“Zuunii Medee” invites industry leaders and innovators to its “Leaderships Forum” to discuss Mongolia’s development opportunities and share their interesting solutions and ideas with its readers. This time, we invited Kh. Surenkhorol, Director of the Legal Division of the Ministry of Digital Development and Communications, to discuss the Law on the Personal Data Protection, which came into force on the 1st of this month.
IT BECAME DIFFICULT TO REGULATE PUBLIC RELATIONS BY LAW ON INDIVIDUAL SECRECY
The Law on Individual Secrecy was adopted in 1995. It became almost 30 years since the adoption. It was a law that suited the social, economic and legal relations of that time, but now we can see how society is changing and how electronic communication is affecting our lives. In other words, the law of 30 years ago makes it difficult to regulate every relationship related to personal secrecy. Statistics show that in the last five years, there have been 2-5 crimes of disclosure of personal secrets. This indicates that the relationship governed by the Law on Individual Secrecy is limited. It also classifies four types of personal information such as health, family, property, and correspondence information as confidential, and according to the regulations the owners protect confidentiality of information themselves. There are many types of information that can be used to identify an individual. For example, individual’s ethnicity, religion, beliefs, genetic and biometric information, whether or not they are serving a sentence, sexual and gender orientation, expression, and sexuality etc.,
There are many cases where personal information is collected, processed, and used for any purpose, especially on social media, without any specific control or permission. According to international standards, the collection of personal information requires the consent of the owner of the information, except as required by law. Due to these circumstances, there was a need to revise the Law on Individual Secrecy, and the Law on the Protection of Personal Data was developed and approved by the State Great Hural.
THE PURPOSE OF THE LAW IS TO PROTECT ALL INFORMATION THAT CAN DETERMINE THE INDIVIDUAL
Brief Info:
Education
♦ 2006 School of Law, National University of Mongolia
♦ In 2016, she received a master’s degree in law from the University of Melbourne, Australia.
Work experience:
♦ From 2007 to 2022, she worked as a specialist, senior specialist and expert in the Ministry of Justice and Home Affairs.
♦ Since March 2022, she has been working as the Director of the Legal Division at the Ministry of Digital Development and Communications.
During the drafting process, the Working Group conducted a number of studies on how personal secrecy is regulated and protected in other countries, and received many comments from citizens, legal entities, and researchers. The basic provisions of the Law on the Protection of Personal Data are based on the European Union General Protection Regulation. Some specific regulations of Estonia, Slovenia, Japan, Korea, China, Taiwan, and Israel which can be implemented in our country have been taken into account in drafting the law. The Law on the Protection of Personal Data regulates a number of relationships. Information which identifies the individual has been expanded. While the Law on Individual Secrecy protects four types of personal secrets, sensitive information such as a person’s last name, first name, date of birth, whether he or she is serving a sentence, sexual and gender orientation, expression, and sexuality, genetic and biometric information is protected under the new Law. In particular, the purpose of this law is to protect all information that may identify an individual.
The collection, processing and use of personal information must be approved by the owner of the information, except as required by law.
This law guarantees the rights of the owner of the information and obliges the person responsible for the information. For example, the owner of the information has the right to give or refuse permission, to know, demand and comment on the purpose for which the information is collected.
On the other hand, the information respondent is responsible for obtaining permission, collecting, processing and using the information, explaining the grounds for issuing the information, and providing information security.
One of the specific regulations of the law is the placement of audio, video and audio-visual recording devices. The device may be located in the entrance and exit areas of public housing and in common areas to protect the safety of residents, to ensure the integrity of common property, to protect human and information security in the workplace, and to ensure the integrity of organizational property. But, in places where the person’s right to liberty and security is clearly infringed, video cameras will not be installed facing the bathroom, VIP room, hospital room or resident’s door.
EMPHASIZED LEGAL ENFORCEMENT MECHANISMS
The law clearly states the law enforcement agencies. By law, one member of the National Human Rights Commission is responsible for protecting the personal information of the individuals. There is also a special unit to carry out this function. This unit will be required to employ legal and information technology professionals. The Commission shall monitor the implementation of the law, receive and resolve complaints related to the collection, processing and use of information by the respondent, and provide recommendations and demands. Other government organizations also play an important role in enforcing the law. The Ministry of Digital Development and Communications is responsible for publicity of the implementation of legislation, developing and approving universally applicable regulations, and responding to breaches of information security. Our Ministry is cooperating with the National Human Rights Commission on the regulations to be approved under this law. A total of three regulations will be approved under the law.
Although the law sets out the responsibilities of the government organizations to ensure implementation, every organization, regardless of whether it is a public or private sector, must be aware of its responsibility to protect personal information as a respondent. On the other hand, it is important to monitor and enforce the law step by step, as the law gives every citizen the right to monitor whether his or her information is being used with permission, except in cases provided by law.
NO PERMISSION IS REQUIRED TO USE SOME INFORMATION FOR JOURNALISM PURPOSES
The Law on the Protection of Personal Data provides for the collection, processing and use of personal information for journalism purposes. The consent of the owner of the information is not required for the collection, processing or use of information other than health, correspondence, genetic and biometric information, sexual and gender orientation, expression and sexual information for the protection of journalism or public interests. Journalism is an organization with a responsible editorial staff that disseminates news and information to protect the public interest. Dissemination of personal information, not for journalism purposes, requires the consent of the owner of the information. Any person or entity who violates the law, collects, processes and uses personal information shall be liable in accordance with the Criminal Law and the Law on Violations. These laws have been amended in accordance with the Law on the Protection of Personal Data.
NOTIFICATION WILL BE PROVIDED IN THE CASE OF USING THE INFORMATION
The law regulates that public and private organizations and individuals must notify the owner of the information as a person responsible for the use or transmission of sensitive information. Of course, the form of notification can be various. For example, notifications can be delivered via text messages, personal emails, and the creation of a specific system. In the event that information is transferred from a government organization connected to the XYP system, the respondent will notify the owner that to which organization the information was transferred. The private sector, on the other hand, is responsible for deciding how to deliver the notification. In general, it is important for citizens to monitor the unauthorized use of personal information.
FIVE PACKAGE LAWS CAME IN THE FORCE
The State Great Hural (Parliament) adopted the Law on Public Information Transparency, the Law on Electronic Signatures, the Law on Cyber Security, and the Law on Virtual Property Providers along with the Law on the Protection of Personal Data. With the exception of the Law on Virtual Property Service Providers, four other laws came into force on 1st May. The Law on Public Information Transparency generally regulates how government organizations use the information they collect for citizens and legal entities, how they process and disclose open data to the public, and what systems they use to exchange information. The law also regulates the notification must be delivered to the owner when the information collected by the government is exchanged between the government organizations.
The Law on Electronic Signatures is a law that allows you to receive any services using electronic signatures, to conclude contracts and agreements regardless of time and place, and to evaluate documents signed with electronic signatures as evidence.
One of the specific provisions of this law is that every citizen of Mongolia over the age of 16 can be issued an electronic signature free of charge by the State Registration Authority. With the help of electronic signatures, you can identify yourself from anywhere in the world and get certain services. This will solve the problem that Mongolians living abroad could not access E-Mongolia. Citizens living abroad do not have a bank account or mobile phone number registered in Mongolia, which makes it difficult for them to obtain certain government services, inquiries, certificates, and order documents. The Law on Cyber Security is inseparable with the Law on the Protection of Personal Data. Regulations are important to ensure the security of personal information gathered in public and private organizations.
Doljinjav
Source: “Zuunii medee” newspaper