Do I need consent to process employee data?

On September 20, 2022, the Indonesian House of Representatives passed the Personal Data Protection Bill (“PDP Bill”), making it the principal regulation on personal data protection in Indonesia. The PDP Bill defines personal data as all data concerning a person which is protected by law to ensure the constitutional rights of the personal data subject. Employee data is also subject to the PDP Bill as it falls under the definition of personal data.

The PDP Bill expressly states the need for valid and explicit consent from employees for an employer, who, in this case, would be acting as a personal data controller, to process their data. This consent must be in writing or recorded, and must be clearly distinguishable from other purposes, made in an understandable and accessible format, and conveyed using simple and clear language. The PDP Bill further regulates that an employer is only able to process employee data if it can show proof of consent from the concerned employees.

Employees, as the personal data subjects, have the right to withdraw their consent at any time, and the employer must then cease processing the personal data.

Emphasis is placed on the need for consent to process employee data. Employers are at liberty to determine how the consent should be obtained; be it through forms, company policies, or other means, as long as it reflects the employees’ full awareness that they have consented to their data being processed by the employer.

Failure to obtain consent from employees would result in the unlawful processing of employee data, which would expose the company to the risk of serious punishment including imprisonment and/or fines.

What are the privacy and data protection issues inherent in alcohol / drug testing?

Alcohol and/or drug testing is typically only required by employers during the recruitment process, though some employers in certain sectors conduct regular testing as part of occupational safety and health. Alcohol and/or drug testing is usually done to ensure employees are able to perform or fulfil the essential duties or requirements of the job and will not cause loss or harm to the company. Furthermore, the current legal framework in Indonesia for drug testing explicitly requires employers to take active measures to prevent and counter the abuse of drugs by testing employees for drugs. If an employee is found to have used illegal substances, the employer is permitted to take disciplinary action against the employee. Also, the sale and distribution of illegal drugs in the workplace must be reported to the police.

However, regardless of the legal framework, it is important to note that the results of an employee’s alcohol and/or drug test is part of their specific personal data as referred to in the PDP Bill, as it contains data and information regarding the employee’s health. In order for an employer lawfully to process the data it acquires from an alcohol and/or drug test, the employer must obtain the employee’s valid and explicit consent to be tested. In practice, many employers in Indonesia seem to be unaware of the data protection aspects of alcohol and/or drug testing. Employers tend to view such testing as mandatory in nature and thus do not take into account the need to obtain the employee’s prior consent before conducting said testing, which is in violation of the PDP Bill.

How can I legitimately monitor employees’ email, internet usage and social media?

Many employers are seeking ways to lawfully monitor their employees’ email and internet usage, often with the intention of preventing the misuse of email and the internet, as well as the leaking of confidential information. Under the PDP Bill, the only way for an employer to legitimately perform such monitoring is to obtain the employee’s consent for the monitoring of their email and internet usage. In addition, the employer may put in place a privacy policy containing terms and conditions for the use of work facilities, property, computers, or internet.

The failure to obtain the needed consent before monitoring an employee’s email and internet usage will result in unlawfully processing the employee’s personal data, exposing the employer to the risk of imprisonment and/or fines, among other punishments.

However, the situation is different in terms of monitoring the activities of employees on social media. It has been established in Indonesia that information obtained from the public domain does not constitute protected personal data that must be kept confidential, as long as the obtained information is not used for any illegal purposes.

While monitoring the activities of employees on social media may be allowed, it does not automatically follow that an employer may terminate an employee for such activities. Termination may only be possible if the misconduct is regulated under the employment contract or company regulation. For instance, if there is a clause obliging the employee to maintain the good reputation of the company, violation of this may constitute misconduct and may subject the employee to disciplinary action, possibly up to termination.

What are the limits of using artificial intelligence in employment?

According to the Electronic Information and Transactions Law (“EIT Law”), artificial intelligence is considered as an electronic agent. The EIT Law sets out that employers may conduct electronic transactions using electronic agents where the legal responsibility for any conduct of the transaction lies with its providers. Furthermore, the implementing regulations of the EIT Law stipulate that the electronic agent provider in an electronic transaction must provide features for the purpose of protecting users’ rights and enabling the users to make changes to their information during the transaction process. However, the law is silent on limitations on the use of artificial intelligence in employment. Therefore, with the lack of regulation, there are as of this report no limitations on the use of artificial intelligence in employment.

What are the data protection issues in whistleblowing?

The whistleblowing system in Indonesia allows employee to report fraud, corruption, or other serious wrongdoings occurring in the workplace. Though some may view the practice as a good way to discover illegal misconduct within the workplace while simultaneously protecting the whistleblower, others question the data protection aspects of whistleblowing, especially considering that the PDP Bill puts an emphasis on protection and confidentiality as one of its core principles.

Whistleblowing is viewed as a system that inherently violates the constitutional right to have your personal data protected. This is because the personal data obtained from the whistleblower will be processed without first acquiring the consent of the personal data subject. This may include not only the whistleblower’s data, but also the personal data of witnesses, reported persons, and other persons whose data may be disclosed after having been unlawfully procured and processed during the whistleblowing process. Therefore, to ensure that no one’s constitutional rights are violated during the whistleblowing process, proper procedures must be put in place by employers to uphold the principles set out in the PDP Bill.

Summary

The recently passed PDP Bill is a major shift in the Indonesian legal framework. It is the first time Indonesia has had a single comprehensive law regarding personal data protection. Looking at the PDP Bill and all the discussion around it, one can conclude that almost every issue related to personal data protection boils down to the fundamental, yet sometimes neglected, idea of consent. Employers must bear in mind that any action they wish to take concerning the personal data of employees requires the prior valid and explicit consent of the employees for such action to be deemed lawful.