In February 2024, a part of the amendments to the Law of the Republic of Kazakhstan “On Personal Data and Protection” (“Personal Data Law”) came into force. As we wrote earlier, the Personal Data Law was supplemented with a provision prohibiting the collection of copies of identity documents.
The new provision of the Personal Data Law hit the front pages of the media in December 2023, and prompted many questions from us. Almost all consultants reported on changes in law, but no one gave recommendations on how to apply the said rule.
We attempted to understand the issue, including by sending a request to the Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (“MDDIAI”) and received written and oral comments on our request.
In this alert, we share the comments we received regarding the ban on collecting copies of identification documents.
What copies cannot be collected?
The ban on collecting and processing copies of identity documents extends solely to paper media. This is a situation where an entrepreneur makes a copy of a document on paper, stores and processes copies in folders on the premises of its enterprise.
There are exceptions when such collection of hard copies is acceptable:
1) the lack of integration with the objects of informatization of state bodies and/or state enterprises;
2) the impossibility of identifying the subject using technological means (for example, lack of access to the Internet.
2) the impossibility of identifying the subject using technological means (for example, lack of access to the Internet.
The list of exceptions is open and other acts of the Republic of Kazakhstan may provide for situations when identity documents can be collected and processed on paper. For example, a number of situations within the framework of labor relations.
What about digital documents?
It is allowed to collect and process copies of identity documents in electronic format. This means that it is allowed to collect and process digital documents that are generated by eGov.kz, a government service.
According to the response from the MDDIAI, the electronic format also involves copying an identity document onto paper, making a scanned copy and subsequent storage thereof in the entrepreneur’s information system. Paper media should be destroyed.
We should certainly remember that almost every collection and processing of personal data may be done at the consent of the data subject.
State database of digital documents
Let's get back to the issue of digital documents in state databases. We would like to talk about the possibility of businesses using the government digital document service. We believe that this is a useful tool that can solve certain difficulties with obtaining the subject’s consent to the collection and processing of personal data.
A business may connect to the state database of digital documents (as well as other databases with personal data). The legal basis for this is enshrined in Article 10 of the Personal Data Law.
The Article provides that subjects may receive personal data contained in the information systems of the state bodies and/or state entities through the e-government web portal, of course, subject to the consent of the data owner, which must also be obtained through the government service.
Below is a summary guide on how to connect to government databases.
The state information system is to be connected through National Information Technologies JSC (“NIT”).
The connection algorithm is as follows:
1) submitting an application to NIT;
2) NIT issues technical conditions for connection;
3) the applicant ensures compliance with the technical conditions of NIT;
4) the applicant conducts tests for the information security of its system (tests can be made by private companies);
5) The Information Security Committee of the MDDIAI issues a test certificate based on the information security testing protocols of the applicant’s system;
6) the integration of the applicant’s information system with the state database is carried out.
2) NIT issues technical conditions for connection;
3) the applicant ensures compliance with the technical conditions of NIT;
4) the applicant conducts tests for the information security of its system (tests can be made by private companies);
5) The Information Security Committee of the MDDIAI issues a test certificate based on the information security testing protocols of the applicant’s system;
6) the integration of the applicant’s information system with the state database is carried out.
The applicant should also integrate with the State Service for Controlling Access to Personal Data. This service ensures obtaining a consent from a citizen to access his/her personal data via SMS messages.
The described government service solves certain problems with obtaining consents when, for example, an entrepreneur has no direct contact with the data subject and the subject’s data is collected by the entrepreneur’s counterparties. The service eliminates the risks associated with non-obtainments of consents from data owners.
For more information, please send a request to Ulzhan Ashimbay (lawyer of 3i) by email at u.ashimbay@3ilaw.kz.
If you need contacts of the companies that assist in the integration with government databases, please write to us, and we will be happy to share the contacts.