November 28, 2022
Requirements for protection of personal data in Uzbekistan
4. Threats to the security of personal data during their processing
5. Levels of protection of personal data and requirements for each level
6. Requirements for the storage of biometric and genetic data in material carriers
7. Requirements for the storage of biometric and genetic data outside of databases of personal data
Recently, the government of Uzbekistan has passed two new regulatory documents in the field of personal data protection, which will come into force on 7th January 2023. The new regulatory documents set new requirements regarding the levels of protection of personal data during their processing, the storage of biometric and genetic data in material carriers, the storage of biometric and genetic data outside of databases of personal data.
- The Law of the Republic of Uzbekistan “On Personal Data” dated 02.07.2019 No. LRU-547 (the “Law on Personal Data”);
- Resolution of the Cabinet of Ministers of the Republic of Uzbekistan dated 05.10.2022 No. 570 “On the Approval of Some Regulatory and Legal Acts in the Field of Personal Data Processing” (the “Resolution”).
According to Article 7 of the Law on Personal Data, the government of the Republic of Uzbekistan is authorized to set:
- security levels of personal data during their processing, depending on security threats;
- requirements for the protection of personal data during their processing, the implementation of which ensures the established levels of security of personal data;
- requirements for material carriers of biometric and genetic data and for technologies for storing such data outside personal data databases.
In exercise of the above-mentioned authority, the government has passed the Resolution, which approves two Regulations:
- Regulation on determining the levels of protection of personal data in their processing (the “Regulation No.1”);
- Regulation on requirements for material carriers of biometric and genetic data and technologies for storage of such data outside of databases of personal data (the “Regulation No.2”).
It should be noted that the costs arising from compliance with the requirements set out in the Regulations shall be borne by the organizations processing personal data out of their own funds.
According to the Regulation No.1, there are four types of personal data, which are processed in databases: (1) special, (2) biometric, (3) genetic and (4) publicly available data. When processing personal data, the owner and (or) operator shall implement organizational and technical measures for protection of personal data based on threats to their security. Personal data of employees of owner (operator) and personal data of subjects who are not employees of the owner (operator) must be processed in separate databases.
Threats to the security of personal data means a set of conditions and factors that create a risk of unauthorized, including accidental, access to databases, which may result in alteration, addition, use, presentation, distribution, transfer, depersonalization, destruction or copying of personal data, as well as other unlawful actions. There are three types of threats as per the Regulation No.1:
- type I threats: threats related to the presence of undeclared capabilities in the system software of the database of personal data;
- type II threats: threats related to the presence of undeclared capabilities in the application software of the database of personal data;
- type III threats: threats related to the presence of undeclared capabilities in both the system and the application software of the database of personal data.
Application software means a set of programs designed to perform a class of tasks in a particular subject area; Access and Oracle are the two examples of application software mentioned in the Regulation No.1. System software means a set of programs that ensure the operation of a computer and computer networks; it includes operating systems, drivers, utilities, archivers, etc.
Based on the above-mentioned threats, one of four levels of protection must be established when processing personal data. Each level of protection has certain requirements which must be met by the owner and (or) operator.
