Indonesia: Health and Pharma Overview

1. Governing Texts

This note provides a general overview of data protection regulation in the health and pharmaceutical sector under Indonesian law.

At the time of publication, Indonesia does not have a general law governing personal data protection, except for the protection of personal data used in an electronic system, which is governed by Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems ('Kominfo Regulation 20') issued by the Ministry of Communications and Information Technology ('Kominfo'). Beyond this, provisions on data protection are included separately in various sectoral regulations. The Government of Indonesia ('the Government') is currently discussing a draft bill for a Personal Data Protection Act (only available in Indonesian here) ('the PDP Bill'). Once enacted into law, the PDP Bill will constitute an umbrella regulation for the protection of personal data in Indonesia.

In the health and pharmaceutical sector, general provisions on health matters, including medical and pharmaceutical matters and research and development in the health sector, are regulated under Law No. 36 of 2009 on Health, as amended by Law No. 11 of 2020 on Job Creation (only available in Indonesian here) and partially revoked by the Government Regulation in Lieu of Law No. 1 of 2020 on State Financial Policy and Financial System Stability for the Management of Corona Virus Disease 2019 (Covid-19) and/or Encounter the Threat to National Economy and/or Stability of Financial Systems ('the Health Law'), and its implementing regulations.

1.1. Legislation

The Health Law, as the umbrella law governing the health and pharmaceutical sector in Indonesia, stipulates a few provisions regarding data protection which, among other things, provide every individual with a right of confidentiality as to their personal health conditions which have been shared with health service providers.

In addition to the Health Law, data management and protection in the health and pharmaceutical sector is governed by many other implementing regulations through general health regulations, regulations that apply to certain health workers (e.g. special provisions for doctors or pharmacists), and special regulations regarding specific processes (e.g. protection of data in clinical trials and pharmacovigilance):

  • Law No. 29 of 2004 on Medical Practice ('the Medical Practice Law'), as partially revoked by Law No. 36 of 2014 on Health Workers (only available to download in Indonesian here) ('the Health Workers Law');
  • Government Regulation No. 46 of 2014 on Health Information System (only available to download in Indonesian here) ('the Health System Regulation');
  • Government Regulation No. 51 of 2009 on Pharmaceutical Works (only available to download in Indonesian here) ('the Pharmaceutical Works Regulation');
  • Government Regulation No. 39 of 1995 on Health Research and Development (only available to download in Indonesian here) ('the Health Research Regulation');
  • Ministry of Health Regulation No. 36 of 2012 on Medical Confidentiality (only available in Indonesian here) ('MOH Regulation 36');
  • Ministry of Health Regulation No. 26 of 2018 on Electronic Integrated Business Licensing Services in the Health Sector (only available to download in Indonesian here), as partially revoked by Ministry of Health Regulation No. 3 of 2020 on Hospital Classifications and Licensing (only available in Indonesian here) ('MOH Regulation 26');
  • Ministry of Health Regulation No. 62 of 2013 on Tissue and/or Cell Bank Operations (only available to download in Indonesian here), as partially revoked by MOH Regulation 26 ('MOH Regulation 62');
  • Ministry of Health Regulation No. 48 of 2012 on Cord Blood Stem Cell Bank Operation (only available to download in Indonesian here), as partially revoked by MOH Regulation 26 ('MOH Regulation 48');
  • Ministry of Health Regulation No. 269 of 2008 on Medical Record (only available in Indonesian here) ('MOH Regulation 269');
  • Ministry of Health Regulation No. 4 of 2018 on Hospital and Patients Obligations (only available to download in Indonesian here) ('MOH Regulation 4');
  • Ministry of Health Regulation No. 92 of 2014 on the Implementation of Data Communications in the Integrated Health Information System (only available in Indonesian here) ('MOH Regulation 92');
  • Ministry of Health Regulation No. 20 of 2019 on the Organisation of Telemedicine Services through Health Service Facilities (only available to download in Indonesian here) ('MOH Regulation 20');
  • Ministry of Health Regulation No. 37 of 2019 on the Public Information Management Guidelines in the Ministry of Health (only available to download in Indonesian here) ('MOH Regulation 37');
  • The Head of Indonesia National Agency of Drug and Food Control Regulation No. 21 of 2015 on Procedures for Clinical Trial Approval (only available in Indonesian here) ('BPOM Regulation 21'); and
  • The Head of Indonesia National Agency of Drug and Food Control Regulation No. HK.03.1.23.12.11.10690 of 2011 on the Implementation of Pharmacovigilance for the Pharmaceutical Industry ('BPOM Regulation HK.03').

