Indonesian Employee Monitoring Laws: What Are Employers Allowed and Not Allowed to Do in the Workplace?
Q: Do employers have the right to monitor employees’ computers, such as desktops, laptops, and servers?
A: Yes, employers have this right, but with certain limitations.
There are no specific labor regulations in Indonesia that prohibit employee monitoring. However, Indonesian laws and regulations do not distinguish an employee's personal data from the personal data of other persons, so monitoring (data collection, use and processing) in the workplace is possible only if employers follow the provisions below (according to Law No. 11 of 2008 regarding Electronic Information and Transaction (‘EIT Law’) and the Government Regulation No. 82 of 2012 regarding Provision of Electronic System and Transaction (‘Reg. 82’), which came into force on 15 October 2012):
• «Before an Electronic System is implemented, the provider of an Electronic System has to obtain an Electronic certificate from the Ministry of Communication, Information and Technology (‘MCIT’)
• In providing the provision of an Electronic System, the provider should ensure secrecy, totality and the availability of the Personal Data it manages. The provider should also ensure that the obtaining, the consumption, and usage of Personal Data is based on the consent of the Personal Data owner, except if regulated otherwise.[1] Further the provider should ensure that the usage or disclosure of data is done based on the consent of Personal Data and is in line with the objectives as disclosed to the relevant owner at the time of obtaining the data[2], and
• The provider of the Electronic System is also obliged to provide audit track records.
([1] Article 15 (1) (b) of Reg. 82. [2] Article 15 (1) (c) of Reg. 82.)» (By Kate Lucente and John Townsend in ‘Data Protection Laws of the World’, May 2015).
Q: Do employers have the right to monitor keystrokes, email content, and screens?
A: Yes, employers have this right, but again only if acting in conformity with the law (see above).
Employers have the right (with some limitations) to monitor their employees’ activity, but only if they comply with local legislation:
«Article 15 Paragraph 2 of Reg. 82 provides that the provider of an Electronic System must provide written notification to the owner of personal data, upon its failure to protect the personal data. Article 20 Paragraph 3 of Reg. 82 provides that the provider of an Electronic System must make the utmost effort to protect personal data and to immediately report any failure/serious system interference/disturbance to a law enforcement official or Supervising Authority of the telecommunications sector.
Reg. 82 regulates the transfer of data in Article 22 paragraph 2 which provides in any case that in the implementation of Electronic System aimed to transfer Electronic Information and/or Electronic Document, the Electronic Information and/or Electronic Document must be unique and (the provider shall) explain the control and possession of the Electronic Information and/or Electronic Document.
The obligations of Electronic System Providers are regulated under Reg. 82 and amongst other things shall:
• Guarantee the confidentiality of the source code of the software
• Ensure agreements on minimum service level and information security as well as security and facility of internal communication security it implements
• Protect and ensure the privacy and personal data protection of users
• Ensure the appropriate lawful use and disclosure of the personal data
• Provide data center and disaster recovery center
• Provide the audit records on all Provision of Electronic Systems activities, and
• Provide information in the Electronic System based on legitimate request from investigators for certain crimes». (By Kate Lucente and John Townsend in ‘Data Protection Laws of the World’, May 2015).
Q: How are employees protected in this situation?
A: The ‘EIT Law’ and Government Regulations protect employees’ personal data.
According to the ‘EIT Law’ and Government Regulations, employees are protected by law in situations where they were not informed about the monitoring in the workplace, did not give their consent, and/or no such clause was stipulated in the contract.
«In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines. Imprisonment may be imposed in severe instances such as in the event of intentional infringement.
• The EIT Law provides criminal penalties ranging from: Rp. 600,000,000 fine to Rp. 800,000,000 and/or 6 to 8 years imprisonment for unlawful access; Rp. 800,000,000 fine and/or 10 years imprisonment for interception/wiretapping of transmission; Rp. 2,000,000,000 to Rp. 5,000,000,000 and/or 8 to 10 years imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving, hiding Electronic Information and/or Electronic Records.
• Failure to comply with Reg. 82 is subject to administrative sanctions (which do not eliminate any civil and criminal liability). These administration sanctions are in the forms of:
– Written warning
– Administrative fines
– Temporary dismissal, or
– Expelled from the list of registrations (as required under the regulation)». (By Kate Lucente and John Townsend in ‘Data Protection Laws of the World’, May 2015).
Q: What do professional lawyers suggest?
A: They suggest keeping to the ‘EIT Law’ and the Government Regulations in order not to violate human rights.
Professional lawyers suggest staying close to the above-mentioned laws, meeting the conditions of the contract, and keeping monitoring work-related.
«While there is no specific legal restriction, we recommend that the employer’s right to do so should be set forth in the Company Regulation.» (By Simpson Grierson in ‘Employee Data Privacy – A Regional Overview’)
«…we still suggest that data privacy clauses be included in employment agreements, company regulations, or collective labor agreements. Separate data privacy policies may also be put in place. We also suggest that such clauses or policies include:
a) The definition of private or personal data (typically, various types of information relating to the employee and the employee’s dependents);
b) The employee’s consent to the employer accessing, collecting, using, transferring, or otherwise processing the employee’s personal data;
c) The employee’s right to access his or her own personal data (but not others); and
d) The employee’s obligation to notify the employer of any changes or updates to his or her personal data.» (By Baker & McKenzie’s Global Employment Practice Group in ‘Data Privacy and Protection in the Workplace’)
WorkTime – Respectful Employee Performance Monitoring – www.worktime.com
This article provides general information only. This information is for general understanding only and not to be used as legal advice. To receive professional legal advice, please consult your lawyer.