Security and Privacy Regulations

Freedom of Information Policy and Regulation

Freedom of Information in Saudi Arabia is a cornerstone of information policies, which stresses the rights to information policy related to confidential public information. Regulations are set for the eligibility of requesting information and the rights of individuals to obtain information based on five conditions, while identifying which information can be requested and which can be excluded. There are official steps and procedures for requesting access to information, which identify the platforms on which citizens may apply and provide contact information for the relevant entities to contact with any inquiries on freedom of information policy.

Freedom of Information concerns unprotected or confidential public information that the platform processes, regardless of its source, form, or nature; open data falls under public information. The process of providing individuals with public data for a fee is called "freedom of information," or, as it is also known, "the policy of the right to information."

Freedom of Information Regulation

The Freedom of Information Interim Regulations set the legal basis for the rights of individuals to access public sector information and the obligations of public entities for all requests coming from any individual to access or obtain public information that is not protected and is produced or held by public entities, regardless of the source, form or nature. This includes paper records, emails, information stored on computers, audio or video cassettes, microfiche, maps, photographs, handwritten notes or any other form of recorded information. In addition, the Regulation defines the roles and responsibilities of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, as well as the obligations of the National Data Management Office (NDMO) and the National Information Center (NIC).

Every individual has the right to request and obtain information related to the platform's activities and has the right to view such unprotected public information in exchange for a financial fee. The applicant doesn't need to have a certain quality or interest in this information to obtain it, nor will it expose the person to any legal accountability related to this right, which strengthens the system of integrity, transparency, and accountability.

Individuals' rights to obtain information

  • The individual has the right to submit a request to obtain or access any information not protected by public authorities.
  • The individual has the right to know the reason for the rejection of the request for access or to see the requested information.
  • The individual has the right to file a grievance against the decision to reject the request to obtain or access the requested information.
  • All requests to access or obtain public information are dealt with on the basis of equality and non-discrimination between individuals.
  • Any restrictions on requesting access to protected information that the platform receives, produces or deals with should be justified clearly and explicitly.

The policy applies to all requests to access "unprotected and open data" information, for a fee or free, regardless of its source, form, or nature, to improve the performance and efficiency of work and benefit from the data. Excluded information, to which the provisions of this policy do not apply, is classified as "protected information", such as:

  • Information whose disclosure harms the state's national security, policy, interests, or rights.
  • Information that includes recommendations, suggestions, or consultations for the issuance of legislation or a government decision that has not yet been issued.
  • Information of a commercial, industrial, financial or economic nature, the disclosure of which would lead to achieving a profit or incurring a loss in an illegal manner.
  • Scientific or technical research, or rights that contain an intellectual property right whose disclosure leads to an infringement of a moral right.
  • Information related to bids and auctions, the disclosure of which would prejudice the fairness of competition.
  • Information that is confidential or personal under another system and requires specific legal procedures to access or obtain it.
  • Military and security information.
  • Information and documents obtained by an agreement with another country and classified as protected.
  • Investigations, seizures, inspections, and surveillance related to a crime, violation, or threat.

For more information regarding commitment of public entities and general provisions please check here

Privacy and Data Protection Regulation

The Kingdom of Saudi Arabia has adopted strong personal data protection laws and policies to secure users' privacy.
In fact, the National Data Management Office introduced very detailed data protection standards in January 2021, which clearly set complete standards for the protection of Data Management and Personal Data.

Protection Standards

The Personal Data Protection Law and its executive regulations set the legal basis for the protection of citizens’ rights regarding the processing of personal data by all entities inside the Kingdom, as well as all entities abroad that process personal data related to individuals residing in the Kingdom using any means, including online personal data processing. The fundamental principles of the national data protection policy include Accountability, Transparency, Choice and Consent, Limiting Data Collection, Use, Retention and Destruction of data, Access to data, Data Disclosure Limitation, data quality, and other detailed principles.
The first comprehensive national data protection law in Saudi Arabia has been issued to regulate the collection and processing of personal information. This law will accelerate Saudi Arabia’s digitization efforts while helping to create a digital information-based society.
The Personal Data Protection Law (PDPL) was adopted by Royal Decree on 16 September 2021 (approving Resolution No. 98 dated 4 September 2021). The Saudi Data & Artificial Intelligence Authority (SDAIA) will be mandated with the implementation of the new legislation for the first two years, following which a transfer of supervision to the National Data Management Office (NDMO), the regulatory arm of SDAIA, will be considered.

