Insights to develop privacy policy for organization in Indonesia

Nowadays, the increased utilization of shared application in the network needs not only dictate to have enhanced security but also emphasize the need to balance its privacy protection and ease of use. Meanwhile, its accessibility and availability as the demand from organization service put privacy obligations become more complex process to be handled and controlled. Nonetheless, the underlying principles for privacy policy exist in Indonesian current laws, even though they spread across various article regulations. Religions, constitutions, statutes, regulations, custom and culture requirements still become the reference model to control the activity process for data collection and information sharing accordingly. Moreover, as the customer and organization often misinterpret their responsibilities and rights in the business function, process and level, the essential thing to be considered for professionals on how to articulate clearly the rules that manage their information gathering and distribution in a manner that translates into information system specification and requirements for developers and managers. This study focus on providing suggestion and recommendation to develop privacy policy based on descriptive analysis of 791 respondents on personal data protection in accordance with political and economic factor in Indonesia.


Introduction
Currently, 13 jurisdictions in Asia have comprehensive privacy laws namely Australia, Hong Kong, India, Japan, Kazakhstan, Kyrgyzstan, Macao, Malaysia, the Philippines, Singapore, South Korea, Taiwan and New Zealand. The latter is the only jurisdiction in the region that has been recognized by the European Commission as providing adequate protection. Notably absent from this list are countries such as China, Thailand, Vietnam and Indonesia, in which taking a piecemeal or sectorial approach [1]. In Indonesia, communication and information ministry is designed to carry out the law and the president's policies by performing number of different task and assignment, including regulation drafting for parliament consideration. Besides that, it also have legitimation through its administrative agencies mandated by constitution to assign certain bill or legislation called as PERPU to replace current regulation in conjuncture condition temporary. It will apply in certain period until next parliament meeting to discuss permanent regulation law. There are certain issues in the regulation form of language that is intrinsically vague and cannot translate to every factual situation in which it is applied, as well as cause by the political factors. Thus, it dictates the relevant agencies to interpret and decide their own strategy in enforcing regulation. However, any changes to the regulation might lead to drawback in accommodating society caused significant time frame to make changes even the minor one. The right to privacy limit other rights and freedoms such as association, belief and expression, in which the communication skill have critical impact in protecting freedom and assuring political accountability without fear of reprisal [2].

Literature Review
There are debates between participation and transparency with privacy to assure the legitimacy of certain activity especially in the governmental initiatives by overly limiting the rights of citizens in order to protect personal data [2]. Indeed, personal data of employee only disclose by organization through data subject request prior notice, in which under such circumstances, anonymity can be as option unless the organization have higher importance and priority [5]. The scope definition to explain certain terminology in practice often do not translate well in the regulation due to trend changes frequently, thus there is a need to have new mechanism concept to set specific consideration context and taxonomies, in which optimizing the interaction and communication [6]. In developing the privacy policy, it is critical that organizations address information quality in relate to current privacy issues such as accuracy, completeness, currency and reliability of information connected to data subject due to its public availability [7]. Consumers are often placed in a position where they are have to submit their personal data over service offered by organization, where those data will only be used based on agreement, it may be backed up by other promises such as trust mark, membership, discount, etc. Unfortunately, organization tend to break those promise to obtain more profits by sharing to the other or use them for other deceptive purpose [8]. Thus, data subjects must be given control and access to their personal data held by a data controller of course with their recognition, notification and agreement [5]. Meanwhile, the organization should define and develop the domain of consumer privacy, know its ethical dimensions, decide the firm-level drivers of customer privacy protection and more importantly train the employee to appreciate the value of consumers' data more than the others [9].

