Document from CIS Legislation database © 2003-2023 SojuzPravoInform LLC

ORDER OF THE GOVERNMENT OF THE KYRGYZ REPUBLIC

of November 21, 2017 No. 760

About approval of Requirements to safety and personal data protection in case of their processing in personal data information systems which execution provides the established levels of security of personal data

(as amended of the Resolution of the Cabinet of Ministers of the Kyrgyz Republic of 27.09.2022 No. 536)

According to article 21 of the Law of the Kyrgyz Republic "About information of personal nature", articles 10 and 17 of the constitutional Law of the Kyrgyz Republic "About the Government of the Kyrgyz Republic" the Government of the Kyrgyz Republic decides:

1. Approve Requirements to safety and personal data protection in case of their processing in personal data information systems which execution provides the established levels of security of personal data (further - Requirements), according to appendix.

2. The state personal data protection agency under the Cabinet of Ministers of the Kyrgyz Republic shall, within three months, develop and approve:

- the standard list of safety hazards of personal data in case of personal data processing in information systems, containing all kinds and types of expected threats;

- technique of determination of safety hazards in personal data information systems;

- form of the list of types of threats.

3. The ministries, the state committees, administrative departments, other state bodies, local government bodies (under approval) shall, within a month:

- develop and approve industry lists of safety hazards of personal data in case of personal data processing in the information systems operated when implementing the corresponding types of activity taking into account content of personal data, nature and methods of their processing;

- take exhaustive measures for ensuring accomplishment of this resolution.

4. Control of execution of this resolution is imposed on the department of construction, transport and communications and the department of defense, law and order and emergency situations of the Government office of the Kyrgyz Republic.

5. This resolution becomes effective from the date of official publication.

Prime Minister of the Kyrgyz Republic

S. Isakov

Appendix

Requirements to safety and personal data protection in case of their processing in personal data information systems which execution provides the established levels of security of personal data

1. General provisions

1. These Requirements establish levels of security of personal data in case of their processing in information systems, criterion of safety hazards of the personal data which entered the list of threats, and also requirements to safety and personal data protection in case of their processing in personal data information systems which execution provides the established levels of security of personal data, according to article 21 of the Law of the Kyrgyz Republic "About information of personal nature".

2. The concepts used in these Requirements are used in the meanings determined by the laws of the Kyrgyz Republic "About information of personal nature" and "About electronic control".

3. Provisions of these Requirements are obligatory for application by state bodies, local government bodies, legal entities with participation of the state and/or municipalities, and also the organizations financed from republican and local budgets, which are owners and/or operators of state/municipal information systems and of other elements which are part of the state infrastructure of electronic control in which personal data are processed, and also by all holders (owners) of arrays of personal data.

2. Levels of security of personal data in case of their processing in information systems

4. In case of personal data processing the following levels of security in information systems are established:

1) blue;

2) green;

3) yellow;

4) red.

5. The choice of level of security of personal data which ensuring is necessary in case of their processing in specific personal data information system is performed by the holder (owner) of array of personal data in the following procedure:

1) the authorized state body on personal data develops and approves the Standard list of safety hazards of personal data in case of personal data processing in information systems (further - the Standard list) containing all kinds and types of expected threats, and also the technique of determination of safety hazards in personal data information systems (further - the Technique of determination of threats) and the form of the list of types of threats;

2) the ministries, the state committees, administrative departments, and also other state bodies and local government bodies, based on the Standard list and the Technique of determination of threats, develop and approve departmental acts of determination of the list of safety hazards of personal data, obligatory for execution by subordinated holders (owners) of array of personal data, in case of personal data processing in the information systems operated when implementing the corresponding types of activity taking into account content of personal data, nature and methods of their processing;

3) the holder (owner) of array of personal data, proceeding from specific conditions of work with personal data, the value of the protected information and cost of measures for its protection, and also taking into account the level of technical development, approves own list of safety hazards of personal data (further - the list of threats) in the form approved by authorized state body on personal data.

The threats determined in the acts specified in subitems 1 and 2 of this Item, and also, according to the decision of the holder (owner) of array of personal data, other threats, are without fail included in the list of threats of the holder (owner) of array of personal data.

The list of threats is subject to revision by the holder (owner) of array of personal data as the structure of the processed personal data and the conditions and types of their processing change;

4) associations, unions and other associations of holders (owners) of arrays of personal data have the right, by their decisions, to determine additional safety hazards of personal data in case of personal data processing in the information systems operated when implementing certain types of activity by members of such associations, unions and other associations, taking into account content of personal data, nature and methods of their processing, along with the safety hazards of personal data determined in the departmental acts specified in subitem 2 of this Item.


Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.
