Legal and Technical Evaluation of Anonymization, Deletion and Destruction Processes Related to Data Management in the Public Sector: The Case of Aydın Province

Yıl 2025, Sayı: 23, 1 - 20, 26.06.2025

Haktan Yavaş , Türkay Henkoğlu

https://doi.org/10.26650/bba.2025.23.1577974

Öz

Safeguarding personal data in public institutions is becoming increasingly important due to growing risks to individual privacy. This study examines legal and technical challenges in data management within the Turkish public sector, focusing on anonymization, deletion, and destruction processes. Semi5structured interviews were conducted with administrators and personnel from 103 public institutions in Aydın province. Findings reveal that data management policies are largely centralized and rarely implemented effectively in local branches. Technical methods such as k5anonymity, l5diversity, and t5closeness are not employed, and risk analysis procedures are insufficient or undocumented. Data deletion practices are often limited to superficial file system deactivation, increasing the risk of data recovery. Training programs on data governance are infrequent and lack depth. The study highlights the absence of standardized practices for secure data handling at the local level, despite existing national and international legal frameworks. It recommends developing an applicable and auditable data management framework for public sector institutions that aligns with privacy legislation and ensures organizational accountability. By addressing both regulatory and procedural gaps, this research contributes to the advancement of secure, transparent, and rights5respecting data governance in public administration.

Anahtar Kelimeler

Data management , Data anonymization , Data deletion , Data destruction , Personal data

Kamu Sektöründe Veri Yönetimine İlişkin Anonimleştirme, Silme ve Yok Etme Süreçlerinin Hukuki ve Teknik Açıdan Değerlendirilmesi: Aydın İli Örneği

Öz

Bireylerin mahremiyetini korumanın giderek zorlaştığı kamu kurumlarında kişisel verilerin güvenli biçimde saklanması ve işlenmesi için teknik ve idari boyutları içeren politika ve prosedürlere olan ihtiyaç her geçen gün artmaktadır. Bu çalış5 mada kamu kurumlarındaki veri yönetimi süreçleri, hukuki düzenlemeler, teknik gereksinimler ve uygulamada karşılaşılan zorluklar çerçevesinde incelenmiş ve tespit edilen eksikliklere yönelik çözüm önerileri sunulmuştur. Araştırma kapsamında, Aydın ilindeki 103 kamu kurumunun yöneticileri, idari ve teknik personeliyle yüz yüze görüşmeler gerçekleştirilmiş, yarı yapılandırılmış sorular yöneltilmiştir. Bulgular, veri yönetim politikalarının genellikle merkezi yönetimle sınırlı kaldığını, taşra teşkilatlarında etkin uygulanmadığını göstermiştir. Veri anonimleştirme, silme ve yok etme süreçlerinde K5anonimlik, L5çeşitlilik ve T5yakınlık gibi teknik yöntemlerin kullanılmadığı; risk analizleri ve veri eğitimlerinin yetersiz olduğu tespit edilmiştir. Ayrıca, veri silme süreçlerinin çoğunlukla dosya sistemi düzeyinde pasifleştirme ile sınırlı olduğu ve bu durumun güvenlik risklerini artırdığı belirlenmiştir. Çalışmada, teknik prosedürlerin ulusal ve uluslararası düzenlemelerle uyumlu hale getirilmesi ve kamu kurumlarında uygulanabilir bir veri yönetimi çerçevesinin oluşturulması gerekliliği vurgulanmıştır.

Anahtar Kelimeler

Veri yönetimi , Verilerin anonimleştirilmesi , Verilerin silinmesi , Verilerin yok edilmesi , Kişisel veriler

