Appendix E
Commissioned Papers

The authors are solely responsible for the content of these papers, which do not necessarily represent the views of the National Academies of Sciences, Engineering, and Medicine.

Global Biodiversity Information Facility (GBIF):
Kick-Starting the Biodiversity Data Publication Process for Tajikistan

Samariddin Barotov, Senior Researcher at the Institute of Botany,
Plant Physiology, and Genetics, National Academy of Sciences of
Tajikistan, and Node Manager for GBIF in Tajikistan

Creating a Biological Data Framework: The Global Biodiversity Information Facility

In 1992, the United Nations Conference on Environment and Development, also known as the Rio Earth Summit, culminated in the signing of the Convention on Biological Diversity (CBD). This institutional framework was created for the protection of biological diversity (Bell, 1993). By promoting the sustainable use and equal benefits of sharing genetic materials, its provisions were designed to facilitate better access to genetic resources (Panjabi, 1993). The use of biological resources requires data repositories and distribution nodes, which are a type of resource center that enables the preservation and distribution of biological materials and data information. These biological centers are essential for research and development in the life sciences, and they serve many critical roles, including the preservation of biological resources and biodiversity conservation.

In Tajikistan, a prime example of a biological resource center is the Global Biodiversity Information Facility (GBIF), an international network and data initiative that provides free and open access to biodiversity data (GBIF, 2021). The GBIF network consists of more than 100 participating countries and organizations, including countries in Central Asia, the United States, and participating member states of the European Union. Working through the participant nodes, GBIF is an international coordinating body created to promote and enable the global dissemination and use of the world’s biodiversity data, and to provide data holding institutions with common standards and open-source tools. Using data standards such as those established by the Taxonomic Databases Working Group (n.d.) and the International Union of Biological Sciences (n.d.), GBIF has access to hundreds of millions of biological species occurrence records.

These standards provide straightforward and collaborative frameworks and platforms for scientists from many disciplines and nationalities for promoting research, training, and educational opportunities in the life sciences. In this way, the GBIF network provides scientific researchers with open access to biological data. The data are made accessible under the Creative Commons License, permitting researchers to adapt the data in peer-reviewed publications and policy papers, provided the original work and source are cited appropriately. Many of the life sciences publications from the Central Asia region—which cover a wide range of topics from the impacts of climate change to the spread of invasive and alien

pests to priorities for conservation, food security, and human health—would not be possible without the data provided by the GBIF network (GBIF, 2021).

The Use of GBIF in Central Asia: Tajikistan

Located in the Central Asia region, Tajikistan has a diverse array of flora and fauna, contributing to its rich biodiversity. Given the importance of agricultural crops in the region, a number of measures, programs, and initiatives have been developed to facilitate open access to biological data, operating in accordance with governing laws, conservation, and management (Kotowski, 2022). One such example is the national law on “Conservation and Sustainable Use of Crop Genetic Resources,” which was developed in 2012 to better preserve wild plant species in protected areas (Turok, 2013). This law was also intended to further support and protect farmers and their activities and rights around local plant diversity efforts, as well as access to and benefits sharing of plant genetic resources (Turok, 2013). In its totality, this law helped to maintain the agricultural industry in Tajikistan, ensuring food, environmental, and biological security; enabling scientific research and development; and safeguarding sociocultural and historical heritage for the prosperity of both current and future generations.

Regarding bioprospecting and access to biological data, Tajikistan currently faces limited regulations concerning genetic data resources. Uncertainties exist about the role of biological resources and their rational utilization. Nonetheless, several projects in the country receive support from international organizations, including the Food and Agriculture Organization of the United Nations (FAO), the United Nations Environment Programme, the CBD, and the Global Environment Facility (GEF) (FAO, 2022; Nasyrova, 2011). For example, in 2021, the GEF and FAO colaunched a project in Tajikistan to improve regulations surrounding the use of agrobiodiversity in a 3-year project titled Facilitating Agrobiodiversity Conservation and Sustainable Use to Promote Food and Nutritional Resilience in Tajikistan. This project focused on strengthening the country’s nationally and globally significant biodiversity by maintaining local plants and wildlife crops (FAO, 2022). In addition, the project aimed to create gene banks in specific areas of the region, while ensuring equitable distribution of benefits (FAO, 2022).

The governance of biological data in Tajikistan is primarily overseen by various governmental organizations, such as the Ministry of Agriculture, the Committee for Environmental Protection, the Ministry of Health of Tajikistan, the National Academy of Sciences of Tajikistan, and the Academy of Agricultural Sciences of Tajikistan (WHO, 2020). However, the digitalization of data remains limited, impacting the accessibility of medical and agricultural data in the country. Additionally, the sharing of genetic data presents many challenges as well. According to national law in Tajikistan, for these data types to be shared, one must sign a memorandum of understanding or agreement with the recipient organization. This must follow the Nagoya Protocol on Access and Benefit-Sharing, which Tajikistan signed on September 21, 2011 (Kamau et al., 2010). Under the Nagoya Protocol, participating countries aim to equitably share the benefits arising from the use of genetic resources (Kamau et al., 2010).

While Tajikistan has made strides in regulating and increasing the accessibility of biological data, there are ongoing efforts to address current inadequacies, as not all biological data are accessible for open sharing. Additionally, because it is a young country, there are pressures to develop faster. To keep pace with the rapidly advancing fields of science,

technology, and medicine, actions to digitalize data, establish local platforms for data management, use artificial intelligence for data regulation and management (e.g., OpenAI’s ChatGPT), train young specialists in bioinformatics and bioengineering, provide necessary equipment and laboratory facilities, and promote data transparency are important. Additionally, in the field of medicine, Tajikistan obtains a lot of data; however, it is unfortunate that most of these datasets are not digitized for public users, especially in the Tajik language. Ultimately, Tajikistan, along with other Central Asian countries, should prioritize capacity building in data regulation and management, implement proper data governance methodologies, secure funding support, and foster collaboration among institutions. Cooperative efforts will result in the consolidation of substantial, high-quality data for open sharing, fostering scientific advancements and sustainable development.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

Edited by: Carmen Shaw, U.S. National Academy of Sciences, Engineering, and Medicine.

References

Bell, D. E. 1993. The 1992 Convention on Biological Diversity: The continuing significance of U.S. objections at the Earth Summit. George Washington Journal of International Law and Economics 26(3):479-538.

FAO (Food and Agriculture Organization of the United Nations). 2022. FAO, GEF promote agrobiodiversity and sustainability to improve resilience in Tajikistan. Blog. Family Farming Knowledge Platform. https://www.fao.org/family-farming/detail/en/c/1606372 (accessed January 24, 2024).

GBIF (Global Biodiversity Information Facility). 2021. Strategic framework 2023-2027. GBIF Secretariat: Copenhagen. https://doi.org/10.35035/doc-0kkq-0t82.

International Union of Biological Sciences. n.d. International Union of Biological Sciences (IUBS). https://iubs.org (accessed August 4, 2023).

Kamau, E., B. Fedder, and G. Winter. 2010. The Nagoya Protocol on Access to Genetic Resources and Benefit Sharing: What is New and what are the implications for provider and user countries and the scientific community. Law, Environment and Development Journal 6(3):246.

Kotowski, M. A., S. Świerszcz, C. K. Khoury, M. Laldjebaev, B. Palavonshanbieva, and A. Nowak. 2022. The primal garden: Tajikistan as a biodiversity hotspot of food crop wild relatives. Agronomy for Sustainable Development 42:Article 112. https://doi.org/10.1007/s13593-022-00846-9.

Nasyrova, F. 2011. Legal aspects of bioethics in Tajikistan. In Genomics and bioethics: Interdisciplinary perspectives, technologies and advancements. Hershey, PA: IGI Global. Pp. 220-234.

Panjabi, R. K. L. 1993. International law and the preservation of species: An analysis of the Convention on Biological Diversity signed at the Rio Earth Summit in 1992. Dickinson Journal of International Law 11(2):187-282.

Taxonomic Databases Working Group. n.d. Biodiversity information standards (TDWG). https://www.tdwg.org (accessed August 4, 2023).

Turok, J., M. Begmuratov, K. Akramov, C. Carli, S. Christmann, M. Glazirina, K. Jumaboev, A. Karimov, J. Kazbekov, Z. Khalikulov, R. Mavlyanova, N. Nishanov, A. Nurbekov, N. Saidov, R. Sharma, K. Toderich, M. Turdieva, and T. Yuldashev. 2013. Agricultural research collaboration in Tajikistan. Working Paper No. 14. Beirut, Lebanon: International Center for Agricultural Research in the Dry Areas. https://hdl.handle.net/20.500.11766/7901 (accessed October 15, 2021).

WHO (World Health Organization). 2020. Joint external evaluation of IHR core capacities of the Republic of Tajikistan: Mission report, 21-25 October 2019. License: CC BY-NC-SA 3.0 IGO. Geneva: World Health Organization.

Data Governance Experience in Epidemiological Studies in Kazakhstan:
Insights and Implications

Alexandr Ivankov
Independent Researcher, Almaty, Kazakhstan

Introduction

The rapid rise in the volume of data is driving the importance of analyzing data governance policies related to the health care sector (Raghupathi et al., 2014). Global practice of data governance is characterized by the widespread introduction of data management standards at the interstate and national levels. Additionally, issues related to personal data security in health care are of great sensitivity and significance. In recent years, Kazakhstan has been actively developing the principles of open data governance by expanding the range of data available for open use, including the possibility of open data application programming interface (API), where different end users can use open data provided by private organizations and/or the government.¹ This technology allows developers to utilize ready-made blocks to build their own applications. Currently, open API is successfully employed on the eGov Open Data portal, which provides a single mechanism for interactions between the state, citizens, and other government agencies (eGov, n.d.). The main purposes of this paper are to describe the process of data governance in epidemiological research, identify related problems, and suggest possible development options for Kazakhstan.

Results

The research methodology employed in this paper involved an analysis of the data management and data governance practices utilized in a series of COVID-19 epidemiological studies conducted in Kazakhstan (Dyusupova et al., 2021; Semenova et al., 2020a, 2022). The analysis included a description of personal experiences, internal documentation, and national data governance legislation that ensured the confidentiality of personal data in Kazakhstan. Some of these legislations include the laws titled On Approval

___________________

¹ Approval of the Concept of Digital Transformation, Development of the Industry of Information and Communication Technologies and Cyber Security for 2023–2029. Decree of the Government of the Republic of Kazakhstan. No. 269 (2023) (see https://adilet.zan.kz/rus/docs/P2300000269).

of the Rules for Conducting Clinical Trials of Medicines and Medical Devices,² On Approval of the Rules for Conducting Biomedical Research,³ and On Approval of Good Pharmaceutical Practices.⁴ The methodology employed focused on the understanding of data governance in epidemiological research within Kazakhstan, specifically in the context of the COVID-19 pandemic. The approach included an examination of national legislation and recent laws introduced in 2023 regarding data governance in Kazakhstan.

Additionally, this paper analyzes data management and governance practices employed in various COVID-19 epidemiological studies conducted in the country. This includes studies on disease severity and mortality in COVID-19 patients with diabetes mellitus. Existing procedures that regulate data storage and processing (Dyusupova et al., 2021). The process of data storage and processing was characterized by the classification of data into categories significant and not significant, requiring confidentiality or public access, followed by data storage and a description of processing methods, including statistical analysis in accordance with the study protocol approved by the ethical committee. For example, in the case of a COVID-19 outbreak forecast study (Semenova et al., 2020b), the data were classified as public and were freely discussed and exchanged within the team. When working on the COVID-19-diabetes impact study (Dyusupova et al., 2021), the data were available only after being processed by the anonymization group, which had previously been trained on relevant methods of working with the data, and subsequently stored on university computers. The process of monitoring compliance with the protocol for working with data was carried out by the local committee in accordance with the internal committee processes.

