner, but it contains provisions related to cybersecurity and data protection which indirectly impact interoperability.[8] Meanwhile, PDP Law regulates the collection and transfer of personal data, potentially complicating data transfer between different systems.
PDP Law shall be based on the principle of public interest.[9] Specifically, Article 20 paragraph (2) letter e of PDP Law[10] addresses the handling of personal data in the context of public services, highlighting the importance of safeguarding individuals’ privacy while ensuring efficient and transparent service delivery. Generally, Article 20 of PDP Law mandates that public authorities must implement robust measures to protect personal data from unauthorized access, misuse, or disclosure. This includes obtaining explicit consent from Data Subjects before processing their data[11] and ensuring that data handling practices are transparent and accountable. By establishing these requirements, Article 20 of PDP Law aims to balance the need for effective public administration with the fundamental rights of citizens, promoting trust and compliance in the delivery of essential services.
ETHICAL AND PRIVACY CONCERNS
Non-technical obstacles to effective data transfer within government often occur when public sector entities do not prioritize data sharing strategically. These challenges are further exacerbated by misalignment between organizations regarding data-sharing systems and processes, as well as varying approaches to managing legal and ethical compliance complexities.[12] The ethical implications of data transfer between government bodies are deeply rooted in the principles of consent, transparency, and accountability.[13] Consent is a fundamental issue, as Data Subjects must be informed and agree to the collection and transfer of their personal data with explicit consent.[14] Ethical data transfer practices necessitate that government bodies clearly communicate how data will be used, who will have access, and the purposes behind its transfer. This ensures that Data Subjects are not only aware of but also have control over their personal information, thereby upholding their autonomy and privacy.
Transparency and accountability further bolster ethical standards in data transfer. Government bodies must be transparent about how they process Data Subjects’ personal data,[15] including the criteria for data transfer and the measures in place to protect personal information. This transparency helps prevent misuse and allows the public to scrutinize how their data is managed. Accountability involves establishing clear protocols and oversight mechanisms to ensure that data transfer is conducted in accordance with legal and ethical standards.[16] Regular audits and reviews can help detect and address any deviations from established practices, fostering trust and demonstrating a commitment to ethical governance. Together, these principles help safeguard individual rights while enabling the efficient use of data for public benefit.
CASE STUDIES
Interoperability has been implemented in several countries such as Tanzania. Tanzania has successfully implemented a national health information exchange (HIE), enhancing interoperability within its health information systems. From 2014 to 2019, the Tanzanian government, in collaboration with multiple stakeholders and partners, developed the Tanzania Health Information Exchange (Tz-HIE) using the “Mind the GAPS”[17] framework. This initiative integrated various health data systems, enabling seamless data exchange across hospitals, supply chains, and digital data platforms. The implementation included developing a middleware layer, training personnel, and standardizing data protocols. As a result, 15 separate information systems are now interconnected, leading to improved data availability, significant time savings, and better health outcomes. The Tanzanian government has incorporated the HIE into its national health strategy, ensuring its ongoing operation and management by local officials, thus providing a model for other countries aiming to develop their health information systems.[18]
Recently, a disruption at the National Data Centre managed by the Ministry of Communication and Information had significant repercussions for the immigration system.[19] This incident highlights critical failures in interoperability within Indonesia’s governmental digital infrastructure. The lack of integration and standardized protocols among various government databases exacerbated vulnerabilities, making the system susceptible to breaches. The disruption demonstrated insufficient interoperability and inconsistent security measures across different governmental systems. This case underscores the urgent need for comprehensive improvements in system integration and security standards to safeguard sensitive information and prevent future breaches.
RECOMMENDATIONS FOR POLICY AND PRACTICE
To improve interoperability practices, Indonesia should focus on establishing standardized data transfer protocols and integrating secure technologies across government systems. This would involve developing a unified framework that ensures consistency in data formats and security measures, facilitating smoother and more reliable data transfers between agencies. Enhanced training for IT personnel and regular updates to infrastructure can further support these efforts.[20]
Proposed changes to legal provisions should include strengthening regulations around data privacy to ensure they are in line with the requirements of Article 20 PDP Law. This could involve introducing stricter guidelines on data consent, mandatory encryption for personal data, and comprehensive auditing processes to ensure compliance. By updating legal frameworks to reinforce privacy protections while promoting efficient public services, Indonesia can balance the need for secure data handling with the benefits of effective inter-agency collaboration and data transfer.
CONCLUSION
Ethical interoperability is crucial for ensuring that data transfer between government institutions aligns with the principles of privacy and security outlined in Article 20 of PDP Law. This article stipulates that personal data must be managed with clear consent and robust safeguards to prevent misuse. By adhering to these ethical standards, we can ensure that data transfer practices respect individual rights and contribute to more efficient and secure public services.
Looking ahead, the future of data transfer between government institutions in Indonesia will need to be guided by the principles established in PDP Law, especially in Article 20 PDP Law. As agencies increasingly integrate their systems to facilitate smoother data transfers, compliance with this article will be critical to protect personal information and uphold privacy standards. Ensuring that these practices are in place will support seamless interoperability while safeguarding individual rights amidst the ongoing digital transformation.
REFERENCES
Law Number 11 of 2008 jo. Law Number 19 of 2016 on Electronic Information and Transactions.