The main objective of this law is to protect “personal data”, i.e., any information, in whatever form, through which a person may be directly or indirectly identified, such as an individual’s name, identification number, addresses and contact numbers, photographs, and video recordings of the person.
Many of the features of this law are consistent with concepts and principles contained in other international data protection laws, such as data subject rights, data controller registration and obligations, data subjects’ consent and withdrawals, privacy policy, managing the purpose limitation and data minimization of use. 
In other scenes of Data Privacy Landscape in Saudi Arabia 

Other relevant legislation and regulations

Universal Service Policy

The Government of the Kingdom of Saudi Arabia considers access to voice telephony and internet services for all segments of society to be an essential element of its development strategy. The information and communications technologies (ICT) sector is a driving force for the economy as a whole, and a contributor to social, cultural, and national development.
While significant progress has been made in the development and liberalization of the ICT sector, more effort should be made to bring the benefits of ICTs to all populations of the Kingdom of Saudi Arabia. To achieve this, the Ministry of Communications and Information Technology approved the Universal Access and Universal Service Policy on 17/06/2006. The Policy sets out the basis, principles and conditions relating to the provision of Universal Access and Universal Service in the Kingdom. The policy further directs the Communications and Information Technology Commission (CITC) to issue a decision to establish the Universal Service Fund (USF).
Accordingly, Decision 165/1428 was issued on 04/06/2007. The Decision further specifies the legal and procedural nature of the USF and other necessary ancillary matters. The mechanism promotes a fair bidding process among invited parties for the corresponding USF Project. The USF focuses exclusively on financing new networks and/or services to provide Universal Access and Universal Services to geographic areas that are in the commercially unprofitable underserved zones. The USF projects have been funded by the government since the beginning of its operation.
The USF started to prepare its strategic and annual operating plans, including the programs and projects that will be implemented to provide voice and internet services. The formal operation of the USF began in 2010, when the first operating plan was approved. Subject to availability of funds, the USF continued annually in the preparation of operating plans, tendering and awarding projects.

KSA Cloud-First Policy

The government policy referred to as KSA’s “Cloud First Policy” (CFP) covers Governmental entities and was introduced to accelerate the adoption of Cloud computing services by directing these entities to consider Cloud options when making new IT investment decisions. The private sector is encouraged to follow the same exercise by having an internal CFP. This policy was defined in line with the key pillars of KSA’s ambitious Vision 2030. The policy hence caters for the strategy of the National Information Center (NIC), the entity that will serve as the primary Cloud Service Provider (CSP) for Government related data. The Kingdom of Saudi Arabia is one of the leading countries in the ICT sector in a wide region of the world including the Middle East and North Africa (MENA) region. It is well positioned to make the most of this Cloud computing opportunity, through becoming one of the best integrated infrastructure services and technically advanced in the Cloud computing industry and the ICT industry in general. This document complements the Cloud computing regulations issued or to be issued by other governmental entities.

In its inherent definition, a Cloud First Policy is meant to define and typically stimulate public sector migration from traditional IT solutions to Cloud-based models. A major reason for adopting such a policy is to enhance efficiency in different ways, such as using cloud computing for resource pooling and sharing across different applications and entities, leading to an increased utilization of the assets. It is widely noticed that migration of infrastructure to Cloud typically results in ~30% savings in terms of total cost of ownership. Additionally, Cloud computing serves as a catalyst which can accelerate the implementation of Data Center Consolidation initiatives.

Cloud computing provides a more interoperable and portable environment for data and systems that would help achieve seamless communication between the different entities. 
Another benefit of using this policy is that it provides more robust cyber security: beyond achieving a more efficient, innovative, and agile environment, cloud computing helps to improve overall cyber security. The government realizes that employees of cloud computing platforms in the government and commercial government should be qualified Saudis and that the hosting is in the Kingdom without the ability to access it remotely from outside the Kingdom.
The Cloud First Policy of Saudi Arabia is adopted due to the extensive benefits of cloud computing. This policy is intended to accelerate the pace at which Governmental entities are migrating from traditional IT solutions to cloud solutions, which will serve as a key pillar in supporting and driving the digital transformation in KSA. Entities covered by the scope of this policy are required to consider cloud computing options when making new IT investment decisions, with the goal to achieve the following:

  • Increase the quality of service by using more agile, innovative solutions in the Government services sector (e-services).
  • Reduce total cost of ownership by improving IT utilization, aggregating demand and removing duplications in Governmental IT spend.
  • Improve cyber security robustness by using accredited platforms with best-in-class cyber security standards and leveraging Cloud service providers’ expertise in this domain.
  • Enable interoperability with other entities. 

This policy is applicable to all governmental entities with the exception of the Saudi Arabian Monetary Authority and other entities primarily responsible for national security and defense, such as the Ministry of Defense (MoD), the Presidency of State Security (PSS), the Ministry of Interior (MoI) and the National Cybersecurity Authority (NCA).