Besides the laws and regulations under the health and pharmaceutical sector, the following laws and regulations are also applicable where the collection or management of personal data involves an electronic system:

  • Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016 (only available to download in Indonesian here) ('the Electronic Information Law');
  • Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (only available to download in Indonesian here) ('the Electronic Systems Regulation'); and
  • Kominfo Regulation 20.

1.2. Supervisory authorities

The implementation of laws and regulations in the health and pharmaceutical sector is supervised by the Ministry of Health of the Republic of Indonesia ('MOH') and the Indonesia National Agency of Drug and Food Control ('BPOM').

The MOH has the authority to oversee the implementation of health laws and regulations, including, but not limited to, the supervision of health facilities (e.g. hospitals, clinics, etc.), health workers (e.g. doctors, pharmacists, etc.), and pharmaceutical and medical device licences, as well as health research and development. The MOH has also established the Directorate General of Pharmaceutical and Medical Devices under its authority, which specifically holds the power to regulate, administer, and oversee pharmaceutical and medical device matters.

BPOM is a government agency formed to supervise matters related to drugs and food, including medicinal ingredients, traditional medicines, and health supplements, among others. Licensing and trading for the drug industry are also within the scope of BPOM's authority.

In addition to the two institutions above, Kominfo also has authority where an electronic system is involved.

1.3. Guidelines

In addition to the laws and regulations mentioned above, the Guidelines for Good Clinical Trials (3rd Edition of 2016) issued by the BPOM are also taken into consideration in this note.

1.4. Definitions

Given that there is no general regulation on personal data in place, there is no definition of personal data that is generally applicable to all sectors in Indonesia. Thus, the meaning of personal data relating to the health and pharmaceutical sector may vary according to specific regulations.

As for personal data which are involved in electronic systems, Kominfo Regulation 20 specifically defines personal data as particular individual data that is stored, maintained, kept for correctness, and protected for confidentiality.

Aside from the definition of personal data, the following terms used in this note shall have the meanings as specified below, as specifically governed under the prevailing laws and regulations regarding the health and pharmaceutical sector:

Health worker: Any person who is devoted to the health sector and has the knowledge and/or skills through education in the health field, for certain types requiring the authority to make health efforts (Article 1 of the Health Workers Law);

Medical confidentiality: Health data and information of an individual obtained by health workers when carrying out their work or profession (Article 1 of the MOH Regulation 36);

Pharmaceutical confidentiality: Pharmaceutical work that involves the production, distribution, and service processes of pharmaceutical preparations that should not be known by the public, in accordance with the provisions of laws and regulations (Article 1(25) of the Pharmaceutical Works Regulation);

Clinical trial: A research activity involving human subjects accompanied by the intervention of a test product, to find or ascertain other clinical, pharmacological and/or pharmacodynamic effects, and/or identify any unwanted reactions, and/or study absorption, distribution, metabolism, and excretion to ensure the safety and/or effectiveness of the product under study (Article 1 of BPOM Regulation 21);

Tissue and/or cell bank: A legal entity that aims to filter, retrieve, process, store, and distribute biological tissue and/or cells for health services (Article 1 of MOH Regulation 62);

Cord blood stem cell bank: A unit that meets the requirements to collect and process the cord blood, store and deliver cord blood stem cells for medicinal purposes, by receiving a sum of money as a storage service (Article 1 of MOH Regulation 48);

