14 October 2008

The Department of National Education, Student Data, and Privacy

There has been an interesting phenomenon occur over the past few days that highlights the power that blogging has in getting out a message and seeing changes made. The Treespotter posted a piece on the Department of National Education and their posting on their site of complete sets of student data.

The data itself is important in terms of administering the individual schools and perhaps also in terms of ensuring that the Department has up-to-date data on students so that it can do its job better. Well, at least, potentially more efficiently and effectively. There is no problem in collecting the data, the problem related only to the need to publish this data online.

There are a number of problems with publishing the names and addresses of some 30 million plus students online from primary school through to senior high school. The most likely of these problems would be identity theft and kidnapping. The identity theft would affect only a small number of students and more than likely those in senior high school who are 18 or 19 years old. They might have all manner of accounts and perhaps even credit cards.

Identity theft is pretty easy as the hacking into of Sarah Palin's email account highlights. If a candidate for the office of vice president and potentially the second in-line to the leadership of the free world is not safe, then what chance does some senior high school student in Indonesia have?

The kidnapping angle is also an interesting one and Indonesia, and in particular Jakarta, has had a few kidnappings occur of late. The idea that all of the research can be done online and at one site, in terms of targeting particular children, is frightening.

Kidnapping might only be one of the problems that could arise. Pedophiles might also find the detailed information useful in targeting certain children as well.

It is worth noting that the site and the downloadable files have been altered to remove the dates of birth and the addresses of the children whose names are included in the files. However, what is less clear is whether the Department has contacted Google and other search engines in order for them to have the cached and indexed files removed from their servers. If they have not then the files are still out there in the cyber world and can be recovered and reposted.

If you do not believe this to be so, then look no further than the ongoing fiasco of the Chinese gymnasts who competed in the Beijing Olympics. It was suspected that some of the Chinese gymnasts were under age, but the documentation provided suggested otherwise. Nevertheless, an enterprising individual managed to find cached files on a Chinese server that contained official documents stating that the ages of the gymnasts were not those contained in the passports provided as proof of their age.

The point, quite simply, is that until these files are removed from the search engines of Google and others the data is still out there. This is always going to be the problem of letting the genie out of the bottle. Once the genie is out, it is almost impossible to get it back in.

The privacy issues are also important. The law in Indonesia does not include a specific privacy law. However, there are privacy provisions in a number of laws that might be able to be used as a means of ensuring this kind of breach does not occur again. Some might argue that this disparate collection of provisions is no substitute for a specific law on privacy, and I might tend to agree. Nevertheless, there is enough in these provisions to prove that Indonesia recognizes a right to privacy and there is also enough in these provisions to sustain a case for a breach of privacy.

For example, Indonesia has ratified the International Covenant on Civil and Political Rights as Law No. 12 of 2005. It is clear in Article 17 of the Covenant that there is a right to privacy and that this right is one that cannot be arbitrarily interfered with. Simply, the Department's arbitrary and unilateral decision to post this private and personal data on the Internet without the express permission of the parents of the students involved is a breach.

Privacy also makes an appearance in Law No. 11 of 2008 on Information and Electronic Transactions. In this Law it relates more to investigations, but it must be noted that the principle is that there is a conceptual understanding of privacy and the damage that can be done if private or confidential information is publicly released.

Furthermore, the Supreme Court of Indonesia has also recognized that individuals have a right to privacy and that their personal or confidential information must not be traded in the public domain. In Article 22 of the Decision of the Chief Justice No. 144 of 2007 it is explicitly clear that any court official that is in a position to provide private or personal information must take into consideration any losses that might be sustained by the individual whose information is released.

Privacy has also been a feature of a Joint Decision of the General Election Commission and the Indonesian Broadcasting Commission. The Decision, No. 12 of 2004, states in Article 15 that candidates in broadcast debates cannot attack issues that are private. Once again, this presupposes that some information cannot be brought to the public domain without the express permission of the individual to whom that information relates.

The Child Protection Law, Law No. 23 of 2002, does not expressly deal with privacy. However, it is clear that the rights of the child are paramount and it is reasonable to assume that a sustainable argument can be made that the posting of the Department of National Education files on the Internet is not in the best interests of children.

In human rights terms the right to collect, collate, provide, and access information is set out in Article 14 of the Law No. 39 of 1999 on Human Rights. This provision supports the Department's right to collect the information. However, the provision also requires that the purpose of the collection of the information must be clear and for a valid purpose.

Article 47 and 48 of the Indonesian Criminal Procedure Code provide the power to investigators to open mail and other correspondence in the course of an investigation. However, if the correspondence does not relate to the criminal case that they are investigating then any information that the learn from the correspondence is to be kept secret. Although this provision does not specifically relate to privacy, it does highlight that, at least, conceptually Indonesia recognizes a right to privacy to some degree.

With the passage of the Freedom of Public Information Law (Law No. 14 of 2008) it is clear that some personal and private information is not to be provided to the public and presumably this would include posting it in a public domain such as the Internet.

