Imagine that after a night out with friends, you became ill and required hospitalization. Your head of state announced that you and a family member were the first two confirmed COVID-19 cases, but you did not know about your positive diagnosis until you heard the public announcement.
Your personal details were then leaked in WhatsApp groups and social media platforms, including your initials, age, photos, jobs, medical record, social media accounts and home address. Hoaxes were circulated about you, and reporters swarmed your housing complex.
How would you feel?
This is what happened to a 31-year-old woman and her 64-year-old mother from Depok, West Java, who became known as Case 1 and Case 2. It could happen to any of us.
President Joko “Jokowi” Widodo has since urged government officials to protect the identity and privacy of all COVID-19 patients, while the Alliance of Independent Journalists (AJI) has called on the media to be more considerate in their reporting. But the damage was done.
Cases 1 and 2 said the breaching of their privacy had left them “mentally drained” and stigmatized in their community. These missteps in communicating the spread of COVID-19 demonstrate why robust personal data protection is urgently needed.
Violating the right to privacy and dignity of cases 1 and 2 negatively affects their wellbeing, which is crucial for their recovery, and potentially undermines the government’s public health efforts. Such incidents may prevent others who are experiencing symptoms from coming forward and getting tested for fear of being publicly harassed if their personal data is breached. People’s reluctance to get tested would only make it harder for the government to contain the virus.
The World Health Organization (WHO) agrees that mass testing, as South Korea, Singapore and Taiwan have done, enables positive cases to be isolated and allows for those who came in contact with them to be identified. Other experts even advocate for the testing and retesting of every single person, regardless of whether they showed any symptoms, to stop the outbreak.
At present, Indonesia has the fourth-worst testing rate among countries with a population of 50 million or more, after Ethiopia, Nigeria and Bangladesh. Indonesia has only tested 36 in every million people for COVID-19, compared to Singapore's 6,666 and Malaysia's 1,605. The government must do more to increase testing capacity, encourage its population to get tested and provide robust personal data protection that minimizes the risk of breaches.
Disclosing excessive amounts of patients’ personal information, especially without prioritizing public health measures like widespread testing, would cause harm that far outweighs the public health benefits. This is why ensuring patients' confidentiality is a key public health strategy against infectious diseases, particularly when the illness is stigmatized, as is the case with COVID-19.
And even if personal information is critical for public health officials, that does not mean the information is significant for the general public. The balance between protecting individual privacy and disclosing personal data that is important for the public good must therefore be ethically considered.
Governments around the world are collecting and retaining increasing amounts of our personal information. For example, the Indonesian government launched the “PeduliLindungi” app. Similar to Singapore’s “TraceTogether” app, “PeduliLindungi” aims to bolster contact-tracing efforts to track down cases and suspected patients. It claims that user data is encrypted, will not be shared with third parties and will only be accessed if the user is deemed to be at risk of infection, but the app has not been independently analyzed to ensure an acceptable level of data protection.
Focusing on solutions like apps may trivialize other, much-needed answers, including mass testing and the processing of test swabs. For contact tracing efforts to succeed, as in Singapore and South Korea, they must be supported by a well-equipped healthcare infrastructure that is able to test large numbers of people who may have been exposed to the coronavirus.
The government’s use of apps is also concerning. Although Government Regulation No. 71/2019 on the Implementation of Electronic Systems and Transactions obliges the government to destroy user data collected by the app after the pandemic is over, this provision is purely administrative in nature and fails to provide the maximum legal protection of user data. Additionally, the government is not legally obliged to inform users what else their data will be used for.
Personal data protection promotes trust in public health, but Indonesia still lacks a general data protection regulation. Data protection in Indonesia is scattered across at least 32 different laws, six of which pertain to the health sector, including access to health data, like the Health Law, the Hospital Law, the Medical Practice Law, the Medical Practitioner Law, the Mental Health Law and the Narcotics Law.
Meanwhile, neighboring Malaysia, Singapore, the Philippines, Thailand, and more than 120 other countries in the world already have comprehensive data privacy laws.
Cases 1 and 2 have shown that misuse and leaks of personal data are no longer just hypothetical and that Indonesia’s disparate laws are insufficient to protect the privacy and security of patient data. To address this gap, the government submitted a general personal data protection bill to the House of Representatives in January, and Communications and Information Minister Johnny G. Plate hopes for it to be passed by October.
In light of recent data breaches, the government must hold itself to the highest standards of transparency and accountability and implement a strong general data protection regulation as soon as possible.
Irene Poetranto is senior researcher at the Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto. Sinta Dewi Rosadi is associate professor at the School of Law, Padjadjaran University in Bandung, with research on cyberlaw. The views expressed are their own.
Disclaimer: The opinions expressed in this article are those of the author and do not reflect the official stance of The Jakarta Post.