In Indonesia, as of the date of this publication, there is no general law on data protection. However, there are certain regulations concerning the use of electronic data. These regulations consist of:
- Law No 11 of 2008 on Electronic Information and Transaction as amended by Law No. 19 of 2016.
- Government Regulation No.71 of 2019 on Administration of Electronic Transaction System.
- Minister of Communication and Informatics Regulation No.5 0f 2020 on Private Electronic System Providers.
- Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection on Electronic System.
However, for several years, a new draft Bill on the Protection of Private Personal Data ("Bill") is being discussed but to this date, it has not been issued. Although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives, if passed, this will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy (DLIA Piper, 2021).
Based on Government Regulation No.71 of 2019, Electronic System Provider (ESP) must protect personal data in processing and request approval in processing. The processing of Personal Data must be based on valid approval from the Data Owner. ESP must implement the principle of Personal Data Protection in conducting processing including:
- Collection is carried out in a limited and specific manner, legally valid, fair, and with the knowledge and consent of the Personal Data owner;
- Processing is carried out by intended use;
- Processing is carried out by guaranteeing the Personal Data owner’s right;
- Processing is carried out with accuracy, completeness, not misleading, up to date, can be accounted for, and with due regard to the purpose of the processing;
- Processing is carried out with protecting the security of Personal Data from loss, misuse, unauthorized access and disclosure, and alteration or destruction;
- Processing is carried out by informing the purpose of collecting, processing activity, and the failure in protection;
- Personal Data is destroyed and/or deleted unless still in a retention period by applicable legislation.
Personal Data Processing should meet the requirement of legal consent from the Personal Data owner for one or several specific purposes that have been informed to the Personal Data Owner. In the event of failure in the Personal Data protection it manages, ESP should notify in writing the Personal Data owner. ESP must delete the irrelevant Electronic Information and/or Electronic Documents under its control at the request of the Data Owner. The deletion consists of the right to erasure and the right to delisting from the list of search engines.
To protect user privacy, regulatory efforts around the globe such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been made in recent years which mandate online services to disclose transparently how they handle personal data and grant users crucial data protection rights.
Now, I will summarize the journal about a design space for effective privacy notices. The purpose of a privacy notice is to make a system’s users
or a company’s customers aware of data practices involving
personal information. Schaub, et.al constructed their design space according to the design science principle.
 |
They presented a design space that provides a structured
approach and vocabulary to discuss and compare different
privacy notice designs. This can support the design of privacy notices and controls. The design space should be leveraged as part of a comprehensive design process that focuses
on audience-specific privacy notice requirements and considers a system’s opportunities and constraints, to develop a notice and choice concept that is well integrated
with the respective system, rather than bolted on. Notices
should be evaluated in user studies.
REFERENCE
F. Schaub, R. Balebako , A. Durity, L. Cranor. A Design Space for Effective Privacy Notices. In Proc. 2015 Symposium on Usable Privacy and Security
Komentar