The Indonesian Parliament has approved the long-awaited personal data protection law
After its ratification by parliament on Tuesday, 20 September 2022, Indonesia’s new Personal Data Protection Law (PDP Law) has recently been enforced. This legislation is a special policy that complements an existing, similar policy—in this case, the Personal Information Disclosure Act (KIP law), which was established in 2008.
With the passage of the PDP Law, Indonesia became the fifth ASEAN nation to establish a legal framework for personal data protection. Singapore, the Philippines, Malaysia, and Thailand were the first few to enforce this legal protection.
This Law, which relates to numerous elements of the General Data Protection Regulation (GDPR), governs, among other things, the responsibilities of the Personal Data Controller, the Personal Data Processor, and the Data Subject’s rights.
Who are the controllers and the processors?
Personal data controllers, personal data processors, and data subjects are the three legal subjects bound by the legislation. It can be clearly inferred that the data subject is the owner of the personal data.
The data controller is defined as a person and/or entity with the authority to decide the purpose of and manage the processing of personal data. Meanwhile, a personal data processor is an individual and/or entity that processes personal data on behalf of the personal data controller.
The PDP Law and its relation to the employee background verification process
The stipulation of the PDP Law is definitely a step forward in the preservation of human rights, which in this instance is an autonomous self-identity. On the other hand, strong synergy is required among stakeholders who have access to collect, store, and process data in accordance with their designation.
Integrity Asia’s utilization of the Prisma platform for employment background screening is a core example of the application of lawful data processing practices.
According to the PDP Law, the company that conducts the recruitment process is the so-called personal data controller, while Integrity Asia, as the entity that conducts background screening services, is the personal data processor. The applicant or the related employee is the subject of personal information.
A letter of consent as a requirement
As the processor, Integrity Asia needs to underline at least two things in this law: consent for personal data processing and the retention of personal data.
Referring to Article 51 Paragraph 1, Integrity, as the data processor, is required to process personal data according to an order or request from a personal data controller. In this case, the personal data controller is the client or company that is conducting recruitment.
Meanwhile, in order to make such a request, the data controller must submit written consent from the Personal Data Subject, as stated in Article 24.
Thus, with this law, the practice of verification by Integrity Asia is further strengthened. So far, Integrity Asia has been firm in obtaining consent letters as a requirement for verification requests.
Data processing has a certain retention period. Data controllers must inform data subjects of this retention period when collecting personal data from them. Integrity, as a data processor, has implemented data retention practices in line with the mandate in Article 16 concerning the Processing of Personal Data, paragraph 2 (g), which states that Personal Data must be destroyed and/or erased after the retention term has expired.
Integrity Asia, with over two decades of expertise in the compliance industry, is dedicated to delivering high-quality services by tailoring the type and degree of services to the demands of its clients. Our screening is done through Prisma, a screening platform that can be integrated with the client’s HR information system.
Contact us to find out more about employee candidate background checking services.