Good practices for ensuring data protection and privacy in social protection systems – the case of Indonesia
The digital revolution and connected digital transformation processes can bring benefits to social protection systems. But with development in digital and data-driven technologies, the topic of data privacy and protection has become increasingly important in recent years.
This was the background for the webinar “Good practices for ensuring data protection and privacy in Social Protection Systems – the case of Indonesia”, which was held on September 6th, 2022. The session was moderated by Valentina Barca. The speakers were Ben Wagner, Enabling Digital; Jacqueline Stein-Kaempfe, Data Protection Specialist, UNICEF; Maliki, Director of Poverty Alleviation and Community Empowerment BAPPENAS Indonesia; Andre Rahadian and Mika Isac Kriyasa, Dentons HPRP, Indonesia; Subianto, Chief Digital and Technology Officer PricewaterhouseCoopers, Indonesia.
The full recording of the webinar is available here and the slide presentation is here.
Jacqueline Stein-Kaempfe was the first speaker. In general, she focused on giving an overview of why data protection is relevant for social protection and highlighted some key points on terminology.
She started her presentation explaining some main concepts of data protection. Data protection is an intrinsic element of the right of privacy, which is a fundamental human right. This right is contained not only in the Declaration of Human Rights, but also in the Constitution of many states. However, data is different than the private sphere protected by the right to privacy: it travels around the world and is accessible by many people.
That being said, to fully enjoy the right to privacy relating to personal data, processing of personal data needs to be actively protected and regulated. Data protection is the regulation of the processing of personal data by companies, governments, NGOs, and other individuals with the goal to mitigate interference with privacy. It states what entities can and cannot do (obligations of entities) and which are the rights of individuals relating to their personal data. This focus can be shown, for example, in the GDPR, which has the idea of empowering individuals with rights to control their personal data better.
Personal data, by its turn, is any information relating to an identified or an identifiable individual, such as name, address, telephone number, health information, among others. In the social protection field, the protection of this type of data is important, as there are a number of sensitive data needed to implement, monitor, and evaluate social protection programmes. Besides that, most of this data is linked to the most vulnerable in society, which have lesser means to defend their rights.
Other important reasons include the fact that poorly designed social protection programmes may expose individuals to harm, if data falls into the wrong hands (persecution, stigmatization, surveillance) and that transparent data protection can enhance the quality of services and creates trust between beneficiaries and state institutions.
Following the first presentation, Ben Wagner summarized the purpose and key lessons of the Implementation Guide developed by SPIAC-B and highlighted good and bad international practices in terms of social protection and data protection.
The purpose of the Implementation Guide was to encourage and support government in low-and-middle income countries in their efforts to ensure data protection and privacy in social protection systems. Its aim is to be a practical and sector-specific guide that can be used to support people on the ground in the decisions made during the design of delivery structures for national social protection schemes and programmes. This includes guiding practitioners, programme staff of development and humanitarian agencies and the individuals participating in social protection programmes (data subjects) in its efforts to build a solid framework for data protection and social protection.
The guide includes recommendations in areas such as data processing, data subject rights, accountability, oversight and enforcement, data sharing and sensitive personal data. During the presentation, Ben called attention specifically to this last topic, as social protection typically deals with vulnerable groups in society.
One of the key elements to protect sensitive data is the minimization process, when you minimize the data to what is actually needed. There are several risks of not doing that, as it was shown in the case of the loss of United Kingdom child benefit data in 2007. In this situation, a data breach incident happened when 2 CDS containing data such as addresses, birth dates and bank accounts went missing in post, opening up the threat of mass identity fraud and theft from personal bank accounts.
Other bad examples regarding the lack of data protection in social protection systems include the Australia “robo-debt” scandal in 2017 and The Netherlands “Syri” case (2020). Much can be done to avoid these risks and implement data protection on social protection programmes. Some of them include promoting, adopting, and applying data protection standards, conducting data privacy impact assessments (DPIA), and working with providers of digital technology.
Source: Ben Wagner’s presentation.
Data protection legal framework in Indonesia
Andre Rahadian highlighted the status of social protection regulatory framework regarding data protection. Personal data protection is spread through several laws in Indonesia, such as Law n. 11 of 2008 and Law n. 24 of 2013, but they do not have a focus on social protection. Besides that, they are crucial in the sense that the laws specifically define which data is considered personal data and define the responsibility of electronic system providers on data protection.
