General Rules for Secondary Use of Data

These Rules serve to realize the value of data in creating promising development opportunities that necessitate data processing for purposes other than those initially specified at the time of data collection. To maximize the benefits derived from data produced, collected, or retained by entities, contributing to economic growth, these Rules have been established. They provide a framework to enable responsible data sharing by entities to serve public interest and foster research, development, and innovation. This necessitates the establishment of controls and procedures governing data-sharing requests for the aforementioned purposes within the Kingdom of Saudi Arabia. These Rules complement the Data Sharing Policy issued by the Saudi Data & AI Authority (SDAIA) by providing further clarity on data sharing between government entities concerning public interest objectives and the responsible advancement of research, development, and innovation. Furthermore, they provide clarity on data sharing between government and private entities for the purposes of achieving public interest and fostering research, development, and innovation.​​

​​Except as otherwise provided in Paragraphs (2) and (3) of this Article, the terms and phrases used herein shall have the meanings ascribed to them in the Data Sharing Policy issued by the Saudi Data & AI Authority (SDAIA), as well as the meanings ascribed to them in Article (1) of the Personal Data Protection Law and its amendments. The following terms and phrases, wherever mentioned, shall have the meanings assigned thereto, unless the context requires otherwise:

1. ​Secondary Use of Data: The utilization of data for purposes other than those for which it was initially collected, including its processing in activities pertaining to research, development, or innovation, and the operations and activities conducted by government entities in pursuit of public interest objectives.

2. Data-Sharing Entity: The entity to which a data-sharing request is submitted, whether a government or private entity, for the purposes of secondary use of data.

3. Applicant: The entity submitting a data-sharing request to the entity from which data sharing is requested, whether a government or private entity, for the purposes of secondary use of data.

4. Policy: The Data Sharing Policy issued by the Saudi Data & AI Authority (SDAIA).

5. AI Ethics Principles: The AI Ethics Principles issued by the Saudi Data & AI Authority (SDAIA)

6. Priority Sectors: The sectors identified as priorities in national strategies and strategic directions, encompassing national aspirations and priorities in research, development, and innovation, as well as the energy, health, environment, water, agriculture, and economic sustainability sectors.​​

​1. These Rules apply to data-sharing requests between government entities and private entities for the purposes of secondary use of data.

2. The exceptions stipulated in Paragraphs (2) and (3) of Article (1) of the Policy shall apply to these Rules.

​Third: Objectives

These Rules aim to:

1.Incentivize entities to share data for secondary use purposes, aiming to support research, development, and innovation, and to achieve public interest by enhancing the efficiency of government entities' operations and activities, while leveraging data to support decision-making.

2.Support the implementation of national strategies and objectives by enabling —government or private— entities to access data for the purposes outlined in Paragraph (1) of Article (1) of these Rules.

3.Provide clarity regarding the processing of data-sharing requests between entities as stipulated in Paragraph (1) of Article (1) of the Policy, by specifying the requirements for accessing or obtaining data for secondary use purposes and defining the relevant controls.

​These Rules serve to further establish the principles stipulated in Article (2) of the Policy, the principles outlined in the AI Ethics Principles, and to establish the following principles:

Principle 1: Privacy and Personal Data Protection

The application of these Rules shall not prejudice the provisions and procedures stipulated in the Personal Data Protection Law, its Implementing Regulations, and any documents issued pursuant thereto.

Principle 2: Responsible Secondary Use of Data

The purpose of data sharing shall be related to the purposes stipulated in Paragraph (1) of Article (1) of these Rules, while considering national interests, the activities of entities, and the interests of individuals. Data shall be used responsibly and solely for such purposes.

Principle 3: Data Quality

Sufficient efforts shall be made to ensure the completeness, accuracy, and currency of data. The relevance and suitability of the data content to the purpose specified in the sharing request shall also be considered.

Principle 4: Ethical Data Use

Optimal methods for handling data, including its access, sharing, and use, shall be determined, taking into account fair use and considerations regarding rights restrictions, including, but not limited to, intellectual property rights and commercial confidentiality.

Principle 5: Data Security

Appropriate controls for data protection shall be observed in accordance with standard criteria and other regulatory requirements, including the provision of a secure and reliable environment for data sharing.

Principle 6: Public Interest

The public interest shall prevail over other legitimate interests in the use of data, contributing to the realization of the interests of the general public, and without contravening these Rules and applicable regulatory provisions​.

​1.Prior to initiating any data-sharing process for the purposes of secondary use of data, the Applicant shall comply with the following rules and requirements:

a) The purpose of data sharing shall be legitimate and adhere to the principles established in these Rules, ensuring alignment with objectives aimed at serving the public interest or promoting research, development, and innovation, while explicitly excluding profit-oriented purposes.

b) The content of the requested data shall be strictly confined to the minimum necessary for fulfilling the purpose of the data-sharing request.

c) The submission of a data-sharing request shall, as a general principle, be directed to the Data Source Entity. In cases where the request is submitted to an entity other than the Data Source Entity or its delegated authority, the Applicant shall provide sufficient evidence demonstrating the approval of the Data Source Entity.

2.If the data-sharing request is made between government entities, such requests shall be subject to the procedures outlined in the Data Sharing Policy.

3.If the data-sharing request is made between government entities, and such request is specifically related to conducting analyses or issuing reports without requiring access to raw data, the provisions articulated within the Rules for Governing Data Analysis Laboratories shall be applied.

4.If the request is submitted by a private entity to a government entity, the Applicant and Data-Sharing Entity shall be required to obtain a Usage License from the latter, and the Applicant shall comply with the data usage terms and conditions stipulated therein.

5.In cases where the Applicant is an individual affiliated with a research or academic institution, the request shall be submitted through the Applicant's affiliated institution or the entity sponsoring the research for which data sharing is required. Written evidence of approval from the Applicant's academic authority must be furnished prior to submitting the data-sharing request for the purposes of secondary use of data.

6.The Applicant shall ensure that the content of the request is clearly detailed at the time of submission to avoid any deficiencies or omissions that may result in rejection of the request. The request shall be submitted in accordance with a form prepared by the competent office for such purposes.

7.The Data-Sharing Entity reserves the right to incorporate provisions concerning intellectual property rights and commercial confidentiality within the Usage License, when necessary.

8.The Data-Sharing Entity shall assess the submitted request in accordance with the requirements set forth in Paragraph (1) of this Article.​

​Except as otherwise provided in this Article, the procedures outlined in Article (6) of the Policy shall apply. The data-sharing procedures for secondary use of data constitute a procedural framework for government entities, private entities, and individuals, including entities engaged in research, development, and innovation, as well as researchers and entrepreneurs. These procedures enable compliance with all necessary controls and requirements in accordance with these Rules and other relevant regulatory documents, as follows:

1.If a data-sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted between two government entities, the request shall be submitted through the Data Marketplace, in accordance with the procedures stipulated in Article (6) of the Policy, including the associated timeframes.

2.If a data-sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted from a government entity to a private entity or from a private entity to a government entity, and the data is requested through an automated method, the parties involved in the sharing process shall propose a data-sharing method and obtain approval from the Office.

3.If a data-sharing request for the purposes stipulated in Paragraph (1) of Article (1) of these Rules is submitted from a government entity to a private entity or from a private entity to a government entity, and the data is requested through a non-automated method, the parties involved in the sharing process shall share the data through a secure and reliable method, in accordance with the directives issued by the competent authorities.​

​​