Since 2020, the government of Saudi Arabia has stressed the need for dedicated data protection legislation and to enforce it. A growing awareness of individual data protection, access rights, and ownership is giving rise to new challenges affecting businesses in KSA and globally. Consistent with many jurisdictions in the region, the privacy of individuals and the safeguarding of their personal data are provided under general provisions of Saudi Law rather than ones specifically focused on the issue of “data privacy” or “data protection”. These laws place strict obligations on the private sector in relation to how, why and when personal data can be collected, used and stored.
Privacy and Data Protection Legislation
The Kingdom of Saudi Arabia has adopted strong personal data protection laws and policies to secure Users' privacy'. These laws and regulations include the Personal data protection law (Royal Decree No. (M/19) dated 1443/2/9 AH), the Main Principles of Personal Information Protection and the Main Principles and General Rules for Sharing Data issued by the Saudi Data and Artificial Intelligence Authority (SDAIA) and National Data Management Office (NDMO).
Personal Data Protection Law
The Personal Data Protection Law (PDPL) was adopted by Royal Decree on 16 September 2021, approving Resolution No. 98 dated 4 September 2021). The Saudi Data & Artificial Intelligence Authority (SDAIA) will be mandated with the implementation of the new legislation for the first two years, following which a transfer of supervision will be considered to the National Data Management Office (NDMO): the regulatory arm of SDAIA.
The Personal Data Protection Law and its executive regulations set the legal basis for the protection of your rights regarding the processing of personal data by all entities in the Kingdom, as well as all entities outside the Kingdom that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing.
The fundamental principles of our data protection policy include:
- Accountability by the head of the entity (or his designee) for the data controller's privacy policies and procedures.
- Transparency through privacy notice indicating the purposes for which personal data is collected.
- Choice and consent obtained through implicit or explicit approval regarding the collection, use and disclosure of personal data before collection.
- Limiting data collection to minimum data that enables fulfilment of purposes.
- Use, retention and destruction strictly for the purpose, retained as long as necessary to achieve intended purposes or as required by laws and regulations and destroyed safely, preventing leakage, loss, theft, misuse or unauthorized access.
- Access to data by which any data subject can review, update and correct their personal data.
- Data disclosure limitation approved by data subject restricts third parties to the purposes provided in privacy notice.
- Data security by protecting personal data from leakage, damage, loss, theft, misuse, modification, or unauthorized access; according to the controls issued by the National Cybersecurity Authority and other relevant authorities.
- Data quality after verification of its accuracy, completeness and timeliness.
- Monitoring and Compliance with data controller's privacy policies and procedures, and any privacy-related inquiries, complaints, and disputes.
The Anti-Cyber Crime Law aims to prevent cybercrimes by identifying such crimes and defining their punishments. The objective is to ensure information security, protection of public interest, and morals, protection of rights of the legitimate use of computers and information networks, and protection of the national economy.
The National Cybersecurity Authority (NCA) has issued a number of controls, frameworks and guidelines related to cybersecurity at the national level to enhance cybersecurity in the country in order to protect its vital interests, national security, critical infrastructure and government services. Controls, frameworks and guidelines issued by NCA include the following:
- Organizations’ Social Media Accounts Cybersecurity Controls
- Essential Cybersecurity Controls
- Cloud Cybersecurity Controls
- Telework Cybersecurity Controls (TCC)
- Critical Systems Cybersecurity Controls
- Operational Technology Cybersecurity Controls
- Data Cybersecurity Controls
- The Saudi Cybersecurity Workforce Framework (SCyWF)
- The National Cryptographic Standards (NCS)
- The Saudi Cybersecurity Higher Education Framework (SCyber-Edu)
- Cybersecurity Guidelines for e-Commerce
For more information, please visit the National Cybersecurity Authority (NCA) website.
Freedom of Information Regulations
Freedom of Information in Saudi Arabia is a cornerstone of information policies, which stresses the rights to information policy related to confidential public information. Regulations are set for the eligibility of requesting information and the rights of individuals to obtain information based on five conditions while identifying which information can be requested and which can be excluded. There are official steps and procedures for requesting access to information and identifying the platforms on which citizens may apply while also providing contact information of the relevant entities to contact for any inquiries on the freedom of information policy.