Research Methodology
Based on previous study, it showed that legal framework was inadequate to effectively regulate the development and use of voting machines, especially regarding security safeguards, the certification process and tabulation software [3][10] [11]. The order list of PDP items as follows quick result of tabulation (1), accuracy (2), condition notification (3), reporting mechanism (4), cost reduction (5), user permission (6), physical authentication card (7), data encryption (8), surveillance (9), anonymity value (10), machine credibility (11), interface simplicity (12), lack of cross validated (13), nation proudness (14) and physical attachment removal (15). Internal consistency has a meaning as a psychometric property of test that describes whether the items in the test that are proposed to measure the same construct produce consisten score, which is associated with the degree of general factor saturation and degree of inter-item correlations but irrelevant to test length or simply all the items are parallel in a test or subtest [12]. Here, all item must be positive value, which indicate that all items in one same characteristic. Based on inter-item correlation, the cross-checking between PDP item indicated that PDP6, PDP9, PDP13 and PDP15 have the most negative correlation with the other items. Moreover, another reliability analysis will be conducted to determine the further step in strengthen the decision. Another method to check the internal consistency through a small corrected item-total correlation with value less than 0.2 or 0.3 that indicated the item is not measuring the same construct measured by the other items included. It has a meaning that the corresponding item does not correlate very well with the scale overall, thus, it may be dropped or removed. Therefore, when the item has limited number (less than 10), inter item correlation value will be high within 0.4 to 0.76 [13]. Interestingly, through corrected item-total correlation measurement, the indication has been supported that PDP9 and PDP15 obtain negative values. By using 0.3 as the upper boundaries, the study found PDP10 has 0.226, which shows there is no correlation with other criteria. It also have value under 0.1 in inter-item correlation matrix with PDP1 (0.051), PDP2 (0.06), PDP3 (0.053) and PDP13 (0.001). Thus, those five items is eliminated as they do not show reliability and consistency to measure privacy protection as well redundant with other items. A total of 790 out of 1000 questionnaires were completed and 79% of the respondents returned their completed survey of which 11 or approximately 1.39% was subsequently eliminated. The central tendency is important in data screening to replace missing or invalid value. A measure of central tendency is a single value that describes a set of data by identifying the central position within, in which called measures of central location under summary statistics through mean as the average value, median for middle value and the mode as frequent value. Those are all valid measures of central tendency but some measures become more appropriate to use than others [14]. As this study using likert scale, it is clearly show the average of the squared differences from the mean and how spread out the number are, in which 1 represent very disagreement while 6 as very agreement. Meanwhile, negative values for the skewness indicate data that are skewed left, which mean that the left tail is long relative to the right tail and vice versa. For positive kurtosis indicates a light tailed distribution relative to a normal distribution or lack of outliers. In short, there is no an observation point that is distant from other observation.

Privacy Policy Development
Based on statistic result, it shows that user permission is not relevant for privacy policy, in which it might overlap with special circumstances for notification and the agreement for service use. It also shows that mostly the customer do not want to be attached with physical entity or responsibilities in regarding the security procedure as they expect the data controllers handle relevant activities. As originally enacted, the law imposed requirements for what must be included in a privacy policy [7] such as categories of identified personal data of consumers, third parties with whom the operator may share the personal data, description of activity process for users to update their personal data, user features in control theirs personal data and notification process and effective date of the privacy policy.

Registration Policy
For organization, the registration is the critical phase to gather the personal data where potential customers, employees or projects provide almost all their sensitive information to fulfil the requirement or attract the attention. The website was common used to allow the online registration besides conventional through counter. The security by encryption of the website is the main concern in regards that sensitive data of the potential consumers is transferred and shared. Therefore, data subjects have the right to be told whether the data held on them and the purpose for which the information is used and to obtain a copy of the information about them by making a subject access request. It occurred in various types such as recruitment, admission, enquiries, research, examinations, graduation, accommodation and career. Occasionally, information is passed between different parts of the phase for operational reasons such as for notification, archive or announcement. Partial or full information disclosure can be done through the data subject request or the representative or data controller under authority. In addition, disclosing information about customers to the relevant parties are appropriate until the decision made on their accepted registration, of course with necessary information only. The personal data to be included in the registration must relate to an individual directly (personal request) or indirectly (business matters) [5].

Collection Policy
In collecting personal data from participants or vice versa, the method used should be in accordance with the relevant Act. It means that the following methods should be made clear to anyone who is providing personal data. In regards for the role of organization as data controller or data user and that will hold the data, it should also be clear that the reason why the data is being collected. The data subject can be informed about the purpose at the times when the data that has been collected. The data user must be careful to ensure that there is no disclosure of information to third parties that are not known by the data subject, when the collection take part. Disclosure to a third party must be stated in a written notice to the data subject, to comply with a statutory obligation. Only after the data subject is aware of the existence of the third party and given the relevant approvals. Organization might collect data for the sole purpose of specifically planned, agreed and necessary such as performance report, service and statistic. It is clear that the collection and dissemination of private information will almost always raise issues of relevance to private life [2]. They can retain that personal data as long as those purposes remain valid, especially when relevant data subject is not part of organization business activity anymore. To avoid data leaked without proper control, individuals who have access to personal data should not leave computer screens open. Also, passwords should not be disclosed and email should be used properly.

