Unofficial translation
In accordance with subparagraph 62) of article 7 of the Law of the Republic of Kazakhstan dated November 24, 2015 “On Informatization” I hereby ORDER:
1. To approve the attached Rules for classification of state services in electronic form to determine the service recipient authentication method.
2. The Committee for Communications, Informatization and Information of the Ministry of Investment and Development of the Republic of Kazakhstan (T.B.Kazangap) shall:
1) provide the state registration of this order with the Ministry of Justice of the Republic of Kazakhstan;
2) direct a printed and electronic copy of this order for official publication to periodicals and “Adilet” Legal Information system within ten calendar days after its state registration with the Ministry of Justice of the Republic of Kazakhstan, and also to the Republican Center of Legal Information within ten calendar days from the date of receipt of the registered order for inclusion in the Reference Control Bank of Regulatory Legal acts of the Republic of Kazakhstan;
3) place this order on the Internet resource of the Ministry of Investment and Development of the Republic of Kazakhstan and on the intranet portal of the state bodies;
4) within ten working days after the state registration of this order with the Ministry of Justice of the Republic of Kazakhstan, report to the Legal Department of the Ministry of Investment and Development of the Republic of Kazakhstan on execution of the actions provided for in subparagraphs 1), 2) and 3) of paragraph 2 of this order.
3. Control over the execution of this order shall be assigned to the supervising Vice Minister of investment and development of the Republic of Kazakhstan.
4. This order shall take effect upon expiry of ten calendar days after the date of its first official publication.
| Minister | |
| of Investment and Development | |
| of the Republic of Kazakhstan | A. Issekeshev |
| Approved by order No. 10 of the Minister of Investment and Development of the Republic of Kazakhstan dated January 10, 2016 |
Rules
for classification of state services in electronic form to determine the service recipient authentication method
Chapter 1. General Provisions
Footnote. The title of chapter 1 in the wording of order No. 3 of the Minister of Information and Communications of the Republic of Kazakhstan dated 01.01.2019 (shall be enforced after the date of its first official publication).
1. These Rules for classification of state services in electronic form to determine the service recipient authentication method (hereinafter -the Rules) are developed in accordance with subparagraph 62) of Article 7 of the Law of the Republic of Kazakhstan “On Informatization” dated November 24, 2015 and establish the classification procedure of state services provided in electronic form to determine the authentication method of the service recipient.
2. The following concepts and abbreviations shall apply in these Rules:
1) authorized body in the field of informatization - the central executive body that exercises management and cross-sectoral coordination in the field of informatization and "electronic government";
2) one-time password - a password valid for only one authentication session of electronic services receipt subjects;
3) database containing personal data (hereinafter - the database) - a set of orderly arranged personal data;
4) instant message - a data transfer technology that enables interactive interaction between a subscriber of a cellular communication network and a service application in the mode of instant short messages transmission;
5) composite service – a set of interconnected services, for the provision of which request of the subject to receive the service in electronic form is enough and certification by electronic digital signature is required;
6) service recipient - individuals and legal entities, except the central state bodies, foreign institutions of the Republic of Kazakhstan, local executive bodies of oblasts, cities of republican status, the capital, districts, cities of oblast status, akims of districts in a city, cities of regional status, townships, villages, rural districts;
7) service provider - central state bodies, foreign institutions of the Republic of Kazakhstan, local executive bodies of oblasts, cities of republican status, the capital, districts, cities of oblast status, akims of districts in a city, cities of regional status, townships, villages, rural districts, and also individuals and legal entities providing public services in accordance with the legislation of the Republic of Kazakhstan;
8) short text message - a service provided by a mobile operator in the reception and transmission of information via cellular network;
9) login - the name (identifier) of the user account on the portal;
10) state service – a form of implementing certain state functions carried out individually on service recipients’ request and aimed at exercising their rights, freedoms and legitimate interests, providing them with relevant tangible or intangible benefits;
11) authentication - confirmation of the authenticity of the access subject or object by determining whether the presented access details match the existing ones in the system;
12) subscriber’s mobile communication device - means of communication for individual use, generating electrical signals for transmitting or receiving information specified by the subscriber and connected to the network of the cellular operator that does not have a permanent geographically determined location within the served territory, and operates in cellular networks;
13) the “electronic government” web portal (hereinafter - the portal) - information system that represents a single access window to all consolidated government information, including the regulatory legal base, and to state and other services provided in electronic form;
14) mobile application of “electronic government” (hereinafter - mobile application) - a software product installed and running on a subscriber’s cellular communication device and providing access to state services and other services rendered in electronic form via cellular communications and the Internet;
15) electronic digital signature (hereinafter - EDS) - a set of electronic digital symbols created by electronic digital signature and confirming the authenticity of the electronic document, its belonging and invariance of the content.
