This Newsflash is a part of our Health Omnibus Law Newsflash series, i.e., Law No. 17 of 2023 dated August 8, 2023, on Health (the "Health Law"). The Health Law governs a wide range of topics in the health sector, including health information systems (the "System").

As previously noted, the Health Law was issued using the omnibus method. The Health Law revokes several laws and regulations in the health sector, including Law No. 36 of 2009 dated October 13, 2009 on Health.

♦ Key Definitions

Before we discuss the System, it is important to note the following definitions provided in the Health Law:

  1. System is defined as systems that integrate various stages of processing, reporting, and use of necessary information to increase the effectiveness and efficiency of health administration and directing actions or decisions that are useful in supporting health development;
  2. National System is defined as a System that is managed by the ministry which carries out government affairs in the health sector that integrates and standardizes all Systems in supporting health development.

♦ General Information on the System

Pursuant to Article 345(2) of the Health Law, the System shall be carried out by the (i) the Central Government, (ii) Regional Governments, (iii) health services facilities, and (iv) public community, whether an individual or an organization (collectively be referred to as the "Organizer").

In this regard, Article 345(3) of the Health Law stipulates that the Organizer must integrate the System with the National System.

♦ Health Information Governance

Articles 346(3) and (4) of the Health Law provide that health information governance shall be carried out in accordance with the architecture of the System designed by the Minister of Health.

Based on Article 346(6) of the Health Law, the Organizer must conduct the data processing and health information in Indonesia. Article 347(1) of the Health Law stipulates that the Organizer is required to ensure the reliability of the System, which covers the (i) availability, (ii) security, (iii) maintenance, and (iv) integration.

Furthermore, Article 347(2) of the Health Law provides that the reliability of the System shall be conducted by way of (i) suitability of the system testing, (ii) maintaining the confidentiality of the data, (iii) determining data access rights policies, (iv) owning the system reliability certification, and (v) conducting regular audit.

In addition, Article 348(2) of the Health Law provides that the public shall be able to access public data and/or their own health data via the Organizer of a System that is integrated into the National System in accordance with the provisions of the prevailing laws and regulations.

Further, the Organizer must conduct the data processing and health information, which covers (i) planning, (ii) collection, (iii) storage, (iv) examination, (v) transfer, (vi) utilization, and (vii) demolishment.

According to Article 350(1) of the Health Law, the System shall contain data and information from (i) health services facilities, (ii) the Central Government and Regional Government Agencies, (iii) social security agencies, (iv) other agencies that engage in the health sector, (v) public community activities other than health service facilities, (vi) individual self-reporting, and (vii) other sources.

Article 351(1) of the Health Law provides that the Organizer of the System must ensure the data protection and health information of every individual.

Further, Article 351(2) of the Health Law stipulates that the data processing and health information that uses the health data of an individual must obtain an approval from the data owner and/or fulfill other provisions as the basis of the personal data processing in accordance with the prevailing laws and regulation in the personal data protection sector. This refers to Law No. 27 of 2022 on Personal Data Protection. Please click the following link for our newsflash on the Personal Data Protection Law: The Highly-Awaited Indonesian Personal Data Protection Law Is Passed.

An owner of the data is entitled to (i) obtain information with respect to the purpose of the collection of individual health data, (ii) access and rectify the data and information through the Organizer, (iii) request the Organizer to send his/her data to other Organizer, (iv) obtain the rights of other personal data subjects in accordance with the provisions of laws and regulations invitation in the field of personal data protection.

As mandated by Article 456 of the Health Law, all of the implementing regulations of the Health Law (including the ones relating to Systems) shall be issued at the latest 1 (one) year from the enactment of the Health Law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.