Дата публикации
Recently, in the WhatsApp group of the heads of the Faculty of Mechanics and Mathematics of KazNU. Al-Farabi, consisting of 190 people, posted four documents with lists of all female students at the university.
They noted the students who must undergo fluorography, and also indicated the IIN, telephone numbers and data of gynecological examinations.
Based on the results of a preliminary intra-university check, it turned out that a nurse from Smart Health University City LLP sent these documents to the group in Excel format via Whatsapp.
Subsequently, through transfers in instant messengers, sensitive data was distributed among a circle of those persons who did not have the authority to work with them.
The Ministry of Digital Development (MCRIAP) stated that the law on personal data and its protection was violated, and called on those who find their data on the so-called “list of virgins” to contact the Ministry of Digital Development with a corresponding statement.
“It’s sad that there are such facts at the university. Until there is a strict legislative imperative that private and personal data is very confidential information, the culture will not change,” - Minister of Science and Higher Education of Kazakhstan Sayasat Nurbek.
The Almaty prosecutor's office initiated a criminal case. All necessary investigative actions are currently being carried out.
“We are dealing with a blatant leak of sensitive information from citizens. Like the case of the “Aika list” leak, this once again reminded society that the illegal distribution of “sensitive” personal data is, first of all, a violation of the right to privacy. In this case, medical secrecy.
We have repeatedly drawn attention to the lack of a definition of sensitive information in national legislation.
To ensure the right to privacy of citizens, it is necessary to expand the definition of personal data to identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
It should be noted that the definition of “sensitive” aspects of a person is enshrined in the European GDPR regulation, as well as in the jurisdiction of the Astana International Financial Center.
Last year, as part of the discussion by the Mazhilis of Parliament on amendments to information security, legislators already raised the issue of the need to revise the definition of personal data and include in it such identifiers as IIN.
In turn, EDF experts sent their recommendations to the Mazhilis on expanding the definition of personal data by types of sensitive information. Deputies postponed consideration of this important issue to 2024.
They noted the students who must undergo fluorography, and also indicated the IIN, telephone numbers and data of gynecological examinations.
Based on the results of a preliminary intra-university check, it turned out that a nurse from Smart Health University City LLP sent these documents to the group in Excel format via Whatsapp.
Subsequently, through transfers in instant messengers, sensitive data was distributed among a circle of those persons who did not have the authority to work with them.
Reaction of government agencies
The Ministry of Digital Development (MCRIAP) stated that the law on personal data and its protection was violated, and called on those who find their data on the so-called “list of virgins” to contact the Ministry of Digital Development with a corresponding statement.
“It’s sad that there are such facts at the university. Until there is a strict legislative imperative that private and personal data is very confidential information, the culture will not change,” - Minister of Science and Higher Education of Kazakhstan Sayasat Nurbek.
The Almaty prosecutor's office initiated a criminal case. All necessary investigative actions are currently being carried out.
Comment by Ruslan Dayyrbekov, director of the Eurasian Digital Foundation:
“We are dealing with a blatant leak of sensitive information from citizens. Like the case of the “Aika list” leak, this once again reminded society that the illegal distribution of “sensitive” personal data is, first of all, a violation of the right to privacy. In this case, medical secrecy.
We have repeatedly drawn attention to the lack of a definition of sensitive information in national legislation.
To ensure the right to privacy of citizens, it is necessary to expand the definition of personal data to identifiers specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
It should be noted that the definition of “sensitive” aspects of a person is enshrined in the European GDPR regulation, as well as in the jurisdiction of the Astana International Financial Center.
Last year, as part of the discussion by the Mazhilis of Parliament on amendments to information security, legislators already raised the issue of the need to revise the definition of personal data and include in it such identifiers as IIN.
In turn, EDF experts sent their recommendations to the Mazhilis on expanding the definition of personal data by types of sensitive information. Deputies postponed consideration of this important issue to 2024.
(translation was carried out automatically)
