Privacy and Personal Data Processing Policy of the Saqbol mobile app

The Saqbol mobile app Privacy and Personal Data Processing Policy (hereinafter: Policy) defines the procedure and conditions for processing of personal data of Saqbol mobile app users and specifies requirements for ensuring the security of users’ personal data.

The mobile application was developed by National Information Technologies JSC at the initiative of the Ministry of Healthcare of the Republic of Kazakhstan.

The following terms are used in this Privacy Policy:

• Exposure Notifications Technology is a joint development of Apple and Google to provide basic app design capabilities to notify users of the possible impact of confirmed COVID-19 cases;
• Saqbol mobile app (hereinafter: Application) is aimed at curbing the spread of coronavirus infection and was developed using the Exposure Notification Technology;
• Application administrator (hereinafter: Administrator) is “National Information Technologies” Joint-Stock Company;
• App owner (hereinafter: Owner) is an authorized body in the field of informatization;
• Contact log is the list of received and random IDs temporarily stored in the operating system storage. This list is read when checking contacts. All random IDs are automatically deleted in 14 days;
• IS MoH is the information system of the Ministry of Healthcare of the Republic of Kazakhstan, which collects and processes the results of PCR testing;
• CODE is a 10-digit code assigned to a user when passing the PCR testing;
• Application components are parts of the Application intended for provision of individual services and/or information;
• Contact: Meeting that lasted for a long time and in close proximity to people with a confirmed COVID-19 diagnosis;
• User of the Application and its components (hereinafter: User) is any individual who has accepted the terms of this Privacy Policy;
• Verification of the contact: Data from the contact log is invoked and synchronized with the registered infections of other users. Contact verification is performed automatically at intervals of about two hours;
• Random IDs (identifiers) are combinations of numbers and letters generated randomly. They are exchanged between devices in close proximity. Random IDs cannot be assigned to a specific person and are automatically deleted after 14 days. People diagnosed with COVID-19 can share random IDs for the last 14 days with other app users.

1.1. Notifications: Receiving of messages about interaction with users who were tested positive on PCR testing.

All other terms and definitions used in this Policy are interpreted in accordance with the current legislation of the Republic of Kazakhstan.

2. General provisions

2.1. Use of the Saqbol mobile app by the User means acceptance of this Privacy Policy and the terms of the User's personal data processing.

2.2. In case of disagreement with the terms of the Privacy Policy, the User shall stop using the Saqbol mobile app.

2.3. This Privacy Policy applies to the Saqbol mobile app. The Saqbol mobile app does not control and is not responsible for third-party websites to which the User can get by following the links available in the Saqbol mobile app.

3. Scope of privacy policy​

3.1. The use of the Saqbol mobile app is completely voluntary.

3.2. If you want to use the "Contact Detection" function, you should provide the Administrator with your consent for the application to process your personal data. You can do this by clicking "Enable Contact Detection" button the first time you open the app. Your consent is required because otherwise the app will not be able to access the "Contact Detection" function of your smartphone. However, you can use the toggle switch in the app to disable the function at any time. This will mean that you will not be able to use the full functionality of the app. Consent is also required for data processing performed for the following functions:

• Getting the test result;
• Exchange of test results.

3.3. The Application is intended for people aged 18 and older who permanently reside on the territory of the Republic of Kazakhstan.

3.4. The application is designed to handle as little as possible personal data. This means, for example, that the Application does not collect any data that would allow the Administrator /the Ministry of Healthcare of the Republic of Kazakhstan or other users to determine your identity, health status or location.

3.5. The data processed by the Application is divided into the following categories:

3.5.1. Access Data. Access data is generated when you use or enable the following features:

• Logging of contacts
• Getting the test result
• Exchange of results.

3.5.2. Contact Detection.

If you enable the "Contact Detection" function in your smartphone, which is intended to record meetings (contacts) with other users, your smartphone will constantly send randomly generated identification numbers ("random IDs") via Bluetooth to other smartphones located in the immediate vicinity, if they have the "Contact Detection" function enabled. Your smartphone, in turn, also gets random IDs of other smartphones.

In addition to random IDs received from other smartphones, your smartphone's contact detection function records and stores the following contact information:

• Date and time of contact
• Duration of contact
• A contact`s Bluetooth signal strength
• Encrypted metadata (protocol version).