Kaynakça

• Anderson, D., & Von Seck, R. (2020). The GDPR and its impact on the web. doi:10.2313/NET-2020-11-1_01 google scholar
• APEC Privacy Framework. (2005). Singapore: APEC Secretariat. google scholar
• Appelbaum, P., Beattie, E., Boutin, M., W. Croghan, T., W. Crosley, S., J. Horning, S., . W. Yancy, C. (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. (S. J. Nass, L. A. Levit ve L. O. Gostin, Ed.). Washington, D.C.: The National Academies Press. http://www.nap.edu/catalog/12458.html adresinden erişildi. google scholar
• Attaallah, A., Alsuhabi, H., Shukla, S., Kumar, R., Kumar Gupta, B., & Khan, R. A. (2022). analyzing the big data security through a unified decision-making approach. Intelligent Automation & Soft Computing, 32(2), 1071-1088. doi:10.32604/iasc.2022.022569 google scholar
• Avllazagaj, E., Ayday, E., & Çiçek, A. E. (2016). privacy-related consequences of Turkish citizen database leak. arXiv (Cornell University). doi:10.48550/arxiv.1605.05847 google scholar
• Avrupa Konseyi. (2016). Regulation (EU) 2016/679 Of The European Parliament and Of The Council. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN adresinden erişildi. google scholar
• Bates, D. W., Heitmueller, A., Kakad, M., & Saria, S. (2018). Why policymakers should care about “big data” in healthcare. Health Policy and Technology, 7(2), 211-216. doi:10.1016/j.hlpt.2018.04.006 google scholar
• Bayardo, R. J. ve Agrawal, R. (2005). Data privacy through optimal k-anonymization. 21st International Conference on Data Engineering (ICDE’05). doi:10.1109/icde.2005.42 google scholar
• Bolognini, L., & Bistolfi, C. (2017). Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation. Computer Law & Security Review, 33(2), 171-181. doi:10.1016/ J.CLSR.2016.11.002 google scholar
• Bradford, L., Aboy, M., & Liddell, K. (2021). Standard contractual clauses for cross-border transfers of health data after Schrems II. Journal of Law and the Biosciences, 8(1). doi:10.1093/jlb/lsab007 google scholar
• Burenok, D. S. (2023). The mandatory state digital register of personal data processing consents. 2023 Seminar on Information Computing and Processing (ICP) içinde (ss. 11-17). doi:10.1109/ICP60417.2023.10397191 google scholar
• Cate, F. H., Cullen, P., & Mayer-Schonberger, V. (2013). Data Protection Principles for the 21st Century. Redmond, WA: Books & Book Chapters by Maurer Faculty. https://www.repository.law.indiana.edu/facbooks adresinden erişildi. google scholar
• Cheng, L., Liu, F., & Yao, D. (Daphne). (2017). Enterprise data breach: causes, challenges, prevention, and future directions. WIREs Data Mining and Knowledge Discovery, 7(5), e1211. doi:10.1002/widm.1211 google scholar
• Cormode, G., & Srivastava, D. (2010). Anonymized Data: Generation, models, usage. 2010 IEEE 26th International Conference on Data Engineering (ICDE 2010) içinde (ss. 1211-1212). doi:10.1109/ICDE.2010.5447721 google scholar
• DataBreaches LLC. (2016, 3 Nisan). Turkish Citizenship Database Leak (Update 2). 29 Ekim 2023 tarihinde https://www.databreaches.net/ turkish-citizenship-database-leak/ adresinden erişildi. google scholar
• Datenschutz-Wiki. (2016). Bundesdatenschutzgesetz (1977) - Datenschutz-Wiki. 29 Ekim 2023 tarihinde https://www.datenschutz-wiki.de/BDSG_1977 adresinden erişildi. google scholar
• DSV Stockholm University. (2000, 9 Haziran). The Swedish Personal Information Act. Dsv.su.se. 29 Ekim 2023 tarihinde https://people. dsv.su.se/~jpalme/society/eu-data-directive-freedom.html adresinden erişildi. google scholar
• Dülger, M. V. (2021). Kişisel Verileri Koruma Kurulu’nun 18 Ağustos 2018 Tarihli Resmi Gazete’de Yayınlanan Kararlarına İlişkin Değerlendirme. SSRN Electronic Journal. doi:10.2139/ssrn.3792274 google scholar
• Dülger, M. V., Kahraman, C. C., & Yalçın, S. (2021). GDPR ve KVKK bakımından çocukların kişisel verilerinin korunması ve konuya ilişkin kurul kararının değerlendirilmesi. SSRN Electronic Journal. doi:10.2139/ssrn.3792410 google scholar
• Ersoy, E. C. (2019). Examining Turkish law on data protection. Computer Fraud & Security, 2019(9), 9-11. doi:10.1016/S1361-3723(19)30095-8 google scholar
• European Center for Digital Rights. (2017). Data Protection in Austria - GDPRhub. GDPRhub. 29 Ekim 2023 tarihinde https://gdprhub.eu/ Data_Protection_in_Austria adresinden erişildi. google scholar
