Requiring an ID Card Photo to Enter a Building Breaches the Law

Source: CNBC (translated from Indonesian) | Regulation

Entering a building by leaving an ID card at the front desk has become a common practice at several locations, with some sites making it mandatory; without compliance, access is denied. Parasurama Pamungkas, a researcher at the Institute for Studies & Advocacy of Society (ELSAM), described such measures as a breach of the principles of personal data protection. “The collection of personal data that is not actually relevant to the activity we undertake, such as entering a tower or registering accounts, is in fact non-compliance with the principles of protecting personal data,” Parasurama told CNBC Indonesia, quoted on Saturday (7 March 2026).

He also noted it could constitute a violation because several principles are not fulfilled. For example, the purpose of data collection must be limited and relevant. The data controller also fails to meet the element of legality, since the personal data collected is not relevant and is used for other purposes.

Indonesia has had privacy rules through the Personal Data Protection Act since 2022. The Act tightly governs the rights of Indonesian citizens as data subjects and sets penalties for companies and government institutions that fail to protect personal data. However, implementation has stalled because the government has yet to establish the data protection supervisory body as mandated by the Act. The supervisory body should have been established one year after the Act was issued, which fell on 17 October 2024.

“Then using it for other purposes, and it also loses its legal basis to continue or process those irrelevant data,” he added.

Building managers should seek alternatives to collecting NIK (KTP) data or facial scans, in ways that pose minimal risk to the public. This includes providing options that do not restrict public activities for access to the premises.

Parasurama emphasised that privacy should be provided by default and by design. Privacy protection should also be carried out by managers of restricted areas, including buildings.

“This is effectively a data protection breach. It is akin to the issue with digital platforms; how can we enjoy a platform that has no ads but requires payment, for example?” he explained.

Separately, Alfons Tanujaya, a cyber security expert from Vaksincom, explained that a selfie photo and KTP are not identification documents recognised by Dukcapil (the Indonesian Civil Registry).

Regarding security, Alfons said it depends on how the data is managed — how they store the data and whether it is secure. He added, “If they do not store it securely, a data breach would be possible. Even the photos — faces, selfies — could be exploited or manipulated later with AI.”
