How Telkomsel Protects Its Customer Data in The Big Data Age

In light of high-profile data breach cases we have seen in recent headlines, you might start to wonder what can happen to your own personal data such as your home address, your NIK, KK numbers and other information you provided when you registered your new SIM card with a telecommunication provider such as Telkomsel. How do you know if your data won’t be sold or used by other companies? Will your privacy be respected?

The proliferation of digital platforms has increased people’s awareness to personal data protection. Public perception of privacy rights has, albeit slowly at the beginning, been intensifying in recent years. More and more people think that their contact information might have been traded with advertisers as people get lots of unwanted promotion text messages and unsolicited telemarketing calls. Many also become suspicious that their online activities are constantly being tracked by companies, or even, by the Government. The term ‘Big Data’ has increasingly been associated with surveillance and spying on people’s private lives.

Privacy is a basic human right. No one really wants any private information to be revealed to others. Since many digital platforms have collected our personal data, it is natural to question whether our data would be safe from misuse. People demand their personal data to be protected.

Indonesia does not have a specific personal data protection law, however companies that collect and process customer data have the obligation to protect the data, as it can be found in the infamous ITE Law (Electronic Transaction and Information Law). The law has made it unlawful for a telecom provider like Telkomsel to transfer its customer personal data to a third party, to an advertiser for instance, without customer’s consent.

Consistently, Telkomsel respects customer privacy and data laws. Customer data protection strategy is at the top of mind for us at Telkomsel and we are taking the extra mile to protect sensitive personal data. These are some principles that we regard as the most fundamental:

Data Minimization

It wouldn’t surprise anyone that companies make use of customer data for marketing purposes. However, most companies also practice data minimization policy which limits the collection of personal data to only what is absolutely needed for the purpose of providing service to the customers. Telkomsel adheres to this principle: personal data collected is limited only to what is necessary, and nothing more. Telkomsel may ask you to provide your home address for sending monthly bills, but will never ask for your financial data, or data about your family.

Security and Integrity

Government regulations require all telecommunication service providers to be certified with the widely used information security standards ISO 27001:2013. Telkomsel is no exception to this obligation, and complies by protecting the IT environment with industry-standard security mechanisms to deter unlawful access.

In addition to strengthening the security around the IT infrastructure, a protection mechanism called masking is implemented in Telkomsel Data platform where customers data is stored. In here, customer data is replaced with tokens, which are format-preserving random symbols allowing the data to be processed without revealing the actual data. To illustrate how tokenization affects data, let’s see the example as follows:

As you can see, tokenized data seems completely incomprehensible to human eyes, but is still processable using standard SQL (structured query language) in IT systems because the symbols remain in standard ASCII text format with the same length with the original. This way, even Telkomsel employees cannot view the actual customer personal information, unless requested by the customer.

Storage Limitation

Under this principle, personal data which is no longer needed will be erased from the storage systems within Telkomsel environment. Customers who have terminated contracts with Telkomsel or have used up their prepaid cards are automatically marked and their personal data is deleted from database system within a predefined period of time. Not only to reduce risks, this is also performed to ensure operation efficiency, making sure no computing resource is wasted in processing unused data.

Purpose Limitation

According to this principle, the purposes for what the data is collected from the customers must be clear from the start. Customers must understand (and agree with) the obvious reasons why a company collects their data, for example, for sending information related to the company’s products.

It is Telkomsel’s obligation to be clear and concise in informing the customers about the purpose of data collection in the privacy policy document, which is shown at the sign-up process before customers start using Telkomsel services. New purposes other than what are stated in the document will be communicated with the customers before further processing. Under no circumstances Telkomsel would sell your personal data to other companies without your consent as a customer.

So next time you turn on your phone and you are on Telkomsel network, rest assured that your personal data is in good hands and is safe from abuse, but please make sure you have read the privacy policy in our website.