• European Center for Digital Rights. (2020). Data Protection in Denmark - GDPRhub. GDPRhub. 29 Ekim 2023 tarihinde https://gdprhub. eu/Data_Protection_in_Denmark adresinden erişildi. google scholar
• European Union Agency for Fundamental Rights. (2018, 25 Ekim). Act n°78-17 of 6 January 1978 on Data Processing, Data Files and Indi-vidual Liberties. 29 Ekim 2023 tarihinde https://fra.europa.eu/en/law-reference/act-ndeg78-17-6-january-1978-data-processing-data-files-and-individual-liberties adresinden erişildi. google scholar
• Ganesh, P., Tran, C., Shokri, R., & Fioretto, F. (2024). The Data Minimization Principle in Machine Learning. http://arxiv.org/abs/2405.19471 adresinden erişildi. google scholar
• Garfinkel, S. L. (2015). De-identification of personal information. National Institute of Standards and Technology Internal Report, 8053. doi:10.6028/nist.ir.8053 google scholar
• Garg, S., Verma, K. K., & Kumar, G. (2024). An Analysis on the Threats on Public Data Collection. 2024 International Conference on Intelligent Systems for Cybersecurity (ISCS) içinde (ss. 1-6). doi:10.1109/ISCS61804.2024.10581271 google scholar
• Goldsteen, A., Ezov, G., Shmelkin, R., Moffie, M., & Farkash, A. (2022). Data minimization for GDPR compliance in machine learning models. AI and Ethics, 2(3), 477-491. doi:10.1007/s43681-021-00095-8 google scholar
• Gonzalez, E. G., De Hert, P., & Papakonstantinou, V. (2020). The proposed ePrivacy regulation: The commission’s and the parliament’s draft s at a crossroads? D. Hallinan, R. Leenes, S. Gutwirth ve P. De Hert (Ed.), Data protection and privacy içinde (ss. 267-298). Hart Publishers. google scholar
• Gutmann, P. (1996). Secure Deletion of Data from Magnetic and Solid-State Memory. Sixth USENIX Security Symposium Proceedings içinde . https://web.archive.org/web/20230927105247/https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html adresinden erişildi. google scholar
• Güler, C. (2020). Elektronik belgelerin imhası: Teori ve uygulama. Hiperyayın, 2020. google scholar
• Helvacıoğlu, A. D., & Stakheyeva, H. (2017). The tale of two data protection regimes: The analysis of the recent law reform in Turkey in the light of EU novelties. Computer Law & Security Review, 33(6), 811-824. doi:10.1016/j.clsr.2017.05.014 google scholar
• Kissel, R., Regenscheid, A., Scholl, M., & Stine, K. (2014). Guidelines for Media Sanitization. Gaithersburg, MD. doi:10.6028/NIST.SP.800-88r1 google scholar
• Knapp, K. J., Denney, G. D., & Barner, M. E. (2011). Key issues in data center security: An investigation of government audit reports. Government Information Quarterly, 28(4), 533-541. doi:10.1016/j.giq.2010.10.008 google scholar
• Kuner, C., Bygrave, L. A., Docksey, C., Drechsler, L, & Tosoni, L. (2021). The EU General Data Protection Regulation: A Commentary/Update of Selected Articles. SSRN Electronic Journal. doi:10.2139/SSRN.3839645 google scholar
• Li, N., Li, T., & Venkatasubramanian, S. (2007). t-Closeness: Privacy Beyond k-Anonymity and l-Diversity. 2007 IEEE 23rd International Conference on Data Engineering içinde (ss. 106-115). doi:10.1109/ICDE.2007.367856 google scholar
• Liu, L. (2021). The Rise of Data Politics: Digital China and the World. Studies in Comparative International Development, 56, 45-67. doi:10.1007/s12116-021-09319-8 google scholar
• Machanavajjhala, A., Kifer, D., Gehrke, J., & Venkitasubramaniam, M. (2007). L-diversity: Privacy beyond k-anonymity. ACM Trans. Knowl. Discov. Data, 1(1), 3-es. doi:10.1145/1217299.1217302 google scholar
• Miller, M. R., Herrera, F., Jun, H., Landay, J. A., & Bailenson, J. N. (2020). Personal identifiability of user tracking data during observation of 360-degree VR video. Scientific Reports, 10(1), 17404. doi:10.1038/s41598-020-74486-y google scholar
• National Research Council. (1993). Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics. Private Lives and Public Policies. Washington, DC: The National Academies Press. doi:10.17226/2122 google scholar
• Nergiz, M E, Clifton, C., & Nergiz, A. E. (2009). Multirelational k-Anonymity. IEEE Transactions on Knowledge and Data Engineering, 21(8), 1104-1117. doi:10.1109/TKDE.2008.210 google scholar
