Overview
General Rules for Secondary Use of Data – Fourth: Principles of Secondary Use of Data explains the foundational principles that govern secondary use of data in Saudi Arabia. It highlights privacy protection, responsible use, data quality, ethical standards, security requirements, and prioritizing public interest when sharing or using data beyond its original purpose.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Fourth: Principles of Secondary Use of Data
This document seeks to adopt and apply the principles set forth in national data governance policies, including data availability and the promotion of a data-sharing culture. It further contributes to reinforcing the principles contained in the AI Ethics Principles document, in addition to the following principles:
Principle 1: Privacy and Personal Data Protection
This document supports the adoption of privacy as a key principle when handling personal data, and affirms adherence to the provisions and procedures stipulated in the Personal Data Protection Law, its Implementing Regulations, and any documents issued pursuant thereto.
Principle 2: Responsible Secondary Use of Data
The purpose of data sharing shall be related to the purposes stipulated in Paragraph (1) of Article (1) of these Rules, while considering national interests, the activities of entities, and the interests of individuals. Data shall be used responsibly and solely for such purposes.
Principle 3: Data Quality
Sufficient efforts shall be made to ensure the completeness, accuracy, and currency of data. The relevance and suitability of the data content to the purpose specified in the sharing request shall also be considered.
Principle 4: Ethical Data Use
The optimal and commonly recognized methods for handling data, including accessing, sharing, and using such data, shall be identified taking into account fair use and considerations regarding rights restrictions, including, but not limited to, intellectual property rights and commercial confidentiality.
Principle 5: Data Security
Regulatory requirements for data protection as established by the National Cybersecurity Authority shall be followed to ensure a secure and reliable environment for data sharing.
Principle 6: Public Interest
The public interest shall prevail over other legitimate interests in the use of data, contributing to the realization of the interests of the general public, and without contravening these Rules and applicable regulatory provisions.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Alignment with National Governance Policies
The principles reinforce existing national frameworks on data governance and promote a culture where data is responsibly made available and shared. They also align with the AI Ethics Principles to ensure responsible and compliant data practices.
Privacy and Legal Compliance
Privacy is treated as a foundational requirement. Any personal data used in secondary contexts must follow the PDPL, its Implementing Regulation, and all related documents without exception.
Responsible Purpose-Based Use
Secondary data use must always align with the specific permissible purposes stated in Article 1. Entities must also consider national interests, operational needs, and individual interests when using shared data.
Data Accuracy and Relevance
Entities must ensure that the data they use is complete, accurate, up to date, and suitable for the purpose stated in the sharing request.
Ethical and Fair Use Standards
Data must be managed using accepted ethical practices, especially when accessing, sharing, or using it. Restrictions such as intellectual property rights and commercial confidentiality must be respected.
Cybersecurity and Protection Measures
Data sharing must follow the National Cybersecurity Authority’s requirements to maintain secure and trustworthy data processing environments.
Prioritizing Public Interest
When data is shared or reused, public interest should take precedence over other legitimate interests as long as the Rules and applicable regulations are followed.