Pharmacovigilance: All activities regarding the detection, assessment, understanding, and prevention of side effects or other problems related to drug use (Article 1 of BPOM Regulation HK.03);

Sponsor: Individuals, companies, institutions, or organisations responsible for initiating, managing, and/or sponsoring a clinical trial (Article 1 of BPOM Regulation 21); and

Ethics commission: An independent institution, consisting of medical/scientific professionals and non-medical/non-clinical members in the field of clinical trials, which is responsible for the protection, rights, security, and well-being of clinical trial subjects (Article 1 of BPOM Regulation 21).

2. Clinical Research and Clinical Trials

Provisions on clinical trials for pharmacy are regulated under BPOM Regulation 21. Clinical trials are carried out on, among other things, drugs, herbal medicines, and health supplements.

Based on the timing of the trial, clinical trials can be divided into two types, namely:

  • pre-market clinical trials, which are conducted to check:
    • products that have not obtained marketing authorisations in Indonesia; or
    • products that already have marketing authorisations, to establish new indications or dosages; and
  • post-market clinical trials, meaning clinical trials of products that have passed pre-market clinical trials and have obtained marketing authorisations in Indonesia, to obtain safety data and/or to confirm approved efficacy/benefits.

Before conducting pre-market clinical trials, the individuals, companies, institutions, or organisations responsible for initiating the trial, and the sponsors who will carry out pre-market clinical trials for drugs, must obtain approval from BPOM, while sponsors that will carry out pre-market clinical trials for herbal medicines are only required to submit a notification to BPOM.

While conducting the clinical trial, the sponsor must submit a report on the implementation of clinical trials to the head of BPOM:

  • every six months;
  • at the end of clinical trial implementation; and/or
  • in the event of premature termination of the clinical trial, together with an explanation of the reason.

In addition to the aforementioned reports, the sponsor must also report:

  • any serious adverse drug reaction of the clinical trials of products in Indonesia to the head of BPOM; and
  • any unexpected serious adverse drug reaction of the clinical trials of products from clinical trials in other countries involving clinical trial centres in Indonesia to the ethics commission and the head of BPOM, if any.

2.1. Data collection and retention

Based on the clinical trial guidelines provided by BPOM, clinical trials are conducted in accordance with Good Clinical Practice ('GCP'), a standard for planning, conducting, performing, monitoring, auditing, recording, analysing, and reporting of clinical trials. The GCP governs, among other things, data collection and retention in clinical trials to ensure that:

  • the data collected and the reported results are credible and accurate; and
  • the rights, integrity, and confidentiality of trial subjects are protected.

2.2. Consent

To carry out clinical trials on an individual, the parties conducting the trial must first obtain informed consent from the trial subjects. Informed consent means a process by which a subject voluntarily confirms their willingness to participate in a particular trial after being informed of all aspects of the trial relevant to the subject's decision to participate. The informed consent is documented by means of a written, signed, and dated informed consent form.

The GCP provides detailed provisions on the requirements for obtaining informed consent and the arrangement of written informed consent. Among the matters that must be explained to trial subjects in the discussion prior to obtaining informed consent are:

  • the purpose of the trial;
  • the subject's responsibilities;
  • that the subject's participation in the trial is voluntary and that the subject may refuse to participate or withdraw from the trial, at any time, without penalty or loss of benefits to which the subject is otherwise entitled;
  • that the monitors, auditor, the institutional review board or ethics committee, and the regulatory authorities will be granted direct access to the subject's original medical records for verification of clinical trial procedures and/or data, without violating the confidentiality of the subject, to the extent permitted by the applicable laws and regulations and that, by signing a written informed consent form, the subject or the subject's legally acceptable representative is authorising such access; and
  • that records identifying the subject will be kept confidential and, to the extent permitted by the applicable laws and/or regulations, will not be made publicly available (if the results of the trial are published, the subject's identity will remain confidential).

