Law of the Republic of Kazakhstan “On personal data and their protection”
The purpose of the “Cybershield of Kazakhstan” Concept is to achieve and maintain a level of security of electronic information resources, information systems and information and communication infrastructure against external and internal threats that ensures the sustainable development of the Republic of Kazakhstan in the context of global competition.
The EU General Data Protection Regulation (the rules for the processing of personal data) applies directly as law in the 28 member states of the European Union. A personal data protection authority (data protection agency) in Kazakhstan will operate on the basis of similar general rules.
In accordance with subparagraph 2 of Article 1 of the Law of the Republic of Kazakhstan dated May 21, 2013 No. 94-V “On personal data and their protection” (hereinafter referred to as the Law), personal data is information relating to a personal data subject who is identified or can be identified on the basis of that information, recorded on electronic, paper and (or) other tangible media. The personal data subject, for the purposes of the Law (subparagraph 16 of paragraph 1 of Article 1), is the individual to whom the personal data relate. The Law itself does not define the list of information that is recognized as personal data. The Decree of the Government of the Republic of Kazakhstan dated November 12, 2013 No. 1214 “On approval of the Rules for determining by the owner and (or) operator the list of personal data necessary and sufficient to perform their tasks” approved the lists of personal data of state bodies; the Decree does not approve a single unified list of personal data. In addition, under subparagraph 1) of paragraph 2 of Article 25 of the Law, the owner and (or) operator are obliged to approve the list of personal data necessary and sufficient to perform the tasks they carry out.
Thus, each owner and (or) operator independently determines the list of personal data necessary and sufficient to fulfill their tasks (for example, the list of the Ministry of Justice of the Republic of Kazakhstan consists of 68 items, and that of the Ministry of Agriculture of 18).
The Labor Code of the Republic of Kazakhstan dated November 23, 2015 No. 414-V (hereinafter referred to as the Code) lists the documents that are necessary for concluding an employment contract (Article 32), which include:
1) identity card or passport (birth certificate for persons under the age of sixteen). Oralmans present an oralman certificate issued by local executive bodies;
2) a residence permit or stateless person certificate (for foreigners and stateless persons permanently residing in the territory of the Republic of Kazakhstan) or a refugee certificate;
3) a document on education, qualifications, the availability of special knowledge or professional training when concluding an employment contract for a job requiring relevant knowledge, skills;
4) a document confirming employment (for persons with seniority);
5) a document on the passage of a preliminary medical examination (for persons obliged to undergo such an examination in accordance with this Code and other regulatory legal acts of the Republic of Kazakhstan), etc. Requesting these documents is the employer's obligation (subparagraph 3) of paragraph 2 of Article 23 of the Code), as is the collection, processing and protection of the employee's personal data. However, the collection and processing of personal data may be carried out only with the consent (in writing, in the form of an electronic document or in another manner using protective elements) of the subject or his legal representative. Therefore, the employer must obtain the employee's written consent to collect and process personal data.
The Law distinguishes between publicly available personal data and personal data of restricted access. However, the Law gives only examples of sources of publicly available data; it does not list the data themselves. Publicly available sources include biographical directories, telephone and address books, publicly available electronic information resources, and the media.
In accordance with the Law of the Republic of Kazakhstan dated November 24, 2015 No. 418-V “On Informatization” (hereinafter – the Law on Informatization), electronic information resources containing publicly available personal data are electronic information resources containing personal data to which access is freely available with the consent of the personal data subject, or to which, in accordance with the laws of the Republic of Kazakhstan, confidentiality requirements do not apply. The Decree of the Government of the Republic of Kazakhstan dated February 26, 2016 No. 117 approved the List of personal data of individuals included in state electronic information resources, which includes: last name, first name, middle name (transcription of the last name and first name); birth data (date and place of birth); nationality; gender; marital status; citizenship data (citizenship (former citizenship); date of acquisition / loss of citizenship of the Republic of Kazakhstan); individual identification number (IIN); portrait image (digitized photograph); signature; legal address; date of registration (deregistration) at the legal address; and the data of the identity document (name, number, date of issue, validity of the document, the issuing authority).
Access to state electronic information resources containing:
1) normative legal acts, with the exception of those containing state secrets or other secrets protected by law;
2) information on emergency situations, natural and technological disasters, weather, sanitary-epidemiological and other conditions necessary for life and ensuring the safety of citizens, settlements and production facilities;
3) official information on the activities of state bodies;
4) information accumulated in open information systems of state bodies, libraries, archives and other organizations (paragraph 5 of article 35 of the Law on Informatization).
In accordance with the Law of the Republic of Kazakhstan dated November 16, 2015 No. 401-V “On Access to Information”, information with limited access is information classified as state secrets, personal, family, medical, banking, commercial and other secrets protected by law, and also service information marked “For official use”.