The methodology emphasized the creation of internal, unique procedures for each study. Collaboration among researchers was a central part of the study, involving institutional partnerships with the Medical University of Semey City and the In Vitro Laboratory based at Al-Farabi Kazakh National University for large-scale studies using big data. Ethical considerations were also at the forefront, with specific regulations and agreements regarding data handling adapted to the unique conditions of the pandemic. Changes in data management policies are proceeding quickly, and some of the problems have already been eliminated at the legislative level with the introduction of a new 2023 law on data governance, titled the Law on Personal Data and Their Protection (Iskakova and Kadyrzhanova, 2022). Furthermore, the general principles outlined in this law, along with the implementation of the “Data Drive State” strategy and the current e-government efforts on open data, inspire optimism that these trends will also spread to data from the health care sector, thereby increasing the scientific potential for future research, optimizing

___________________

² On Approval of the Rules for Conducting Clinical Trials of Medicines and Medical Devices, Clinical and Laboratory Tests of Medical Devices for Diagnostics Outside a Living Organism (in vitro) and the Requirements for Clinical Bases and the Provision of Public Services, Medicinal Products, and Medical Devices. Order of the Minister of Health of the Republic of Kazakhstan No. 21772 (2020) (see https://adilet.zan.kz/rus/docs/V2000021772).

³ On Approval of the Rules for Conducting Biomedical Research and Requirements for Research Centers. Order of the Minister of Health of the Republic of Kazakhstan No. 21851 (2020) (see https://adilet.zan.kz/rus/docs/V2000021851).

⁴ On Approval of Good Pharmaceutical Practices. Acting Order Minister of Health of the Republic of Kazakhstan No. 22167 (2021) (see https://adilet.zan.kz/rus/docs/V2100022167).

the management of the health care sector, and improving the security of personal data.⁵ All ethical considerations, along with the prerequisite of registering studies involving human subjects, are broadly outlined in national legislation. However, these laws contain only general points on data governance in research, therefore necessitating the creation of a new operational procedure to establish a logical pathway for data collection, safety, storage, processing, and analysis in epidemiological studies.

During the COVID-19 pandemic, this author’s research group conducted several studies, including two studies based on analysis of publicly available data from Our World in Data, an online vaccination dataset, and reports from the National Center for Public Health of the Ministry of Health of Kazakhstan (Mathieu et al., 2020). The unique conditions arising during the pandemic introduced adaptations to the traditional processes of data collection and processing methodologies that were in place before. In the initial two epidemiological studies on the characteristics of coronavirus infection in Kazakhstan and predictive modeling of its spread, publicly available datasets, updated daily, were utilized, thereby fostering proximity to real-time insights for subsequent analytical and research pursuits. The greatest challenge was the inability to copy data from open and local sources in Kazakhstan due to their presentation in noncopyable PDF formats. This resulted in the need for manual data transfer over the course of several months, consequently impeding the speed of work and necessitating the addition of an extra assistant to the data entry team. Typically, data entry tasks are handled by two trained operators; however, due to limited data accessibility and a high risk of systematic input errors, additional assistants were brought in for these studies to oversee data entry and verification.

It is noteworthy that the execution of these studies occurred within a specific ethical framework, permitting an exemption from the usual requirement of study registration in cases not involving interventions. This was primarily driven by the need to expedite obtaining data on the behavior of the coronavirus infection and its management pathways. In the study dedicated to examining the clinical characteristics and risk factors for disease severity and mortality in COVID-19 patients with diabetes mellitus in Kazakhstan, uniquely, data collected by the Ministry of Health of Kazakhstan during the initial waves of the pandemic were analyzed (Dyusupova et al., 2021). The collected information, in the form of excerpts from medical records with the complete removal of any identifying information, such as the individual identification number of citizens of Kazakhstan and their full names, was obtained in raw form by the Medical University of Semey City, recognized as the most experienced in conducting large-scale epidemiological studies in the country (Dyusupova et al., 2021). This is because of the university’s expertise in research related to the impact of adverse environmental conditions and the consequences of nuclear testing at the Semipalatinsk nuclear test site. However, because of unprecedented conditions during the pandemic, the absence of established standard procedures for data transmission and collaborative work, and the unique nature of the study, an internal directive was issued that regulated the university staff’s rights to access the data, the rights to authorship and coauthorship, and restrictions on data sharing with third parties. All university staff members signed a form expressing their agreement to maintain information security, refrain from sharing with third parties, and use the data solely for scientific purposes using only password-protected office computers.

___________________

⁵ About Access to Information. Law of the Republic of Kazakhstan No. 401-V ZRK (2015) (see https://adilet.zan.kz/rus/docs/Z1500000401/z150401.htm).

Another large-scale study using big data was conducted by this author’s research team in collaboration with the IN VITRO Laboratory based at Al-Farabi Kazakh National University (Semenova et al., 2022). Since there was no preexisting standard operating procedure for obtaining and processing large, anonymized datasets from laboratories, an internal procedure was developed that enabled work in a secure mode of data storage and analysis. Within this procedure, data transmission and storage were restricted to an office computer with a password that changed twice a week and was known only to the principal investigator and the data analyst. Unlike the study Clinical Characteristics and Risk Factors for Disease Severity and Mortality of COVID-19 Patients with Diabetes Mellitus, for which data were obtained as a database rather than primary information, the concern about accidental inclusion of identifying data did not arise. However, there was an issue regarding which computer to use for data analysis, as office computers lacked the processing power required for the dataset of 85,346 observations. Consequently, an additional computer was specifically acquired and documented as one of the key components in the technical infrastructure of the study.

During the conduct of all studies, existing procedures that regulate data storage and processing were also examined, providing insights into the general principles of working with data. The creation of internal procedures unique to each study was urgently required. The lack of a previous standardized approach was mainly due to the uniqueness of the pandemic conditions. Simultaneously, challenges such as low data availability, the need to rely on internationally reported data, manual transfer of aggregated publicly available data digitized by the state, and the absence of technical infrastructure for handling big data posed significant obstacles to the speed of conducting research and publishing results. Based on the results of the analysis, it was found that at all levels—national legislation, internal policies of organizations, and data exchange protocols prescribed for a concrete study and approved by the local ethical committee (as part of the approval of the general study protocol)—there are elements that correspond to the norms of international practices. However, the role of supervisory authorities includes prosecutorial authorities, which exercise the highest supervision over the observance of legality in the field of personal data and their protection, as well as the central and local ethics committees, which serve as internal bodies for data control. The functionality of these entities varies among different committees, and it is unclear in the epidemiological studies who provides control over the storage of data and compliance with the principles specified in the relevant documents, along with how they exercise this control.

Some problems identified are the difficulty of accessing open government and medical health data and the quality of the published data. The lack of understanding of how and under what conditions it is possible to access data from health care organizations limits the prospects of obtaining new scientific knowledge. The lack of understanding of who controls the security of data obtained during the research and how they control it inspires concern for the security of these data.

Based on the results of the studies analyzed and current data control practices in health care research, some recommendations might be suggested:

1. Develop Clear Guidelines and Protocols:
   1. Establish transparent and standardized guidelines for accessing government health data and data from large national medical projects.

1. 2. Create protocols that clearly define how and under what conditions researchers and organizations can access health care data.
2. Enhance Data Quality:
   1. Implement strict quality control measures to ensure published data are accurate, consistent, and reliable.
   2. Develop a centralized system for auditing and verifying the quality of data being shared.
3. Educate and Train Stakeholders:
   1. Provide education and training to researchers, policymakers, and other stakeholders to enhance their understanding of data access, quality, and security protocols.
   2. Organize workshops and training sessions to educate about responsible data access and use procedures.
4. Facilitate Collaboration and Communication:
   1. Foster collaboration among government agencies, research institutions, and health care organizations to facilitate seamless access to health data.
   2. Develop communication channels to ensure that concerns and issues related to data access and security are promptly addressed.
5. Build Public–Private Partnerships:
   1. Engage with private-sector organizations that have expertise in data management and security.
   2. Leverage these partnerships to develop innovative solutions for data access, quality, and security challenges.
6. Promote Transparency:
   1. Maintain transparency in the process of data collection, storage, and sharing.
   2. Publicize the procedures and protocols to enhance public trust and encourage responsible usage.
7. Utilize Technology and Innovation:
   1. Develop secure platforms and interfaces that allow seamless access for researchers, while maintaining compliance with ethical and legal standards.
8. Evaluate and Adapt Regularly:
   1. Regularly assess the effectiveness of the implemented solutions.
   2. Make necessary adjustments and refinements to keep the strategies aligned with evolving needs and challenges.

By addressing these areas, it is possible to build a more open, reliable, and secure ecosystem for accessing and utilizing health care data, thereby enhancing the prospects for obtaining new scientific knowledge and maintaining the security of the data.

Conclusion

This paper contributes to the ongoing discourse on data governance in epidemiological research and provides a foundation for future advances in data management practices. It underscores the significance of aligning local data management policies with international standards, fostering responsible data governance, and promoting efficient public health policies in Kazakhstan.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

References

Dyusupova, A., R. Faizova, O. Yurkovskaya, T. Belyaeva, T. Terekhova, A. Khismetova, A. Sarria-Santamera, D. Bokov, A. Ivankov, and N. Glushkova. 2021. Clinical characteristics and risk factors for disease severity and mortality of COVID-19 patients with diabetes mellitus in Kazakhstan: A nationwide study. Heliyon 7(3).

eGov. n.d. Government services and information online of the Republic of Kazakhstan. https://egov.kz/cms/ru (accessed August 14, 2023).

Iskakova, Z. T., and T. S. Kadyrzhanova. 2022. Analysis of problems and challenges in the legislation of the Republic of Kazakhstan on personal data protection and international legal regulation. Bulletin of L. N. Gumilyov Eurasian National University Law Series 4(141):49-60.

Mathieu, E., H. Ritchie, L. Rodés-Guirao, C. Appel, C. Giattino, J. Hasell, B. Macdonald, S. Dattani, D. Beltekian, E. Ortiz-Ospina, and M. Roser. 2020. Coronavirus pandemic (COVID-19). Our World in Data. https://ourworldindata.org/coronavirus (accessed January 24, 2024).

Raghupathi, W., and V. Raghupathi. 2014. Big data analytics in healthcare: Promise and potential. Health Information Science and Systems 2:1-10.

Semenova, Y., N. Glushkova, L. Pivina, Z. Khismetova, Y. Zhunussov, M. Sandybaev, and A. Ivankov. 2020a. Epidemiological characteristics and forecast of COVID-19 outbreak in the Republic of Kazakhstan. Journal of Korean Medical Sciences 35(24):e227. https://doi.org/10.3346/jkms.2020.35.e227.

Semenova, Y., L. Pivina, Z. Khismetova, A. Auyezova, A. Nurbakyt, A. Kauysheva, D. Ospanova, G. Kuziyeva, A. Kushkarova, A. Ivankov, and N. Glushkova. 2020b. Anticipating the need for healthcare resources following the escalation of the COVID-19 outbreak in the Republic of Kazakhstan. Journal of Preventive Medicine and Public Health 53(6):387-396. https://doi.org/10.3961/jpmph.20.395.

Semenova, Y., Z. Kalmatayeva, A. Oshibayeva, S. Mamyrbekova, A. Kudirbekova, A. Nurbakyt, A. Baizhaxynova, P. Colet, N. Glushkova, A. Ivankov, and A. Sarria-Santamera. 2022. Seropositivity of SARS-CoV-2 in the population of Kazakhstan: A nationwide laboratory-based surveillance. International Journal of Environmental Research and Public Health 19(4):2263. https://doi.org/10.3390/ijerph19042263.