In addition to the GCP guidelines, BPOM Regulation 21 adds that trial subjects must be notified if the product to be tested contains specific ingredients that could raise concerns for the beliefs of certain community groups.

The sponsor must also ensure that trial subjects have consented, in writing, to provide direct access to their original medical records for trial-related monitoring, auditing, the institutional review board or ethics committee review, and regulatory inspection. In this case, parties that receive direct access should take all reasonable precautions within the constraints of the applicable regulatory requirements to maintain the confidentiality of the subjects' identity and the sponsor's proprietary information.

2.3. Data obtained from third parties

Access to, or use of, personal data belonging to a subject in a clinical trial can only be done if the subject has given consent. Therefore, the sponsor or researcher cannot use data which is received from third parties for a trial without the consent of the data owner.

3. Pharmacovigilance

Companies that carry out pharmaceutical industry activities to produce drugs and medicinal ingredients are required to conduct pharmacovigilance. Pharmacovigilance activities are regulated under BPOM Regulation HK.03. Pursuant to BPOM Regulation HK.03, pharmacovigilance should be conducted by monitoring and reporting the following matters:

  • safety aspects of the drug in the context of detection, assessment, understanding, and prevention of side effects or other problems related to the use of drugs;
  • changes in drug benefit and risk profile; and/or
  • quality aspects that affect the drug's safety.

If companies find that the drugs and/or medicinal ingredients they produce do not meet the standards, they must report this to the head of BPOM.

In addition to a periodic safety update report, companies must submit a spontaneous adverse event report if there are undesirable events suspected to be caused by drugs, including vaccines, circulated by pharmaceutical industry companies. Undesirable events can be serious or non-serious. Based on the Technical Guidelines for the Implementation of Pharmacovigilance for the Pharmaceutical Industry, as set out in the Appendix of BPOM Regulation HK.03, serious undesirable events include all medical incidents arising from drug use, including vaccines, that cause:

  • death;
  • life-threatening situation;
  • patients requiring hospitalisation;
  • extension of hospitalisation period;
  • permanent disability;
  • congenital abnormalities; and/or
  • other important medical events.

In delivering spontaneous reports, companies must provide patient information. Nevertheless, BPOM Regulation HK.03 is silent on whether the patient information can be anonymised (even though we note that the report form allows the patient's initials to be given instead of a name). BPOM Regulation HK.03 only stipulates that the report must include:

  • the patient's characteristics, including demographic information such as name/initials, age, occupation, weight, gender, and ethnicity;
  • initial diagnosis before using the suspected drug;
  • use of other medications at the same time;
  • co-morbidity conditions;
  • family history of relevant diseases; and
  • the presence of other risk factors.

4. Biobanking

Indonesian law regulates biobanking activities in the form of tissue and/or cell banks and cord blood stem cell banks. To carry out such activities, a bank must obtain a tissue and/or stem cell bank operational licence. The requirements to obtain the operational licence include:

  • obtaining notification from the MOH and the regional health office of the relevant province;
  • submitting a profile of the tissue and/or stem cell bank (e.g. vision and mission, activities, strategic plan, and organisational structure of the banks);
  • having cooperation agreements with teaching hospitals with certain classes and/or medical education institutions; and
  • proving the availability of human resources, infrastructure, and equipment pursuant to the standard as required under the regulations.

In order to ensure compliance with these requirements, the authorised institution will visit companies that intend to carry out biobanking activities.

Tissue and/or cell banks

Collection of tissue and/or cells shall only be conducted based on the donor's approval. If the donor has passed away, the tissue and/or cells can only be collected if this is in accordance with the donor's testament and based on the approval of their closest family member or legal heir. The family's consent to the collection of tissues and/or cells shall be made in writing.

