The Department of National Education, Student Data, and Privacy

There has been an interesting phenomenon occur over the past few days that highlights the power that blogging has in getting out a message and seeing changes made. The Treespotter posted a piece on the Department of National Education and their posting on their site of complete sets of student data.

The data itself is important in terms of administering the individual schools and perhaps also in terms of ensuring that the Department has up-to-date data on students so that it can do its job better. Well, at least, potentially more efficiently and effectively. There is no problem in collecting the data, the problem related only to the need to publish this data online.

There are a number of problems with publishing the names and addresses of some 30 million plus students online from primary school through to senior high school. The most likely of these problems would be identity theft and kidnapping. The identity theft would affect only a small number of students and more than likely those in senior high school who are 18 or 19 years old. They might have all manner of accounts and perhaps even credit cards.

Identity theft is pretty easy as the hacking into of Sarah Palin's email account highlights. If a candidate for the office of vice president and potentially the second in-line to the leadership of the free world is not safe, then what chance does some senior high school student in Indonesia have?

The kidnapping angle is also an interesting one and Indonesia, and in particular Jakarta, has had a few kidnappings occur of late. The idea that all of the research can be done online and at one site, in terms of targeting particular children, is frightening.

Kidnapping might only be one of the problems that could arise. Pedophiles might also find the detailed information useful in targeting certain children as well.

It is worth noting that the site and the downloadable files have been altered to remove the dates of birth and the addresses of the children whose names are included in the files. However, what is less clear is whether the Department has contacted Google and other search engines in order for them to have the cached and indexed files removed from their servers. If they have not then the files are still out there in the cyber world and can be recovered and reposted.

If you do not believe this to be so, then look no further than the ongoing fiasco of the Chinese gymnasts who competed in the Beijing Olympics. It was suspected that some of the Chinese gymnasts were under age, but the documentation provided suggested otherwise. Nevertheless, an enterprising individual managed to find cached files on a Chinese server that contained official documents stating that the ages of the gymnasts were not those contained in the passports provided as proof of their age.

The point, quite simply, is that until these files are removed from the search engines of Google and others the data is still out there. This is always going to be the problem of letting the genie out of the bottle. Once the genie is out, it is almost impossible to get it back in.

The privacy issues are also important. The law in Indonesia does not include a specific privacy law. However, there are privacy provisions in a number of laws that might be able to be used as a means of ensuring this kind of breach does not occur again. Some might argue that this disparate collection of provisions is no substitute for a specific law on privacy, and I might tend to agree. Nevertheless, there is enough in these provisions to prove that Indonesia recognizes a right to privacy and there is also enough in these provisions to sustain a case for a breach of privacy.

For example, Indonesia has ratified the International Covenant on Civil and Political Rights as Law No. 12 of 2005. It is clear in Article 17 of the Covenant that there is a right to privacy and that this right is one that cannot be arbitrarily interfered with. Simply, the Department's arbitrary and unilateral decision to post this private and personal data on the Internet without the express permission of the parents of the students involved is a breach.

Privacy also makes an appearance in Law No. 11 of 2008 on Information and Electronic Transactions. In this Law it relates more to investigations, but it must be noted that the principle is that there is a conceptual understanding of privacy and the damage that can be done if private or confidential information is publicly released.

Furthermore, the Supreme Court of Indonesia has also recognized that individuals have a right to privacy and that their personal or confidential information must not be traded in the public domain. In Article 22 of the Decision of the Chief Justice No. 144 of 2007 it is explicitly clear that any court official that is in a position to provide private or personal information must take into consideration any losses that might be sustained by the individual whose information is released.

Privacy has also been a feature of a Joint Decision of the General Election Commission and the Indonesian Broadcasting Commission. The Decision, No. 12 of 2004, states in Article 15 that candidates in broadcast debates cannot attack issues that are private. Once again, this presupposes that some information cannot be brought to the public domain without the express permission of the individual to whom that information relates.

The Child Protection Law, Law No. 23 of 2002, does not expressly deal with privacy. However, it is clear that the rights of the child are paramount and it is reasonable to assume that a sustainable argument can be made that the posting of the Department of National Education files on the Internet is not in the best interests of children.

In human rights terms the right to collect, collate, provide, and access information is set out in Article 14 of the Law No. 39 of 1999 on Human Rights. This provision supports the Department's right to collect the information. However, the provision also requires that the purpose of the collection of the information must be clear and for a valid purpose.

Article 47 and 48 of the Indonesian Criminal Procedure Code provide the power to investigators to open mail and other correspondence in the course of an investigation. However, if the correspondence does not relate to the criminal case that they are investigating then any information that the learn from the correspondence is to be kept secret. Although this provision does not specifically relate to privacy, it does highlight that, at least, conceptually Indonesia recognizes a right to privacy to some degree.

With the passage of the Freedom of Public Information Law (Law No. 14 of 2008) it is clear that some personal and private information is not to be provided to the public and presumably this would include posting it in a public domain such as the Internet.

For example, Article 6 of this Law is explicit that personal information cannot be provided by a public agency, and the Department of National Education would be classified as such, and therefore the information included in the school children files is conceivably out of play with regards to access by the general public. The type of information contained in the Department files would also seem to be protected from public release by the provisions of Article 17.

The Department has removed the most obvious breaches from their files. Yet, the damage might have already been done with the letting of the genie out of the bottle. This is a valuable lesson in thinking laterally and outside of the box. In this day and age of rapidly developing technology and an ever-smaller world, one must think their actions through from myriad of possibilities before uploading information to the Web.

It would seem that to try and close the chapter on this book the Department of National Education needs to make requests to all search engines that they do whatever they can to ensure that all cached and indexed files relating to this data are removed and / or are made inaccessible.

Information is important, but some information must remain private and this is a case in point.