Process of Developing a Center for Applied Artificial Intelligence and Cyber
Security at the Kyrgyz State Technical University in Kyrgyzstan

Gulnara J. Kabaeva, Director, Institute of Information Technologies of
I. Razzakov Kyrgyz State Technical University, Doctor of Physical and
Mathematical Sciences, Professor in Computer Science (certified by Higher
Attestation Commission of Kyrygyzstan), Bishkek, Kyrgyzstan

This article discusses the issues of data management for information technology (IT) companies in Kyrgyzstan, along with tasks accomplished by the Center for Applied

Artificial Intelligence and Cybersecurity at the I. Razzakov Kyrgyz State Technical University. (KSTU).

Introduction

Modern times have become driven by the digital economy and propelled by transformative IT innovations. This has marked the fourth industrial revolution, with intellectual technologies being developed rapidly and used in almost all areas of human activity, including medicine and agriculture. The development and use of intelligent technologies were built on the processing of large datasets. This has led to new attitudes toward data and to the development of policies and strategies for data management, both in individual organizations and at the level of governmental decisions.

For the digital transformation of the Kyrgyzstan economy, an action plan was developed to implement the digitalization of state and municipal government operations, titled the National Development Programme of the Kyrgyzstan until 2026. This plan included the development and management of digital infrastructures, the provision of high-quality digital services, the development of IT education, and the training of highly qualified IT specialists for the industry.⁶ The implementation of the plan includes improving the regulatory framework for data management, including the collection, storage, use, and security of data. The data management strategy is aimed at optimizing the management of companies and their activities, employees, and connected devices, as well as within countries—with policies that are compliant with national and international data frameworks (Dama International, 2017).

Kyrgyzstan’s burgeoning IT sector has been evident in recent years. However, not all enterprises are confined to software development, with other services encompassing IT services, hardware vendors, and equipment component parts. This growth is noted by news outlets, such as tazabek.kg, which provides a list of 80 IT companies (Tazabek, n.d.). There is an absence of large domestic IT companies in Kyrgyzstan currently, which is mitigated by export-related company activities. In 2011, the High Technology Park of Kyrgyzstan was founded, which unites more than 200 IT companies. The park provides its residents with special tax and legal regimes that exempt export-oriented IT companies from certain types of taxes.⁷

Digital data management in software companies includes a wide range of tasks, behind-the-scenes application of policies and actions that ensure competent and secure work with data, and a choice of platforms for implementing their solutions. To analyze the data management strategies of IT companies, an internal audit should be carried out, if necessary. Well-known data management work steps include generating data, data storage, making data publicly available, updating data, and recovering from system failures or

___________________

⁶ National Development Program of the Kyrgyz Republic until 2026. Decree of the President of the Kyrgyz Republic. No. 435 (2021) (see https://cbd.minjust.gov.kg/430700?refId=1096469); Action Plan for Digitalization of Management and Development of Digital Infrastructure in the Kyrgyz Republic for 2022-2023. Order of the Cabinet of the Ministers of the Kyrgyz Republic. No. 2-r (2022) (see http://cbd.minjust.gov.kg/act/view/ru-ru/218797).

⁷ Regulations on the Procedure for Registering Residents of the High Technology Park of the Kyrgyz Republic. Decree of the Government of the Kyrgyz Republic. No. 267 (2012) (see http://cbd.minjust.gov.kg/act/properties/ru-ru/93604/10); On the High Technology Park of the Kyrgyz Republic. Law of the Kyrgyz Republic. No. 84 (2011) (see http://cbd.minjust.gov.kg/act/view/ru-ru/203327).

emergencies, as well as utilizing data in certain applications and computing tasks, and ensuring the confidentiality and security of data.

Regulatory Framework for Data Management in the Kyrgyzstan

Data companies operating in Kyrgyzstan must familiarize themselves with and adhere to the existing regulatory and legal provisions and laws of the country. The list of such documents includes⁸:

• The Constitution of Kyrgyzstan.
• Law of Kyrgyzstan, On Personal Information.
• Law of Kyrgyzstan, On e-Governance.
• Law of Kyrgyzstan, On Personal Data Protection.
• As amended by the Laws of Kyrgyzstan, About Trade Secrets.
• Decree of the Government of Kyrgyzstan, Cybersecurity Strategy of Kyrgyzstan for 2019-2023.
• Decree of the Government of Kyrgyzstan, On Approval of the Requirements for the Protection of Information Contained in Databases of State Information Systems.
• Order of the Cabinet of Ministers of Kyrgyzstan, On Approval of the Concept of Open Data of Kyrgyzstan for the Period 2022-2024.

One can become acquainted with the content of these documents on the Open Data Portal of Kyrgyzstan, which has accessible legal information for various sectors, including education, health care, transport, etc. Additionally, in September of 2022, the government approved the Open Data Concept of Kyrgyzstan, making the country one of the first in Central Asia to join the Open Government Partnership. Kyrgyzstan ranks 58th in the world for level of accessibility of digital content.⁹

It is noteworthy to mention that the Personal Data Protection Law of Kyrgyzstan is in line with the European Union’s General Data Protection Regulation.¹⁰ Within it, the seven key principles for the management and processing of personal data include legality, fairness, transparency, accuracy, integrity, and confidentiality, as well as compliance with restrictions and storage requirements (ISO, 2022a,b). On the website of the State Agency for the Protection of Personal Data (2023) under the Cabinet of Ministers of Kyrgyzstan, there are regulatory documents that relate to the issues of ensuring the protection of human rights and freedoms related to collecting, processing, and using personal data.

Difficulties associated with data management primarily arise from the ever-increasing volumes of data that have different forms of representations and types. Data can

___________________

⁸ See Regulatory and Legal Provisions and Laws of the Kyrgyz Republic following the references list for this paper.

⁹ Open Data Concept for Kyrgyz Republic for the period 2022-2024. Order of the Cabinet of Ministers of the Kyrgyz Republic No. 463-r (2022) (see http://cbd.minjust.gov.kg/act/view/ru-ru/219184?cl=ru-ru).

¹⁰ On the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Regulation (EU) 2016/679 of the European Parliament and of the Council (2016) (see https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434).

come from information devices such as sensors, video cameras, medical devices, internet sources, and electronic measuring instruments. In addition, the received data require storage and modern, high-speed data management systems, and backup storage units. As a result, companies must adhere to the requirements of data confidentiality related to national security and international laws, so as not to violate copyrights and property rights. In this way, copyright protection is provided by the State Agency for Intellectual Property and Innovations of Kyrgyzstan¹¹ (Kyrgyzpatent, 2023), which ensures application examinations and issues protection titles in accordance with the legislation of Kyrgyzstan in the field of intellectual property.

Possible Risks and Vulnerabilities in the Kyrgyzstani IT Sector

For actively operating IT companies, there are and always will be risks related to data, as well as processes that may affect the implementation and use of data-related tasks. Undoubtedly, risks associated with software development in the IT sector can lead to both reversible and irreversible consequences, such as information leakage and data loss, personnel errors, and confidentiality violations related to standards and norms for risk management. To prevent and reduce human-induced errors, careful training and work with personnel are necessary. Additionally, IT companies in Kyrgyzstan are engaged in various tasks related to the automation of technological processes, the management of electronic documentation, intelligent solutions in the financial sector, web applications, and automated information systems in educational and medical institutions, as well as e-commerce support systems (ISO, 2009). There are companies that are distributors of hardware and software from large international companies. In addition, cellular operators have their own software development departments, and there are state-owned IT enterprises under the Ministry of Digital Development of Kyrgyzstan that are working on digital solutions for the country’s economy.

Software development is always associated with data processing, data arrays, and competent work with data. With each passing year, the amount of data will accumulate, and the problem of secure data storage will require solutions. For companies to stay in a competitive market, they must adhere to the rules of data protection and comply with international intellectual property and ethical legal standards. Companies that work for export gain access to customer databases and are required to comply with the rules and requirements of the security policy and international data and risk management standards. They define their relationship through contracts, cooperative agreements, and nondisclosure agreements for trade secrets. The presence of international standards greatly contributes to good data management, data quality management planning, and organization risk mitigation.

Tasks of the I. Razzakov Institute of Information Technologies of KSTU

Innovative artificial intelligence technologies based on the development of both software and computer technology have increased in demand for the IT market. IT companies in Kyrgyzstan are potential employers for graduates of the republic’s universities. As is the case all over the world, the demand for IT specialists in Kyrgyzstan

___________________

¹¹ On the Issues of the State Agency Intellectual Property and Innovation. Resolution of the Cabinet of Ministers of the Kyrgyz Republic. No. 111 (2021) (see http://patent.gov.kg/).

is high, and, like everywhere else, developers with knowledge and skills in the latest technologies are needed. The demands of the domestic labor market can be met mainly by graduates of local universities. The I. Razzakov Kyrgyz State Technical University (KSTU) is the only engineering institution of higher education in Kyrgyzstan; KSTU has been training IT specialists in a wide range of specialties since the 1980s. However, the way to remain in the educational services market, where IT companies are oftentimes looking for qualified specialists, is the modernization of educational programs in accordance with the requirements of the IT companies and other emerging global trends.

The Institute of Information Technologies at KSTU offers 11 undergraduate and 6 master’s degree programs in IT areas (IIT, 2023). In 2021, a new undergraduate educational program in big data analytics was launched to provide the domestic market of the country with the missing specialists in the field of data analysis and processing, given the high demand in IT. This program began because of the implementation of the Erasmus + Coordinating Board for Higher Education project: “Establishment of Training and Research Centers and Courses Development on Intelligent Big Data Analysis in CA/ELBA, 2019-2023” (KSTU, 2023). This project created the Laboratory of Data Analysis, equipped with modern computers, with professors trained in European universities of the project partners. KSTU also held training in the field of big data mining with access to highly efficient modern tools based on the experience and technologies of the European Union.

Kyrgyzstan is 94th on the Global Innovation Index 2022. Indicators of low levels of innovation links (13.7%), research collaboration between universities and industry (24.3%), and knowledge impact (15.1%), as well as the need to train specialists with knowledge of artificial intelligence methods and technologies, led to the decision to create the Center for Applied Artificial Intelligence and Cyber Security as the most relevant and knowledge-intensive field today. The goals are to improve the quality of educational services; improve the educational programs of KSTU in IT areas, while regulating educational results; and maintain feedback with employers. Additionally, the development of IT education with the implementation of the education–science–business model, while training highly qualified IT personnel and thereby increasing the employment potential of graduates of IT specialties of KSTU in modern conditions, are also highly prioritized. Thus, the Center for Applied Artificial Intelligence and Cyber Security is designed to study and implement:

• Practical application of artificial intelligence in various fields, including education, health care, emergency situations, and energy.
• Development of new business software products.
• New educational programs for the preparation of bachelor’s and master’s degrees in artificial intelligence and machine learning in Western universities under dual degree programs.

As part of the center, laboratories are being created to develop:

• Artificial intelligence methods and technologies for applied research problem-solving in the fields of science and technology.
• Industrial automation.
• Cybersecurity and information security analysts.

• The Internet of Things.

IT teachers and students are developing the university’s learning management system, as well as the Advisement Verification Number automated information system, originally created at the university. Institute teachers and students carry out scientific work using methods and algorithms of artificial intelligence to study:

• Software and hardware systems in the field of computer vision and augmented and virtual reality.
• Natural language processing technologies on IT (work is underway in this field with the company ULUT soft).
• Recommendatory and intelligent decision support systems in education and medicine.
• Development of digital solutions for health care and social organizations.
• Information security systems for the banking sector.
• Development of a monitoring system with the help of intelligent recognition of the danger of a breakthrough in high mountain lakes.