The tissue and/or cells that have been collected must be packaged, labelled, and delivered to the bank. The delivery of the tissue and/or cell must be accompanied by a donor form stipulating donor data which includes the type of tissue, name, age, gender, address, registration number, and cause of death (if relevant). Then, the tissues shall be stored in a bank and processed. The processed tissues shall be packaged and labelled without including information about the donor and the tissues will be distributed for the benefit of health services or research.

The identity of the donor, their family, and the prospective recipient must be kept confidential. The identity can only be accessed by authorised parties through identification of the registration number. Nevertheless, the identity must remain traceable, via the registration number, for audit purposes in quality improvement.

One other thing to note is that donated tissue and/or cells cannot be traded. Therefore, the donor and the donor's family will not receive any compensation in relation to the collection of the donor's tissue and/or cells.

Cord blood stem cell banks

Cord blood stem cell banks provide cord blood stem cell storage for clients as well as donors. A client is the mother of a baby whose umbilical cord blood is taken during delivery and who stores the umbilical cord blood stem cells for use in curing illness or assisting health recovery. Donors are those who donate cells to be used to cure illness.

To be able to collect cells, the bank must obtain informed consent from the client/donor. The bank must first explain to the client/donor certain information, including but not limited to the following:

  • storage purposes for cord blood stem cells;
  • potential benefits and risks, both medically and ethically, including indications and results;
  • storage of blood samples for later examination;
  • possible use of cord blood stem cells for quality or validation tests; and
  • possible use of cord blood stem cells for research based on client or donor consent.

After receiving this information, the client/donor must enter into a written agreement with the bank regarding the storage of the cord blood stem cells.

Cell processing is carried out according to service standards, professional standards, and operational procedure standards. The bank must record the cell processing and provide the processing summary to the client/donor. The bank must maintain records on the storage of these cells and must have procedures to maintain the confidentiality of information regarding donors, officers, and clients. The bank is also required to maintain the relationship with the donor's family as well as the doctor in charge to notify them if there are abnormalities, genetic disorders, or disease transmissions while maintaining confidentiality.

5. Data Management

As Indonesia currently does not have a specific law governing personal data protection, there are no provisions on either the role of personal data processors and personal data controllers, or that of the data protection officer ('DPO') yet. However, as mentioned above, the Government is currently in the process of drafting the PDP Bill. Based on a review of the PDP Bill, the roles of personal data processors, personal data controllers, and the DPO will be regulated thereunder.

Article 1 of the PDP Bill states that the controller of personal data is the party who determines the purpose of, and controls the processing of, personal data. Under its provisions, the controller is required to, among others:

  • obtain approval from the personal data owner before processing the personal data;
  • stop processing personal data in the event that the owner withdraws its authorisation;
  • prevent personal data from being illegally accessed; and
  • record all personal data processing activities.

Meanwhile, the processor of personal data is defined as the party that processes personal data on behalf of and based on instructions from the controller.

Further, the PDP Bill provides that the controller and processor can appoint a DPO under certain circumstances. The DPO must be appointed based on professional qualities, knowledge of the law and practice of personal data protection, and the ability to perform their duties.

Health data management and confidentiality

Indonesian law does not provide general rules regarding health data management that apply to all activities in the health sector. Provisions regarding data management are regulated separately in various laws and regulations, for example under clinical trial and biobanking regulations as covered in the previous sections. The relevant laws and regulations on such matters provide fairly comprehensive guidelines on how data should be collected, processed, stored, and disclosed.

In relation to data confidentiality, the Health Law provides that everyone has the right to the confidentiality of their personal health information that has been revealed to a health service provider. This right to confidentiality does not apply where disclosure is required on the basis of:

  • the provisions of laws and regulations;
  • the court order;
  • the relevant licences;
  • the community interests; or
  • for the benefit of the person concerned.

This provision has become the basic rule regarding the confidentiality of data in the implementing regulations of the Health Law.

