Entering Buildings Requires ID Card and Photo, Potentially Violating Law

The practice of handing over identity documents such as KTP to reception desks as a condition for entering buildings or specific areas is common in Indonesia, often mandatory for access. However, ELSAM researcher Parasurama Pamungkas argues this violates personal data protection principles. ‘Collecting personal data irrelevant to the activity, like entering a tower or registering an account, constitutes non-compliance with data protection principles,’ he told CNBC Indonesia on Sunday (24 May 2026).

He added that such practices breach key principles, including limited and relevant data collection purposes, and lack legal basis for processing unrelated data. Indonesia’s Personal Data Protection Law (UU PDP), established in 2022, strictly regulates the rights of Indonesian citizens as data owners and imposes penalties for negligent companies and government institutions. Yet, implementation remains stalled as the government has not established the mandated data protection oversight body, which should have been operational by 17 October 2024.

‘Using data for other purposes also removes the legal basis to process irrelevant information,’ he explained. Building managers should seek alternatives to KTP collection or facial scanning that pose no risk to the public, ensuring access isn’t restricted unnecessarily. Parasurama stressed privacy should be default and by design, with restricted area managers responsible for protection.

Separately, Vaksincom cybersecurity expert Alfons Tanujaya noted that selfies and KTP photos are not recognised identification tools by Dukcapil. He said data security depends on how it’s stored: ‘If data isn’t kept securely, leaks will occur. Once leaked, facial images and selfies can be manipulated using AI,’ he warned.