Abstract
The relevance of this study stems from an increase in the number of cases of leakage of citizens' personal data, which indicates a low level of protection of their fundamental rights. The purpose of the study was to analyse the current legislation in the context of ensuring the protection of information about the personal data of an employee in the Republic of Kazakhstan. For this purpose, several methods were used, such as logical, formal legal comparative analysis, and the dogmatic method. The norms established by the Constitution of the Republic of Kazakhstan, the Labour Code of the Republic of Kazakhstan, and the Law of the Republic of Kazakhstan “On Approval of the Rules for the Collection and Processing of Personal Data” were investigated. This provided an opportunity to conduct a comparative legal analysis of the current legislative norms of Kazakhstan and European regulations. It was noted that the legal doctrine of Kazakhstan does not consolidate the fundamental principles that allow settling the issue of collecting, processing, and storing personal data of citizens. In addition, the obligation of the employer and a clear mechanism for maintaining the confidentiality of personal data of employees are not established at the state level. In this regard, recommendations were proposed to improve the current legislation. The practical significance of the results obtained lies in the possibility of using the proposed recommendations to improve the effectiveness of the mechanism for protecting information on personal data of an employee in Kazakhstan, reduce the number of cases of information leakage, and bring legal norms into accordance with international standards.
Keywords: privacy; human rights and freedoms; proliferation; threat; digitalisation; security