Data Processing Policy
To conduct the processing of personal data, it should be clear what kind of data would be processed. Data user must provide the consent form to the data subject to be completed and signed as the evidence for approval. It is obligatory to the organization to remind that the relevant data can only be used for those specific reasons, which be signed by the data user with certain terms and condition stated in the document based on organization recognition. An "opt out" the sentence may need to be included so the consumers can have the opportunities to consider whether they want to reject or not. If the organization wants to maintain the relationship to the data subject, so portal, group community or report by the data user can be used to manually realize the type of processing relate to their personal data. Therefore, to put simplicity in the process, the frequent data processing can be categorized differently with the special case, whereby data subject just be informed once in the beginning. Furthermore, by having data user records anonymous are recommended, especially when they shared outside. The employee should be easily gain access to their friends' personal data, some restriction should be considered for certain personal data. Organization must explain exactly the approach they use to avoid personal data being hacked or exposed. The core challenge in IT service out sourcing would be the fact that data user loses a complete control over personal data of their data subjects to whom they are initially answerable [15].

Access Policy
Commonly, data subject is willing to reveal or display their own personal data in order to promote their expertise, capacity and achievement. It will not cause any danger as long as it is used for good purposes and right manner. However, the administrations that keep and administer the data subject's data own a legal duty not to disclose them to unauthorized party. The bottom line is that data users are responsible to the security, integrity and reliability of the personal data that they process. In addition, the relevant data subjects should have full access to their own records, with the ability to correct false, incomplete or inaccurate information to prevent information misleading. Meanwhile, request for access by different party can be made in writing and data controllers are allowed to charge a fee for such requests. The circumstances where the controller may refuse to comply with the data access request especially when data controller is not supplied with relevant information on the identity of the requestor. Therefore, access to data stored on a computer to be controlled by passwords and where appropriate, there are the restriction or limitation to access certain file in regards to the authority. The policy need to cover the standard requirement to create the password while only authorized person know his/her own password whereby it is updated periodically.

Exemption Policy
Personnel files or report that consist personal data should be stored responsibly in a specific place, so any illegal and unauthorized attempts to view and access them will be noticed immediately. They should have default of locked condition when not in use (require password) and could not be removed without authority. An exception in which personal data may be disclosed to third parties, if necessary for the prevention of crime, public interest or as authorized by law or court order. The protection by data user only through a reasonable assurance related to legal right and the consent of the data subject. The different between registration and collection policy stand on the data subject and user, where in registration data subjects submit their own personal data to gain such recognition by data user while in collection, data user ask the permission from data subject to give their personal data to specific purpose.

Deletion Policy
Private data must be erased if the retention period has expired, it has served its purpose, or it is requested by the data owner. The deletion of private data must also be in accordance with prevailing laws and regulations and not be relevant to any case proceeding. Meanwhile, to ensure the awareness amongst the staff member, organization can conduct the campaign, training and special talk about code of practice. In case of any private data leak, the private data administrator must notify the data owner regarding the private data which was revealed, the time and sequence of events that led to the private data leak, efforts by the private data administrator to address the private data leak and contact information of the private data administrator [4]. Any breaches of security should be treated as a disciplinary issue. On the other hand, destroying or disposing of personal data also counts as processing. Such good care should be taken in the disposal of any personal data to ensure that it is appropriate.

Conclusion
To maintain the enforcement of personal data protection, organization is encouraged to create the periodical discussion of privacy policy evaluation among staff members. In general, regulation has many purposes like to provide activity guide to agency or committee body, to grant certain privilege to execute national policy, to declare the principle or strategy, to authorize bureaucracy in performing certain action or measures and many more. It is contrasted with a non-legislative act in the form of government regulation, which is adopted by administrative body under the authority of specific regulation act for implementing certain policy and ensuring uniformity of law application. It should take a note the utilization of personal data might be occurred in various activities such as application, complaint, suggestion, storing, transfer and sharing. Such control by the data user must be strictly enough in anticipating personal data to be improper use.