Conclusion

The digitalization of the economy and the use of intelligent technologies based on the processing of large datasets have led to the need to develop both policies and strategies for data management in individual organizations and the government. In Kyrgyzstan, for the implementation of digital solutions, a legal and regulatory framework related to data management (collection, cleaning, storage, use, and security) is being developed consistently. The number of IT companies is growing in the country, most of which work for export under foreign contracts. When working with data, it is necessary to resolve issues related to data quality, data protection, and copyright, based on international standards. Needs include training specialists with knowledge of the methods and technologies of artificial intelligence at KSTU, while considering the need to regulate educational results, and maintain feedback with the employer-led decision to create a Center for Applied Artificial Intelligence and Cyber Security.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

References

Dama International. 2017. DAMA-DMBOK: Data management body of knowledge. Technics Publications, LLC.

IIT (Institute of Information Technologies) of KSTU named after I. Razzakova. n.d. https://kstu.kg/en/bokovoe-menju/faculties/institute-of-information-technology (accessed February 13, 2024).

ISO (International Organization for Standardization). 2009. Risk management—Principles and guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en (accessed January 24, 2024).

ISO. 2022a. Data quality. Part 1: Overview. ISO 8000-1. https://www.iso.org/obp/ui/#iso:std:iso:8000:-1:ed-1:v1:en (accessed January 24, 2024).

ISO. 2022b. Data quality. Part 2: Vocabulary. ISO 8000-2. https://standards.iteh.ai/catalog/standards/iso/2e74ce51-74cf-4b5e-8089-295dfafcb8a2/iso-8000-2-2022 (accessed January 24, 2024).

Kyrgyzpatent. n.d. Official Site of Kyrgyzpatent. http://patent.gov.kg (accessed August 25, 2023).

The State Personal Data Protection Agency. What is personal data? https://dpa.gov.kg/en (accessed August 25, 2023).

KSTU (Kyrgyz State Technical University named after I. Razzakova). n.d. ELBA Project. https://kstu.kg/proekty/tekushchie/proekt-modernizacija-vysshego-obrazovanija-v-centralnoi-azii-cherez-novye-tekhnologii-hiedtec-po-programme-ehrazmus-1 (accessed August 20, 2023).

Tazabek. n.d. 80 It-Компаний Кыргызстана - Владельцы и Учредители - Tazabek. https://www.tazabek.kg/news:1929262 (accessed August 7, 2023).

Regulatory and Legal Provisions and Laws of the Kyrgyz Republic

Constitution of the Kyrgyz Republic. Law of the Kyrgyz Republic. (2021) (see http://cbd.minjust.gov.kg/act/view/ru-ru/112213/10?mode=tekst).

On Personal Information. Law of the Kyrgyz Republic. No. 58 (2008) (see https://dpa.gov.kg/en/npa/4).

On Amendments to the Law of the Kyrgyz Republic “On Personal Information.” No. 129 (2017) (see http://cbd.minjust.gov.kg/act/view/ru-ru/111636?cl=ru-ru).

On Approval of the Procedure for obtaining the consent of the subject of personal data to the collection and processing of his personal data, the procedure and form for notifying subjects of personal data about the transfer of their personal data to a third party. Decree of the Government of the Kyrgyz Republic. No. 759 (2017) (see https://dpa.gov.kg/en/npa/16).

About trade secrets. Law of the Kyrgyz Republic. No. 83 (1998) (see http://cbd.minjust.gov.kg/act/properties/ru-ru/38/50).

On e-governance. Law of the Kyrgyz Republic. No. 127 (2017) (see http://cbd.minjust.gov.kg/act/view/ky-kg/111634).

Cybersecurity Strategy of the Kyrgyz Republic for 2019-2023. Decree of the Government of the Kyrgyz Republic. No. 369 (2019) (see http://cbd.minjust.gov.kg/act/view/ru-ru/15478).

On Approval of the Cybersecurity Strategy of the Kyrgyz Republic for 2019-2023. On amendments to the Decree of the Government of the Kyrgyz Republic. No. 199 (2022) (see http://cbd.minjust.gov.kg/act/view/ru-ru/159115).

On Approval of the requirements for the protection of information contained in databases of state information systems. Decree of the Government of the Kyrgyz Republic. No. 762 (2017) (see https://dpa.gov.kg/en/npa/17).

On Approval of the requirements for the protection of information contained in the database of state information systems. Amendments to the Decree of the Government of the Kyrgyz Republic. No. 45 (2022) (see http://cbd.minjust.gov.kg/act/view/ru-ru/158956?cl=ru-ru).

On some issues related to state information systems. Law of the Kyrgyz Republic. No. 744 (2019) (see http://cbd.minjust.gov.kg/act/view/ru-ru/157404?cl=ru-ru).

On Approval of the Concept of open data of the Kyrgyz Republic for the period 2022-2024. Order of the Cabinet of Ministers of the Kyrgyz Republic. No. 463-r (2022) (see http://cbd.minjust.gov.kg/act/view/ru-ru/219183).

Ensuring Data Governance and Privacy in Cardiology Practice:
Complying with Regulatory Frameworks and Protecting
Sensitive Patient Health Data in Kyrgyzstan

Erkin Mirrakhimov, MD, Professor, Chair of Internal Medicine
at the Kyrgyz State Medical Academy and head of the Atherosclerosis
and Coronary Artery Disease Department of the National Center of Cardiology
and Internal Disease, Bishkek, Kyrgyzstan

Kyrgyzstan is a country located in Central Asia with a population of about 7 million people; the area of the territory is 199,951 km^2. More than three-quarters of the territory of Kyrgyzstan is occupied by mountains, with more than half of its territory located at altitudes from 1,000 to 3,000 m and about a third at altitudes from 3,000 to 4,000 m (Figure 4).

As for its citizenship, about 87% of the population is under the age of 65 years old. Every fifth inhabitant of Kyrgyzstan (20%) may die young (30–69 years old) from noncommunicable diseases, such as those of the cardiovascular system, cancer, respiratory diseases, and diabetes mellitus. More than half of deaths from all causes in Kyrgyzstan are due to cardiovascular disease (CVD). In Kyrgyzstan, more than 18,000 people die from diseases of the circulatory system every year, or about 50 people a day. Given the active digitalization in the medical field, given that patient data are stored digitally on servers, and given the high prevalence of CVD in Kyrgyzstan, control, protection, security, and limitation of unauthorized access to the personal and medical data of cardiac patients is of great importance.

Legislation has been designed to provide a legal framework for handling personal data, following internationally accepted principles and standards and aligning with the Constitution and laws of Kyrgyzstan. The objective is to safeguard individuals’ rights and freedoms pertaining to the collection, processing, and utilization of their personal data. The foundational legal documents, acts, and directives are based on the nation’s Constitution. These include the law on personal data protection; the protocol for acquiring subjects’ consent for personal data collection and processing; the procedure and format for notifying subjects about the transfer of their personal data to third parties; requirements for the security and protection of personal data throughout its processing in information systems;¹² and the procedure for registering the data repository owner, registering the data repositories, and creating listings of the data owner’s personal data in the register.¹³

___________________

¹² Decree of the Government of Kyrgyzstan “On Approval of the Procedure for Obtaining the Consent of the Subject of Personal Data to the Collection and Processing of [Their] Personal Data, the Procedure and Form for Notifying Subjects of Personal Data about the Transfer of their Personal Data to a Third Party.” No. 759 of November 21, 2017 (see https://dpa.gov.kg/en/npa/16).

¹³ Law of the Kyrgyz Republic “On Personal Information” as amended by Law No. 129 of July 20, 2017, and No. 142 of November 29, 2021 (see http://cbd.minjust.gov.kg/act/view/ky-kg/202269).

The main data protection regulator is the State Agency for the Protection of Personal Data, established by a decree by the president of Kyrgyzstan in 2021.¹⁴ This agency was registered on January 10, 2022, and is part of the Cabinet of Ministers of Kyrgyzstan. The decision to share personal information lies with the subjects providing it. When an individual consents to sharing their personal data, they grant permission for its collection and processing. Such consent can be given in writing, either on paper or electronically using a valid electronic signature in accordance with Kyrgyzstani legislation.

In accordance with paragraph 21 of the Law on Personal Data, the entity responsible for the personal data repository is required to use all appropriate legal, organizational, and technical measures to prevent unauthorized, illegal, or accidental access; unauthorized modification of the subject’s data; access blocking; data copying; and data declassification. Noncompliance with personal data protection regulations provides legal liability. In cases where an individual’s confidentiality is breached, the affected person holds the right to compensation for damages and emotional distress. Article No. 127 of October 28, 2021, of the Criminal Code of Kyrgyzstan states that violation of the private life of an individual, in particular, the illegal collection of personal data with the aim of distributing it without the subject’s consent, is punishable by community service and a fine of 20,000–50,000 Kyrgyzstani Soms (equivalent to ~230–570 USD).

___________________

¹⁴ Law of the Kyrgyz Republic “On Personal Information as amended by Law No. 129 of July 20, 2017, and No. 142 of November 29, 2021 (see http://cbd.minjust.gov.kg/act/view/ky-kg/202269).

Cardiology patients can be observed as outpatients or inpatients in medical institutions at the secondary and tertiary levels. Passport data, including last name, first name, patronymic, year of birth, social security number, and residential address, along with medical examination data and laboratory results, are entered into a secure electronic database of the corresponding medical institution. Each medical institution has its own protocol for maintaining the security of patient data with similarities between institutions. Access to the electronic database of the relevant medical institution is available only to doctors working within the institution. Unauthorized access to equipment that stores medical and patient data impossible because it is located in a special, locked office. Lack of access to this equipment prevents illegal data information acquaintance, duplication, changing information about personal data, and/or deletion from the database.

Physicians conducting outpatient or inpatient treatment do not sign special documents on the nondisclosure of patients’ medical information but are guided by the principles of medical ethics, deontology, and the preservation of medical secrecy. Also, during an outpatient visit or hospitalization, patients do not provide consent for a doctor’s examination, since patients came voluntarily to an outpatient appointment or inpatient treatment. Written consent is taken for instrumental invasive studies and surgical treatment. Unauthorized persons cannot access the electronic database. The right of access to the medical information of a particular patient, except for the attending physician, is provided only to the authorized bodies defined in the law On Personal Information. For example, when the patient (or their relatives in the event of the death of the patient) appeals to the Ministry of Health, law enforcement, or judicial authorities, the information is transferred to the official commissions. In addition, the medical information of patients is transferred to the Compulsory Medical Insurance Fund after each outpatient appointment and hospitalization, where patient data is entered into an electronic database, without access for unauthorized persons. Each medical institution of Kyrgyzstan submits annual statistical data on the number of treated patients, laboratory and instrumental interventions performed, and number of deaths to the E-Health Center (CEZ) of the Ministry of Health.¹⁵ Concurrently, only digital data are transmitted to the CEZ without indication of surnames, addresses, and social security numbers. That is, no data are transmitted by which patients can be identified.

The Ministry of Health, as an authorized body of the Government of Kyrgyzstan, has developed and started to implement in pilot mode the Digital Outpatient Card of the Patient and the Digital Health Profile. The Digital Outpatient Patient Record (DAC) is an information system that stores and manages the medical data of patients, providing real-time access to medical personnel. This system improves the efficiency of providing medical care to the population by providing prompt and convenient access to information about the health of patients, as well as reducing the bureaucratic burden on medical personnel spent on searching for and collecting information. DAC includes an electronic record of the history of patients, centralized data storage, integration with laboratory and diagnostic systems, and doctor’s appointment schedules. The system allows one to create reports and analysis of incidence statistics.

