Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Tajikistan: Draft Information Code - Codifying data protection in the infosphere

The Assembly of the Representatives, under the Majlisi Oli of the Republic of Tajikistan, recently published a Draft Information Code ('the Draft Code') to provide legal bases for information activities. In contrast to existing legislation, such as the Law of 3 August 2018 No. 1537 on Protection of Personal Data ('the Law on Personal Data'), the Draft Code aims to establish a wide-ranging framework for information relations, encompassing both personal and non-personal data. OneTrust DataGuidance breaks down the key provisions of the Draft Code, featuring insights from Alisher Hoshimov and Amina Nazaralieva, Partner and Paralegal respectively at Centil Law Firm.

mettus / Essentials collection / istockphoto.com

Scope and aim

In order to regulate all information relations in a comprehensive manner and in line with Tajikistan's information policy, the Draft Code generally aims to (Article 3 of the Draft Code):

  • establish principles applicable to the information sphere;

  • define the legal status of participants in information relations, including their rights and obligations; and
  • focus on the implementation of the right of access and the constitutional right to information, as well as the protection of information and the establishment of legal information regimes.

To this end, Chapters 1 to 4 of the Draft Code provide the following terms which fall within its ambit:

Subjects of information relations

Subjects of information relations are developers, owners, and users of information resources, as well as compilers of documented information systems.

This may include state bodies, local authorities, town and village self-government bodies, individuals, and legal entities.

Notably, foreign states, international organisations, foreign individuals, and foreign legal entities may also qualify as a subject for the purposes of the Draft Code.

Objects of information relations

Objects of information relations include information about a person or events in the field of politics, economics, culture, science and technology, social sciences, ecology, and other fields.

More specifically, objects may be expressed in the following forms and means:

  • oral and written information;
  • documented information;
  • information resources;
  • information technologies;
  • software and hardware; and
  • information network systems.
Types of information

The types of information which are regulated by the Draft Code include:

  • information on state statistics;
  • information disseminated through mass media;
  • information on the activities of government agencies;
  • legal information;
  • personal information (or personal data);
  • information of an encyclopedic nature; and
  • social, cognitive, economic, commercial, environmental, service, consumer, archival, scientific, and technical information, etc.

In this regard, Section II of the Draft Code also establishes sector-specific rules, including in relation to judicial information, mass media, television and radio, advertising, and environmental information.

Forms of information activity

The main 'spheres' of information activities with which the Draft Code is concerned are political, legal, economic, cultural, social, spiritual, environmental, scientific, technical, international, and other spheres of public life.

In particular, the main forms of information activities include the collection, use, dissemination, publication, exchange, and protection of information.

Features of information relations

Information relations arise in the course of the activities of public authorities, individuals, and legal entities (regardless of the form of ownership) in the following cases:

  • the formation and use of information resources on the basis of compilation, receipt, storage, transmission, collection, preparation, publication, and presentation of documented information;
  • the creation, implementation, and operation of systems for the preparation and transmission of information, databases, and information technology tools;
  • the protection of information and the rights of entities involved in the information process through the use of information technology tools; and
  • the management and regulation of information processes, including implementation of state policy in the field of information.

Notably, this does not include relations arising from undocumented information, as well as those regulated by the norms of intellectual property and in the field of mass media.

 

General features

Key principles

To begin with, Article 4 of the Draft Code states that the regulation of information is based on, among other things, the following principles:

  • legality;

  • respect and observance of human rights and freedoms;
  • equality;
  • pluralism;
  • freedom of expression;
  • openness and accessibility of information and the free exchange of the same within the requirements of legislation;
  • accuracy and reliability of the information;
  • prevention of the monopoly of media organisations and protection against financial and political influence; and
  • ensuring the information security of individuals, society, and the State.

Freedom of information

The Draft Code further codifies the freedom of information and the right of access to certain information in Chapter 5.

On the one hand, individuals and legal entities have the right to freely access documented information about themselves and to correct this information for the purpose of completeness and accuracy, as well as the right to know who has used or intends to use the information and for what purpose (Article 39 of the Draft Code).