Your own IDs and IDs received from other smartphones, as well as other contact information (contact date and time, contact duration, contact signal strength, and encrypted metadata) are recorded by your smartphone in the contact log and stored for 14 days.

The app will handle only the contact data that is generated and stored in your smartphone, if you enable the "Contact Detection" function.

3.5.3. Data on the health status

Medical data is data that contains information about the results of a PCR testing.

The following is related to the processing of medical data:

• If the "Contact Detection" function detects that you may have been in contact with a person who was infected with a coronavirus.
• If you are checking the test result.
• If you are sharing a positive test result.

3.6. "Contact Log". The main functionality of the app is logging contacts. The contact log serves:

• to track possible contacts with other users of the app who are infected with the coronavirus,
• to assess the risk that you yourself have been infected, and based on the identified risk to provide you with medical advice and recommendations on what to do next.

If you enable the "Contact Detection" function, then several times a day, when the app is running in the background mode (or when you click "Update" button), the app will receive a list of IDs from users who have tested positive and shared their own IDs through the app's back-end. The app shares these IDs with your smartphone's "Contact Detection" function, which then compares them with the IDs stored in your smartphone's contact log. If your smartphone's contact log detects a match, it sends contact information (date, duration, signal strength) to the app, but not the ID of a corresponding contact.

3.7. Getting the test result.

If you have been tested for coronavirus, you can find out the test result by entering the 10-digit code received after passing the test.

Thus, the medical laboratory should be connected to the Unified Database of Medical Tests for COVID-19 of the Ministry of Healthcare of the Republic of Kazakhstan. Test results from laboratories that are not connected to the Unified Database of Medical Tests for COVID-19 of the Ministry of Healthcare of the Republic of Kazakhstan cannot be displayed in the application.

3.8. Exchange of test results

If you use this function to share test results in order to notify other users, the app will transmit the IDs generated and saved by your smartphone over the past 14 days and the 10-digit code entered in the app to the Unified Database of Medical Tests for COVID-19 of the Ministry of Healthcare of the Republic of Kazakhstan. First, a check will be performed on whether the 10-digit code is valid, and then the mobile app database will add your ID to the list of IDs of users who shared a positive test result. Your ID can now be uploaded by other users as part of the "Contact Verification" process.

3.9. Use of the application for informational purposes only

As long as you do not activate any of the functions of the app mentioned above and do not enter any data, you use the app only for informational purposes, i.e. processing takes place only locally on your smartphone, and no personal data is generated.

3.10. All data stored in the app is deleted as soon as it is no longer needed for the app functions:

3.11. "Contact Detection"

• The list of random IDs of users who shared a positive test result will be immediately deleted from the app, as well as automatically deleted from your smartphone's contact log after 14 days.
• The risk status displayed in the app will be deleted as soon as the new risk status is determined. The new risk status is usually determined after the app has received a new list of random IDs.

3.12. Exchange of test results

• Your smartphone's own random IDs that are shared in the app will be removed from the app's back-end after 14 days.
• The token stored in the app will be deleted after the test result is published.

3.13. If you share the test result to warn other users, your random ID will be sent to the app on other users’ smartphones, which store your ID in the contacts log for the last 14 days.

To revoke your consent to sharing test results, you should delete the app. All your random IDs stored in the app will be deleted and can no longer be assigned to your smartphone. If you want to report a different test result, you can re-install the app and give your consent again. You can also delete your own random IDs in the contact log in your smartphone's system settings. Please note that after the transfer, the Administrator can't delete your random IDs from the lists or from other users  smartphones.

3.14. A user's personal data may be requested by the Administrator when a User contacts the Administrator for support service to register the request. In this case, the Administrator undertakes to use personal data in accordance with the Law of the Republic of Kazakhstan "On Personal Data" and in-house documents of the Administrator.

4. Additional conditions

​4.1. This Privacy Policy and the relations between the User and the Administrator arising in connection with the application of the Privacy Policy are subject to the law of the Republic of Kazakhstan.

4.2. The Administrator has the right to make changes to this Privacy Policy without the User's consent.

4.3. The new Privacy Policy takes effect from the moment it is published on the egov.kz website unless otherwise provided in the new version of the Privacy Policy.

4.4. The User undertakes to independently monitor changes to the Privacy Policy by reviewing the current version.

4.5. Any suggestions or questions regarding this Privacy Policy should be sent to: egov@nitec.kz.