Open menu

New Developments on Information Security in Public Sector

New Developments on Information Security in Public Sector

The Circular on Information Security in Public Institutions and Organizations has been published in the Official Gazette

Circular no 2019/12 on Information and Communication Security Measures specifying a serious of measures to ensure the security of data that may have an impact on public order and national safety was published in the Official Gazette No. 30823, dated July 6, 2019. The Circular that consists of 21 articles has aroused interest with many articles contained therein. We may classify the prominent issues in the said publication as below:


Critical data shall be stored and preserved domestically on the physically-secured networks, by taking measures with Log records against modification. Moreover, cloud storage services shall not be used for such storage process, except for institutions’ own private systems or domestic service providers under the supervision of the institutions.


Development of domestic and national encryption systems shall be encouraged in order to enable the submission of classified correspondence of institutions via these systems. Communication between the servers that are available in our country and under the control of the Institution shall be done in an encrypted manner. In cases where radiolink use is mandatory for critical data communication, data shall be encrypted by using devices featuring national crypto systems.


No classified data sharing or communication shall be made over mobile applications and social media, except for via domestic mobile applications developed by the institutions authorized for encoded or cryptographic correspondence by the legislation. Use of domestic applications belonging to social media and communication applications shall be preferred. Third parties shall give a letter of undertaking, if possible, stating that the software or hardware to be procured by the public institutions and organizations do not have any feature that is unsuitable for the intended use or any security weakness, which may allow access to the systems without the users’ knowledge/permission. Devices storing classified data shall be removed from the institution only upon the encryption of the data stored therein in respect to the hardware or software and the devices used for such purpose shall be registered. The settings of the e-mail systems of the public institutions shall be configured to ensure security and the e-mail servers shall be in our country and under the control of the relevant institution. Corporate communication shall not be made via non-corporate personal e-mail addresses and corporate e-mails shall not be used for personal purposes. Operators shall not transmit the data in the regions where critical institutions are placed, by radiolink or similar methods, and instead fiber optic cables shall be used for their transmission.


Mobile devices or devices with data transfer feature shall not be kept at work environments where critical data are present, or such communications are made. Classified data or data including corporate confidentiality shall not be stored in unauthorized, personal computers. Furthermore, mobile devices of uncertain origin, including personal mobile devices, shall not be connected to the systems of the institution.


Dissemination security (TEMPEST) shall be implemented at places where classified information is processed by the public institutions and organizations, and measures shall be taken in respect of secure software development and the developed or procured software shall be subjected to security tests before being put into use. Institutions and organizations shall take necessary measures against cyber threat notifications and access authorizations shall be given by taking into consideration actual works performed and needs.

It shall be ensured that industrial control systems are kept disconnected from the Internet and in mandatory cases where such systems must be connected to the Internet, necessary security measures, such as firewall, point to point tunnelling methods, authorization and authentication mechanisms, shall be taken. Vetting process or archive research shall be conducted for senior executives of institutions and organizations who may have a direct effect on national security, and for the personnel to be employed in critical infrastructure, facilities and projects. Measures shall be taken in order to prevent the transfer of the domestic communication traffic, which should be exchanged domestically, to abroad.

In order to mitigate and neutralize security risks, and especially, to ensure the security of critical data that may jeopardize national security or disrupt public order when their confidentiality, integrity or accessibility is compromised, “Information and Communication Security Guide” shall be prepared under the leadership of the Presidency of the Republic of Türkiye, Digital Transformation Office, with the contribution of the relevant public institutions and organizations, and the guide to be published at shall be updated in line with the developing technology and the relevant public institutions shall be expected to comply with the issues stipulated therein. Also, with the exception of the duties and activities carried out for the purpose of ensuring national security and protecting confidentiality, the institutions and organizations shall establish inspection mechanisms to ensure the implementation of the guide and inspect the implementation minimum once a year.

Please click here to access the full Circulars, in Turkish published in the Official Gazette.

Author CottGroup Hukuk ve Mevzuat Ekibi, Category Personal Data Protection Law

  • Notification!

    Contents provided in this article serve to informative purpose only. The article is confidential and property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents without credit being given to the source is strictly prohibited. Regardless of having all the precautions and importance put in the preparation of this article, CottGroup® and its member companies cannot be held liable of the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject.

    For each concrete situation, it is strongly advised to seek guidance from a professional advisor. If you are a customer of ours, please consult with your customer representative before taking any action related to the announcement. If you are not a customer, seek advice from an expert.

About The Author


Other Legislation

Bu web sitesi çerez kullanıyor.

Bu internet sitesinde, kullanıcı deneyimini geliştirmek, verimli çalışmasını sağlamak ve istatistiki verileri takip etmek için çerezler kullanılmaktadır. Sitemizi kullanarak çerezleri kabul etmiş olursunuz. Çerezleri nasıl kullandığımız ile ilgili detaylı bilgi için lütfen Çerezler (Cookies) sayfasını okuyunuz. Bu seçim 30 gün süreyle ya da tarayıcınızdaki çerezleri siz silene kadar geçerlidir.

Çerez Tercihleri Cookie Preferences

Çerezleri Ayarla

Çerezler, web sitelerinin kullanıcı deneyimini daha verimli hale getirmek için kullanabileceği küçük metinlerdir. Kanun, bu sitenin işleyişi için kesinlikle gerekli olan çerezlerin cihazınıza saklanabileceğini belirtir. Diğer tüm çerez türleri için izninize ihtiyacımız var. Bu site, çeşitli türde çerezler kullanmaktadır. Bazı çerezler, sayfalarımızda görünen üçüncü taraf hizmetler tarafından yerleştirilir.

Verdiğiniz izinler aşağıda yer alan web siteleri için geçerlidir: