Tay & Partners

Data Sharing Bill 2024

InsiderTAPS 13 January 2025


Introduction

The Data Sharing Bill 2024 (“the proposed Act”) was passed by the Dewan Rakyat (House of Representatives) on 12 December 2024 and the Dewan Negara (Senate) on 19 December 2024 and will be presented for Royal Assent. The proposed Act will become law upon being gazetted on a date to be appointed by the Digital Minister. It aims to govern data sharing between public sector agencies to ensure that data and information are streamlined, and security, confidentiality and privacy are safeguarded. The proposed Act is binding upon the Federal Government.[1]

Key Terminology

Public Sector Agency (“PSA”)

a)    the agency in charge of the public services referred to in Clause (1) of Article 132 of the Federal Constitution, except the services referred to in paragraphs (f) and (g); and

b)    any statutory authority exercising powers vested in it by a federal law.

Data

any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed, whether by an individual or a computer or other means.

Data Provider

the public sector agency that shares data to a data recipient under Part IV.

Data Recipient

the public sector agency to which data is shared under Part IV.

 

Bird’s Eye View

The proposed Act contains 5 parts:

1.    Part I – preliminaries such as the terminology and pillars of data sharing.

2.    Part II – composition and functions of the National Data Sharing Committee (“NDSC”).

3.    Part III – duties and powers of the Director General of the National Digital Department (“DG”).

4.    Part IV – mechanisms of data sharing including the request for data sharing, purposes of data sharing, grounds for refusal and duties of the data provider and data recipient as well as a third party.

5.    Part V – general provisions relating to powers of police, powers of Minister and the liability of management personnel of a statutory body committing an offence.

 

Pillars of Data Sharing[2]

The proposed Act shall be read together with existing laws governing data sharing. All data sharing activities are deemed to be disclosed under provisions of laws in the Schedule. PSA data shall be handled according to the Official Secrets Act 1972 and any government directives on official document security.

 

National Data Sharing Committee

The NDSC will be chaired by the Secretary General of the Ministry and the DG will act as the secretary. The members consist of:[3]

a)    representatives from each ministry;

b)    representative from the Prime Minister’s Department;

c)    representative from the National Cyber Security Agency;

d)    representative from the Personal Data Protection Department; and

e)    Chief Government Security Officer.

 

The NDSC duties and functions include:[4]

a)    formulation of policies and strategies;

b)    supervision of the implementation of the proposed Act; and

c)    recommendations of steps and administrative actions to address issues in implementing the proposed Act.

 

The policies and strategies formulated by the NDSC shall encompass data sharing methods and procedures to preserve the privacy and confidentiality of data, and the relevant safeguards and risk assessment framework in handling and storing shared data.

 

The NDSC may also establish sub-committees to assist in its functions, and an NDSC member shall be the chairman of any such sub-committee.[5]

 

The Director General of the National Digital Department

The DG implements policies formulated by the NDSC and holds an advisory role to the NDSC. The DG also coordinates and facilitates data sharing among relevant parties. Additionally, the DG has the authority to require the submission of information and documents and is responsible for issuing circulars and guidelines to ensure compliance and smooth operations.[6]

 

Data Sharing

i.          Permissible Purposes of Data Sharing[7]

a)    enhance efficiency and effectiveness of policies, programme management or service planning and delivery by PSA;

b)    reduce or prevent threats to life, health or safety;

c)    respond to public emergency;

d)    public interest; or

e)    other purposes determined by the NDSC.

 

ii.         The Procedure for Data Sharing

1.    Data Sharing Request

A PSA (hereinafter “potential data recipient”) may request data from another PSA (hereinafter “potential data provider”).

Such request must specify the following:[8]

a)    the data requested;

b)    the purpose for which the data is requested (see Clause 13);

c)    the PSA intended to be the data recipient and data provider; and

d)    manner of handling the data requested.

 

Open data may be shared in the absence of a data sharing request.[9]

 

2.    Evaluation

The potential data provider shall evaluate the data sharing request and respond to the potential data recipient within 14 days from receiving the request.[10] If a potential data provider needs more time to respond, it must inform the potential data recipient of the reasons for delay and specify when a response will be given.[11]

 

The potential data provider must evaluate:[12]

a)    whether the specified purpose warrants data sharing;

b)    whether data sharing is against public interest; and

c)    whether the potential data recipient has the appropriate security and technical safeguards.

 

3.    Decision

After the evaluation, the potential data provider shall accept the data sharing request conditionally or unconditionally or refuse the data sharing request on the following grounds:[13]

a)    data requested could reasonably be expected to disclose:

                              i.        or enable a person to ascertain the identity of a confidential source of information relating to the enforcement or administration of law;

                             ii.        the existence or identity of a person included in a witness protection programme;

                            iii.        investigative measures or procedures, including intelligence gathering methodologies, investigative techniques or technologies, covert practices or information sharing arrangements between law enforcement agencies.

b)    data sharing will constitute a breach of:

                              i.        solicitor-client privilege or legal professional privilege;

                             ii.        agreement of contract;

                            iii.        equitable obligation of confidence; or

                           iv.        order of court or tribunal.

c)    data requested involves:

                              i.        national security or defence;

                             ii.        investigation of breach or possible breach of any written law; or

                            iii.        proceeding before court or tribunal.

d)    the potential data provider believes on reasonable grounds that data sharing would likely endanger the health, safety or welfare of one or more individuals;

e)    data requested is inconsistent with the purpose specified and does not warrant the data to be shared;

f)     the potential data recipient does not possess appropriate security and technical safeguards; or

g)    other reasons determined by the NDSC.

 

Data sharing may be subject to a fee imposed by the data provider.[14]

 

iii.        Duties of the Data Provider and Data Recipient

Provision – Highlights

Clause 16 – Duty towards shared data

1.    Ensure the management and maintenance of shared data complies with legal requirements;

2.    Implement measures to ensure the security and privacy of shared data including protection from loss, misuse etc. and for personal data, safeguarding the individual’s rights;

3.    Keep records of all particulars relating to shared data;

4.    Report any unauthorised sharing to the DG; and

5.    Other requirements determined by the NDSC.

Clause 21 – Duty to report

Furnish a written report to the DG from time to time as the DG may require on:

a)    particulars of data sharing request;

b)    response to data sharing request;

c)    reasons for refusal; and

d)    other information the DG may require.

Clause 23 – Duty of secrecy

Officers or servants shall not, either during or after their tenure, disclose information obtained during their duties, except for any of the purposes of the proposed Act or for the purposes of any civil or criminal proceedings under any written law.

Contravention of this Clause is an offence punishable by:

a)    fine not exceeding RM1 million;

b)    imprisonment not exceeding 5 years; or

c)    both.

Clause 18 – Duty to non-disclosure

The officers or servants of the data recipient shall use or disclose the shared data for the specified purpose only.

Contravention of this Clause is an offence punishable by:

a)    fine not exceeding RM1 million;

b)    imprisonment not exceeding 5 years; or

c)    both.

Clause 17 (1) – Duty to obtain consent

a)    The data recipient must obtain the data provider’s consent before engaging a third party to conduct data migration, integration[15] or analytics work[16].

 

iv.        Third-Party Obligations

The third party in Clause 17(1) shall comply with the proposed Act and requirements relating to the security of shared data.[17] Non-compliance with the proposed Act is an offence punishable by:[18]

a)    fine not exceeding RM1 million;

b)    imprisonment not exceeding 5 years; or

c)    both.

 

General Provisions

General provisions of the proposed Act:

a)    police’s powers to commence inspection or investigations for offences under the proposed Act;[19]

b)    power to prosecute or consent to prosecution vests in the Public Prosecutor;[20]

c)    Minister’s power to impose on or exempt persons or class of persons from the application of the proposed Act;[21]

d)    Minister’s power to give directions to the DG; [22]

e)    Minister’s power to amend the Schedule;[23]

f)     exemption from liability for the Minister, any member of the NDSC, the DG or officers and servants of PSA;[24] and

g)    liability of a person who at the time of commission by a statutory body of an offence under the proposed Act was a director, compliance officer, manager, secretary or other similar officer or was purporting to act in the capacity or was in any manner or to any extent responsible for the management of any of the affairs of the statutory body or was assisting in its management.[25]

 

Commentary

The Digital Minister said the passing of the law is essential towards creating an ecosystem for innovation to thrive, allowing digital services and solutions to be put into effect quickly and efficiently. It requires the NDSC to determine if the PSA requesting the data has “sufficient cyber security measures in place” before a decision can be made to release the data. The NDSC will assess the nature of the data, the purpose for which the data is requested, the manner in which the data requested will be handled, as well as the safeguards that will preserve “the privacy and confidentiality” of the said data.[26] Apart from data security, confidentiality and privacy, the proposed Act is intended to regulate data sharing and cloud storage among government agencies, reduce the cost of data storage and prevent the duplication of data storage in the public sector, among others.[27] The proposed Act is timely to facilitate the country’s digital transformation.


This article is authored by our Partner, Ms Lee Lin Li, Partner, Mr Ng Kim Poh and our pupil, Ms Wong Yun Xin. The information in this article is intended only for general information and is not a legal opinion or professional advice.

 

 



[1] Clause 2

[2] Clause 4

[3] Clause 6(1)

[4] Clause 6(2)

[5] Clause 10

[6] Clause 11

[7] Clause 13

[8] Clause 12 (2)

[9] Clause 20

[10] Clause 14 (2)

[11] Clause 14 (3)

[12] Clause 14 (1)

[13] Clause 15

[14] Clause 19

[15] Clause 3. The process of combination of data.

[16] Clause 3. The examination and analysis of data for the purpose of drawing conclusions as a result of that examination and analysis.

[17] Clause 17(2)

[18] Clause 17(3)

[19] Clause 22

[20] Clause 25

[21] Clause 27

[22] Clause 28

[23] Clause 29

[24] Clause 24. Unless it can be proven the act, neglect or default was done or omitted in bad faith and without reasonable cause.

[25] Clause 26. Unless it can be proven that the offence was committed (i) without his knowledge or (ii) without his consent or connivance and he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.

[27] https://www.thestar.com.my/news/nation/2024/07/03/omnibus-bill-will-regulate-data-sharing-among-govt-agencies-says-gobind

 


 


Written by:


Lee Lin Li
Partner
T: +603 2050 1898
linli.lee@taypartners.com.my


Ng Kim Poh
Partner
T: +603 2050 1870
kimpoh.ng@taypartners.com.my


Wong Yun Xin
Pupil
yunxin.wong@taypartners.com.my