8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?
The Personal Data Protection Law (Law No. 27 of 2022) was enacted in 2022 with a two-year transition period; data controllers and data processors must comply in full from October 2024. The law is largely modeled on the EU GDPR and governs the handling of personal data collected in a clinical trial.
8.2 What are the data locality rules within each jurisdiction?
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
No data-residency restriction applies to systems operated by private entities. Data held in public/government electronic systems, however, must remain within Indonesia.
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
There is no specific guidance on this matter.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
If personal data relating to health is managed in an electronic system, that management must follow the personal data protection provisions for electronic systems set out in Kominfo Regulation 20 (Minister of Communication and Informatics Regulation No. 20 of 2016). Kominfo Regulation 20 defines an electronic system as a set of devices and electronic procedures that prepare, collect, process, analyze, store, display, announce, transmit, and/or disseminate electronic information. Such a system must be operated by an electronic system provider (ESP) registered with Kominfo. This provision applies where a company provides a site, application, portal, or similar service, for example for online health consultations or an online pharmacy. The regulation itself does not specify particular cloud routing exclusions.
Kominfo Regulation 20 specifies provisions on personal data protection in:
- Acquisition and collection
- Processing and analyzing
- Storage
- Display, announcement, delivery, dissemination, and/or opening of access
- Removal
The ESP must have internal rules on personal data protection so that it can implement these processes.
Under Kominfo Regulation 20, the ESP must ensure that personal data is acquired and collected on the basis of the data owner's consent. Personal data may only be processed for purposes that were clearly communicated to the owner at the time of acquisition and collection. The ESP must also prevent any unauthorized disclosure and/or transfer of personal data, and must comply with the reporting obligations to government institutions.
- Does data need to be collected in the country? Do the servers need to be in the country?
See 8.2 above; the answer depends on whether the system is operated privately or is a public/government system.
- Are there data storage and transmission requirements (for data transfer out of the country)?
Yes. Under the Personal Data Protection Law, a data controller may transfer personal data to another data controller and/or data processor outside Indonesia only if one of the following conditions is satisfied, assessed in this order:
- The country in which the receiving data controller and/or data processor is domiciled provides a level of personal data protection equal to or higher than that in Indonesia.
- Failing that, the data controller ensures that adequate and binding personal data protection measures are in place with the offshore recipient.
- Failing both, the data controller obtains the consent of the data subject.
In practice, transfers of personal data to third countries are permissible only where there is a legal basis for the processing and transfer and one of the following applies:
- Approved adequate/whitelisted country.
- Derogations, such as consent, contract performance, necessity to establish or defend legal claims.
- Are there any exceptions made for research to the local privacy regulations?
No. Personal health data is treated as specific (sensitive) personal data and attracts the highest level of protection under the law.
- Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?
The ‘Main Researcher’ (the Principal Investigator) is responsible for deciding who may view the data and access PII.
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
CRO systems and software platforms should be validated in accordance with Good Clinical Practice (GCP) requirements for computerized systems used in clinical trials.