Based on the foregoing, it can be concluded that publicly available personal data are information that is, or may be, held in public sources of state bodies, libraries, archives and other organizations and to which access is not restricted by the owner of the personal data, whereas personal data of restricted access are information that has become known to other persons in the course of their professional and official activities and is not subject to dissemination.
The Information Security Committee of the Ministry of Defense and Aerospace Industry of the Republic of Kazakhstan clarified the rights of individuals and legal entities in Kazakhstan in case of violation of the legislation on the protection of personal data.
The Information Security Committee of the Ministry of Defense and Aerospace Industry of the Republic of Kazakhstan clarifies that, in accordance with paragraph 2 of Article 20 of the Law of the Republic of Kazakhstan “On personal data and their protection”, the collection and processing of personal data may be carried out only where their protection is ensured.
In addition, in accordance with Article 56 of the Law of the Republic of Kazakhstan “On Informatization”, owners and holders of information systems who have received electronic information resources containing personal data are required to take measures to protect them in accordance with that Law and the standards in force in the Republic of Kazakhstan. This obligation arises from the moment of receipt of electronic information resources containing personal data and lasts until their destruction or depersonalization.
It is noted that, under subparagraph 1) of part 1 of Article 641 of the Code of the Republic of Kazakhstan “On Administrative Offenses”, administrative liability is provided for the failure to implement, or improper implementation of, measures to protect personal data by the owner or holder of information systems containing such data (within the jurisdiction of the Ministry of Information and Communications of the Republic of Kazakhstan).
The Criminal Code of the Republic of Kazakhstan also provides for criminal liability (Articles 147 and 211) for non-compliance with measures to protect personal data by a person charged with the obligation to take such measures, where this act caused substantial harm to the rights and legitimate interests of individuals, and for the unlawful distribution of electronic information resources containing personal data of citizens or other information to which access is restricted by the laws of the Republic of Kazakhstan or by their owner or holder.
In accordance with paragraph 3 of Article 144 of the Entrepreneurial Code of the Republic of Kazakhstan, the grounds for an unscheduled inspection of audited entities are appeals of individuals and legal entities (consumers) whose rights have been violated, appeals of individuals and legal entities on specific facts concerning a threat of harm to human life and health, the environment and the legitimate interests of individuals, legal entities and the state, with the exception of appeals by individuals and legal entities (consumers) whose rights have been violated, and appeals by state bodies.
Thus, individuals and legal entities whose rights have been violated in connection with the distribution of personal data are entitled to apply to the Ministry of Information and Communications and the Ministry of Internal Affairs of the Republic of Kazakhstan with a corresponding application.
To protect data (including personal data) in state bodies and the quasi-public sector, uniform requirements are applied in the field of information and communication technologies and ensuring information security (hereinafter – ET).
Private life takes on new dimensions in our hyper-connected world. New guidelines from IEC, ISO and ITU, the three leading international standards bodies, have been developed to protect personal data.
The growing number of high-profile data breaches has led countries around the world to engage in policy and regulatory reform. One of the best-known examples is the European Union’s General Data Protection Regulation, which entered into force in May 2018.
The need for personal data protection is growing urgently with the digital transformation of sectors such as healthcare and financial services. More and more organizations are engaged in the processing of personal data and are dealing with an increase in their volume.
ISO / IEC 29151 | ITU-T X.1058 is the starting point for governments and businesses, as it ensures enhanced protection of personal data. The document sets out data protection objectives, identifies the controls and management measures needed for data protection, and gives recommendations for their implementation. The standard also shows how such controls correspond to the requirements identified by the risk and impact assessments that organizations carry out in relation to the protection of personal data.
The standard is based on ISO / IEC 27002 (a code of practice for information security controls) with additional recommendations on the protection of personal data. Examples include proposed management structures for employees who process personal data, with the aim of collaborating effectively with legal teams to interpret the relevant laws and regulations.
In addition, the annex to ISO / IEC 29151 | ITU-T X.1058 contains an extended set of controls specific to personal data, including control objectives consistent with “consent and choice” and the associated “participation of the personal data subjects”, i.e. the people to whom the data relate. Others address “legitimate purposes”, providing recommendations on the appropriateness of retaining personal data and encouraging “collection limitation”, as well as “data minimization” and “openness and transparency” of organizational policy regarding personal data.
ISO / IEC 29151 | ITU-T X.1058 was developed jointly by ISO / IEC JTC 1 / SC 27, the ISO / IEC expert group on security techniques, and ITU-T Study Group 17, which is responsible for building trust and security in the use of communication technologies.
ISO / IEC 29151 can be purchased from your national ISO member or IEC member.