1. LEGAL REQUIREMENT | OFFICIAL RECOMMENDATION
Data protection in Kazakhstan is mainly regulated by the Law of 21 May 2013 No. 94-V ZRK on Personal Data and its Protection ('the Personal Data Law'), Law of 24 November 2015 No. 418-V on Informatisation ('the Informatisation Law') and relevant subsidiary laws. The Personal Data Law contains a general legal framework for personal data protection, whereas the Informatisation Law regulates, inter alia, the protection of data contained in so-called 'informatisation objects.' Informatisation objects include electronic information resources (e.g. websites), programme software, internet-resources and information and communication infrastructure (Article 1.4 of the Informatisation Law).
The relevant authority in the sphere of personal data protection and information safety is the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (' MDDIAI').
The Personal Data Law does not contain a requirement to notify a personal data breach. However, the Informatisation Law contains a general notification requirement about so-called 'information security incidents.' Information security incident means separately or serially occurring failures in the operation of the information and communication infrastructure or its individual objects, which threaten their proper functioning and/or the conditions for illegally obtaining, copying, distributing, modifying, destroying or blocking electronic information resources.
Our interpretation of the law suggests that a general requirement to notify breaches of information security incidents entails, inter alia, a requirement to notify on data breaches.
The Informatisation Law contains the following requirements:
- the Operational Information Security Center ('OISC') (a legal entity or a structural subdivision of a legal entity that carries out activities to protect electronic information resources, information systems, telecommunications networks and other information facilities) shall immediately notify the owner of the information and communication infrastructure and the National Information Security Coordination Center ('NISCC') (a legal entity that coordinates exchange of information among OISCs) about an information security incident (Article 7-2.1.2 of the Informatisation Law);
- the Information Security Incident Response Service ('ISIRS') (a legal entity or a structural subdivision of a legal entity providing analysis of information on information security events in order to provide advisory and technical assistance in eliminating the consequences of information security incidents) shall notify the owners and possessors of information objects and NISCC about known incidents and threats to information security (Article 7-3.1.3 of the Informatisation Law); and
- owners or possessors of 'electronic government' objects or 'critically important' objects of information and communication infrastructure shall take measures ensuring immediate notification to the NISCC of an occurred information security incident (Article 54.2.6 of the Informatisation Law).
To summarise, Kazakh law provides for notifi cation on data breaches (as a part of an information security incident) only in cases where such data is contained in electronic information resources.
Authors: Marina Kahiani, Partner; Lola Abdukhalykova, Counsel of GRATA International, Kazakhstan.