The concept of personal-data portability needs to be encouraged so that the general public can understand and enjoy its benefits.
By RICO USTHAVIA FRANS
Law Number 27 of 2022 concerning Protection of Personal Data, or the PDP Law, which was passed on 21 Sept. 2022, has become a strong legal basis for personal-data protection. The PDP Law defines three main parties in the context of personal-data protection. First, the personal-data subject is the person to whom personal data is attached. Second, the personal-data controller is the party that determines the purpose of, and exercises control over, the processing of personal data. Third, the personal-data processor is the party that processes personal data on behalf of the personal-data controller.
As an illustration, if we are customers of a bank, we are the subject of personal data, while the bank is the controller of personal data. If the bank appoints another party to help process personal data, that party becomes the personal-data processor.
This PDP Law regulates the rights of the personal-data subjects to access, terminate processing, delete and destroy personal data stored by personal-data controllers. On the other hand, the obligations of personal-data controllers and personal-data processors are also clearly regulated, including sanctions that can amount to 2 percent of their annual income.
However, beyond the protection and security aspects of personal data, we must also look at the aspects of their utilization. One of the important aspects of utilization is the portability of personal data, namely the right for personal data subjects to access and transfer data from one personal data controller to another.
This concept is supported by Article 13 of the PDP Law which states that personal data subjects have the right to obtain or use their personal data in a format that is commonly used or can be read by electronic systems. In addition, they also have the right to use and send their personal data to other personal data controllers as long as the systems used can communicate with each other safely.
One of the benefits of personal-data portability is to improve credit scoring. If we have a good track record as a customer at a bank, we can get better credit interest, not only at that bank, but wherever we apply for credit. The trick is to send our credit-track record at the bank to other institutions that will provide credit so that they can carry out a more accurate analysis to reduce credit risk.
For that to happen, the bank or financial technology (fintech) lender, as the controller of personal data, must have a system that allows its customers to transfer their personal data electronically to other banks or fintech companies.
If this mechanism becomes the industry standard or if it is required by the Financial Services Authority (OJK), banks or fintechs can no longer monopolize the personal-data pools of their customers. They are obliged to share data with each other if the customer requests it. Of course, this will help increase financial inclusion.
Unfortunately, besides the reluctance of banks or fintechs to share data, the infrastructure across the industry does not fully support it. A number of friends from banks and fintech lenders alike have complained about the difficulty of accessing cross-industry credit data.
In banking, credit data is collected and controlled by OJK in a system called the Financial Information Service System (SLIK). As for the lending fintech industry, there is the Fintech Lending Data Center (Pusdafil) managed by the Indonesian Joint Funding Fintech Association (AFPI). The two systems are currently two separate data pools.
With the PDP Law and the concept of personal-data portability, banking debtors should be able to give permission to the OJK so that the loan data stored in SLIK is given to the fintech where they applied for the loan. Conversely, someone who already has a track record in fintech lending can give permission to AFPI, as Pusdafil's data controller, to provide their personal data to the designated banking party.
This concept is not only useful for the financial industry, but also for the real sector. For example, if we want to apply for a visa abroad, generally the embassy concerned asks for our account data. With the supporting infrastructure, we no longer need to come to the bank to print accounts. We only need to provide online instructions to move our account data from the bank to the embassy in question. Of course data security during the process of giving instructions and transferring data must always be maintained properly.
From another perspective, the portability of personal data has the potential to become a lucrative business. To cover investment and operational costs, personal-data controllers, such as OJK and AFPI, may charge reasonable personal-data access and transfer fees.
So far, the population and civil-registration service (Dukcapil) has done the same thing in various ways. Banks and fintechs are asked to grant server assistance to Dukcapil to be able to access data with the required volume. They also use several aggregators who provide data-checking services to Dukcapil at a cost of Rp 1,000 (US$0.07) to Rp 3,000 for each check. As long as these rates are reasonable, carried out transparently and the process is secure, this implementation of personal-data portability will benefit the industry.
The concept of personal-data portability needs to be encouraged so that the general public can understand and enjoy its benefits. Regulators need to invest in building infrastructure that supports personal-data portability and issue regulations that encourage industry players to implement this personal-data portability properly, safely, efficiently, fairly and transparently.
RICO USTHAVIA FRANS, a member of the Steering Committee of the Indonesia Fintech Society (IFSOC)
This article was translated by Hendarsyah Tarmizi.