Recently, the attention of the FBRK editorial team was drawn to the sharp increase in costs for maintaining road infrastructure in the regions of Kazakhstan. In particular, we reported on how much money is spent on servicing traffic light installations in Kosshy and in Shymkent. While studying government procurement contracts, our editorial team discovered an interesting detail.
It turned out that the company LLP «SMU Astana», specialising in the construction of roads and motorways, published the personal data of its employees, including copies of their identity cards, in the technical specification when concluding a government procurement contract.
The list of published documents included references from the place of work, qualification certificates, educational diplomas, certificates, as well as the identity cards of employees of LLP «SMU Astana» and individual employment contracts.
Notably, under current legislation in such a situation, neither journalists nor competent state bodies can initiate proceedings for an administrative offence by the employer without a personal application from the so-called victims.
The FBRK editorial team has encountered a similar case of dissemination of personal data in its work before.
In September, we reported that as early as April, one of the schools in the East Kazakhstan Region, when concluding a government procurement contract, instead of including requirements for the supplier, published a list of all employees of the institution in the «technical specification» section, indicating their full personal data.
At that time, we asked ourselves: to what extent does such a technical specification meet the requirements for conducting state procurements, and did the school act lawfully by publishing the personal data of the institution's employees? In order to get to the truth, we had to send a series of official enquiries to various state bodies.
As a result, the Department of Education of the East Kazakhstan Region conducted an internal investigation and concluded that the school should not have published the personal data of its employees. Based on this, the school's director and chief accountant were given a reprimand. Meanwhile, the Department of Internal State Audit for the East Kazakhstan Region did not find any violations in the government procurement procedure.
A detailed answer to the question of the legality of publishing personal data was provided to us by the Committee for Information Security of the Ministry of Digitalisation. It was reported that the Law on Personal Data and Their Protection implies that the collection and processing of personal data requires the consent of the citizen themselves or their legal representative.
Meanwhile, according to the Code of Administrative Offences, the reason and basis for initiating proceedings for an administrative offence are statements from individuals or legal entities, as well as the presence of sufficient data indicating signs of an administrative offence.
Thus, either the school's employees themselves must initiate a statement about the unlawful dissemination of their personal data, or third parties can provide irrefutable evidence confirming that the employees did not give consent to the collection and processing of their personal data.
The FBRK editorial team tried to contact the school's employees to inform them of the offence committed against them and, if necessary, help them submit the relevant statements to law enforcement agencies.
But, unfortunately, no one ever got in touch with us. We assume the reason lies in the fact that people are more afraid of losing their jobs than of suffering at the hands of criminals who might misuse their personal data.
Among other things, we found out that on the government procurement portal there is no possibility to delete or replace certain documents. That is, once a document is uploaded, it will remain on the portal forever. This is done to avoid the risk of document manipulation by unscrupulous customers or suppliers during state procurement.
We assume that in both of the mentioned cases, the personal data was published without malicious intent, but rather by mistake and due to ignorance of the law. In this regard, the FBRK editorial team appeals to the Ministry of Finance and the Ministry of Digitalisation with a request to consider the issue of improving the government procurement portal in order to protect citizens of Kazakhstan from the incompetence of participants in state procurements.
Despite the fact that our editorial team is not able to facilitate the initiation of administrative cases regarding the publication of personal data, we remain ready to provide assistance to both the employees of the school in the East Kazakhstan Region and the employees of LLP «SMU Astana» in case any of them decide to file a claim about the violation of their rights by their employer. For contact, write to our bot @fund_kz_bot.