The Department of Provincial Administration clarified penalties for the misuse of personal data after the People’s Party discovered hackers attempting to access member information without authorization. It stressed that those concerned can apply for new ID cards.
On 15 March 2026, reporters reported that the Department of Provincial Administration, Ministry of Interior, issued a statement regarding the leakage of personal information such as full names, ID numbers, addresses, birthdates, phone numbers, emails, and other data. The statement referred to news reports that the People’s Party had detected unauthorized attempts by outsiders to access the party’s membership database. To ensure correct understanding, compliance with relevant laws, and build public confidence, the Registration Administration Office of the Department of Provincial Administration issued the following explanation.
Suspension of People’s Party use of authentication program
1. Actions by government agencies
(1) The Department of Provincial Administration, through the Registration Administration Office, has canceled the People’s Party’s access to the digital identity verification system (DOPA-Digital ID) and the program for reading data from multi-purpose ID cards (Smart Card) effective from 14 March 2026 at 12:00 p.m. onward. The party has been instructed to submit details of the personal data leaks to the department to protect citizens’ data and to publicize the importance of data security. Furthermore, the department will review data linkage policies with all agencies according to confidentiality laws, including the Personal Data Protection Act and the Civil Registration Act.
/
Ready to file complaints and press charges
(2) In cases where citizens’ ID card information has been used without consent or beyond legally permitted purposes, or if personal data security measures are inadequate, the Central Registration Office of the Department of Provincial Administration will consider filing complaints with investigators or requesting administrative penalties under the Personal Data Protection Act B.E. 2562 (2019) and related laws against offenders.
Clarification of legal violations for negligence
2. If authorized agencies or organizations neglect data security leading to personal data leaks, this may constitute legal violations. If it is proven that data collection, use, or disclosure of personal data was improper, it may violate multiple laws, including:
(1) The Civil Registration Act B.E. 2535 (1992) and its amendments
- Unauthorized disclosure of civil registration information or numbers
(2) The Identification Card Act B.E. 2526 (1983) and its amendments
- Unauthorized access to or disclosure of data stored in card memory not visible on the card without the cardholder’s consent
/
(3) The Personal Data Protection Act B.E. 2562 (2019) (PDPA)
- Collection, use, or disclosure of personal data without legal basis
- Penalties: civil, administrative, and criminal sanctions
(4) The Computer Crime Act B.E. 2560 (2017)
- Unauthorized input of data into computer systems causing damage to others
(5) Election laws and political party laws
- If data obtained is misused in relation to party membership applications or political activities. Determination of offenses depends on facts and evidence.
3. Citizens’ rights to sue agencies, organizations, or individuals
If someone misuses the front-side data of a person’s ID card—for example, in financial services or opening accounts—causing harm to the data owner, the owner can file criminal complaints with investigators and seek compensation claims, including:
(1) Fraud offenses under Criminal Code Section 341, punishable by up to three years imprisonment, a fine up to 60,000 baht, or both
(2) Document-related offenses under Criminal Code Sections 264-268, punishable by up to 40 years imprisonment and/or fines up to 200,000 baht
(3) Offenses involving input of false or misleading data into computer systems under Section 14(1) of the Computer Crime Act B.E. 2550 (2007), punishable by up to five years imprisonment, a fine up to 100,000 baht, or both
(4) Offenses of unauthorized disclosure of civil registration data under Section 17 and Section 49(1) of the Civil Registration Act B.E. 2534 (1991) and amendments, punishable by up to six months imprisonment, a fine up to 20,000 baht, or both
(5) Unauthorized disclosure of data stored in card memory without consent of the cardholder is an offense
under Section 12 of the Identification Card Act B.E. 2526 (1983) and amendments, punishable by up to five years imprisonment, a fine up to 100,000 baht, or both
(6) Complaints can also be filed with the Personal Data Protection Committee Office, Ministry of Digital Economy and Society, which has authority to investigate data protection violations and seek compensation for data owners.
If concerned, citizens can request new ID cards
4. Procedures for issuing new ID cards
If citizens are concerned that their ID card data may be misused, they can proceed as follows:
(1) Contact the district or local registration office to request a new ID card
(2) If there is a valid reason, such as potential misuse, officials may consider issuing a new card under regulations, with applicable fees (100 baht) still required
/
(3) The citizen’s original ID number will remain the same, but the card’s Laser ID number will be new