Law Number 27 of 2022 on Personal Data Protection.
Alpha Nsaghurwe, “One country’s journey to interoperability: Tanzania’s experience developing and implementing a national health information exchange”, BMC Medical Informatics and Decision Making, 21: 139, 2021.
Emmanuel C. Lallana, “e-Government Interoperability”, United Nations Development Programme, https://www.unapcict.org/sites/default/files/2019-01/e-Government%20Interoperability.pdf accessed 4 August 2024.
Gov UK, “Data Sharing Governance Framework”, https://www.gov.uk/government/publications/data-sharing-governance-framework/data-sharing-governance-framework accessed 6 August 2024.
Nabin Chowdhury and Vasileios Gkioulos, “Cyber security training for critical infrastructure protection: A literature review”, Elsevier, Vol. 40, May 2021.
Redaksi, “PDN Diduga Kena Ransomware, Faktor Keamanan Sudah Sampai Mana?”, Bloomberg Technoz, https://www.bloombergtechnoz.com/detail-news/41577/pdn-diduga-kena-ransomware-faktor-keamanan-sudah-sampai-mana accessed 8 August 2024.
Stacy A. Baird, “Government Role and the Interoperability Ecosystem”, I/S: A Journal of Law and Policy, 5:2, 2009.
World Bank Group, “Interoperability: Towards a Data-Driven Public Sector”, https://documents1.worldbank.org/curated/en/099550101092318102/pdf/P1694820242a9c041083900346bab0910eb.pdf accessed 4 August 2024.
[1] See, Article 55 of Law Number 27 of 2022 on Personal Data Protection.
[2] See, Article 56 of Law Number 27 of 2022 on Personal Data Protection.
[3] See, Article 22 of Law Number 27 of 2022 on Personal Data Protection.
[4] See, Article 16 paragraph (1) letter e Law Number 27 of 2022 on Personal Data Protection.
[5] Stacy A. Baird, “Government Role and the Interoperability Ecosystem”, I/S: A Journal of Law and Policy, 5:2, 2009, p. 223.
[6] World Bank Group, “Interoperability: Towards a Data-Driven Public Sector”, https://documents1.worldbank.org/curated/en/099550101092318102/pdf/P1694820242a9c041083900346bab0910eb.pdf accessed 4 August 2024.
[7] Emmanuel C. Lallana, “e-Government Interoperability”, United Nations Development Programme, https://www.unapcict.org/sites/default/files/2019-01/e-Government%20Interoperability.pdf accessed 4 August 2024.
[8] See, Article 31 of Law Number 11 of 2008 jo. Law Number 19 of 2016 on Electronic Information and Transactions.
[9] Article 3 letter c of Law Number 27 of 2022 on Personal Data Protection stated:
“Principle of public interest” shall mean that in enforcing Personal Data Protection, it must take into account the interests of the public or society at large. These public interests shall include the interests of state administration and national defense and security”
[10] Article 20 paragraph (2) letter e of Law Number 27 of 2022 on Personal Data Protection stated:
“The basis for Personal Data processing as referred to in paragraph (1) shall include:
[11] See, Article 20 paragraph (2) letter a of Law Number 27 of 2022 on Personal Data Protection.
[12] Gov UK, “Data Sharing Governance Framework”, https://www.gov.uk/government/publications/data-sharing-governance-framework/data-sharing-governance-framework accessed 6 August 2024.
[13] “Principle of accountability” shall mean that all parties related to Personal Data processing and supervision shall act responsibly so as to ensure the balance of rights and obligations of the parties concerned, including Personal Data Subjects. See, Article 3 letter g of Law Number 27 of 2022 on Personal Data Protection.
[14] See, Article 20 paragraph (2) letter a of Law Number 27 of 2022 on Personal Data Protection.
[15] Article 27 of Law Number 27 of 2022 on Personal Data Protection stated:
“The Personal Data Controller must process Personal Data in a limited and specific manner, lawfully and transparently”
[16] Article 47 of Law Number 27 of 2022 on Personal Data Protection stated:
“The Personal Data Controller must be responsible for the Personal Data processing and must demonstrate accountability in fulfilling the obligations of implementing the Personal Data Protection principles.”
[17] Mind the GAPS is a governance, architecture, program management, and standards framework. See, Alpha Nsaghurwe, “One country’s journey to interoperability: Tanzania’s experience developing and implementing a national health information exchange”, BMC Medical Informatics and Decision Making, 21: 139, 2021.
[18] Ibid.
[19] Redaksi, “PDN Diduga Kena Ransomware, Faktor Keamanan Sudah Sampai Mana?”, Bloomberg Technoz, https://www.bloombergtechnoz.com/detail-news/41577/pdn-diduga-kena-ransomware-faktor-keamanan-sudah-sampai-mana accessed 8 August 2024.
[20] Nabin Chowdhury and Vasileios Gkioulos, “Cyber security training for critical infrastructure protection: A literature review”, Elsevier, Vol. 40, May 2021.
For further information, please contact:
P: 6221. 7278 7678, 72795001
H: +62 811 8800 427
S.F. Anggraeni
Managing Partner
Sri Purnama
Junior Legal Research Analyst
Research Group Transnational Litigation and Tort Law