The Digital Human Health Profile (DPH) is an information system that aggregates and displays data related to a person collected by public health organizations. The purpose of the creation of the DPH is to improve the quality and efficiency of medical care for the population through quick and convenient access to information about the health of patients,

___________________

¹⁵ Center for Electronic Healthcare. Ministry of Health Kyrgyzstan (see http://cez.med.kg/).

reducing the time to search and collect information about the patient’s health. Today, with the help of a digital solution for the population, the following data are available: the health care organization providing primary health care to which the person is attached, insurance status, history of visits to health organizations providing primary health care, history of hospitalizations, history of laboratory test results, and vaccination history. In the future, integration of all other health services into the system, such as making doctor’s appointments, electronic prescription documents, access to extracts from medical records, various certificate types, and others, is planned. Continuing work to integrate this information will allow the public to access patients’ medical history, laboratory test results, and diagnostic tests in one place. Continuing work to integrate this information will allow the public to access patients’ medical history, laboratory test results, and diagnostic tests in one place. The integration of these systems on the state portal of electronic services, Tunduk, will provide a more convenient and complete provision of the information necessary to monitor and maintain one’s health.

Given the high prevalence of CVD in Kyrgyzstan, scientific research is being actively concducted in the country. When conducting scientific research in the field of cardiology in Kyrgyzstan, researchers adhere to international rules and requirements. First of all, informed written consent is obtained from the patient, having previously familiarized the patient with the planned study. The patient is provided with the purpose of the study, what data will be collected, the possible transfer of data to a third party, and the use of medical data for publication in scientific articles. At the same time, the patient’s right to withdraw from the study at any time, without giving a reason, and the anonymity of the patient’s data are guaranteed. The patient data included in the studies are entered into a separate secure database, access to which is available only to the researchers participating in the study. Unlike the electronic database of medical institutions, where patients are registered for outpatient or inpatient treatment, each patient participating in the study is assigned a code, by which the patient cannot be identified. Access to the patient code and identification, along with signed informed consent forms, are stored in a separate safe, the key to which is kept by the principal investigator. Researchers sign a nondisclosure document. Patient data are stored for 15–25 years, depending on the conditions of the study. The patient who plans to be included in the study independently decides whether to participate in the trial and grants the right to researchers to collect the necessary data, process and analyze them, and include the results in study reports and publication in scientific journals. In case of participation in international studies and the need to send medical information, only those medical indicators required by the study protocol are transmitted, without sending personal data by which the patient can be identified.

Digitalization is increasingly being introduced into all spheres of everyday life in Kyrgyzstan. In recent years, the country’s authorities have been paying more attention to digitalization processes. The government sets the task of introducing information and communication technologies into the activities of state bodies. Thus, within the framework of the National Development Strategy of Kyrgyzstan for 2018-2040, the task of forming an open digital society is defined and organized to implement a number of activities, including:

• Provision of digital public services, including digital government, digital local government, digital parliament, and the digital justice system in all regions of the country.

• Provision of digital social services (health, education).

Since 2021, with funding from the European Union, the project “Supporting Digitalization in Kyrgyzstan” has been implemented by a consortium led by the eGA Academy of Electronic Governance (Estonia), with the participation of HAUS (Finland), CSIPiemonte (Italy) and the Ministry of Digital Development of Kyrgyzstan. Within the framework of this project, computer literacy is being improved among residents of the country, and digital skills are being developed to use digital solutions through the development and implementation of materials for e-learning. They are increasing the availability of digital competencies and literacy, with special attention given to young people, women, people living in disadvantaged conditions, rural residents, vulnerable social groups, socially unprotected, and low-income segments of the population.

The development and implementation of e-services continue to achieve sustainable development and community empowerment. Thus, access to public services constantly expands because of their transfer to a digital platform. Many polyclinics have introduced digital records for outpatient examinations. Patients do not need to come to the clinic and wait in line for an appointment but come right at the appointment time. As part of this project, to increase the confidentiality of personal data, the Agency for the Protection of Personal Data was created, which constantly improves cybersecurity measures for the protection of personal data, risk management, and sustainability of the digitalization system. Continuous improvement of the data protection system is needed to climb the global cybersecurity rankings.

The regulatory and legal framework relating to information technology continues to improve, including issues of cybersecurity. Personal data protection and digital potential is developing. With widespread digitalization involving sectors such as the medical field, it is necessary to constantly ensure the confidentiality and protection of the population database via online platforms for raising awareness, as well as by strengthening the government’s capacity in personal data protection. Furthermore, efforts are being made to increase public confidence in the security of the storage of their personal data by introducing effective data protection and confidentiality mechanisms, such as improving procedural standards and supervisory mechanisms for controlling the processing, storage and protection of personal data and ensuring confidentiality, as well as implementing a system of sanctions for violations and negligence in accordance with international human rights standards. Additionally, a key factor for a more resilient and sustainable data protection system is to improve national cybersecurity through widespread implementation. This also helps to ensure that the current government cybersecurity strategy for the coming years and security operations are focused on the main threats and risks.

Additional work is needed to create artificial intelligence capabilities and implement them in all sectors. Artificial intelligence algorithms will help in early disease diagnosis, treatment planning, and drug development. Training health care workers on digital solutions aimed at early detection and response to events in various areas of health care continues. In modern realities, digital sovereignty of Kyrgyzstan is important to remember; that is, the country’s right to determine its information policy, designate its information security, and develop national software. However, we should not think of this as digital isolation. If those involved the information resources of Kyrgyzstan do not exchange data, they will not have the capabilities that the digital world represents. Further digitalization is a

key factor in the growth of many sectors of the economy, the health care system, education, and many other areas of everyday human life.

Conclusion

Kyrgyzstan is actively implementing digitalization in all spheres of life, including health care. The country has created a regulatory framework on the collection of personal information, its storage, and mechanisms for protecting confidential data, and identified responsible state structures responsible for the storage and security of the database. The Ministry of Health of Kyrgyzstan is actively implementing digitalization tools in medicine and the health care field. “Digital Outpatient Card of the Patient” and “Digital Health Profile” frameworks have been created, improved, and actively integrated into the practical activities of medical institutions. Their integration will allow the population to have online access to their medical history, the results of laboratory tests, and diagnostic tests. Information about the number of treated and deceased patients, clinical diagnoses, and other medical information flows to the E-Health Center and the Compulsory Medical Insurance Fund. At the same time, patient data are protected from unauthorized access. Work continues to improve the digital literacy of medical workers and patients with more complete coverage of medical institutions by digitalization. A procedure for electronic medical document management has been developed, which excludes the maintenance of medical documents in paper form in cases when of digital solutions can replace them. This step will allow the health care system to actively implement digital solutions, reduce duplication of information, save finances, and direct them to the development of digital infrastructure health care systems. Trainings are regularly held for health care workers to improve computer and digital literacy. The Ministry of Health is constantly monitoring compliance with the security of storing confidential information and improving the methods of protecting the database.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

Transformation of Health Information System Regulation in Kazakhstan with the
Development and Widespread Use of Digital Solutions

Zhaniya Nurgaliyeva, MD, is a medical professional with more than 10 years of
experience in health information systems implementation in Kazakhstan,
where she has been a driving force in e-health standardization efforts in the country.

In recent years, Kazakhstan has demonstrated consistent growth in telecommunications infrastructure, the provision of digital services, and the existing human potential. Kazakhstan secured 29th place among 193 participating United Nations countries, emphasizing its well-developed information and communications technology market, with active participation from both domestic and foreign entities (UN Department of Economic and Social Affairs, 2020). Health management information systems, electronic medical records (EMR) systems, and national databases are in operation across all medical facilities. Additionally, Kazakhstan has successfully established a national telemedicine network, embraced and began developing the Internet of Things, and introduced applications for remote

patient monitoring. To maintain stability and promote widespread digitalization, regulatory pressure in the form of legislation and standards plays a vital role. The process of improving legislation is time and resource intensive, necessitating a well-defined conceptual vision of development and an understanding of the necessary regulatory steps for implementation.

In the predigital era, Kazakhstan’s health care sector operated under strict legislation regulating the paper-based documentation of the medical care provided to inpatients and outpatients. This encompassed patient medical records, referrals to services or hospitalization, ambulance sheets, and other primary records of medical and administrative information. The advent of information and communication technologies in health care in the 1990s initiated the generation of aggregated reports based on the main indicators of health and health care. In general, the development of information databases in various sectors of Kazakhstan developed in accordance with requirements given by the governing state body. Kazakhstan’s journey toward regulated digitalization began with a state program for the formation and development of the national information infrastructure of the Republic of Kazakhstan from 2001 to 2005, alongside the first law on informatization adopted around the same time¹⁶ (“About informatization,” 2003). These foundational documents defined a regulatory framework for the information and communication technology industry and established relationships between software vendors and government agencies. Concepts such as information processes, information services, and confidential information were also introduced for the first time.

After the adoption of the strategic program for health care development in 2005, Kazakhstan embarked on the introduction of a unified health information system (HIS), the paradigm of which was to cover the processes and reporting of medical organizations in Kazakhstan with one state computer system.¹⁷ The next few years were devoted to the development of this solution. The next step in the development of e-health in Kazakhstan was to support a large-scale reform that enabled citizens to receive medical services in any health care organization in Kazakhstan. To enable the new health care financing system, based on the “funding following the patient” principle, numerous vertical systems have been introduced since 2009, covering the process of providing care for nosology (e.g., cancer registry, tuberculosis registry, acute coronary syndrome) as have horizontal systems, responsible for individual health care functions (e.g., hospitalization, drug provision, inpatient register).

In 2012, an audit was conducted, with the involvement of experts from the Swiss Tropical and Public Health Institute, some of the results of which were reflected in the Concept for the Development of e-health in Kazakhstan in 2013–2020.¹⁸ The main technical gap in the state computer system was that, in addition to the existing modules of the

___________________

¹⁶ On the State Program for the Formation and Development of the National Information Infrastructure of the Republic of Kazakhstan. Decree of the President of the Republic of Kazakhstan No. 573 (2001) (see https://adilet.zan.kz/rus/docs/U010000573_#z0); About Informatization. Law of the Republic of Kazakhstan No. 412 (2003) (see https://adilet.zan.kz/rus/docs/Z030000412).

¹⁷ On the State Program for the Reform and Development of Healthcare of the Republic of Kazakhstan for 2005-2010. Decree of the President of the Republic of Kazakhstan No. 1438 (2004) (see https://adilet.zan.kz/rus/docs/U040001438).

¹⁸ Concept for the Development of Electronic Healthcare of the Republic of Kazakhstan for 2013-2020. Decree of the President of the Republic of Kazakhstan No. 464 (2013) (see https://nrchd.kz/files/ez/%D0%9A%D0%BE%D0%BD%D1%86%D0%B5%D0%BF%D1%86%D0%B8%D1%8F%20%D0%AD%D0%97.pdf).

system based on the “thick client,” web applications were additionally developed and put into operation, which led to a violation of the principle of a single database and a single data dictionary, and to an explosive increase in the need for ensuring interoperability between systems. The absence of a strategic vision and methodological and technical standards (e.g., architectural, processes, terminology) further hindered progress; the approach was eventually abandoned.

The development of health care data systems was influenced heavily by regulatory legislative acts, which focused on regulating specific functions within the health care field. For example, vertical databases were created in accordance with the standards and clinical guidelines for organizing and providing care for a particular nosology. However, as time progressed, it became evident that the primary focus was on obtaining financial statements and generating reports on the services provided by health care organizations. This emphasis on reporting improved the quality of secondary data available. Nevertheless, a significant challenge emerged as the lack of interaction between systems necessitated that doctors simultaneously work across multiple vertical and horizontal information databases. This fragmentation of patient information across different databases hindered seamless data exchange. Furthermore, the continued reliance on paper medical records for patients paralleled the advent of electronic portals and the provision of electronic financial and statistical reporting for health care services. These disconnects posed obstacles in the journey toward a fully integrated and digitalized health care ecosystem.