Footnote. Paragraph 2 as amended by order No. 3 of the Minister of Information and Communications of the Republic of Kazakhstan dated 01.01.2019 (shall be enforced after the date of its first official publication).Chapter 2. Procedure for classification of state services in electronic form to determine the service recipient authentication method
Footnote. The title of chapter 2 in the wording of order No. 3 of the Minister of Information and Communications of the Republic of Kazakhstan dated 01.01.2019 (shall be enforced after the date of its first official publication).
3. To determine the service recipient authentication method for each state service provided in electronic form, analysis shall be carried out on the following criteria:
1) risk of potential damage from disclosure of personal data with likelihood of adverse consequences for the service provider and (or) service recipient associated with unlawful receipt by third parties of the state services provision results.
The service provider shall carry out risk probability assessment independently;
2) changes in the information on the service recipient in the database of the service provider resulting from the state service provision;
3) the term of the state service provision from the application filing to the issue of the state service provision result;
4) fee-paying basis of the state service provision in accordance with Article 456 of the Code of the Republic of Kazakhstan “On taxes and other obligatory payments to the budget (Tax Code)” dated December 10, 2008.
4. Service recipients authentication methods for receiving state services in electronic form are specified in Appendix 1 to these Rules.
5. Analysis of state services and determining of the service recipient authentication method shall be carried out in the following order:
1) if the state service at personal data disclosing bears a risk of potential damage to the service recipient and / or service provider, then point 2 score shall be assigned. In the absence of the risk, a score of 1 shall be assigned;
2) if the state service provision leads to change in the information in the database of the service provider, then a score of 2 shall be assigned. If the state service provision does not lead to a change of information in the database, a score of 0 shall be assigned (these services include the services that result in various types of certificates);
3) if the state service provision term exceeds 30 minutes, a score of 1 shall be assigned. If the state service provision term does not exceed 30 minutes, a score of 0 shall be assigned;
4) if the state service is provided for a fee, then a score of 1 shall be assigned. If the state service is provided free of charge, a score of 0 shall be assigned.
The scoring table, according to the classification criteria for state services, is illustrated in Appendix 2 to these Rules.
The result of the state services classification is the total score of the selected criteria and determination on its basis of the service recipient authentication method.
The final score of 0 to 1 shall imply the use of a login / password authentication method.
The final score of 2 to 3 shall imply the use of “login / password + one-time password” authentication method.
The final score from 4 to 6 shall imply the use of “login / password +EDS” authentication method.
6. All the state services rendered in electronic form via the portal and mobile subscriber device shall be subject to classification.
Footnote. Paragraph 6 as amended by order No. 3 of the Minister of Information and Communications of the Republic of Kazakhstan dated 01.01.2019 (shall be enforced after the date of its first official publication).7. Classification of state services in accordance with these Rules shall be carried out independently by each state body responsible for development of the standard and regulation of the state services.
8. After independently determining the authentication method for each state service, each state body shall direct the state services classification results to the authorized body in the field of informatization.
| Appendix 1 to the Rules for classification of state services in electronic form to determine the service recipient authentication method |
Methods
of service recipients authentication for obtaining state services in electronic form
1. To obtain state services in electronic form, the following methods of service recipients authentication shall be applied:
1) with the “login / password” method, the service recipient shall use the login and password on the portal or in the mobile application, select the state service, form a request and send it to the service provider;
2) with the “login / password + EDS” method, the service recipient shall use the login and password on the portal or in the mobile application, select the state service, form a request and confirm the request by the EDS for sending it to the service provider;
3) with the “login / password + one-time password” method, the service recipient shall use the login and password on the portal or in the mobile application, select the state service, form a request, enter a one-time password that is sent to the subscriber’s mobile number and send the request to the service provider.
An alternative to the “login / password + one-time password” authentication method shall be the use of “login / password + EDS” method.
When receiving a state service in electronic form via instant message and in the form of a short text message, a one-time password shall not be applied.
2. Apropos of the state services on issuing permits and composite services, the authentication method “login / password + EDS” shall be used.
Footnote. Paragraph 2 as amended by order No. 372 of the Minister of Information and Communications of the Republic of Kazakhstan dated October 17, 2017 (shall be enforced upon expiry of ten calendar days after the date of its first official publication).| Appendix 2 to the Rules for classification of state services in electronic form to determine the service recipient authentication method |
Scoring table
№ | Name of the criterion | Options | |||
Choice 1 | Score | Choice 2 | Score | ||
1 | Risk of potential damages from disclosure of personal data | risk is present | 2 | risk is absent | 1 |
2 | Influence on change of information in the database | service, leading to changes in the database | 2 | service, not leading to changes in the database | 0 |
3 | Service provision term | service requiring a certain time (more than 30 min) | 1 | Instant service (less than 30 min) | 0 |
4 | Fee-paying sass of the service provision | fee-based services | 1 | other | 0 |
