1. LEGAL REQUIREMENT | OFFICIAL RECOMMENDATION
Data protection in Kazakhstan is mainly regulated by the Law of 21 May 2013 No. 94-V ZRK on Personal Data and its Protection ('the Personal Data Law'), Law of 24 November 2015 No. 418-V on Informatisation ('the Informatisation Law') and relevant subsidiary laws. The Personal Data Law contains a general legal framework for personal data protection, whereas the Informatisation Law regulates, inter alia, the protection of data contained in so-called 'informatisation objects.' Informatisation objects include electronic information resources (e.g. websites), programme software, internet-resources and information and communication infrastructure (Article 1.4 of the Informatisation Law).
The relevant authority in the sphere of personal data protection is the Ministry of Internal Affairs of the Republic of Kazakhstan ('MIA').
The relevant authority in the sphere of information safety is the Committee for Information Safety of the Ministry of Defense and Aerospace Industry of the Republic of Kazakhstan ('MDAI').
The Personal Data Law does not contain a requirement to notify a personal data breach. However, the Informatisation Law contains a general notification requirement for so-called 'information security incidents.' An information security incident means separately or serially occurring failures in the operation of the information and communication infrastructure or its individual objects which threaten their proper functioning and/or create the conditions for illegally obtaining, copying, distributing, modifying, destroying or blocking electronic information resources.
Our interpretation of the law suggests that the general requirement to notify information security incidents entails, inter alia, a requirement to notify data breaches.
The Informatisation Law contains the following requirements:
- the Operational Information Security Center ('OISC') (a legal entity or a structural subdivision of a legal entity that carries out activities to protect electronic information resources, information systems, telecommunications networks and other information facilities) shall immediately notify the owner of the information and communication infrastructure and the National Information Security Coordination Center ('NISCC') (a legal entity that coordinates exchange of information among OISCs) about an information security incident (Article 7-2.1.2 of the Informatisation Law);
- the Information Security Incident Response Service ('ISIRS') (a legal entity or a structural subdivision of a legal entity providing analysis of information on information security events in order to provide advisory and technical assistance in eliminating the consequences of information security incidents) shall notify the owners and possessors of information objects and the NISCC about known incidents and threats to information security (Article 7-3.1.3 of the Informatisation Law); and
- owners or possessors of 'electronic government' objects or 'critically important' objects of information and communication infrastructure shall take measures ensuring immediate notification to the NISCC of an occurred information security incident (Article 54.2.6 of the Informatisation Law).
To summarise, Kazakh law provides for notification of data breaches (as a part of an information security incident) only in cases where such data is contained in electronic information resources.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.