The idea of patient centricity gained prominence with the adoption of the first Concept for the Development of Electronic Healthcare in Kazakhstan in 2013. The reform aimed to develop an information model that empowers medical personnel to deliver safe, high-quality, and timely services.¹⁹ Emphasizing the significance of aligning with international standards, the integration of primary health and health care data collection emerged as a natural process (European Observatory on Health Systems and Policies et al., 2019). The construction of this model remains pending, since the primary task is the formation of a single repository with clinical data of national electronic health records in accordance with the strategic document for the development of health care until 2026.²⁰ However, a significant outcome of the first Concept’s implementation was the demonopolization of the software vendor monopoly market. Previously, the Ministry of Health solely procured health care information databases. With the adoption of the Concept, medical facilities began to acquire these systems themselves, thereby stimulating the development of the software market tailored to meet their specific needs.

Moreover, the concept highlighted the importance of establishing an e-health standardization system, encompassing the national electronic health record (EHR) information model, regulating key classification standards, as well as defining technical norms for iden-

___________________

¹⁹ Concept for the Development of Electronic Healthcare of the Republic of Kazakhstan for 2013-2020. Decree of the President of the Republic of Kazakhstan No. 464 (2013) (see https://nrchd.kz/files/ez/%D0%9A%D0%BE%D0%BD%D1%86%D0%B5%D0%BF%D1%86%D0%B8%D1%8F%20%D0%AD%D0%97.pdf).

²⁰ On Approval of the Concept for the Development of Healthcare in the Republic of Kazakhstan until 2026. Decree of the Government of the Republic of Kazakhstan No. 945 (2022) (see https://adilet.zan.kz/rus/docs/P2200000945).

tification and interaction. Despite these advancements, the existing regulations for recording and maintaining clinical and administrative data, as well as secondary reporting, remained relatively unchanged, failing to consider the already advanced HIS digital infrastructure. Thus, e-health standards were developed based on the EHR model, adhering to ISO 13940. Additionally, the standards for main health processes, including electronic referrals, prescriptions, prevention strategies, patient data exchange, diagnostic test results, and electronic consultation data management, were defined. In Kazakhstan, clinical information classification standards, such as the International Classification of Diseases 9 and 10 for coding diseases, conditions, and services, as well as Anatomical Therapeutic Classification system for medicines, are well-defined and adhered to. In 2017, the implementation of health insurance reform in Kazakhstan expedited the acquisition of EMR systems by all health care providers and currently, EMR systems are operational in all health facilities across the country.

In 2020, Kazakhstan took a significant step forward with the development of the “Code on the Health of the People and the Healthcare System.”²¹ Prior to this law, there were difficulties in approving digitalization standards and regulating information systems and remote medical services, as the Ministry of Health, a major coordinating body governing digital health, lacked the competence to endorse these regulations. This legislation solidified the principles of digitalization, emphasizing the primacy of standards and adherence to strategic courses in the field of digital health and protection of personal data. It served to protect and enable personal medical data, remote medical services, mobile health care, medical information systems, national EHRs, and EMRs.

With the recent development of the HIS, it is important to work to revise and improve the methodology, now more than ever. As it stands now, the country continues to operate vertical and horizontal information systems, although the concept of national EHR remains unattained. Additionally, the requirements and standards for recording and collecting medical and administrative data remain the same as they were before the introduction of information systems, thereby slowing down the modern digital data collection practice and further expansion of the digital applications. For further development, it is crucial to revise and reformat the regulation related to medical and administrative records collection and health reporting and secondary use of data in health care facilities. Lastly, it is important to build requirements for target data models with a description of all relevant attributes.

Registration of events and processes within health care facilities adheres to the Ministry of Health’s guidelines on the approval of forms (templates) for health care accounting.²² An analysis of these guidelines reveals a misalignment between the prescribed paper-based format and the current level of digitalization in health care processes. Moreover, the requirements for recorded data vary across different types of services and levels of care, necessitating a more coherent approach. To address this issue, the Ministry of Health has established a working group dedicated to reviewing existing approaches in the development of standardized minimum datasets and their corresponding requirements. This strategic shift aims to introduce a targeted health care information model that is no longer based on specific accounting forms but rather centers around the essential digital data that must-

___________________

²¹ About the Health of the People and the Health Care System. Code of the Republic of Kazakhstan No. 360-VI ZRK (2020) (see https://adilet.zan.kz/rus/docs/K2000000360).

²² On Approval of Forms of Accounting Documentation in the Field of Healthcare. Acting order Ministry of Health of Kazakhstan No. 21579 (2020) (see https://adilet.zan.kz/rus/docs/V2000021579).

be documented within medical organizations. Such an approach would facilitate the secondary use of health care data, contingent upon the standardization of medical and administrative data, their systematic comparison, and the maintenance of these within information systems.

Additionally, the current requirements for secondary (aggregated) data necessitate alignment with international standards.²³ To enhance the credibility and utility of aggregated health care data, a more comprehensive metadata framework is vital. This entails referencing the data sources and the tools employed for data collection, be it through information systems or routine collection methods. With such enhanced metadata, the computation of health indicators becomes more accurate, enabling better-informed decision-making. As part of its commitment to fostering a robust health care ecosystem, the Ministry of Health places particular emphasis on enhancing the regulatory framework governing data structure and requirements. By implementing a health care reference data model, bolstered by digital tools at the national level, the groundwork for a highly function HIS will be laid. This model-driven approach seeks to optimize data integrity, accessibility, and interoperability, ultimately contributing to the improvement of health care services and outcomes on a broader scale.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

References

European Observatory on Health Systems and Policies, Abishev, O., and Y. Spatayev. 2019. The future development of digital health in Kazakhstan. Eurohealth 25(2): 24-26. Geneva: World Health Organization. https://apps.who.int/iris/handle/10665/332524 (accessed January 24, 2024).

UN (United Nations) Department of Economic and Social Affairs. 2020. E-government survey 2020—Digital government in the Decade of Action for Sustainable Development with addendum on COVID-19 response. New York: United Nations. https://publicadministration.un.org/egovkb/Portals/egovkb/Documents/un/2020-Survey/2020%20UN%20E-Government%20Survey%20(Full%20Report).pdf (accessed January 24, 2024).

About the System of Protection and Exchange of
Epidemiological Data in Kazakhstan

Zhanna Shapieva, Elmira Utegenova, and Ulyana Kirpicheva
All authors are currently affiliated with the Scientific-Practical Center for
Sanitary-Epidemiological Expertise and Monitoring (SPC SEEM), a branch of
the National Center for Public Health at the Ministry of Health in Kazakhstan.
Dr. Zhanna Shapiyeva works as a Chief Specialist and Associate Professor, Ulyana
Kirpicheva is an Epidemiologist, and Elmira Utegenova is Deputy Director.

___________________

²³ On Approval of Forms of Accounting Documentation in the Field of Healthcare. Acting order Ministry of Health of Kazakhstan No. 21579 (2020) (see https://adilet.zan.kz/rus/docs/V2000021579).

The Importance of Epidemiological Data in the Fight Against Infectious Diseases

Epidemiological data are crucial for evidence-based strategies in managing infectious and parasitic diseases. Establishing a national system for the protection and exchange of epidemiological data is vital for effectively combating diseases, promoting public health, and fostering global scientific cooperation. In Kazakhstan, this system holds strategic importance for identifying and mitigating epidemiological threats, early detecting and controlling of epidemics, conducting scientific research, and shaping public health policy. Maintaining a state information system for biological protection facilitates data exchanges and coordinated biosafety measures. Developing a national biosafety database necessitates meticulous planning, infrastructure development, and regulatory frameworks.²⁴

In Kazakhstan, collaboration among various organizations, including the Ministry of Health and the National Center for Public Health, among other institutions, is pivotal. Kazakhstan has implemented measures for safeguarding personal data information (i.e., data security and confidentiality) that follows relevant laws, such as On Personal Data and Their Protection, On the Health of the People and the Healthcare System, and the Law on Biological Safety of the Republic of Kazakhstan.²⁵ These laws help to establish protocols and policies, data access control, information encryption, and other technical measures. For example, the law On Personal Data and Their Protection regulates the field of personal data, determines the legal framework for activities related to the collection, processing, and protection of personal data, defines violations of the law and provides requirements for electronic systems. These are carried out in accordance with the principles of 1) Respect for the constitutional rights and freedoms of individuals; 2) Legality; 3) Confidentiality of personal data with restricted access; 4) Equality of rights of subjects, owners, and operators; and 5) Ensuring the security of individuals, society, and the state. Additionally, the law On the Health of the People and the Healthcare System regulates the protection of personal medical data of individuals, whereas the law On the Biological Safety of the Republic of Kazakhstan defines the legal basis for state regulation in the field of biosafety, and aims to prevent biological threats. These laws speak to the importance of accurate, reliable, and timely data for preventing disease transmission. Specialized information systems such as these in Kazakhstan gather and store disease-related data, health indicators, and research outcomes, including morbidity cases, patient data, and medical research data.

Current Status of the Disease Surveillance System in Kazakhstan

Kazakhstan’s epidemiological surveillance has been crucial for the monitoring of infectious diseases in the public health sector. Rooted in legal regulations, this intricate framework orchestrates data collection, analysis, storage, and dissemination, empowering decision-makers to design and implement public health initiatives.²⁶ Various entities are

___________________

²⁴ On Biological Safety of the Republic of Kazakhstan. Law of the Republic of Kazakhstan No. 122-VII LRK (2022) (see https://adilet.zan.kz/eng/docs/Z2200000122/links).

²⁵ On Biological Safety of the Republic of Kazakhstan. Law of the Republic of Kazakhstan No. 122-VII LRK (2022) (see https://adilet.zan.kz/eng/docs/Z2200000122/links); On the National Security of the Republic of Kazakhstan. Law of the Republic of Kazakhstan No. 527-IV (2012).

²⁶ About the Health of the People and the Health Care System. Code of the Republic of Kazakhstan No. 360-VI ZRK (2020) (see https://adilet.zan.kz/rus/docs/K2000000360).

involved in the surveillance system, including medical, laboratory, and sanitary-epidemiological services in both the public and private sectors. Subdivisions such as the Committee for Sanitary and Epidemiological Control (CSEC) of the Ministry of Health oversee data collection at different levels (e.g., district, city, regional), while the Scientific-Practical Center for Sanitary-Epidemiological Expertise and Monitoring (SPC SEEM) analyzes and transmits data to the CSEC and others for higher-level decision-making (SPC SEEM, 2023). Other organizations within the Ministry of Health, such as the Republic-Level AIDS Center and the National Scientific Center for Phthisiopulmonology, conduct disease surveillance. The scope of monitored health events includes communicable and noncommunicable diseases, mortality, pregnancy-related conditions and childbirth, and injuries. The country has 17 oblasts and 3 cities of republic-level significance, including Astana, Almaty, and Shymkent, that function as administrative territories for reporting purposes.

In recent years, significant resources have been invested in Kazakhstan to strengthen the surveillance system and enhance public health threat responses. Funding comes primarily from state and local budgets and is supplemented by research grants and support from international organizations, such as the U.S. Centers for Disease Control and Prevention and the Defense Threat Reduction Agency. However, there are challenges due to an outflow of qualified personnel to nonstate medical organizations and a shortage of competent personnel in state organizations, especially at the district level.