For example, Article 6 of this Law is explicit that personal information cannot be provided by a public agency, and the Department of National Education would be classified as such, and therefore the information included in the school children files is conceivably out of play with regards to access by the general public. The type of information contained in the Department files would also seem to be protected from public release by the provisions of Article 17.

The Department has removed the most obvious breaches from their files. Yet, the damage might have already been done with the letting of the genie out of the bottle. This is a valuable lesson in thinking laterally and outside of the box. In this day and age of rapidly developing technology and an ever-smaller world, one must think their actions through from myriad of possibilities before uploading information to the Web.

It would seem that to try and close the chapter on this book the Department of National Education needs to make requests to all search engines that they do whatever they can to ensure that all cached and indexed files relating to this data are removed and / or are made inaccessible.

Information is important, but some information must remain private and this is a case in point.

15 comments:

Anonymous said...

The reason why they make it online - of course not including student's address - is because Indonesian officials find it difficult to get basic primary data regarding Indonesian educational situation AND to reduce data manipulation which may lead to leak of budget.

Still, providing raw data openly like that is questionable.

Rob Baiton said...

Jaka...

I think that I have said in both my posts on this subject that I understand the need to collect the data and I have even said that the data would presumably make it easier for the department to do their job more efficiently and effectively.

I really am questioning the wisdom of posting it online and making it publicly available.

This post goes into a little more detail of what the law says and how I might go about constructing a legal argument if I was briefed in terms of a court case.

boneman said...

Afraid I have to agree with you on this.
Polar Bear sent me a page from somewhere that described me closely, yet, called himself 'Doctor' which I am not.
And, I may very well be the one that got the info out there in the first place.

Some things should never be put on the internet.
And it may seem paranoid, but, using the internet for money dealings especially should be avoided.

In this day of information theft, I can't even imagine a government of ANY country letting that be posted.
But, then, I'm naive in a lot of ways.

Well, plus the fact I'm tyoo poor to transfer money in the world wide web.
Heck...I don't usually have enough money to transfer from one pocket to another!

Anonymous said...

this might be a case of a road to hell is also paved with good intentions, that sort of thing.

it appears that this project has been around for quite some time, yet i don't recall there being an extensive public consultation, meaning not only to educational institutions or educational experts, but the rest of the stakeholders (parents, schools, students, etc).

a simple "have you been consulted by anyone about your child's data being shown online?" question to several parents i know yielded a lot of empty stares. "what do you mean, freely available?!" answer usually came next.

i think, whilst their intentions and effort are good and (most probably) praiseworthy... i wonder whether they've underestimated this project. or whether this is the case of "privacy doesn't have much currency"

Unknown said...

glad you took it up Rob.

just to add a little since you're the lawyer here, do you not agree with my understanding that Article 26 - ITE Law, opens the possibility of a civil suit? (if the gov't institutions are precluded by other laws, i'd still think the private schools included is still liable?)

i'm just thinking if there's any parents out there that would want to consider that course of action.

Anonymous said...

A have a couple of comments, the first being that I am not convinced that this just wasn't some massive cock-up. Until the Ministry comes out and says they intended to make all this information available to the public, its not fair - or particularly helpful - to make accusations.

My second comment is that, even with all the legal provisions you very helpfully cited (thanks for that - VERY useful), they are pretty much useless without a clear definition of what constitutes personal information. Okay, I know that ID has signed a bunch of international treaties, but so has every other country on this planet and the list of breaches is endless. At the end of the day INDONESIANS have to decide what constitues personal information and define THEIR OWN privacy principles.

My suggestion: we (bules) should listen to what people like Treespotter have to say. I specialised in privacy law for 10 years, and the one thing I learned is that we all have VERY different ideas of what constitutes privacy.

Unknown said...

brett, several quick points:
-i'm not a privacy expert - not by any definition - but i think it's almost common sense to assume that DOB and addresses is considered "Private Information". (lacking strict legal framework, i'd always check with what banks require for financial transaction and this is enough).

- for this being a cock up, well, so far the information (i'm pretty certain to be somewhat accurate) is that they planned to do this, but initially didn't plan to have it PUBLIC. i hear from some developers involved and the initial spec actually include access control to the XLS files. that being said, i don't get why they don't remove it right away (now they only move the addresses).

- last, I have never thought that this stupid obsession of who has the right to see what (bule vs non bule and whatshite) is, well, stupid and silly.

First off, my personal views on Privacy is very peculiar (i've long posts somewhere) and i'm not sure that represents any common public anywhere. I seriously doubt that it would be representative of any majority groups in any culture/legal jurisdiction.

second, when you're dealing with children under the legal age of consent, i think it's important that society (and parents) take initiatives - it'll be helpful to read what the parents out there have to say (i used to have a dog, but no more, kids scare me).

third, like i said, making a distinction on who has the right to be concerned, is stupid. We all live in a society - be it as a minority or as ruler (if i have my way) - to say that minority, visitors, etc have no place to initiate change is sad - and antisocial. Society happens by interaction of all within, all too often, it is the minority group that is being sidelined. in cases such as this, it's the other way around and the minority is shielded from the excess. to then excuse ourselves and say that we've 'less' rite to comment - is being exclusive, and well, silly.

fourth, for all its worth, i don't think anyone should be listening to me. it almost always leads to trouble.

now... i hope i don't tickle you the wrong way :D

Rob Baiton said...