The Health Workers Law requires health workers to maintain the confidentiality of information about recipients of health services. Furthermore, MOH Regulation 36 stipulates that all parties involved in providing medical services and/or using patient data and information are required to maintain privacy and medical confidentiality. Medical confidentiality can only be disclosed for the benefit of the patient's health, to fulfil a request from law enforcement officials in the context of law enforcement, at the patient's request, or based on statutory provisions. Disclosure of medical confidentiality for the patient's health can only be done with the patient's consent. If the patient is not legally capable of giving consent, it can be given by their closest family member or guardian. In addition, hospitals, as health facilities, must also maintain the privacy and confidentiality of their patients' medical data based on MOH Regulation 4.

In line with the above, pharmaceutical workers also have the obligation to maintain medical confidentiality as well as pharmaceutical confidentiality. Based on the Pharmaceutical Works Regulation, pharmaceutical confidentiality can only be disclosed for the benefit of patients, fulfilling judges' requests for law enforcement, patient's requests, and/or based on the provisions of laws and regulations.

Provisions regarding the confidentiality of health data, especially those directly related to personal data, are also regulated in various laws and regulations relating to specific health sector activities. For example, Indonesian law regulates the confidentiality of data in medical records based on MOH Regulation 269 and MOH Regulation 37, as well as on research and development in the health sector based on the Health Research Regulation.

Data management on the health information system

The Health Law requires that, in developing the health information system, the Government shall facilitate public access to health information. This information system must be managed by each health service facility as well as by the regional and national government authorities. Health information in the health information system is sourced from public and private health facilities as well as from the general public. The data is processed using an electronic health system connected to the MOH electronic system or, if an electronic system is not available, a non-electronic system may be used. Data processing may only be conducted within the territory of Indonesia unless the MOH gives permission otherwise in certain circumstances.

Health information must be stored in a domestic database. Information storage is carried out for a minimum of 10 years for non-electronic information and 25 years for electronic information, subject to the archive retention schedule. Storage of health information can be conducted by using the services and facilities of other parties, provided that the information owner must remain responsible for the confidentiality of the information and submit the information retention report to the MOH.

Based on its accessibility, the data content of the health information system is divided into:

  • open data content (i.e. data that has been processed and can be accessed by the public); and
  • closed data content (i.e. data that has not been processed and can only be accessed by the government authorities).

Data managers have an obligation to maintain the confidentiality of closed data. Private entities can access closed data only if they have obtained official approval from the MOH, while open data can be presented through electronic and non-electronic means for the general public.

Personal data protection in the electronic system

In the event that personal data related to health issues are managed by an electronic system, the management must follow the provisions on personal data protection in electronic systems as regulated under Kominfo Regulation 20. Kominfo Regulation 20 defines an electronic system as a series of devices and electronic procedures which function to prepare, collect, process, analyse, store, display, announce, transmit, and/or disseminate electronic information. Such an electronic system shall be managed by an electronic system provider ('ESP') registered with Kominfo. This provision is relevant if a company provides a site, application, portal, or the like, for example, for the provision of health consultations or an online drug store.

Kominfo Regulation 20 specifies provisions on personal data protection in:

  • acquisition and collection;
  • processing and analysing;
  • storage;
  • display, announcement, delivery, dissemination, and/or opening of access; and
  • removal.

The ESP must have internal regulations regarding personal data protection to ensure that they can implement such personal data protection processes.

Pursuant to Kominfo Regulation 20, the ESP shall ensure that the acquisition and collection of personal data are carried out on the basis of the owner's consent. Personal data can only be processed for purposes that have been clearly conveyed to the owner at the time of data acquisition and collection. The ESP must also make sure that there is no unauthorised disclosure and/or delivery of personal data. It must also comply with the provisions regarding reporting obligations to government institutions.

6. Outsourcing

Indonesian law does not regulate outsourcing activities for health data management. It should be noted that outsourcing schemes may be more relevant if the prevailing laws regulate personal data controllers and personal data processors. In such cases, the cooperation scheme between the controller and processor might be considered as outsourcing. However, as mentioned in the previous section, the concept of controller and processor is not regulated under Indonesian law. In addition, outsourcing activities are also limited by the prevailing laws and regulations, especially the labour regulations.