The main tasks of surveillance are:

• Timely and accurate registration of disease cases.
• Operational epidemiological analysis of population incidence.
• Detection and investigation of disease outbreaks.
• Planning, evaluating, and implementing preventive measures.
• Diagnosis, treatment, and monitoring of patients.
• Epidemiological evaluation of regions to identify high-risk populations.
• Monitoring of reservoir hosts and carriers of infectious diseases.
• Population-wide vaccination and targeted seroprophylaxis for diseases.

A tiered reporting system employs e-mail, paper, and telephone communication. Notably, Kazakhstan lacks a standardized list of case definitions for notifiable conditions, relying on clinicians’ diagnoses based on disease-specific criteria. Patients meeting the criteria undergo laboratory diagnostics at designated centers, such as the National Center of Expertise. Suspected cases of infectious and parasitic diseases trigger an emergency notification to the territorial subdivision of CSEC, prompting investigations. An epidemiological survey card is completed, with findings then reported to both CSEC and SPC SEEM.²⁷ Kazakhstan has been embracing a digital health care system, with 31 medical and 15 laboratory information systems registered that meet quality standards such as the system of guaranteed volume of free medical care and compulsory social health insurance. These systems facilitate efficient electronic document management, data integration from various

___________________

²⁷ Rules for Registration, Keeping Records of Cases of Infectious, Parasitic, Occupational Diseases and Poisoning, and the Rules for Reporting on Them. Order of the Ministry of Health of Kazakhstan No. ҚR DSM-127 (2019); Standards in the Field of Medical Activity for Determining Cases of Especially Dangerous Human Infections During their Registration. Acting Order of the Ministry of Health of Kazakhstan No. 623 (2006).

sectors and fields, flexible patient interactions, staff oversight, and financial and organizational control. However, the absence of a unified electronic surveillance system in the CSEC system hinders the rapid acquisition of health data and identification of infectious disease clusters.

Effectiveness of the System of Protection and Exchange of Epidemiological Data in the Surveillance of Infectious Diseases

Through a well-established surveillance system, Kazakhstan can have a more proactive stance in monitoring and disease outbreak detection. The surveillance system facilitated effective strategies for case detection, treatment, and preventive measures, culminating in successful disease control. The country has encountered periodic outbreaks, such as malaria, cutaneous leishmaniasis, and measles (WHO, 2020). Notably, Kazakhstan was recognized by the World Health Organization (WHO) as a malaria-free country in 2012 (Baranova et al., 2013). In recent times, Kazakhstan, akin to other countries, has grappled with the global COVID-19 pandemic.

The surveillance system has played a key role in controlling the spread of the SARSCoV-2 virus, and its effectiveness has been proven by several success stories. Swift responses, facilitated by real-time data exchange; included laboratory tests, contact tracing, and morbidity forecasting. Additionally, prioritizing mass vaccinations became essential. Due to detailed monitoring and data processing on registered disease cases, vulnerable population groups meriting priority access to vaccines were identified, minimizing the number of hospitalizations and fatalities (Afroogh et al., 2022). The system’s success manifested in the introduction of digital platforms for contact tracing of infected individuals. While leveraging mobile applications and QR codes, it was possible to quickly identify and isolate contact persons, breaking the chain of viral transmission and reducing spread. These instances underscore the effectiveness of the surveillance system in Kazakhstan in preventing and controlling infectious disease outbreaks.

While these strides have been made, the surveillance system is not without imperfections. While the introduction of information security has expedited data transfer between medical organizations, integration with public health and the veterinary service remains incomplete. Enhanced integration would expedite data exchange within the health care system and enable prompt response to emerging public health threats. Data collection and protection in Kazakhstan are governed by regulations, ensuring the confidentiality and security of personal and epidemiological data processing. Data access is restricted to authorized persons only and encryption and tamper protection measures are in place. Yet, an absence of a unified approach and data storage system impedes the seamless integration of all the surveillance system components.

Advantages and Prospects for the Development of a Data Protection and Exchange System

The system for safeguarding and exchanging epidemiological data presents a host of advantages and prospects compared with traditional methods of data collection and processing. Real-time data transmission, for example, enables one to efficiently receive information and take timely action on epidemiological threats. Furthermore, there is also the ability to exchange data from various sources and combine them into a cohesive system. This integration results in a diminished likelihood of errors, especially those stemming

from human factors, while simultaneously providing avenues for comprehensive analysis and forecasting to strengthen control and prevention measures.

Among the advantages, it is necessary to note the possibility of cross-border data exchange, bolstered by data confidentiality and security safeguards. Kazakhstan also actively collaborates with international health organizations such as WHO and CDC in the field of epidemiological data exchange. This allows Kazakhstan to access international databases, transfer its data for analysis and assessment, and participate in international research projects. Today, many of the existing systems in Kazakhstan are adequately compliant with safety requirements. However, the fact that the systems are well protected is more the merit of the developers than the standards, since there is no single vision of information security. In this regard, a single regulation on the requirements for information security within the framework of e-health of Kazakhstan will be developed. This will improve quality and lead to the unification of information security. When developing the regulations, information security specialists, suppliers, and system developers will be involved.

Obstacles and Solutions

The digitalization of health care in Kazakhstan encounters challenges such as personnel shortages, an increase in medical information, and underfunding of the health care sector. There is a lack of qualified specialists, insufficient information technology equipment and infrastructure, an excess of providers of medical information systems, and many integrations with the Ministry of Health, with many work interruptions. The lack of a single space for health care information exacerbates the situation. These problems can be solved by introducing a service model, which involves equipment and software rental (“About the Health of the People and the Health Care System,” 2020; “On the National Security of the Republic of Kazakhstan,” 2012; “On the Concept of Information Security of the Republic of Kazakhstan until 2016,” 2011).²⁸ Additionally, along with the introduction of information technology in the public health service, there is still the transmission of data on cases of registration of diseases by paper (emergency notification) or by telephone. Undoubtedly, the accepted practice complicates data transfer and takes up the working time of performers for analysis and taking timely measures.

Kazakhstan has proactive and effective measures for health care digitalization, including seamless combination of e-health passport data, regardless of location. The eGov mechanism, an interface between the state and citizens, offers access to a variety of information, including vaccination records, clinical service history, electronic prescriptions, and hospitalization details. Furthermore, remote health monitoring, which was launched during the COVID-19 pandemic, is operational and developing, complemented by citizens’ use of mobile applications and advancements in telemedicine. Ambulance services are also moving toward digitalization, with information going directly to e-health passports and doctors. This is augmented using artificial intelligence systems, laboratory information systems, picture archiving and communication system, and virtual reality.

___________________

²⁸ About the Health of the People and the Health Care System. Code of the Republic of Kazakhstan No. 360-VI ZRK (2020) (see https://adilet.zan.kz/rus/docs/K2000000360); On the National Security of the Republic of Kazakhstan. Law of the Republic of Kazakhstan No. 527-IV (2012); On the Concept of Information Security of the Republic of Kazakhstan until 2016. Decree of the President of the Republic of Kazakhstan No. 174 (2011).

In parallel, the Ministry of Health is working to improve the requirements to ensure the security of personal medical data. The regulatory legal acts preside over the responsibility of health care subjects, ensuring the confidentiality of medical personal data, delimiting access rights to medical information in systems, and revisions for the use of artificial intelligence technologies. Additionally, the Ministry of Health is working to integrate its own information systems with that of private medical entities to correctly generate accounting and reporting documentation, monitor and analyze information, and make effective management and clinical decisions. In addition, work is underway to integrate with the information systems of other government agencies for rapid data exchange. Now all systems have been transferred to the cloud, and integration is underway between them. This is not yet the integration that doctors would like, but some part of it is already in place, and work continues. As reality shows, the introduction of IS in health care has practically reduced paperwork and increased efficiency. In 2019, the introduction of health information systems in Kazakhstani health care organizations amounted to 65.1% and this figure is growing every year (Gulis et al., 2021). The main ways to solve the identified obstacles that the system of protection and exchange of epidemiological data in the country faces, in the authors’ opinion, are ensuring confidentiality and cybersecurity, developing common standards, integrating existing information systems, and increasing investment in developing the effectiveness of the epidemiological information protection system.

Conclusion

The system of protection and exchange of epidemiological data in Kazakhstan is an important tool in the fight against infectious and parasitic diseases and in the protection of public health. Its effectiveness and development prospects testify to the importance of information technologies and systematic approaches in this area. Further development and improvement of the system will contribute to more effective control of epidemics and improve the quality of health care in the country. Currently, work continues on the regulation of health care digitalization, including issues of data access, storage, privacy protection, and quality assurance of technologies and software products used. Qualitative, reliable, complete, and timely digital data will become important resources of the health system.

To improve and develop the system of protection and exchange of epidemiological data in Kazakhstan, it is necessary to increase investments in the digitalization of health care, strengthen human resources, improve the regulatory framework, and develop partnerships with international organizations. This will help improve data quality and management, surveillance and laboratory information systems, response to epidemic threats, disease forecasting; it will also promote research and development of effective public health interventions. Continuous improvement of the data protection and exchange system and its integration with the international scientific community will contribute to more effective epidemic control, disease prevention, and public health protection in Kazakhstan.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

References

Afroogh, S., A Esmalian, A. Mostafavi, A. Akbari, K. Rasoulkhani, S. Esmaeili, and E. Hajiramezanali. 2002. Tracing app technology: An ethical review in the COVID-19 era and directions for post-COVID-19. Ethics and Information Technology 24(3): 30. https://doi.org/10.1007/s10676-022-09659-6.

Baranova, A. M., M. N. Ezhov, T. M. Guzeeva, and L. F. Morozova LF. 2013. [The current malaria situation in the CIS countries (2011-2012)]. Med Parazitol (Mosk) 4:7-10. Russian. PMID: 24640123.

Gulis, G., A. Aringazina, Z. Sangilbayeva, K. Zhan, E. de Leeuw, and J. P. Allegrante. 2021. Population health status of the republic of Kazakhstan: Trends and implications for public health policy. International Journal of Environmental Research and Public Health 18(22):12235.

SPC SEEM (Scientific and Practical Center of Sanitary-Epidemiological Examination and Monitoring). n.d. Ministry of Health. https://rk-ncph.kz.

WHO (World Health Organization). 2020. Cross-border collaboration on malaria between countries of the WHO Eastern Mediterranean and European regions: Report of the 98ioregional coordination meeting Dushanbe, Tajikistan. WHO/EURO No. 2020-1030-40776-55007. Geneva: World Health Organization.

Data Management in Life Sciences in Kazakhstan: Balancing Privacy,
Security, and the Development of Open Science

Pavel Tarlykov, Head of Proteomics and Mass Spectrometry Laboratory,
National Center for Biotechnology (Astana, Kazakhstan)

Introduction and Overview of the Problem

Throughout history, human curiosity has driven the systematic collection of information about the world around us. From ancient rock paintings to modern writings, the accumulation of knowledge in the form of clay tablets, papyri, and finally books has led to the establishment of libraries and archives (Schmandt-Besserat, 1979). Moreover, access to certain information storage centers had its limitations; for example, those who could not read, or did not have the proper qualifications, could not access these spaces. However, millennia later, the problem of using and disseminating information has become much more complicated, facilitated by the advent of technology and groundbreaking scientific discoveries.