| Level of protection | Conditions (a level of protection is needed when at least one of its conditions is present) | Requirements (to ensure the level of protection, the following requirements must be met) |
| --- | --- | --- |
| 4th level of protection | (1) the presence of type III threats to databases and the processing of publicly available data in the database. | (a) organization of a security regime for the premises in which the databases are located, preventing uncontrolled entry into or presence in these premises by persons who do not have the right of access to them; (b) ensuring the security of material media of personal data; (c) approval by the head of the owner and (or) the operator of a document defining the list of persons whose access to personal data processed in the databases is necessary for the performance of their official (labor) duties; (d) use of data protection means which have passed the procedure of evaluation of compliance with legislative requirements in the field of information security, where the application of such means is necessary to protect personal data from existing threats. |
| 3rd level of protection | (1) the existence of type II threats to databases and the processing of publicly available data of the owner and (or) operator’s employees or publicly available data of fewer than 50,000 subjects who are not employees of the owner and (or) operator; (2) the existence of type III threats to databases and the processing of special data of the owner’s and/or operator’s employees and/or special data of fewer than 50,000 subjects who are not employees of the owner and/or operator; (3) the existence of type III threats to databases and the processing of biometric and (or) genetic data. | (a) fulfillment of the requirements specified for the 4th level of protection; (b) appointment of an official (employee) responsible for ensuring the security of personal data in the databases. |
| 2nd level of protection | (1) the existence of type I threats to databases and the processing of publicly available personal data in the databases; (2) the existence of type II threats to databases and the processing of special data of employees of the owner and (or) the operator or special data of fewer than 50,000 subjects who are not employees of the owner and (or) the operator; (3) the existence of type II threats to databases and the processing of biometric and/or genetic data in the databases; (4) the existence of type II threats to databases and the processing of publicly available data of more than 50,000 subjects who are not employees of the owner and (or) operator in the databases; (5) the existence of type III threats to databases and the processing of special data of more than 50,000 subjects who are not employees of the owner and (or) the operator in the databases. | (a) fulfillment of the requirements specified for the 3rd level of protection; (b) providing access to the electronic message journal exclusively to the officials (employees) or the authorized person who need the information contained in that journal to perform their job (labor) duties. |
| 1st level of protection | (1) the existence of type I threats to databases and the processing of special and/or biometric and/or genetic personal data in the databases; (2) the existence of type II threats to databases and the processing of special personal data of more than 50,000 subjects who are not employees of the owner and (or) the operator. | (a) fulfillment of the requirements specified for the 2nd level of protection; (b) automatic registration in the electronic security log of changes in the authorization of the owner’s and/or operator’s employees to access the personal data contained in the databases; (c) establishment of a structural subdivision responsible for ensuring the security of personal data in the databases, or assignment of the functions for ensuring such security to one of the existing structural subdivisions. |
Regulation No.2 sets out the requirements for material carriers containing biometric and genetic data. First of all, such material carriers must be marked “confidential” or “for professional use”, and the owner and (or) operator must keep records of such material carriers. The Regulation No.2 also requires that when biometric and genetic data are stored electronically, these data must be encrypted and protected cryptographically or in another manner.
Moreover, the owner and (or) operator should take appropriate security measures to prevent the theft, erasure, destruction, unauthorized acquisition, alteration and uncontrolled abandonment of material carriers on which biometric and genetic data are recorded. When taking such measures, biometric and genetic data must:
- meet the requirements of fire safety, sanitary norms, rules and hygienic standards, and be guaranteed against flooding;
- have reliable means of protection that exclude access to them by unauthorized persons;
- be stored in safes, metal shelves or metal racks;
- be stored in rooms equipped with security alarms and video surveillance devices, with entrance doors and windows connected to the security service.
Material carriers should be used for the period specified by the owner and/or operator who recorded the biometric and genetic data on the material carrier, but no longer than the period of use specified by the manufacturer of the material carrier. When personal data is deleted from material carriers on which biometric and genetic data is recorded, such material carriers shall not be written off. Material carriers that have not been written off may be reused for personal data processing in the future, except for material carriers intended for one-time use and those that are worn out.
As per the Regulation No. 2, when storing biometric and genetic data outside of databases of personal data, the following conditions must be maintained:
- access to personal data stored on a material carrier is limited to authorized persons of the owner and (or) the operator;
- use of electronic signature means or other information technologies that allow preserving the integrity and invariability of biometric and genetic data recorded on a material carrier;
- verification that the subject’s written consent to the processing of biometric and genetic data, or another ground for such processing stipulated by law, exists.
An owner and (or) operator has the right to establish additional requirements, not conflicting with legislative requirements, for technologies of storage of biometric and genetic data outside databases of personal data, depending on the methods and means of protection of such data in the databases of that owner and (or) operator.