• Nergiz, M. E.; Atzori, M., & Clifton, C. (2007). Hiding the presence of individuals from shared databases. Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data içinde , SIGMOD ’07 (ss. 665-676). New York, NY, USA: Association for Computing Machinery. doi:10.1145/1247480.1247554 google scholar
• Osmaneli Sosyal Yardımlaşma ve Dayanışma Vakfı. (2023). Osmaneli Sosyal Yardımlaşma ve Dayanışma Vakfı. 27 Ekim 2024 tarihinde https://osmanelisydv.gov.tr/upload/docs/5_Hane_Beyan_Formu.pdf adresinden erişildi. google scholar
• Richards, N. M., & King, J. H. (2014). Big Data Ethics. Wake Forest Law Review. http://strata.oreilly.com/2012/01/what-is- adresinden erişildi. google scholar
• Rubin, A., & Babbie, E. R. (2016). Essential research methods for social work (4. bs.). Cengage Learning. google scholar
• Shanmugam, D., Diaz, F., Shabanian, S., Finck, M., & Biega, A. (2022). Learning to Limit Data Collection via Scaling Laws: A Computational In-terpretation for the Legal Principle of Data Minimization. Proceedings of the 2022 ACM Conference on Fairness, Accountability, and Transparency içinde , FAccT ’22 (ss. 839-849). New York, NY, USA: Association for Computing Machinery. doi:10.1145/3531146.3533148 google scholar
• Shu, X., Zhang, J., Yao, D. D. ve Feng, W.-C. (2016). Fast Detection of Transformed Data Leaks. IEEE Transactions on Information Forensics and Security, 11(3), 528-542. doi:10.1109/TIFS.2015.2503271 google scholar
• Siedlecki, S. L. (2020). Understanding Descriptive Research Designs and Methods. Clinical Nurse Specialist, 34(1), 8-12. doi:10.1097/NUR.0000000000000493 google scholar
• State Chancellery of Hessen - Minister for Digital Strategy and Innovation. (2023). Digital Hesse Where the future begins. digitales.hessen.de. https://digitales.hessen.de/sites/digitales.hessen.de/files/2023-01/Digitalstrategie%20englisch_ barrierefrei.pdf adresinden erişildi. google scholar
• Swanson, M. ve Guttman, B. (1996). Generally accepted principles and practices for securing information technology systems. Gaithers-burg, MD. doi:10.6028/NIST.SP.800-14 google scholar
• T. C. Aile ve Sosyal Hizmetler Bakanlığı. (2022). Sosyal Yardımlaşma ve Dayanışma Vakıfları. 29 Ekim 2023 tarihinde https://www.aile.gov. tr/sygm/genel-mudurluk/sosyal-yardimlasma-ve-dayanisma-vakiflari/ adresinden erişildi. google scholar
• T.C. Resmî Gazete. (2008). Vakıflar Kanunu. 29 Ekim 2023 tarihinde https://www.mevzuat.gov.tr/mevzuatmetin/1.5.5737.pdf adresinden erişildi. google scholar
• T.C. Resmî Gazete. (2019, 18 Ekim). Devlet Arşiv Hizmetleri Hakkında Yönetmelik. 29 Ekim 2023 tarihinde https://www.mevzuat.gov.tr/ mevzuat?MevzuatNo=33899&MevzuatTur=7&MevzuatTertip=5 adresinden erişildi. google scholar
• T.C. Resmî Gazete. (2022). Gizlilik Dereceli Belgelerde Uygulanacak Usul ve Esaslar Hakkında Yönetmelik. 29 Ekim 2023 tarihinde https:// www.mevzuat.gov.tr/MevzuatMetin/21.5.5529.pdf adresinden erişildi. google scholar
• The United State Department of Justice. (2014, 17 Haziran). Privacy Act of 1974. Justice.gov. 29 Ekim 2023 tarihinde https://www.justice. gov/opcl/privacy-act-1974 adresinden erişildi. google scholar
• University of Cambridge. (2020). Norway | Centre for Intellectual Property and Information Law. Cam.ac.uk. 29 Ekim 2023 tarihinde https://www.cipil.law.cam.ac.uk/projectseuropean-data-protection-laws-and-freedom-expression/norway adresinden erişildi. google scholar
• U.S. Department of Defense. (1995). National Industrial Security Program Operating Manual (NISPOM). U.S. Department of Defense. www. reginfo.gov/public/do/PRAMain. adresinden erişildi. google scholar
• Wong, R. (2012). The Data Protection Directive 95/46/EC: Idealisms and realisms. International Review of Law, Computers & Technology, 26(2-3), 229-244. doi:10.1080/13600869.2012.698453 google scholar
• Wouters, B., Shaw, D., Sun, C., Ippel, L., van Soest, J., van den Berg, B., . Townend, D. (2021). Putting the GDPR into Practice: Difficulties and Uncertainties Experienced in the Conduct of Big Data Health Research. European Data Protection Law Review, 7(2), 206-216. doi:10.21552/edpl/2021/2/9 google scholar
• Yılmaz, T., Arıkan, S. M., Su, F. & Yürekten, Ö. (2020). Protecting Personal Information in Enterprise Applications. 2020 Turkish National Software Engineering Symposium (UYMS) içinde (ss. 1-4). doi:10.1109/UYMS50627.2020.9247020 google scholar