On the other hand, such entities also have the right to access public information and, under certain conditions to be regulated by law, information that is subject to restricted access (e.g. information which is regulated as a state, trade, family, or personal secret, or otherwise restricted in the interests of national, public, and personal security) (Articles 54 and 55 of the Draft Code).

Protection of information and information security

Chapter 6 of the Draft Code goes on to clarify obligations and the protection of information. In general, Article 67 of the Draft Code specifies that any information that may cause harm to the owner, user, or any other person as a result of illegal treatment should be protected. This entails, among other things (Article 68 of the Draft Code):

  • ensuring access to and ownership of information, in addition to preventing unauthorised access, copying, seizure, alteration, distortion, and destruction;

  • complete and accurate storage of documented information, including the ability to manage processing and use in accordance with the conditions established by the owner of this information or by authorised persons; and
  • the protection of the constitutional right of citizens to privacy and confidentiality of personal data in information systems.

While the Draft Code does not indicate the exact requirements and rules for the protection of information, it does refer to norms and rules of an organisational and technical nature, as well as the use of computer hardware and software (Article 70 of the Draft Code). More specifically, information security may take the form of organisational, technical, and physical means (Article 71 of the Draft Code), which may be subject to licensing and certification requirements (Articles 75 to 77 of the Draft Code).

Personal data

As noted above, Section II of the Draft Code contains special provisions for 'sectoral' information. Personal data, as a subset of information that is regulated by the Draft Code, is governed in this Section in Chapter 13 as follows:

General principles
  • The protection of personal data, including the data of deceased persons, is guaranteed by the State.
  • The collection and processing of personal data must be carried out in the presence of a 'certificate of conformity' issued by an authorised state body, and to ensure the security of personal data, measures must be taken to protect the same from accidental or unauthorised leakage, copying, theft, loss, alteration, disclosure, or destruction.
  • The required amount of information about citizens that can be obtained legally should be kept to a minimum and used only for legally prescribed purposes.
Legal bases for processing

The collection and processing of personal data must be carried out with the consent of the data subject or their legal representative, except for:

  • in the cases provided by Article 9 of the Draft Code (e.g. where information is used against the foundations of the constitutional order and security of the State, etc.);
  • the performance by the duties of state bodies, as stipulated by law; or
  • the protection of the constitutional rights and freedoms of citizens.
Rights of data subjectsData subjects must also be informed about the information being collected and provided with access to their information and the right to request correction of inaccurate or misleading information.
Data localisationPersonal data must be stored, whether by the owner, operator, or third parties, within databases located only in the territory of the Republic of Tajikistan, except for the cases agreed with the authorised state body.
Cross-border data transfers

The transfer of personal data to the territory of foreign states that do not provide protection of personal data may be carried out in the following cases:

  • on the basis of consent from the data subject or their legal representative;
  • as stipulated by international treaties recognised by Tajikistan;
  • as stipulated by law, if it is necessary for the purpose of protection of the constitutional order, public order, human and civil rights and freedoms, health and spirituality of the population, or for ensuring national defence and national security; and
  • for the protection of the constitutional rights and freedoms of citizens, if it is impossible to obtain the consent of the data subject or their legal representative.

 

What's next?

According to Hoshimov and Nazaralieva, "The Draft Code is a codification document which includes several laws regulating information regimes in Tajikistan, such as the Law on Personal Data, Law of 25 June 2021 No. 1783 on Access to Information and the Activities of Courts, and other related laws. We suppose that upon the adoption of the Draft Code, the Law on Personal Data will cease to have effect".

Notably, Hoshimov and Nazaralieva further noted, "The Draft Code does not contain significant changes in the legislation of the Republic of Tajikistan that could affect business both in Tajikistan and abroad".

Finally, Hoshimov and Nazaralieva confirmed, "The Draft Code is still a draft law, which has not been officially adopted. Currently, the Draft Code is under consideration by the Parliament of the Republic of Tajikistan. Within a week of adoption, it will be sent for signature to the President of the Republic of Tajikistan. Thereafter, the Draft Code will enter into force upon its publication or on a date as stipulated, if different from the publication date".

Karan Chao Privacy Analyst
 
Comments provided by:
Alisher Hoshimov Partner
Amina Nazaralieva Paralegal
Centil Law Firm, Danshanbe