Entry to Buildings Requiring ID Card Photography Violates Law

Jakarta — Surrendering identity documents such as KTP (national identity cards) at a building’s reception desk when entering is a common practice encountered in various locations. In some places, this has become a mandatory procedure, with visitors prohibited from entry if they fail to provide their identification.

However, Parasurama Pamungkas, a researcher at the Institute for Policy Research and Advocacy (ELSAM), views this practice as potentially violating principles of personal data protection.

“The collection of personal data that is not actually relevant to the activities we undertake, such as entering a building or registering an account, represents a fundamental failure to comply with principles of personal data protection,” Parasurama told CNBC Indonesia on Sunday, 15 March 2026.

According to him, such data collection can be categorised as a violation because it fails to meet several basic principles. One key issue concerns the purpose of data collection, which should be limited and relevant.

He further contended that data controllers do not meet the requirement of lawfulness, as the personal data collected is not always relevant to the stated purpose and may potentially be used for other purposes.

Indonesia has possessed privacy regulations through the Personal Data Protection Law since 2022. This legislation strictly regulates the rights of Indonesian citizens as owners of their personal data and establishes penalties for companies and government institutions that fail to protect personal data.

However, implementation of this law has been hampered because the government has yet to establish the data protection supervisory body as mandated. This supervisory body should have been established one year after the law’s enactment, which fell on 17 October 2024.

“Subsequently using it for other purposes, they also lose the legal basis to continue or process data that is not relevant,” he said.

Building managers should seek alternative methods beyond collecting ID cards or facial scanning—methods that do not pose risks to the public. This should include offering options that do not restrict citizens’ access to such facilities.

Parasurama stressed that privacy should be provided by default and by design. Data protection must also be implemented by managers of restricted areas, including buildings.

“This actually constitutes a violation of data protection. It is similar to digital platforms—for instance, how we might enjoy ad-free platforms by paying a fee,” he explained.

When contacted separately, cybersecurity expert Alfons Tanujaya from Vaksincom explained that selfies and identity card photographs are not recognised identification tools according to Dukcapil (the civil registry office).

Regarding security, Alfons stated that it depends on how the data is managed—specifically how it is stored and whether adequate security measures are in place.

“Whether it is secure depends on the data manager and how they store the data. If they do not store it securely, then if data is breached, that is the end of it,” said Alfons.

“Additionally, leaked data, together with photographs and selfies, can be manipulated using artificial intelligence,” he added.