
Hospital Responsibility to Protect Patient Genetic Data

29 May 2026 in NEWS

Personal data in the healthcare industry is not limited to patients’ medical records but also includes patients’ genetic data, which contains their biological information. This data is unique and immutable, so it poses a high risk if misused. In the modern era, patients’ genetic data plays a significant role, especially in determining the appropriate healthcare services and providing insights into the risks of diseases patients may face in the future. 

The increasing use of patient genetic data signifies that healthcare facilities, such as hospitals, bear an ever-greater legal responsibility. This raises questions, such as: what are the hospital’s obligations in protecting patient genetic data? To answer these questions, read the following article!

 

Characteristics of Genetic Data

 

The constitutional foundation of the State of Indonesia is the 1945 Constitution of the Republic of Indonesia (“1945 Constitution”), from which all laws and regulations in Indonesia derive. Article 28G paragraph (1) of the 1945 Constitution states that:

“Every person has the right to protection of their person, family, honor, dignity, and property under their control, as well as the right to a sense of security and protection from the threat of fear of doing or not doing something that constitutes a fundamental right.”

The element of “personal protection” as set forth in Article 28G(1) of the 1945 Constitution implies that every individual has the right to protection against any form of action that may cause harm or endanger them. One of the individual rights to such protection is the right to protection of personal data.

According to Article 1(1) of Law No. 27 of 2022 on Personal Data Protection (“PDPA”), personal data refers to data concerning an identified or identifiable natural person, either on its own or in combination with other information, whether directly or indirectly, through electronic or non-electronic systems.

In the health industry, one specific type of personal data is genetic data. Genetic data is personal data related to a person’s genetic characteristics—whether inherited or acquired during early developmental stages before birth—that can be determined through DNA or RNA analysis to identify a person’s biological conditions and genetic traits. 

Unlike general medical data, genetic data is highly personal, permanent, and unchangeable throughout a person’s lifetime. These characteristics make genetic data far more sensitive than other types of data. If misused, the impact is not limited to a single individual but risks affecting genetically related family members. 

As the primary regulation governing the health sector in Indonesia, Law No. 17 of 2023 on Health (“Health Law”), in Article 4(1)(i), affirms that every person has the right to the confidentiality of their personal health data and information. Although this regulation does not explicitly mention the term “genetic data,” the scope of protected health information encompasses all data related to a patient’s physical and biological condition. Therefore, a patient’s genetic data is part of personal health information whose confidentiality, security, and use must be safeguarded by hospitals, medical personnel, and healthcare workers.


 

Hospitals’ Responsibility to Maintain the Confidentiality and Security of Patient Data

 

Hospitals are among the healthcare facilities that have an obligation to maintain the confidentiality and security of patient data, including genetic data, as part of the provision of professional and responsible healthcare services. This obligation is stipulated in Article 177(1) of the Health Law, which states that:

“Every healthcare facility must keep patients’ personal health information confidential.”

Furthermore, Government Regulation No. 28 of 2024 on the Implementing Regulations of Law No. 17 of 2023 on Health (“Health Government Regulation”) emphasizes that the management of health data must be conducted in accordance with the principles of security and confidentiality. In this regard, hospitals are required to ensure that data storage systems, whether electronic or manual, have adequate protection against unauthorized access, leaks, or misuse of data.

To fulfill its obligation to ensure the confidentiality and security of patient data, the hospital must, on the technical side, implement an information security system, such as the application of privacy by design, explicit consent, access management, security audits, and the obligation to notify in the event of a data breach.

In addition, administratively, the hospital is required to have an internal policy that regulates the management of patient data, including data disclosure procedures that can only be carried out with the patient’s consent or based on the provisions of laws and regulations.

The implementation of patient data protection in hospitals is not only an ethical obligation to maintain medical confidentiality, but also a legal obligation that must be fulfilled to guarantee patients’ right to privacy and prevent the misuse or leakage of health data, including sensitive patient genetic data.


 

The Relationship Between Genetic Data Protection and Medical Service Standards

 

Genetic data protection is closely related to high-quality medical service standards. In the delivery of healthcare services, the patient is the top priority, making patient trust the cornerstone of the relationship between patients and healthcare providers. If patients feel that their personal data is not secure, that trust may diminish, ultimately impacting the quality of healthcare services.

According to the Health Law, medical service standards encompass not only clinical aspects but also the protection of patients’ rights. One such right is the right to confidentiality regarding their health condition. Therefore, the protection of genetic data is an integral part of meeting medical service standards.

Furthermore, the protection of genetic data is also linked to the principle of informed consent. When genetic data is used for research or specific therapeutic purposes, the hospital is required to obtain explicit consent from the patient and/or the patient’s family. Without such consent, the use of genetic data may be considered a legal violation.

From a service quality perspective, the implementation of a robust data protection system also reflects the hospital’s professionalism. This aligns with the principles of good clinical governance, which emphasize the importance of accountability, transparency, and patient protection in every aspect of healthcare services.

Failure to protect genetic data can result in significant legal and reputational consequences for hospitals. The occurrence of patient health data breaches, which have been reported in various media outlets, demonstrates that data security is a serious public concern. Therefore, the protection of genetic data is inseparable from efforts to improve the overall quality of healthcare services.

The protection of patients’ genetic data is both a legal obligation and an ethical responsibility that must be fulfilled by hospitals in Indonesia. The highly sensitive nature of genetic data demands stricter protection compared to other health data. Through provisions in the 1945 Constitution, the Health Law, the Health Government Regulation, and the PDPA, the state has provided a clear legal framework for hospitals to maintain the confidentiality and security of patient data. These regulations make it clear that the protection of genetic data must be viewed as part of professional healthcare standards that prioritize the protection of patients’ rights.

 

List of Laws:

  • The 1945 Constitution of the Republic of Indonesia (“1945 Constitution”).
  • Law No. 17 of 2023 on Health (“Health Law”).
  • Law No. 27 of 2022 on Personal Data Protection (“PDPA”).
  • Government Regulation No. 28 of 2024 on the Implementing Regulations of Law No. 17 of 2023 on Health (“Health Government Regulation”).

 

References:

  • DNA and Genetic Data. Privacy International. (Accessed 13 May 2026, 13:21 WIB).
  • Simatupang, A. M., & Siregar, R. A. (2026). Hak atas Keamanan dan Kerahasiaan Data Medis pasien dalam Konsultasi Kesehatan Online. J-CEKI : Jurnal Cendekia Ilmiah, Vol. 5, No. 2, p. 1407. (Accessed 13 May 2026, 14:37 WIB).

About Author

SIP Law Firm

Written by SIP Law Firm, part of the SIP Law Firm team delivering insights and updates on the latest legal developments.
