Data Privacy Landscape

Since 2020, the government of Saudi Arabi has stressed the need for dedicated data protection, legislation and enforce it. A growing awareness of individual data protection, its access rights and ownership are giving rise to new challenges affecting businesses in KSA and indeed globally. Consistent with a lot of jurisdictions in the region, the privacy of individuals and the safeguarding of their personal data are provided under general provisions of Saudi Law, rather than ones specifically focused on the issue of “data privacy” or “data protection”. These laws place strict obligations on the private sector in relation to how, why and when personal data can be collected, used and stored. 
Amon g these laws, the following form core of the landscape of Saudi legislation that govern digital transformation.
Although there is no specific mention of personal data, the Electronic Transactions Law (Royal Decree No M/18) imposes certain obligations on internet service providers (ISPs), stating that ISPs and their staff must maintain the confidentiality of information obtained in the course of business. This would, presumably, include all personal data collected. The law also states that personal data must only be obtained, whether directly or indirectly, with the individual’s written consent.
The Anti-Cyber Crime Law (Royal Decree No M/17) aims to ensure information security, protection of rights pertaining to the legitimate use of computers and information networks, protection of public interest, morals, and protection of the national economy. The law contains limited provisions in relation to cyber data protection.
The KSA Cloud Computing Regulatory Framework (CCF) is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses. CCF is one of only a few examples of cloud-specific regulatory frameworks around the world and includes principles of data protection. 
Some of the most important features of the CCF from a data protection perspective, are the cloud security requirements CSPs must adhere to cloud customer information can be subject to different levels of information security, depending on the required level of preservation of the information’s confidentiality, integrity, and availability.  These Security Level Categories of Customer Data are classified as follows:
Level 1:  Non-sensitive customer content of individuals, or private sector companies, not subject to any sector-specific restrictions on the outsourcing of data.
Level 2: Sensitive customer content of individuals, private sector companies, not subject to any sector-specific restrictions on the outsourcing of data; and non-sensitive customer content from public authorities.
Level 3 Any customer content from private sector-regulated industries, subject to Level 3 categorization under sector-specific rules or regulatory decision; and sensitive customer content from public authorities.
Level 4 Highly sensitive or secret customer content belonging to relevant governmental agencies or institutions.
E-commerce uses a lot of personal data, so privacy is of essential concern. In October 2019, Royal Decree No. M/126, the E-Commerce Law, came into force. The law applies to e-commerce service providers, including those who are located outside of Saudi Arabia who offer goods/services to customers based in Kingdom. 
  • Sharia Law:
Under the KSA Basic Law of Governance, the privacy rights of individuals are protected in accordance with Sharia law to the extent that telegraphic, postal, telephone and other means of communications are safeguarded and cannot be confiscated, delayed, read or breached.

Data Interoperability

The need to adopt an interoperability framework has been addressed by the government formally as early as 2006, within the first national digital strategy of the Saudi Government. 
An Interoperability Framework was developed and adopted. It included the definition of common data and technical standards, YEFI (Yesser Framework for Interoperability) and had the objective of allowing ministries and government agencies to exchange data and provide services through the shared integration infrastructure. The excellent facilitation of e-service delivery with ease and coordinated technical features made operability of high priority in digital transformation plans.
Current plans for interoperability focused on the following:
  • Common data standards will define data at business and logical levels, and data schemas will describe the structures used in communication between systems.
  • Metadata standards will define attributes and dictionaries used to catalogue electronic content.
  • Technical standards and policies will ensure interoperability at a technical level, and include connectivity and networking standards, an integration standard and security standards.
Interoperability framework development is not run as a one-time effort but as an ongoing initiative. The digital transformation includes detailed specifications such as those relating to data, metadata, and technical standards. It defines common data structures and data elements as indispensable for ensuring seamless integration of systems and sharing of data across government agencies. The National Interoperability Standard is a much needed document that provides the necessary guidance and data structure definitions to guarantee interoperability, integration, portability and reusability of systems. It defines clearly the standards and regulations enabling them to share and consume services on government technology infrastructure. It also removes ambiguities and inconsistencies in the use of data by mandating an agreed set of data elements and data structures for integration.
The Ministry of Health of the Saudi Government has keen focus on interoperability for the sensitivity of sharing data among different sites and entities. A set of interoperability-related documents were developed outlining the basic guidelines and regulations to secure interoperable data sharing. This Core Interoperability Specification is applicable to existing and new information systems that will exchange Health Information. In particular this Interoperability Specification applies to the deployment of eHealth Information Exchange Platforms. Examples can be found at the National Health Information Center (NHIC) such as:
  • Enabling Standards-Based eHealth Interoperability IS0003 Saudi eHealth Core Interoperability Specification for Sharing Coded Laboratory Results April 21, 2016

Data Policies Regarding Data Exchange

  • Data storage does not exist alone, together with its content and structure of storage other information must be attached to it. Such information must include instructions to issues that are mandatory for the validity of data and its usage. For example, all information stored should have defined the duration of the storage or validity of this data, as a period of time should identify when this data is obsolete or should not be shared anymore. This is called data retention period. Other issues include the following:
  • Information regarding who should keep what data, how long, when, and if it is a maximum or minimum period
  • Legal references and links to the official legal source
  • Up to date data and a schedule of updating frequently
  • Access is protected and controlled 
  • Data shared should be flexible in usage, i.e. in routing, or capturing for individual analytics or report generation
The purpose of collecting personal data is directly related to the objectives of the GOV.SA and shall not conflict with any prescribed provision. The methods and means of collecting personal information be appropriate to the owner's circumstances, direct, clear and secure, and free from deception, misinformation or extortion. If it turns out that the personal data collected is no longer necessary to achieve the purpose of its collection, GOV.SA will stop hoarding it and destroy the previously collected data immediately
The agreement on such standards have been adopted and in use. In addition, the Data Management and Personal Data Protection Standards (as of January 2021) defines these standards. 

Data Management and usage policies

The privacy and data protection policies and regulations of the Kingdom of Saudi Arabia have to be accepted by all authorized users. All data platforms should provide control ability and privileges though the Platform and its application. This agreement becomes effective immediately upon first using or accessing the Platform.  
All collected personal data is directly related to the purposes of the digital government in order to provide easier more efficient online services, which does not conflict with any prescribed provision of data privacy and security regulations and policies. Different methods and means used in collecting personal information must be appropriate to the owner's circumstances, direct, clear, and secure, and free from deception, misinformation or extortion. All data that is no longer necessary to achieve the purpose of its capture and storage by the relevant authority will stop hoarding it and destroy the previously collected data immediately. The following criteria will be insured by the digital government (GOV.SA) before collecting personal data:
  • The justification for collecting personal data.
  • The purpose of collecting the personal data, whether all or part of its collection, is mandatory or optional, with further information about processing the data which is not contrary to the purpose of its collection or otherwise provided by the Law.
  • The identity and reference address of the collector of personal data when appropriate unless it is for security purposes.
  • The entity or entities to which the personal data will be disclosed, described, and whether the personal data will be transferred, disclosed, or processed outside the Kingdom.
  • Other elements as determined by the regulations depend on the nature of the activity exercised by this entity.