At the moment, a new bill (Personal Data Protection Bill, PDP) is being drafted in order to embed all these laws and create a Data Protection Officer. As Mika Isac Kriyasa pointed out, this bill will have several impacts on social protection programmes and be probably enacted by the government until the end of September. By that time, from Indonesian regulation side, the mandate is to implement the first paragraph of the article 28g of the Indonesian constitution, which stipulates that every person has the right to get protection of its privacy.
The Indonesian social protection regulatory framework regarding data protection is just in its first steps. For Subianto, there is still a lot to be done in the next few months in terms of communicating with stakeholders about the new law, in particular to the data subjects.
Another fundamental question in Indonesia is that every Line Ministry in Indonesia has its own way to address data. Maliki highlighted that the COVID-19 pandemic has provided good lessons in terms of integration and interoperability, but also showed that Indonesia needs to have an integrated data registry to act in shock-responsive situations. The overarching laws which were already presented before are challenges to fulfil this goal, but the new bill could facilitate it even though there is no specific discussion on social protection issues.
Data consent and the politics dimension of data protection
Following the discussion, Andre raised a debate over informed consent and the extent to which people are truly giving informed consent. As Jacqueline highlighted, there is a need to acknowledge the difference between the legal basis to process the data and the information of the individual in the private and public sphere. In the case of the governments, the legal basis to process the data is usually not the consent, but mostly the public interest. The government uses personal data when it is necessary to perform a task for the public interest, according to the purposes stipulated in the local or national regulations. The consent, however, should be clear in both cases.
An example of this happened during the COVID-19 pandemic. As mentioned by Valentina and Ben, in many cases governments used data from various sources to improve their social protection programmes even though it was not its original intended use. That, however, may also generate difficulties to build trust with the public when you collect data again in the future.
In Indonesia, there is an expectation in the new law that the consent needs to be clear enough for the data subjects to know what the purpose of their data is and who is collecting them. As Subianto highlighted, there is also the acknowledgement of the importance for the collectors to set up mechanisms to facilitate communication between all the stakeholders.
In terms of collaboration and sharing data between different organisations, trust is another prominent issue. For Maliki, a way to solve this problem is by including all the stakeholders during the planning and development phase of the public policy. For Valentina, the figure of the Data Protection Officer in Indonesia will also be helpful from this perspective after the PDP bill is approved.
Going further, she also raised a debate over the allegations that data protection and privacy is a European obsession being exported to other countries or, in other words, a new type of colonialism in new forms. In her words, leapfrog technologies in low and middle countries are increasing the need for data protection in all places. Adding to the discussion, Mika emphasized the need for data privacy as a human right.
To conclude, the panelists discussed the political dimensions of data protection. Debating the ethics of automation in social protection targeting, Jacqueline highlighted that this question is centered on the ethics debate over who is deciding when there should be a machine answering. By his turn, Ben added that over the time data protection authorities and other agencies expand their remit to be sort of “digital regulators” just because there is nobody else competent and qualified to do it. That turns the debate over data protection into a debate about the future of democratic governance and constitutional governance.
This webinar discussed with international experts and stakeholder(s) from Indonesia on (1) the importance of the right to privacy and protection of personal data particularly for some of the most vulnerable population and (2) the application of the practical Implementation Guideline into Indonesian contexts. For the Indonesian context, even though the government has yet to pass a comprehensive national law that specifically regulates the right to privacy and ensure the protection of personal data, this webinar provided some interesting insights towards the link between data protection and social protection, as well as the specific opportunities and challenges that can arise in the country.
This was the eighth session of the ASPects Practice Exchange on Adaptive Social Protection Webinar Series and within this framework is particularly related to the Building Block “Data and Information Systems” of the WB’s Adaptive Social Protection framework. These webinars are dedicated to bringing together practitioners, leading experts, and policy makers to share and exchange perspectives on Adaptive Social Protection (ASP). Each webinar within the series will focus on specific practically relevant aspects of one related ASP Building Block (Institutional arrangements and partnerships - Programs - Data and information - Finance). The series, organised by the GIZ Global Program Social Protection Innovation and Learning (SPIL) on behalf of the German Federal Ministry for Economic Cooperation and Development (BMZ) in cooperation with socialprotection.org and other partners, aims at informing the global public policy dialogue on building back better systems and better preparedness for future shocks.