As INA Digital rolls out services, data protection must be key focus area
By Mochamad Azhar
The three digital services INA Pas, INA Ku, and INA Gov will help accelerate digital government in Indonesia and data protection has to be the top priority to ensure citizen trust.
The Ministry of State Apparatus and Bureaucratic Reform, Ministry of Communication and Information, Ministry of State-owned Enterprises, and Peruri, launched a limited release of INA Digital services at Peruri City, Jakarta, on September 30. INA Digital is expected to ensure the security of citizens' personal data. Image: Peruri
While the limited release of the three main INA Digital services, INA Pas, INA Ku, and INA Gov, is welcome news and part of the effort to accelerate digital government in the country, there is a need to ensure that guardrails are in place for data security when INA Digital services become widely available to the public.
A data breach, in which personal data is compromised, will erode citizen trust in the digital services.
In the first phase of limited release, INA Digital services will be tested by 40,000 public users and 10,000 civil servant users to get feedback and improvements. The second phase follows the testing of the app by 136 central and regional government agencies. The public release will take place in early 2025.
INA Pas is a national digital identity platform that will be used by the public as a single sign-on to access various government digital services in INA Ku and INA Gov which INA Ku is a public service portal that provides various government digital services, such as population administration services, health, education, social assistance, and police services. INA Gov is an administrative service portal for civil servants that provides them with easy access to various personnel management applications.
To subscribe to the GovInsider bulletin click here.
Data protection has to be the top priority because INA Digital will be managing the data of tens of millions of citizens. The June cyberattack on the government's National Data Centre facility and several cases of personal data leaks in recent years are stark reminders of why data protection has to be the key focus while rolling out digital government services.
In addition, the Personal Data Protection Act will be fully implemented on October 17, and this will ensure that data managers and those who handle personal data would be subject to legal sanctions if a data breach occurs.
INA Digital – currently under the public spotlight for spearheading the country's efforts to integrate its digital services – is expected to become a role model for how government agencies protect the personal data of their citizens.
Security by design approach
Gadjah Mada University’s Centre for Digital Society (CfDS) Researcher, Faiz Rahman, told GovInsider that INA Digital should adopt a security by design approach in managing citizens’ personal data, which includes data collection, data processing, data storage, and data transfer.
This approach ensures that the security aspects are a priority from the start, which includes guarantees of data subject rights, limited use of personal data and in accordance with its purpose for the delivery of public services.
“The most important thing is how to ensure that technological tools are able to protect personal data,” he says.
Next, INA Digital must make a data protection impact assessment when processing data that is classified as high risk, which includes health data, financial transaction data, and biometric data, as well as processing data on a large scale.
Furthermore, INA Digital can assign a personal data protection officer as a supervisor who works independently to ensure citizens' personal data is protected.
To subscribe to the GovInsider bulletin click here.
Involving BSSN
Minister of State Apparatus Empowerment and Bureaucratic Reform, Abdullah Azwar Anas, has said that the government was seeking various ways to secure people's personal data managed by INA Digital.
"The first thing is to involve various parties who are experts and experienced in data security aspects, including a team from the National Cyber and Crypto Agency (BSSN), to assist INA Digital in processing data," said Anas as quoted by RRI.
In addition, the government has also conducted security trials through penetration tests on systems managed by INA Digital.
According to Faiz, the Personal Data Protection Law gives BSSN the responsibility to maintain information security on electronic systems. In the context of INA Digital, BSSN can be involved at every layer, from the onboarding process to service development.
"BSSN's involvement in the development of INA Digital applications is important as a form of organisational compliance with government regulations," he said.
Multi-layered security audit
Peruri's President Director, Dwina Septiani Wijaya, during the Townhall Meeting last August, emphasised that the three INA Digital services developed had gone through a multi-layered security audit that was carried out in accordance with the standards set by Peruri as a digital security company and in compliance with government legislation.
"The application of multi-factor authentication allows data and identity verification to run safely. Users have full authority in using their personal data when accessing public services electronically," she said.
Although this integration involves many ministries and agencies, data transfer and data exchange processes are guaranteed to be safe. Peruri, under which INA Digital’s operates, has proven that digital security is the most important asset in a company’s business, she added.
This article was originally published in Bahasa Indonesia