Requesting KTP and Photos for Building Entry Violates Indonesian Law, Experts Warn
The practice of exchanging identity cards (KTP) and taking photographs upon entering office buildings, apartments, and certain areas is still commonly encountered in Indonesia. Although considered a standard security procedure, privacy advocates warn that this practice cannot be carried out carelessly as it potentially violates legal provisions.
Parasurama Pamungkas, a researcher at the Institute for Policy Research and Advocacy (ELSAM), views such policies as a form of non-compliance with personal data protection principles. He stated that collecting personal data irrelevant to the activity being undertaken, such as entering a tower and registering an account, constitutes a failure by the controller to adhere to data protection principles. He added that it could be considered a violation because several principles are not met, including the requirement that the purpose of data collection must be limited and relevant.
The data controller also fails to satisfy the element of legality, as the personal data collected is not relevant and is used for other purposes. Indonesia has had privacy regulations through the Personal Data Protection Law since 2022. This law strictly regulates the rights of Indonesian citizens as data owners and stipulates sanctions for companies and government institutions that are negligent in protecting personal data. However, the implementation of this law remains hampered because the government has not yet established the personal data protection supervisory authority as mandated by the law. The supervisory body should have been established one year after the law was enacted, by 17 October 2024.
Parasurama further explained that using the data for other purposes causes the controller to lose the legal basis to continue or process the irrelevant data. Building managers should be able to find alternative methods besides collecting KTPs or facial scans—methods that do not pose risks to the public—including providing options that do not restrict people’s access to the premises. He emphasised that privacy should be granted by default and by design, and that the protection of privacy must also be carried out by managers of restricted areas, including buildings.
Separately, cybersecurity expert Alfons Tanujaya from Vaksincom explained that selfie photos and KTPs are not recognised identification tools according to the Population and Civil Registration Agency (Dukcapil). Regarding security, Alfons stated that it depends on the data management, specifically how the data is stored and whether it is secure. He noted that if data is not stored securely and leaks occur, the consequences are severe, as the leaked photos and selfies can be manipulated using AI.