Scientific progress led to the emergence of computers, the discovery of the DNA structure (Watson and Crick, 1953), and the acceptance of the central dogma of molecular biology (Crick, 1970). Over the past 40 years, new scientific fields such as genomics and proteomics emerged, now better known as -omics technologies (Yadav, 2007), generating vast amounts of data. The classification of data is based on several parameter types, including biomolecule type (e.g., DNA, RNA, proteins, metabolites), organism (e.g., bacteria, archaea, eukaryotes), pathogenicity, and application (e.g., clinical data, environmental sample data), among others. Some data types have more restrictions on their use and dissemination than others, as the exposure of some represents potential risks, while other data types may be personal, with prohibited distribution unless proper consent from the data subject is obtained. This has highlighted the need for different levels of privacy, security,

and openness in data management, depending on the data type and its potential implications.

Although the data types obtained are similar across countries, the mechanisms governing their use and dissemination oftentimes vary. The specific regulations for processing and handling data depends largely on the state’s level of development. Typically, the more developed the state, the better regulated the data management processes. Central Asian countries, including Kazakhstan, are currently still in the process of development, having gained independence relatively recently. This has resulted in gaps in data management infrastructure, hindering data exchange, standardization, and quality control. Another drawback is the issue of compliance with existing legislations. This often occurs when there are ambiguities in the law or provisions that can be interpreted in different ways. It takes time and resources to tune these processes, especially in the case of low to moderate economic income in Central Asian countries. However, there are existing legislative frameworks that may serve as the basis for the development of subsequent, more specific, regulations in these countries.

Balancing Privacy, Security, and Open Science Advancements

Data Privacy

Since 2013, Kazakhstan has enacted the law On Personal Data and Their Protection, which defines personal and biometric data and outlines their use, storage, and dissemination principles.²⁹ Article 7 of the law specifically addresses the conditions for the collection and processing of personal data, allowing data dissemination in public sources with the consent of the data subject or their legal representative. This point safeguards personal information and establishes guidelines for processing personal data in scientific research.

Furthermore, the law On Public Health and Healthcare Systems details personal medical data. This legislation regulates the collection and management of health-related data, ensuring their confidentiality and proper use through procedures such as informed consent, which is a procedure for a person to voluntarily confirm their consent to receive medical care or participate in a research study. The adoption of this code, regulating ethical and legal conduct within medical and biological research, was an important step for the biomedical science field in Kazakhstan as it directly protected patients’ rights. This existing law established a foundation for data management regulation, primarily safeguarding the confidentiality of human and patient data. Another relevant law, the Law on Access to Information, adopted in 2015, addresses information with restricted access, including state secrets, personal, and legally protected data. This law enhances data transparency and accessibility in biomedical research, striking a balance between information availability and privacy protection by restricting access to information that could cause harm if exposed, such as information related to national security and defense and public health, among other interests.

___________________

²⁹ On Personal Data and Their Protection. The Law of the Republic of Kazakhstan No. 94-V (2013) (see https://adilet.zan.kz/eng/docs/Z1300000094#:~:text=The%20Law%20of%20the%20Republic,94%2DV.&text=This%20Law%20regulates%20the%20public,and%20protection%20of%20personal%20data).

Data Security

Given the diverse range of research subjects, including potential pathogenic biological agents, along with the increasing threats to biosecurity, such as the COVID-19 pandemic caused by the spread of the SARS-CoV-2 virus, Kazakhstan recognized the need for increased biosecurity regulations. In 2022, the law On Biological Safety of the Republic of Kazakhstan was adopted to establish heightened control for work related to pathogenic biological agents for nonmilitary purposes.³⁰ The law requires researchers to comply with legal requirements when working with restricted information related to pathogens. Additionally, it establishes the roles and responsibilities of certain governing bodies, such as the Ministry of Defense of Kazakhstan’s responsibility for interdepartmental coordination of measures to ensure biological safety and the Ministry of Health’s responsibility for the health, sanitary, and epidemiological welfare of the population. Additionally, the law promotes international data exchange, in accordance with international treaties, to prevent biological threats. This point is especially important considering the COVID-19 pandemic, where timely and consistent exchange of biomedical information at the international level was essential.

In the cases where a scientific researcher works with nonpathogenic biological organisms not regulated by these national laws, the use and dissemination of the data obtained should be regulated by the internal organization in which the study is being conducted. The regulations pertaining to data classification, in part, come from the state funding body (e.g., the Ministry of Defense or the Ministry of Health of Kazakhstan). Oftentimes, one of the requirements of the funding body is the publication of results in peer-reviewed journals indexed by international databases (e.g., Web of Science and Scopus). This implies data use and dissemination in biomedical research with living organisms. While publishing in peer-reviewed journals is considered generally accessible to some in Kazakhstan, researchers with concerns about the publication of sensitive information should seek approval from the ethics committee, the academic council of the research institute or university, and/or other governing body.

Data in the Age of Open Science

In line with presenting the principles of open science, we present two research studies on proteomics and mass spectrometry conducted by the National Center for Biotechnology (NCB) in Astana, Kazakhstan. These studies offer insights into the prevailing directions of the medical and biological research fields in the Central Asian region, particularly emphasizing the paramount considerations of data confidentiality and security.

The first study encompasses whole-genome sequencing of clinical isolates of Mycobacterium tuberculosis in Kazakhstan (Tarlykov et al., 2020). The research centered on M. tuberculosis DNA isolates obtained from the City Center for Phthisiopulmonology in Astana, Kazakhstan. To obtain the biomaterial, a memorandum of cooperation between the City Center for Phthisiopulmonology and the NCB was signed, and permission was obtained from the local ethical commission to conduct the study. Measures were undertaken to depersonalize patient data, withholding any personally identifiable information from the researchers. An interesting feature of the M. tuberculosis isolates under study was their

___________________

³⁰ On Biological Safety of the Republic of Kazakhstan. Law of the Republic of Kazakhstan No. 122-VII LRK (2022) (see https://adilet.zan.kz/eng/docs/Z2200000122/links).

belonging to a subfamily of the L4 genetic line called LAM-RUS, which is endemic for the Commonwealth of Independent States countries. Understanding the genomes from this subgroup was important from an epidemiological standpoint, as it relates to the rapid acquisition of antibiotic resistance among LAM-RUS isolates. The completed genome sequences were uploaded to GenBank databases (https://www.ncbi.nlm.nih.gov/genbank/) and Sequence Read Archive (https://www.ncbi.nlm.nih.gov/sra) (Tarlykov et al., 2020).

The second study delved into the analysis of interactions among pluripotent transcription factors, including the SRY-Box Transcription Factor 2 (Sox2), octamer-binding protein-4 (Oct4), and Homeobox protein (Nanog), utilizing mass spectrometry–based proteomic data (Kulyyassov and Ogryzko, 2020). A quantitative analysis of the interactions of the Sox2, Oct4, and Nanog transcription factors was carried out through in vivo mass spectrometry. The raw data were uploaded to the Proteomics Identifications Database: PRIDE repository (https://www.ebi.ac.uk/pride/). This aligned with the requirement to publish data in an open repository for consideration in peer-reviewed scientific journals (Kulyyassov and Ogryzko, 2020). The study focused on the commercial cell line HEK293T, obtained from human embryonic kidney cells in the early 1970s, warranting no ethical approval or permits for the investigation. Mass spectrometric analysis was conducted at the NCB. Notably, the experiments offered a novel approach based on a biotinylation technique, involving a target-enzyme, BAP/BirA, system to label target proteins in their proximal interactions, presenting a valuable alternative to conventional methods for analyzing protein interaction. Furthermore, additional biomedical information, such as ChIP-Seq data and human STR data, has been uploaded into open repositories at the NCB (Jurisic et al., 2018; Zhabagin et al., 2020).

Kazakhstan As It Relates to International Data Governance

Considering current trends toward both political and economic globalization, fostering international cooperation for data use and dissemination, underpinned by international treaties, emerges as the favorable path for Kazakhstan. The Cartagena Protocol serves as a prominent example of successful cooperation. Kazakhstan’s engagement with the Cartagena Protocol began with its accession to the Convention on Biological Diversity in 1994, followed by the ratification of the Cartagena Protocol in 2008. Subsequently, in 2008, the government of Kazakhstan appointed the Ministry of Agriculture at the coordinating center, and the Ministry of Education and Science as the competent national body.³¹

Moreover, in 2009, by order of the Ministry of Education and Science, the NCB was designated to serve as a focal point for the Biosafety Clearing-House, a mechanism under the Cartagena Protocol on Biosafety.³² This platform facilitates the exchange of scientific, technical, environmental, and legal information related to living modified organisms (LMOs) and genetically modified objects (GMOs). The NCB also provides valuable knowledge on the Cartagena Protocol on Biosafety to the Convention on Biological Diversity, including regulations, strategic plans for the protocol, guidelines for risk assessment of LMOs, and an information global database on GMOs.

___________________

³¹ On Measures to Ensure the Fulfillment by the Republic of Kazakhstan of Obligations Arising from the Cartagena Protocol on Biosafety to the Convention on Biological Diversity. Decree of the Government of the Republic of Kazakhstan No. 1282 (2008) (see https://bch.cbd.int/en/database/102592).

³² Order of the Ministry of Education and Science of the Republic of Kazakhstan No. 579 (2009).

Drawing from this experience, the establishment of a collaborative working group among key stakeholders, such as the Ministry of Health and the Ministry of Science and Higher Education, the National Academy of Sciences of Kazakhstan, the Pugwash Committee, and other interested organizations, represents the initial stride toward engaging with the international community on data use, privacy, security concerns, and dissemination. It is of the utmost importance for scientists involved in medical and biological research in Kazakhstan to vigilantly stay abreast of legislative changes. Additionally, adhering to international ethical standards and best practices in life sciences data management is fundamental. By embracing international cooperation and aligning with established national and international protocols, Kazakhstan can foster an environment that ensures responsible and transparent use and dissemination of data.

Disclaimer: The author is solely responsible for the content of this paper, which does not necessarily represent the views of the U.S. National Academies of Sciences, Engineering, and Medicine.

References

Crick, F. 1970. Central dogma of molecular biology. Nature 227(5258):561-563. https://doi.org/10.1038/227561a0.

Jurisic, A., C. Robin, P. Tarlykov, L. Siggens, B. Schoell, A. Jauch, . . . and V. Ogryzko. 2018. Topokaryotyping demonstrates single cell variability and stress dependent variations in nuclear envelop associated domains. Nucleic Acids Research 46(22): e135. https://doi.org/10.1093/nar/gky818.

Kulyyassov, A., and V. Ogryzko. 2020. In vivo quantitative estimation of DNA-dependent interaction of sox2 and oct4 using bira-catalyzed site-specific biotinylation. Biomolecules 10(1). https://doi.org/10.3390/biom10010142.

Schmandt-Besserat, D. 1979. An archaic recording system in the Uruk-Jemdet Nasr Period. American Journal of Archaeology 83(1):19-48. https://doi.org/10.2307/504234.

Tarlykov, P., S. Atavliyeva, A. Alenova, and Y. Ramankulov. 2020. Genomic analysis of Latin American-Mediterranean family of mycobacterium tuberculosis clinical strains from Kazakhstan. Memorias do Instituto Oswaldo Cruz 115(8):1-6. https://doi.org/10.1590/0074-02760200215.

Watson, J. D., and F. H. Crick. 1953. Molecular structure of nucleic acids; A structure for deoxyribose nucleic acid. Nature 1719(4356):737-738. https://doi.org/10.1038/171737a0.

Yadav, S. P. 2007. The wholeness in suffix –omics, -omes, and the word om. Journal of Biomolecular Techniques 18(5):277. https://doi.org/10.3390/ijms20194781.

Zhabagin, M., Z. Sabitov, P. Tarlykov, I. Tazhigulova, Z. Junissova, D. Yerezhepov, . . . and E. Balanovska. 2020. The medieval Mongolian roots of Y-chromosomal lineages from South Kazakhstan. BMC Genetics 21(87):87. https://doi.org/10.1186/s12863020-00897-5.