Data At KPAI Is Tampered With, ELSAM Asks For The PDP Bill To Regulate The Protection Of Children's Personal Data

Executive Director of the Institute for Community Studies and Advocacy (ELSAM) Wahyudi Djafar (ANTARA)

JAKARTA - Executive Director of the Institute for Community Studies and Advocacy (ELSAM) Wahyudi Djafar said the Personal Data Protection Bill (PDP) must regulate the protection of children's personal data.

"The DPR and the government need to ensure that there are special arrangements for protecting children's personal data in the PDP Bill by referring to a child rights-based approach," Wahyudi said in a press statement received in Jakarta, Antara, Friday, October 22.

The recommendation is Wahyudi's response to the alleged leak of complaint data managed by the Indonesian Child Protection Commission (KPAI).

The discovery of the leak was first reported by a Twitter account with the username txtdarionlshop after finding one of the accounts named C77 selling two KPAI complaint database files with the name KPAI Leaked Database on the RaidForums website which was uploaded on October 13, 2021.

Based on the uploaded data sample, the data that is suspected to have leaked includes 13 elements of personal data, namely name, identity number, email, telephone, occupation, education, place and date of birth, address, city, province, and nationality, as well as a number of personal data collected sensitive, namely religion and gender.

On the alleged leak incident, members of KPAI Jasra Putra have confirmed it. Even now, the National Cyber and Crypto Agency (BSSN) is conducting an investigation.

Leakage of personal data from the KPAI complaint database is only less than 3 months from the case of leakage of personal data on the e-HAC application managed by the Ministry of Health.

"The repeated incidents of data leakage show the weakness of the personal data protection system and enforcement mechanism," said Wahyudi.

Therefore, Wahyudi stressed that the PDP Bill is important to be immediately ratified by the DPR and the government in order to regulate the obligations of data controllers and data processors more firmly, including what actions must be taken to ensure the protection of the rights of data subjects.

The PDP Bill which is currently being discussed in the DPR, he said, still fails to regulate special protection standards for the processing of children's personal data.

The bill actually places children's data as sensitive data, whereas in principle, processing of sensitive data is prohibited, unless it meets certain requirements, one of which is through the explicit consent of the data subject.

"The problem is, is it possible to get explicit consent from children whose status is still under the care of their parents or guardians? In fact, processing children's personal data is something that must be done at this time, for example for the sake of education," he said.

As a data controller, according to him, KPAI has at least six main obligations, namely responsibility and compliance, ensuring processing security, recording processing activities, confidentiality of personal data, notification when a breach occurs, and assessing the impact of data protection.

"KPAI is also obliged to implement special protective measures to ensure the security of children's personal data," Wahyudi said.