
Data security in the public sector

Government bodies handle the most sensitive information about citizens and the state. Protecting it requires a system of technical controls, organizational processes and legal requirements working together.

In short

Data security in the public sector rests on encryption in transit and at rest, strict access control, auditability and keeping data inside the country (sovereignty). Compliance with ISO/IEC 27001 and PP-167, plus avoiding foreign clouds, are the key steps.

Why data security in the public sector is especially important

Data security in the public sector differs fundamentally from ordinary corporate protection. Government bodies process the personal data of millions of citizens, tax and medical records, state secrets and information about critical infrastructure. A leak of such data causes not only financial damage but also a loss of public trust and a direct threat to national security.

That is why the requirements placed on government bodies are far stricter than those for business: where data is stored, who can access it and how every action is logged are all regulated at the level of law.

The main threats

You cannot build a defense without understanding the threats. For government bodies the most pressing risks are:

  • Targeted cyberattacks (APT) — long-term, well-funded, often state-sponsored groups.
  • Insider threats — employees who abuse their privileges or act negligently.
  • Communication interception — eavesdropping on unencrypted or weakly encrypted traffic.
  • Jurisdictional risk — when data is stored on another country's servers and falls under its laws.
  • Supply chain attacks — intrusion through third-party software.

Core data protection principles

Reliable protection rests on several complementary principles:

Encryption in transit and at rest

Data traveling across the network must be protected by modern transport encryption (such as TLS 1.3), and on servers and devices it must be stored encrypted (at rest). The strongest form is end-to-end (E2E) encryption, where only the correspondents can read a message: not even the server that relays it can.
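As an added example (not HAMA's code), the following Python snippet shows what "TLS 1.3 only" means at the configuration level, using only the standard library's ssl module: a client context pinned to TLS 1.3 with mandatory certificate and hostname verification, plus a small check that reports which of the transport items on the checklist further down a given context would fail. The function names and the permissive context used for contrast are this example's own.

```python
import ssl

# Added example (not HAMA code): a client TLS context that refuses anything
# older than TLS 1.3, and an audit helper for the transport checklist items.


def tls13_only_client_context(cafile=None):
    """Return an SSLContext for outbound connections that negotiates TLS 1.3 only.

    cafile is an optional path to the organisation's own trust store (for
    example an internal CA bundle); when None, the platform default is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Pin both ends of the version range so TLS 1.0/1.1/1.2 can never be
    # negotiated, whatever the peer offers.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Always validate the server certificate chain and the hostname.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def permissive_client_context():
    """A context that still admits TLS 1.2, used only to show a failing audit."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Summarise the settings that matter for the checklist as plain values."""
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def checklist_findings(ctx):
    """Return the list of transport checklist failures; an empty list passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("allows TLS versions older than 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    return findings


if __name__ == "__main__":
    for name, ctx in (("strict", tls13_only_client_context()),
                      ("permissive", permissive_client_context())):
        print(name, describe_context(ctx), checklist_findings(ctx))
```

The check is deliberately static: it inspects the configured policy rather than opening a connection, so it can run in CI against every service's client configuration without network access.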

Access control and least privilege

Each employee should access only the data needed for their tasks (least privilege). Role-based access control (RBAC) and multi-factor authentication put this principle into practice.
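To make the principle concrete, here is an added example (not HAMA's code) of a deny-by-default RBAC decision function: permissions are derived only from roles, an unknown role grants nothing, and actions that change data additionally require a second factor verified in the current session. The role names, permission strings and session model are hypothetical.

```python
from dataclasses import dataclass

# Added example (not HAMA code): least-privilege RBAC with a step-up MFA rule.

# Role -> set of permissions. Permissions are "resource:action" strings.
ROLE_PERMISSIONS = {
    "registry_clerk": {"citizen_record:read"},
    "case_officer": {"citizen_record:read", "citizen_record:update"},
    "auditor": {"audit_log:read"},
    "sysadmin": {"user:manage", "audit_log:read"},
}

# Actions sensitive enough that a verified second factor is required for the
# request itself, not just at login.
MFA_REQUIRED = {"citizen_record:update", "user:manage"}


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool = False


def effective_permissions(roles):
    """Union of the permissions granted by the given roles.

    Unknown roles grant nothing, so a typo in a role assignment fails closed.
    """
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return frozenset(perms)


def decide(session, permission):
    """Return ("allow", reason) or ("deny", reason) for one request."""
    if permission not in effective_permissions(session.roles):
        return "deny", f"{session.user} holds no role granting {permission}"
    if permission in MFA_REQUIRED and not session.mfa_verified:
        return "deny", f"{permission} requires a verified second factor"
    return "allow", f"{permission} granted via roles {sorted(session.roles)}"


if __name__ == "__main__":
    clerk = Session("clerk01", frozenset({"registry_clerk"}))
    officer = Session("officer01", frozenset({"case_officer"}), mfa_verified=True)
    for s, p in ((clerk, "citizen_record:read"),
                 (clerk, "citizen_record:update"),
                 (officer, "citizen_record:update")):
        print(s.user, p, decide(s, p))
```

Every denial carries a reason so it can be written to the audit log; the reason is meant for the log and the administrator, not for the end user's error message.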

Auditability

Who accessed which data and when must be recorded. Audit logs are essential for investigating incidents and establishing accountability.
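The checklist further down asks for audit logs that are not just complete but tamper-evident. As an added example (not HAMA's code), this Python snippet shows one standard way to get that property with only the standard library: each entry carries a sequence number, a reference to the previous entry's authentication tag, and an HMAC over its own content, so modifying, reordering or deleting an entry breaks the chain at a detectable position. The key handling, field names and sample entries are this example's own assumptions.

```python
import hashlib
import hmac
import json

# Added example (not HAMA code): a hash-chained, HMAC-authenticated audit log.

GENESIS = "0" * 64  # "previous tag" for the first entry


def _canonical(body):
    """Stable byte encoding so the MAC does not depend on key order."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log. The key is assumed to live in an HSM or secure store,
    not alongside the log file, so a writer who can alter entries cannot re-sign."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, timestamp, actor, action, resource, outcome):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": timestamp,
            "actor": actor,
            "action": action,
            "resource": resource,
            "outcome": outcome,
            "prev": prev,
        }
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = dict(body, mac=mac)
        self.entries.append(entry)
        return entry


def verify_chain(entries, key):
    """Return (True, None) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        # Sequence and back-link detect deletion and reordering.
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; the MAC detects edits to any field.
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, never hard-code a real one
    log = AuditLog(key)
    log.append("2024-01-10T09:00:00Z", "clerk01", "read", "citizen_record/1001", "allow")
    log.append("2024-01-10T09:01:00Z", "officer01", "update", "citizen_record/1001", "allow")
    print(verify_chain(log.entries, key))
    forged = [dict(e) for e in log.entries]
    forged[0]["actor"] = "someone_else"
    print(verify_chain(forged, key))
```

The chain does not by itself detect truncation of the newest entries, since a log cut off after entry n still verifies; the usual remedy is to periodically record the latest MAC somewhere the log writer cannot modify (a separate system, a signed timestamp, or a write-once store) and check that the stored value is still present in the chain.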

Data sovereignty

Government data should be stored within the national jurisdiction — on servers located in Uzbekistan. Sovereignty shields it from the reach of foreign legislation.

Standards and requirements: ISO/IEC 27001 and PP-167

Technical measures must be reinforced by organizational discipline. Two key anchor points:

  • O'z DSt ISO/IEC 27001:2023 — the international standard for an information security management system (ISMS). It defines risk assessment, policies, controls and continuous improvement.
  • PP-167 — the Republic of Uzbekistan's national requirements for protecting critical information infrastructure. It sets concrete technical and organizational requirements for state systems.

Compliance with a standard is not a one-off audit but a continuous process. Even after certification, risk re-assessment and updating of controls are required.

Why foreign clouds are risky

Foreign cloud services look convenient, but they create serious risks for the public sector. The data is stored on servers in another country and is subject to its laws — foreign courts or intelligence services may demand access. The provider may unilaterally discontinue the service, raise prices or hand data to third parties. This conflicts with both the principle of data sovereignty and PP-167 requirements.

For government bodies the only reliable path is to store data inside the country, in controlled infrastructure.

Practical checklist

  • Are all communication channels encrypted with TLS 1.3 or stronger?
  • Is E2E encryption applied to sensitive messages?
  • Is data stored inside the country (or on-premise)?
  • Is access managed through RBAC and multi-factor authentication?
  • Are complete, tamper-evident audit logs maintained?
  • Is the local database on the device encrypted?
  • Is compliance with ISO/IEC 27001 and PP-167 documented?
  • Has the vendor's security posture been verified?

How HAMA handles this

HAMA is a unified secure platform for organizations in Uzbekistan, including government bodies. Data security is built into it at the architecture level:

  • E2E encryption: the Signal protocol (X3DH + Double Ratchet), AES-256-GCM for groups.
  • Transport: TLS 1.3 only — no legacy or weak protocols.
  • Storage: the local database is encrypted with SQLCipher; keys live in the OS secure store.
  • Access control: role-based permissions via RBAC and detailed auditing.
  • Sovereignty: servers in Uzbekistan or on-premise within the organization's infrastructure; data stays inside the country.
  • Compliance: preparation for O'z DSt ISO/IEC 27001:2023 and alignment with PP-167.

All of this unites the messenger, video conferencing, monitoring, time tracking, HR and helpdesk in a single controlled environment.

Frequently asked questions

Why is data security especially important in the public sector?

Government bodies process citizens' personal data, state secrets and information about critical infrastructure. A leak or compromise threatens national security, so protection requirements are far stricter than in business.

Why are foreign clouds risky for government?

The data is stored on servers in a foreign jurisdiction and is subject to that country's laws. The provider may hand data to third parties or discontinue the service, which conflicts with data sovereignty and PP-167 requirements.

What is the difference between ISO/IEC 27001 and PP-167?

ISO/IEC 27001 is an international information security management standard (a set of processes and controls). PP-167 sets the Republic of Uzbekistan's national requirements for protecting critical information infrastructure. They are usually applied together.

How does HAMA secure data for government organizations?

HAMA uses E2E encryption based on the Signal protocol, TLS 1.3-only transport, a local database encrypted with SQLCipher, and RBAC access control. Servers are hosted in Uzbekistan or on-premise within the organization's infrastructure, and data stays inside the country.


Ready to protect your organization's data?

HAMA offers government bodies a secure, in-country communication platform. Let us show you what it can do.