Aside from outsourcing, provisions regarding cooperation with other parties relating to health data management are regulated explicitly in certain laws and regulations. For example, in the operation of a health information system, as specified under Section 5 of the Health System Regulation, the storage of health information on a health information system can be carried out by using the services of other parties in Indonesia, with the following conditions:

  • the owner of the stored health data and information cannot release its responsibility for the confidentiality of the information;
  • the owner of the health data and information must submit a report on the storage of the health data and information to the MOH; and
  • the storage must be done in accordance with statutory provisions related to archive accessibility.

7. Data Transfers

Indonesian laws do not provide general provisions on the transfer of sensitive personal data relating to health. However, bearing in mind that under the Health Law everyone is entitled to the confidentiality of their health data (subject to certain limitations), any transfer of personal data shall be conducted with due regard to the protection of the right to health data confidentiality.

Specific to personal data that is contained in an electronic system, Kominfo Regulation 20 regulates that any transfer of personal data managed by the ESP in Indonesia to other locations outside Indonesian territory must be carried out in coordination with the Kominfo or the authorised officials/institutions. The coordination shall be carried out by submitting relevant reports to Kominfo, as follows:

  • reporting on the plan for the transfer of personal data which shall be submitted before the transmission of such data; and
  • reporting on the results of personal data transfer, which shall be submitted upon completion of the personal data transfer.

8. Breach Notification

There are no general provisions regarding notifications for failures in maintaining personal data in the health sector, except for the personal data that is contained in an electronic system.

For the personal data that is contained in an electronic system, the Electronic Information Law and Kominfo Regulation 20 stipulate that ESPs must notify the personal data owner, in writing, if there is a failure in protecting the confidentiality of the personal data in the electronic system. The breach notification shall take into account the following:

  • the notification shall include reasons for the failure to protect the confidentiality of personal data;
  • the notification may be made electronically if the data owner has given consent for that purpose when acquiring and collecting their personal data;
  • the ESP must ensure that the notice has been received by the personal data owner if the failure carries a potential loss for the relevant personal data owner; and
  • the written notification shall be sent to the data owner within 14 days of acquiring knowledge of such failure.

9. Data Subject Rights

The Health Law determines that every person has the right to obtain information about their health data, including actions and treatments that they have, or will, receive from health workers. Everyone also has the right to the confidentiality of personal health conditions that have been revealed to the health service provider, subject to restrictions outlined under the legislation. Based on MOH Regulation 4, each patient has the right to the confidentiality of the illness suffered and of their medical data, as well as the right to gain access to the contents of their medical records.

Provisions regarding ownership and the rights of the data owner may vary across specific regulations in the health and pharmaceutical fields. For example, in relation to medical records, the medical record files are the property of the health facility, while the substance of the medical record belongs to the patient. The patient can obtain a summary of their medical records from the health facility.

For data in electronic systems, Kominfo Regulation 20 determines that data subjects shall have the following rights:

  • right to the confidentiality of their personal data;
  • right to file a complaint to the Kominfo to resolve a personal data dispute for the failure of an ESP to protect the confidentiality of their personal data;
  • right to access, or opportunity to alter or update, their personal data without interfering with the personal data management system, unless provided otherwise by the laws and regulations;
  • right to access, or opportunity to claim, the history of the personal data they have delivered to the ESP, insofar as permitted by the laws and regulations; and
  • right to request that their own data in the electronic system managed by the ESP be destroyed, unless provided otherwise by the laws and regulations.

10. Penalties

Sector-specific penalties

The Medical Practice Law stipulates that any doctor or dentist who deliberately does not fulfil the obligation to keep confidential everything they know about the patient, even after the patient has passed away, can be convicted with a criminal fine of up to IDR 50 million (approx. €3,280). The Health Law provides that everyone has the right to file compensation claims against individuals, health workers, and/or health providers who cause losses due to errors or negligence in the health services they received. Such damages include, for example, losses caused by a leak of medical confidentiality.

