<![CDATA[The proliferation of digital data processing in Indonesia's public sector has exposed a critical governance gap between institutional data collection practices and the legal protection afforded to citizens whose personal information is compulsorily surrendered to state-mandated bodies. This study examines the legal protection available to victims of personal data misuse by Badan Penyelenggara Jaminan Sosial (BPJS) Kesehatan and evaluates the adequacy of Indonesia's personal data oversight mechanisms, with particular reference to the 2021 data breach involving approximately 279 million participant records. Employing a normative juridical method through statute and conceptual approaches, this study applies the Legal Protection Theory of Philipus M. Hadjon — distinguishing preventive and repressive dimensions — alongside John Rawls' Theory of Justice as Fairness as its analytical framework. The analysis demonstrates that while Law Number 27 of 2022 on Personal Data Protection establishes a formally comprehensive normative regime, both preventive and repressive legal protections remain substantively deficient due to inadequate institutional data governance, the structural dependence of the supervisory body on the executive branch, and the absence of accessible victim redress mechanisms. Justice as fairness demands that oversight guarantees be equally accessible to the most vulnerable participants. Two reforms are urgently required: the establishment of a structurally independent supervisory commission and the issuance of sector-specific data governance standards for public social security institutions.]]>
