Recent reports of data breach of 1.3 billion SIM Card registration data has incited public debate in Indonesia. The public debate continued following the controversy of a data breach involving 105 million Indonesian citizens, originated from the General Election Commission (KPU),which was illegally sold on an online forum namely  “Breached Forums”.[1]

The controversy provoked the rise of the hashtag #TuntutKominfo (literally sue Kominfo, referring to the Ministry of Communication and Information), which brought the hashtag to be a trending topic on Twitter. The Ministry of Communication and Information has publicly conveyed that the Ministry had nothing to do with the data breach and the case has been under investigation.[2]

The implementation of personal data protection in Indonesia has been a crucial issue for relevant stakeholders. In fact, the Government and the House of Representatives have initiated discussing the Bill on Personal Data Protection (RUU PDP) in 2019 as it was mandated in the 2019 National Legislation Program. The discussion of the bill, however, has yet to conclude up to  mid-2022.

A Law on Personal Data Protection is expected to serve as a guide for the protection of the public’s personal data and to provide certainty for relevant stakeholders, both government and private parties, in treating the personal data they manage.

What should our organization or company do in case of data leak or breach?

Personal Data

The Minister of Communication and Information Technology  Regulaion No. 20/2016 on Personal Data Protection in Electronic Systems defines personal data as certain personal data  (data perseorangan tertentu) that is stored, maintained, and protected its integrity and confidentiality. Based on this regulation, what is referred to as certain personal data (data perseorangan tertentu) is any true and real information that is attached to and can be identified, either directly or indirectly, on each individual whose utilization is in accordance with the provisions of laws and regulations while the owner of personal data (pemilik data pribadi) is the individual whose attached to certain personal data.

The regulation  specifically regulates the protection of specific personal data in electronic systems. However, the provisions of the regulation can be used as a reference in the implementation of personal data protection in Indonesia while the Bill on Personal Data Protection is under discussion.

The Minister of Communication and Information Technology Regulation No. 20/2016 stipulates the scope of personal data protection in electronic systems in the following processes:

1. acquisition of personal data,
2. collection of personal data,
3. processing of personal data,
4. analysis of personal data,
5. storage of personal data,
6. display of personal data,
7. announcement of personal data,
8. transfer of personal data,
9. dissemination of personal data, and
10. destruction of personal data.

Such processes in an electronic system must be based on the principle of good personal data protection. Every process from the acquisition of personal data to its destruction must secure the consent of the owner of the personal data. This approval is in the form of a written statement, both manually and/or electronically, given by the owner of the personal data after obtaining a complete explanation of the process mentioned above.

Electronic system operator (PSE) is any person, state administrator, business entity, and community that provides, manages, and/or operates an electronic system individually or jointly to users of electronic systems for their own needs and/or the needs of other parties. .

As a data controller, PSE is obligated to ensure the protection of the personal data it manages, starting from the stage of monitoring, preventing, to overcoming the occurrence of data leakage.

If there is a failure of protection such as personal data leakage, then PSE as the data controller must notify the owner of the personal data in writing, with the following conditions:[3]

1. must be completed with reasons or causes for the failure to protect confidential personal data;
2. can be done electronically if the owner of the personal data has given his/her consent, which was stated at the time of the acquisition and collection of his/her personal data;
3. must be ensured that it has been received by the owner of the personal data if the failure carries a potential loss for the person concerned; and
4. written notification is sent to the owner of the personal data no later than 14 days after the failure is known.

Managing Personal Data Breach

An organization or company that manages personal data needs to have internal rules that are used as guidelines in dealing with personal data leakage. The internal rules for dealing with data leakage are known as the Data Breach Management Policy (DTMP). DTMP is a guideline that contains a framework that stipulates the roles and responsibilities of each party involved in dealing with data leakage and contains instructions for steps that must be taken by the company in the event of a data leak. The company must also ensure that every employee understands the provisions and how to apply the DTMP in the event of a data leak.

Some of the reasons why an organization or company needs to have a DTMP are:

  1. to fulfill legal obligations based on Article 28 of the Minister of Communication and Information Regulation No. 20/2016 stipulating that PSE is required to have internal rules regarding the protection of personal data in accordance with the provisions of the legislation.
  2. to prevent, limit, and/or reduce the impact of losses due to breach of personal data.
  3. as a form of effort to build the trust of the owner of personal data whose data is managed by the company.

The cases of data breach that continues to happen in Indonesia should be considered as a warning for personal data controllers to continue to improve the personal data protection security system they manage. The prevention of data breach is something that every organization or company must commit to in order to ensure the protection of personal data and legal compliance with applicable laws and regulations.



[3] Pasal 28 Peraturan Menteri Komunikasi dan Informatika No. 20 Tahun 2016



R. Yudha Triarianto Wasono, S.H., M.H.



Mail       :

Phone    : +62-21 799 7973 / +62-21 799 7975