The Health Law determines that authorised institutions can carry out administrative actions on health personnel and health service facilities that are in violation of the provisions of the Health Law, including in connection with confidentiality obligations. Based on the Health Law, administrative actions can be carried out in the form of written warnings and revocation of temporary or permanent licences. The same approach is also determined in several relevant laws and regulations, such as in MOH Regulation 62, in connection with tissue and/or cell banks, and MOH Regulation 269, in connection with medical records.

Penalties for electronic systems

For data in the electronic system, the Electronic Information Law determines that anyone who intentionally and without rights or against the law in any way alters, adds, subtracts, transmits, damages, removes, moves, or hides electronic information and/or documents belonging to other people or the public shall be sentenced to a maximum of eight years' imprisonment and/or a maximum fine of IDR 2 billion (approx. €130,940). If such actions cause confidential electronic information and/or documents to become publicly accessible, the sanctions that can be imposed are a maximum of ten years' imprisonment and/or a maximum fine of IDR 5 billion (approx. €327,360).

In connection with the protection of personal data, the Electronic Information Law also stipulates that the use of any information through electronic media that involves a person's personal data must be done with the consent of the person concerned. The owner of the personal data can file a claim for damages arising from violations of this provision. Furthermore, Kominfo Regulation 20 states that any person who acquires, collects, processes, analyses, stores, displays, publishes, transmits, and/or disseminates personal data in an unauthorised manner, or otherwise not in accordance with the provisions of laws and regulations, shall be subject to administrative sanctions in the form of:

  • verbal warnings;
  • written warnings;
  • suspension of activities; and/or
  • announcement on an online website.

11. Other Areas of Interest

Telemedicine

In order to upgrade the quality of healthcare services in Indonesia, especially with regard to services for patients in remote areas, the government opened up the possibility of telemedicine healthcare services by issuing MOH Regulation 20. Pursuant to MOH Regulation 20, telemedicine services can be organised on the basis of collaboration between health service facilities ('HSF').

MOH Regulation 20 defines telemedicine as the provision of long-distance health services by health professionals by utilising information and communication technology, consisting of information exchange on diagnosis, medication, disease and injury prevention, research and evaluation, and sustainable education of health service providers in order to improve individual and public health.

The telemedicine services shall consist of teleradiology, tele-electrocardiography, tele-ultrasonography, teleconsultation clinic services, and other services in accordance with the development of science and technology. The telemedicine services are implemented by health workers who hold a practice licence in the organising HSF.

Telemedicine services are carried out based on cooperation between organising HSFs, which shall be differentiated into:

  • consultancy-providing HSF which receives a request and provides telemedicine consultancy services; and
  • consultancy-requesting HSF which sends a request for telemedicine consultancy.

The organising HSF must meet the requirements for human resources, facilities, infrastructure, devices, and applications. The organising HSF must also be registered with the director-general in the field of health services at the MOH. MOH Regulation 20 also emphasises the obligation of the organising HSF to maintain the confidentiality of patient data.

During the COVID-19 pandemic, the MOH further issued guidelines for healthcare services through telemedicine under Decree of the Minister of Health of the Republic of Indonesia No. HK.01.07/MENKES/4829/2021 of 2021 (only available in Indonesian here) ('the MOH Decree on Covid-19 and Telemedicine') to support the provision of telemedicine services to prevent the spread of the COVID-19 virus. The MOH Decree on Covid-19 and Telemedicine provides, among other things, the rules for the implementation of telemedicine services during the COVID-19 pandemic and for the online monitoring of COVID-19 patients in self-quarantine. The telemedicine services should be carried out using an application provided by the government, or an application developed by private institutions that has been registered with the government, as regulated under the prevailing laws and regulations.

Freddy Karyadi, Partner
[email protected]
ABNR, Jakarta