Freedom of Information that is unprotected or confidential public information that the platform processes regardless of its source, form, or nature - open data fall under public information. The process of providing individuals with public data for a fee is called "freedom of information," or as it is known, "the policy of the right to information."
Freedom of Information Regulation
The Freedom of Information Interim Regulations sets the legal basis for the rights of individuals to access public sector information and obligations of public entities for all requests coming from any individual to access or obtain public information that is not protected and – produced or held by public entities, regardless of the source, form or nature. This includes paper records, emails, information stored on computers, audio or video cassettes, microfiche, maps, photographs, handwritten notes or any other form of recorded information. In addition, the Regulation defines the roles and responsibilities of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, as well as the obligations of the National Data Management Office (NDMO), and National Information Center (NIC).
Every individual has the right to request and obtain information related to the platform's activities and has the right to view such unprotected public information in exchange for a financial fee. The applicant doesn't need to have a certain quality or interest in this information to obtain it, nor will it not expose the person to any legal accountability related to this right, which strengthens the system of integrity, transparency, and accountability. Individuals' rights to obtain information:
- The individual has the right to submit a request to obtain or access any information not protected by public authorities.
- The individual has the right to know the reason for the rejection of the request for access or to see the requested information.
- The individual has the right to file a grievance against the decision to reject the request to obtain or access the requested information.
- That all requests to access or obtain public information are dealt with based on equality and non-discrimination between individuals.
- Any restrictions on requesting access to protected information that you receive, produce or deal with the platform should be justified clearly and explicitly.
The policy applies to all requests to access "unprotected and open data" information, for a fee or free, regardless of its source, form, or nature, to improve the performance and efficiency of work and benefit from the data. Information that is excluded information to which the provisions of this policy do not apply is classified as "protected information" such as:
- Information that the disclosure of harms the state's national security, policy, interests, or rights.
- Information that includes recommendations, suggestions, or consultations for the issuance of legislation or government decision has not yet been issued.
- Information of a commercial, industrial, financial or economic nature, the disclosure of which would lead to profit achievement or encounter loss in an illegal manner.
- Scientific or technical research or rights that contain an intellectual property right whose disclosure leads to an infringement of a moral right.
- Information related to bids, bids and auctions, the disclosure of which would prejudice competition's fairness.
- Information confidential or personal under another system requires specific legal procedures to access or obtain it.
- Military and security information.
- Information and documents obtained by an agreement with another country and classified as protected.
- Investigations, seizures, inspections, and surveillance related to a crime, violation, or threat.
Open Data Regulations
Open Government Data is the data that anyone can freely use without technical, financial or legal constraints. The open data can also be re-used and redistributed, taking into account the requirements of the Open Data License under which such data was distributed. Government Open Data helps bridge the gap between governments and citizens.
To achieve the principle of transparency and to enable citizens in the Kingdom to have access to a large base of government data, the Kingdom has launched related policies and guidelines.
The national regulator of data in Saudi Arabia is the Saudi Data and Artificial Intelligence Authority (SDAIA). SDAIA has developed the framework for national data governance to set the policies and regulations required for data classification, data sharing, data privacy, freedom of information, open data and others in anticipation of necessary legislation.
Open Data Interim Regulations
The Open Data Interim Regulations set the legal basis and obligations for all data and public information produced by public entities regardless of source, form, or nature. It sets the legal grounds and minimum standards for government agencies to publish their datasets. The Open Data Interim Regulation also defines the roles and responsibilities of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, the National Data Management Office (NDMO) and National Information Center (NIC). All other government entities have obligations regarding open data planning, identification, publishing, maintenance, performance tracking and compliance.
Data Interoperability Regulations
The need to adopt an interoperability framework was addressed by the government formally as early as 2006, within the first national digital strategy of the Saudi Government.
An Interoperability Framework was developed and adopted. It included the definition of common data and technical standards, YEFI (Yesser Framework for Interoperability) and had the objective of allowing ministries and government agencies to exchange data and provide services through the shared integration infrastructure. The excellent facilitation of e-service delivery with ease and coordinated technical features made operability of high priority in digital transformation plans.
