Kazakhstan: Security of personal data within the framework of electronic document management

published on 11 December 2024 | reading time approx. 6 minutes


In today's digital world, where information technology is penetrating every aspect of our lives, the protection of personal data is becoming extremely important. Especially in the context of online transactions, electronic interactions and electronic document management (hereinafter referred to as “EDM”), signatories need effective mechanisms to ensure the privacy and security of their personal data.

EDM has become an integral part of the business environment: it reduces processing time, minimizes paperwork and saves on copying costs. However, as digital transformation accelerates, ensuring the security of electronic document management has become a pressing issue.
  
Security encompasses not only protection of personal data from external threats but also ensuring its confidentiality and integrity. Sensitive information and personal data constitute a valuable asset that demands robust protection.
  
According to the Law of the Republic of Kazakhstan No. 94-V of May 21, 2013, “On Personal Data and Its Protection” (hereinafter referred to as the “Personal Data Law”), personal data is any information relating to an identified or identifiable individual, recorded on any medium, including electronic, paper, or other material. 
  
This includes identifying data (surname, name, patronymic, year and date of birth, nationality), information about the place of residence (registration), individual identification number (IIN), identity documents (number), and other information.  
  
In the field of EDM, personal data also includes employment records, supply contracts, service contracts, financial data, development plans, commercial agreements and so on.
  
The Personal Data Law places a legal obligation on all parties involved in the processing and storing of personal data to protect that personal data.
  
EDM often involves interactions with external parties like clients, suppliers, and partners. Safeguarding the security of electronic document management is fundamental to maintaining trust and fostering successful relationships. Moreover, compliance with laws and regulations underscores the importance of protecting personal data, including within EDM systems.
  
Consequently, inadequate security of electronic document management can lead to severe repercussions, such as data breaches, erosion of partner and customer trust, financial losses, and reputational damage.
  
In accordance with the Personal Data Law, there is an entity called the “owner” with the right to own, use and dispose of the personal data, an entity called the “operator” with the right to collect, process and protect the personal data, and a personal data subject, referring to the person/entity whose personal data is being processed.

Collection and processing of personal data is carried out by the owner and (or) operator, as well as by a third party with the explicit consent of the subject or his/her legal representative. Employers, employees and counterparties give their consent for data processing and storing whenever they use the services of EDM companies for online document signing and sharing.

The EDM companies, for their part, provide the protection of the personal data by means of their security and monitoring measures, per the Personal Data Law.
  
Under the Personal Data Law, owner, operator and other third parties are legally obliged to take the necessary measures to protect personal data, ensuring:
  • prevention of unauthorized access to personal data
  • timely detection of the facts of unauthorized access to personal data, if such unauthorized access could not be prevented
  • minimization of adverse consequences of unauthorized access to personal data
  • granting access of the state technical service to the informatization objects that use, store, process and disseminate personal data of limited access contained in electronic information resources, in order to carry out the survey of ensuring the security of the processes of storage, processing and dissemination of personal data of limited access contained in electronic information resources in the manner determined by the author­ized body

Obligations of the owner and (or) operator, as well as a third party to protect personal data arise from the mo­ment of collection of personal data and are valid until the moment of their destruction or depersonalization.

According to the Law of the Republic of Kazakhstan No. 418-V “On Informatization”, enacted on 24 November 2015, multi-factor authentication is required for accessing electronic information resources that contain re­stricted personal data. Additionally, there are regulations governing the measures that must be implemented by owners, operators, and third parties to protect personal data. These regulations establish that personal data protection is achieved through a comprehensive set of measures, including legal, organizational, and technical actions, aimed at: 
  • ensuring the right to privacy and personal and family secrets
  • safeguarding their integrity and security
  • maintaining their confidentiality
  • facilitating access to personal data
  • preventing their unlawful collection and processing

EDM systems face various threats, including DDoS (Distributed Denial-of-Service) attacks that can disrupt system availability and malicious attempts to gain unauthorized access to sensitive data. Phishing and social engineering attacks target users to trick them into revealing confidential information. Inadequate data pro­tection can lead to accidental or intentional breaches, damaging reputation and violating data protection laws. Weak authentication and authorization controls can allow unauthorized individuals to access sensitive data or perform actions on behalf of others. Alteration or falsification of electronic documents can erode trust in the system and damage relationships. Insufficient encryption makes confidential information vulnerable to interception and unauthorized access. Additionally, employees with system access can pose risks due to malicious intent or lack of security awareness.

Several technical measures can be implemented to enhance the security of EDM systems. Continuous security monitoring and analysis are crucial for identifying anomalies and preventing potential threats. By implementing these measures, organizations can significantly reduce the risk of data breaches, protect their reputation, and comply with data protection regulations. 

EDS systems most commonly ensure the security of their platforms through ongoing information security audits, as well as by acquiring security certifications from various international security and risk assessment companies such as CyberGRX and CyberVadis, certificates of compliance with ISO standards related to information security, etc.

With the digitalization of documentation in recent years, the electronic digital signature has been used as a means of verifying the authenticity of the signatory's signature. One of the main advantages of EDS is that it ensures that an electronic document cannot be forged or altered without detection. When a consumer signs an electronic document using their EDS, it creates a unique cryptographic fingerprint that is linked to their personal identity. Thus, if the document has been tampered with or altered, the digital signature will be invalid and the recipient will be able to detect the substitution or data breach.
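As an added illustration of the tamper-detection property described above (example code written for this article, not the code of any EDS platform or certification centre named on the page), the following Go program signs the SHA-256 digest of a constructed contract text with an ECDSA private key, then verifies the same signature against the original document, against an altered copy, and with a different signer's public key. The key pair, the document text and the function names are assumptions for the example; a real EDS would use a key whose public half is bound to the signatory by a registration certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample documents standing in for an EDM contract; the second
// copy differs from the first by a single character in the quantity.
const Original = "Supply contract No. 17: deliver 100 units by 2025-01-31"
const Tampered = "Supply contract No. 17: deliver 1000 units by 2025-01-31"

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signer's private key (the key the lawful signatory alone must hold).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest from the received bytes and checks the
// signature with the public key; any change to the bytes makes this false.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SignAndCheck signs the original document and reports three verification
// results: genuine document, tampered document, and wrong signer's public key.
func SignAndCheck() (genuine, tampered, wrongSigner bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	sig, err := SignDocument(signer, []byte(Original))
	if err != nil {
		return false, false, false, err
	}
	genuine = VerifyDocument(&signer.PublicKey, []byte(Original), sig)
	tampered = VerifyDocument(&signer.PublicKey, []byte(Tampered), sig)
	wrongSigner = VerifyDocument(&other.PublicKey, []byte(Original), sig)
	return genuine, tampered, wrongSigner, nil
}

func main() {
	g, t, w, err := SignAndCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, tampered: %v, wrong signer: %v\n", g, t, w)
}
```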

In Kazakhstan, EDS is regulated by the Law “On Electronic Digital Signature”, which establishes the legal basis for the use of EDS in various spheres of activity. The Law also establishes requirements for certification centers that issue certificates for the use of EDS. This ensures trust in the EDS system and confirms the authenticity and integrity of electronic documents and messages.

An electronic digital signature is equivalent to the handwritten signature of the signatory and entails the same legal consequences when the following conditions are met:
  • the authenticity of the electronic digital signature has been verified using the public key that has a registration certificate
  • the electronic document was signed by a person lawfully in possession of the private key of the electronic digital signature
  • the electronic digital signature is used in accordance with the details specified in the registration certificate
  • the electronic digital signature is created, and the registration certificate is issued, by an accredited certifying centre of the Republic of Kazakhstan or by a foreign certifying centre registered with the trusted third party of the Republic of Kazakhstan

Electronic documents signed with a certified electronic digital signature (EDS) are legally equivalent to paper documents with a handwritten signature, as outlined in Article 7 and Article 10 of the Law on Electronic Signature. This provides clarity and assurance to individuals and businesses that electronic signatures carry the same legal weight as traditional signatures.

The law also accommodates the use of electronic signatures from foreign certification centres, provided they are registered with a trusted third party in Kazakhstan. This facilitates international transactions and ensures that foreign electronic signatures are recognized and treated with the same legal validity as domestic ones.

The Order of the Minister of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan imposes specific restrictions on the use of simple electronic signatures for certain types of transactions. These restrictions are outlined in a detailed list that includes, but is not limited to, transactions involving public procurement, state assets, quasi-state sector entities, defense, and critical infrastructure. Such transactions often require higher levels of security and verification, necessitating more stringent authentication methods than a simple electronic signature can provide.

EDS can be used for document signing via iDocs and other online signing platforms, such as DocuSign, etc. These platforms have access to the highly confidential EDS credentials as well as to all the documents that individuals and legal entities sign via these platforms. All of this information falls under personal data that, under the laws of the Republic of Kazakhstan, must be protected, as stated above.

The increasing reliance on electronic document management (EDM) in our digital landscape underscores the critical need for robust personal data protection mechanisms. As businesses navigate online transactions and electronic interactions, they must prioritize the confidentiality, integrity, and security of sensitive information. The legal frameworks established by the Republic of Kazakhstan, particularly the Personal Data Law and regulations surrounding electronic digital signatures, provide essential guidelines for safeguarding personal data against unauthorized access and breaches.

As the threats to EDM systems continue to evolve, organizations must implement comprehensive security measures, including multi-factor authentication and continuous monitoring, to mitigate risks. By adhering to legal requirements and employing advanced security practices, businesses can foster trust with clients and partners, ensuring compliance with data protection laws while enhancing their operational efficiency.