Overview
General Rules for Secondary Use of Data – Sixth: Steps for Data Sharing for Secondary Use of Data outlines the procedural steps that entities must follow when sharing data for secondary use in Saudi Arabia. It provides a structured framework for government entities, private entities, researchers, and innovators to ensure that every data sharing activity complies with SDAIA’s rules, the Data Sharing Policy, and confidentiality requirements for government data.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Sixth: Steps for Data Sharing for Secondary Use of Data
These steps shall consider all steps prescribed under the Policy, as well as the restrictions pertaining to the confidentiality of government data. Furthermore, the steps set forth in this Article constitute a procedural framework governing data sharing for secondary use by government entities, private entities, and individuals, including entities engaged in research, development, and innovation, as well as researchers and entrepreneurs. Such procedures are intended to ensure full compliance with all controls and requirements stipulated in these Rules and other relevant regulatory documents, as follows:
- If a data sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted between two government entities, the request shall be submitted through the Data Marketplace platform in accordance with the procedures stipulated in Article (6) of the Policy, including the associated timeframes.
- If a data sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted from a government entity to a private entity or from a private entity to a government entity, and the data is requested through an automated method, the parties involved in the sharing process shall propose a data sharing method and obtain approval from the Office.
- If a data sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted from a government entity to a private entity or from a private entity to a government entity, and the data is requested through a non automated method, the parties involved in the sharing process shall share the data through a secure and reliable method, in accordance with the directives issued by the competent authorities.
Plain-Language Explanation
The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.
Framework Based on Existing Policies and Confidentiality Requirements
The steps build on the procedures already defined in the Data Sharing Policy while ensuring that confidentiality requirements for government data are respected. The framework governs how government and private entities, researchers, innovators, and individuals conduct secondary-use data sharing.
Government-to-Government Data Sharing via Data Marketplace
When two government entities share data for secondary use, the request must go through the Data Marketplace platform. It must follow the procedures and timelines set out in Article (6) of the Data Sharing Policy.
Automated Data Sharing Between Government and Private Entities
If the data is requested using an automated method, both parties must jointly propose how the data will be shared. The Office must approve the proposed method before sharing can take place.
Non-Automated Data Sharing Between Government and Private Entities
If the data is requested using a non-automated method, sharing must occur through a secure and reliable method. The method must comply with directives issued by the relevant competent authorities.