Current plans for interoperability focused on the following:
- Common data standards will define data at business and logical levels, and data schemas will describe the structures used in communication between systems.
- Metadata standards will define attributes and dictionaries used to catalogue electronic content.
- Technical standards and policies will ensure interoperability at a technical level, and include connectivity and networking standards, an integration standard and security standards.
Interoperability framework development is not run as a one-time effort but as an ongoing initiative. The digital transformation includes detailed specifications such as those relating to data, metadata, and technical standards. It defines common data structures and data elements as indispensable for ensuring seamless integration of systems and sharing of data across government agencies. The National Interoperability Standard is a much needed document that provides the necessary guidance and data structure definitions to guarantee interoperability, integration, portability and reusability of systems. It defines clearly the standards and regulations enabling them to share and consume services on government technology infrastructure. It also removes ambiguities and inconsistencies in the use of data by mandating an agreed set of data elements and data structures for integration.
The Ministry of Health of the Saudi Government has keen focus on interoperability for the sensitivity of sharing data among different sites and entities. A set of interoperability-related documents were developed outlining the basic guidelines and regulations to secure interoperable data sharing. This Core Interoperability Specification is applicable to existing and new information systems that will exchange Health Information. In particular this Interoperability Specification applies to the deployment of eHealth Information Exchange Platforms. Examples can be found at the National Health Information Center (NHIC) such as:
- Enabling Standards-Based eHealth Interoperability IS0010 Saudi eHealth Core Interoperability Specification for Immunization Version 1.0 April 21, 2016
- Enabling Standards-Based eHealth Interoperability IS0003 Saudi eHealth Core Interoperability Specification for Sharing Coded Laboratory Results April 21, 2016
Data Policies Regarding Data Exchange
Data storage does not exist alone, together with its content and structure of storage, other information must be attached to it. Such information must include instructions on issues that are mandatory for the validity of data and its usage. For example, all information stored should have defined the duration of the storage or validity of this data, as a period of time should identify when this data is obsolete or should not be shared anymore. This is called the data retention period. Other issues include the following:
- Information regarding who should keep what data, how long, when, and if it is a maximum or minimum period.
- Legal references and links to the official legal source.
- Up-to-date data and a schedule of updating frequently.
- Access is protected and controlled.
- Data shared should be flexible in usage, i.e., routing or capturing for individual analytics or report generation.
The purpose of collecting personal data is directly related to the objectives of the GOV.SA and shall not conflict with any prescribed provision. The methods and means of collecting personal information be appropriate to the owner's circumstances, direct, clear and secure and free from deception, misinformation, or extortion. If it turns out that the personal data collected is no longer necessary to achieve the purpose of its collection, GOV.SA will stop hoarding it and destroy the previously collected data immediately.
The agreement on such standards has been adopted and is in use. In addition, the Data Management and Personal Data Protection Standards (as of January 2021) define these standards.
Data Management and usage policies
The privacy and data protection policies and regulations of the Kingdom of Saudi Arabia have to be accepted by all authorized users. All data platforms should provide control ability and privileges through the Platform and its application. This agreement becomes effective immediately upon first using or accessing the Platform.
All collected personal data is directly related to the purposes of the digital government in order to provide easier, more efficient online services, which do not conflict with any prescribed provision of data privacy and security regulations and policies. Different methods and means used in collecting personal information must be appropriate to the owner's circumstances, direct, clear, secure, and free from deception, misinformation or extortion. All data that is no longer necessary to achieve the purpose of its capture and storage by the relevant authority will stop hoarding and destroy the previously collected data immediately. The following criteria will be ensured by the digital government (GOV.SA) before collecting personal data:
- The justification for collecting personal data.
- The purpose of collecting the personal data, whether all or part of its collection, is mandatory or optional, with further information about processing the data which is not contrary to the purpose of its collection or otherwise provided by the Law.
- The identity and reference address of the collector of personal data when appropriate unless it is for security purposes.
- The entity or entities to which the personal data will be disclosed, described, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom.
- Other elements, as determined by the regulations, depend on the nature of the activity exercised by this entity.