Boneman...

Thanks for dropping by and commenting.

Yeah, saw you came in for a lashing from the polar bear. His site seems to have already gone private or at least I cannot access it anymore.

Agreed, some things should just not be available online.

Henster...

Also, thanks for dropping by and leaving a comment.

I am not disbuting the intentions and I believe that the rationale and the idea behind the collection of the data are valid.

I only question the wisdom of posting that data online in the manner it was posted.

By all accounts it seems as though the idea might not have been to post it in the form that it was. Clerical mistake perhaps?

Tree...

Brett might better answer this question seeing he has considerable experience in privacy law.

My take would be that class actions are possible under Indonesian law and I would argue that a breach of Article 26 of the ITE Law would provide that opportunity.

Brett...

The idea that bules should step back and listen to people such as the Treespotter presupposes that bules are not doing just that, stepping back and listening to fellas like the Treespotter.

I have always listened to the Treespotter and many other Indonesians as well. My current knowledge (perhaps even minimal expertise) is based in a big part on my desire to learn and an ability to listen.

My take is that it was a cock-up. The more people I talk to and the more background I get on it, the more it sounds like that the information was meant to be available to a limited number of people who had clearance to view it.

That said, clerical mistake or otherwise, the data made its way online and that is a problem. The accusations and allegations are reasonable in the circumstances and the process of investigating and determining fault, if any is to be had, will show how reasonable those accusations and allegations are.

On the issue of determining privacy principles. I think that Indonesia is well on the way to doing that. There are plenty of provisions in the diaspora of law in Indonesia that regulate privacy.

So there is a consensus in many ways about what constitutes personal information. The response to this incident suggests that Indonesians from non-legal backgrounds are also clued into what is reasonable in terms of privacy.

Perhaps we do have very different ideas on what constitutes privacy, but I feel fairly confident that when we are talking about the rights of children and their right to privacy, I am sure that many of my Indonesian friends and colleagues hold an opinion very similar to my own.

Nah, whether that is because I have listened to them or they have listened to me may be a moot point.

Just may be some ideas on privacy are not reliant on culture, religion, or upbringing, but rather basic human values of what is right and what is wrong when it comes to privacy.

All...

Then again, that's just me.

I always have to live in this apologist world in Indonesia where I am expected to say, "Sorry, I cannot truly understand the Indonesian way because I am white!" and then make excuses for why things that are not OK are in fact OK.

Those people who know me, and know me well, know that I understand a whole lot more than most. Those people who do not know me, assume that I cannot possibly know the Indonesian way. This more often is my fellow
"bules" rather than Indonesians (an interesting point in itself).

The placing of this data online was not OK. Even if this was a mistake, a mistake does not make it OK. Whether one is brown, balck, red, yellow, or white does not change this.

I am kind of hoping that this particular post attracts more attention as a frank and open discussion on privacy and what constitutes privacy would be well worth the effort.

Rob Baiton said...

Tree...

We seemed to be writing and posting at the same time :D

Funny that!

I think the distinction is silly too and I have written so.

On listening to you, I beg to differ. The conversation is always lively and the passion for the ideas, beliefs, and the desire to see a better Indonesia makes you worth a listen :D

I might not always agree with you, but I am much the wiser for having listened.

Unknown said...

rob, Art. 26, why class action?

Why can't it be a normal civil suit? or do i understand the article wrong? (the elucidation doesn't help and my understanding is there's no precedent on that law yet.

Care to explain?

Anonymous said...

@Rob/Treespotter: I spent 45 mins crafting a response, but then lost it. Honestly, I don't have it in me to rewrite it, so in a nutshell:

1) commonsense principles aren't enough - we need a privacy law
2) i think i was misunderstood - i wasn't saying bules should shut up. i was just saying that, from 10 years of working in privacy, privacy principles are not universal and it is ultimately up to indoneians to decide what works for them. we bules can help by showing how it works in our own countries. but we shouldn't TELL people the say it should be.

Anonymous said...

forgive my typos ;-)

Anonymous said...

And... just to be clear: I totally agree, posting this data on line was NOT ok.

History shows we can't trust our governments, guys.

Rob Baiton said...

Brett...

The crafted response sounds like it would have been a good read :D

I know that you feel that it was not OK to post the data. I also know you were not necessarily saying that Bules should shut up.

I agree, ultimately, that these are decisions Indonesians will have to make for themselves. I also agree that a specific privacy law is warranted.

I also agree that concepts of privacy are not universal. However, there are some things that would seem to transcend these boundaries. One of these would be the specific protection of children from any harm.

Typos as long as they're not fatal; no harm, no foul! I make lots of them too. Normally, my brain is going faster than my fingers.

Rob Baiton said...

Tree...

On the class action front.

Yes, Article 26 characterizes what would be a breach and I would argue that a normal civil suit could be undertaken.

The reason I suggest a class action is that there is likely to be more than one aggrieved party here.