JAKARTA (The Straits Times/ANN): Health experts and rights groups have criticised a new draft law in Indonesia, saying it puts citizens’ health data at risk.

The Health Bill, when passed into law, will allow the authorities to collect and use a wide range of Indonesians’ health data, including their genomic data, and process it outside the country.

But this means the trove of data will be rendered more vulnerable to abuse and exploitation by malicious parties, the experts say.

The collection of genomic data may enable researchers to analyse types of diseases in a population and find ways to cure them, but the data could also be misused for business purposes or other intentions that might put national security at risk, according to the experts.

Dr Dicky Budiman, an Indonesian doctoral researcher in global health security at Australia’s Griffith University, said that Indonesia comprises numerous ethnic groups and has rich biodiversity, and such assets can make it vulnerable to exploitation for various interests, including commercial and bioterrorism ones.

“For instance, Indonesian health data (may) show a potential major non-communicable disease in the next five to 10 years. Insurance or pharmaceutical companies may use this for their business interests, which may clash with the interests of our people,” he told The Straits Times.

He pointed out that insurance companies may reject applications for insurance coverage from Indonesians based on their genomic data and their predicted health risks, while pharmaceutical companies could exploit such information to sell drugs.

Dr Dicky noted that based on past incidents, data protection in Indonesia is still weak.

One major incident in May 2021 involved the leakage of social security details – including identity cards and family cards – of more than 200 million citizens from the Healthcare and Social Security Agency’s database.

Not only was there a lack of adequate response from the authorities to the data breach but the perpetrators of the leak also got away lightly.

In October 2022, Indonesia’s Parliament passed into law a personal data protection Bill that imposes corporate fines and jail terms of up to six years on those who mishandle data. The law adopts some principles and aspects of the European Union’s 2018 General Data Protection Regulation.

However, Indonesia’s Personal Data Protection Law is not enough to guarantee the protection of Indonesia’s health data, said Dr Dicky. Australia, for instance, has at least three laws to protect health biosecurity data, he added.

Apart from concern over personal health data, critics of the Health Bill also want a 5 per cent minimum mandatory health spending in the annual state budget to be kept.

Rights groups say the elimination of the minimum mandatory spending, which is part of the Health Bill, will worsen healthcare services to the poor and vulnerable groups.

Health workers, including doctors, nurses and midwives, meanwhile, worry about legal uncertainties of their professional organisations. They see the Bill as reducing the role of their professional organisations, while giving more authority to the Health Ministry.

The majority of political party factions in Parliament agreed on June 19 to bring the Bill to a plenary session in July. Usually, when a Bill is brought before a plenary session, it is passed into law.

Another criticism of the Bill relates to its allowing the transfer and use of materials, such as clinical specimens, biological materials, information and data, in territories outside Indonesia.

There is high potential for the abuse of these materials, said Dr Agung Sapta Adi, a spokesman for the Indonesian Doctors Union.

He explained that such materials will be sent to overseas research facilities that use research methods not yet available in Indonesia.

In August 2022, the Health Ministry launched the Biomedical and Genomic Science Initiative (BGSi), an integrated biomedical initiative that encourages the use of genomic data to promote precision medicine.

BGSi aims to collect 10,000 genome sequences from Indonesians with diseases, including cancer and metabolic diseases, for research purposes. It receives support from overseas collaborators, such as Britain’s Oxford Nanopore Technologies, the United States’ Illumina and China’s BGI.

While Indonesia cannot process the data, the sequences will likely become “meaningful” for other parties or countries that control the technology, noted Dr Agung.

With the transfer overseas, the genomic data from Indonesia is vulnerable to leaks and abuses, he added.

“As for the data from the whole genome sequencing, the government should avert data abuses, instead of facilitating or opening up the chances of abuse,” he said.

A biobank – like the one to be developed by BGSi – is lucrative for the health industry as the specimens can serve as data points for artificial intelligence, said Dr Agung.

In the past, Indonesia’s Health Ministry had hosted a joint research laboratory with the US.

The lab, run together with the US Navy, began operating in 1970 to study viruses linked to communicable diseases. Its contract ended in 2000, but it continued operating until 2009 when it was officially shut down due to Indonesia’s security concerns. The lab, which had sent specimens of Indonesia’s strain of avian flu viruses overseas, among other things, had been criticised as compromising national security while giving little benefit to Indonesia.

Human rights lawyer Wahyudi Djafar said that as stipulated in the Personal Data Protection Law, genetic, biometric and other data concerning health is “sensitive data”, and there are several conditions governing its use, including explicit consent from people who own the data.

The processing and transfer of the data, especially across the country’s border, must meet strict requirements and uphold the principles of the law, he added.

“We must acknowledge that the Health Bill has yet to accommodate the supposed role of the state in protecting the personal data of citizens, especially concerning health,” said Mr Wahyudi, executive director of the Institute of Policy Research and Advocacy, a rights group.

He added that the government should have better engaged members of the public to allow their meaningful participation in the deliberation of the Bill.

Responding to the concerns, the head of the Health Ministry’s legal division, Ms Indah Febrianti, said that the Health Bill guarantees the protection of patients’ data.

The principles of data protection in line with the Personal Data Protection Law, including by requiring one’s consent and the notification of the purposes of data collection, will be upheld in the processing of personal data, she added.

“The owner of the data knows for what purpose the data will be used, and the security and the protection of the data are guaranteed,” she said. - The Straits Times/ANN