Definitions

Data: A set of facts in their original form or in an unorganized form such as numbers, letters, still images, video, audio recordings, or emojis.

Applicant:

Which government agency or private entity submits a request to share data.

The Source: is the government agency concerned – according to its systematic competencies – to establish technical standards for a specific field or group of data fields, and to verify and maintain their validity.

The Appointed Party: is the party authorized to share data pursuant to an authorization from the source authority in accordance with the procedures outlined in this policy, following the necessary steps to ensure data freshness.

The party from which data sharing is requested: Any governmental entity to which a data sharing request is submitted, whether the source party or the delegating party.

Parties involved in data sharing: Any entity that is a party to the data sharing process, including the requesting party and the party from which the data is requested.

Data Sharing Agreement: A standard agreement signed between two parties - when data is shared by a government entity with a private entity or individual - it defines the roles and responsibilities of the parties involved in the data sharing process according to the provisions and controls specified in this policy.

Data Sharing Model: A standard model that includes the controls necessary to handle data and define roles and responsibilities in the event that parties involved in the data sharing process are government agencies.

The Authority: The Saudi Data and Cyber Laboratory.

Office: Office of the National Data Management.

Office: Office of Data Management in the Government Entity.

Government Integration Channel: A secure channel for sharing data between government agencies to achieve integration and connectivity and enable them to automate their services.

Data Market: A platform aimed at automating all data sharing operations – in accordance with the provisions of this policy – between government entities; the platform allows entities to request subscriptions to published data sharing services (APIs) available on the platform automatically, or to request new services, and the Data Market is one of the data platforms available at the National Data Bank.

Descriptive Data: is detailed information that describes data and its usage characteristics, whether it is business data, technical data, or operational data.

Goal

The purpose of the data sharing policy is to promote data sharing to achieve integration between government entities and to obtain data from its sources. This policy is in line with policies issued by the National Data Management Office – Legislative Arm of the Saudi Data and Artificial Intelligence Authority. It aims to comply with data management and governance requirements, and related legal and regulatory requirements, which is a legislative requirement in Specification No. DG.1.2 of the National Standards for Data Management and Governance and Personal Data Protection (Version 1.5) issued by the National Data Management Office.

scope

These provisions apply to all data generated by the University, regardless of whether it is shared with other government agencies or private entities or individuals, whatever the source, form, or nature of the data, including paper records, email messages, electronic media data, audio, video, maps, photographs, manuscripts, handwritten documents, or any other form of recorded data. These provisions do not apply if the requesting party is a government agency and the request is for security purposes or to comply with judicial requirements.

Principles of data sharing

Principle 1: To promote a culture of sharing, the University must share its key outputs and this is to achieve integration between them and government agencies and adopt the “Single Version” principle to obtain data from its correct sources and reduce its duplication, conflict and multiplicity of sources. In case of a request for data from sources other than its primary source, the University must obtain approval from the main source – the data source – before sharing it with the requesting party.

Principle Two: Legitimate purpose shall be to share data for legitimate purposes based on systematic or practical need, a justified objective aimed at achieving public interest without causing any harm to national interests, or activities of entities or the privacy of individuals or environmental safety – excluding data and entities excluded by royal decrees.

Principle 3: Authorized access shall be granted to all parties participating in the sharing of data, with the right to view, obtain, and use it (which may require security scanning according to the nature and sensitivity of the data), in addition to knowledge, skills, and people properly trained to handle shared data.

Principle Four: Transparency All parties involved in data sharing operations must make available all necessary information for data exchange, including: the required data, the purpose of its collection, the means of its transfer, methods of its storage, the controls used to protect it, and the disposal mechanism.

The Fifth Principle: All parties sharing data must be jointly responsible for data-sharing decisions and processing in accordance with the specified purposes, ensuring the implementation of security controls as stipulated in the data sharing agreement, and relevant systems, legislation, and policies.

The Sixth Principle: Data security shall be applied by all parties involved in sharing data to protect data and share it in a safe and reliable environment in accordance with relevant systems and legislation, and according to the directives of the National Cyber Security Agency.

The seventh principle: Ethical use requires all parties involved in data sharing to implement ethical practices during the data sharing process to ensure its use within a framework of justice, integrity, honesty, and respect, and not to rely solely on compliance with information security policies or compliance with relevant regulatory and legislative requirements.

Steps necessary to conduct a data sharing process

Steps have been identified for the basic process of data sharing by the National Data Management Office to help entities standardize sharing practices and ensure compliance with all requirements – which may not exceed 3 months. And it details as follows:

First:

The applicant – whether governmental, private, or an individual – submits a data sharing request to the University’s Data Management Office, the request being submitted via the applicant’s data management office if the applicant is a governmental entity.

Secondly: The Data Management Office refers the request to the designated Business Data Representative who in turn directs this request to one of the Business Data specialists to evaluate and process this request.

Thirdly:

A. In case of no classification level specified, the Data Management Office of the University shall classify the required data according to the data classification policy.

b. In case of specifying the classification level as "public", a business data specialist can share the required data without evaluating the request according to the main principles of data sharing.

In case the classification level is designated as "Restricted" or "Confidential" or "Highly Confidential", the Business Data Specialist must evaluate the request according to the main principles of data sharing.

Fourthly:

Fifth: It is not permissible for the Business Data Specialist in the University Data Management Office to continue sharing data in cases of not meeting one or more of the data sharing principles. The Business Data Specialist must respond to the request with the notes and provide an opportunity to meet all the incompatible data sharing principles.

Sixth:

Seventh:

Eighth: After agreeing on data sharing controls and committing to their implementation, the business data specialist should clarify them in detail in the agreement, and all parties involved in the sharing process must sign the data sharing agreement.

Ninth: