Data Sharing Bill 2024
InsiderTAPS 13 January 2025
Introduction
The Data Sharing Bill 2024 (“the proposed Act”) was passed by the Dewan Rakyat (House of Representatives) on 12 December 2024 and the Dewan Negara (Senate) on 19 December 2024 and will be presented for Royal Assent. The proposed Act will become law upon being gazetted on a date to be appointed by the Digital Minister. It aims to govern data sharing between public sector agencies to ensure that data and information are streamlined, and security, confidentiality and privacy are safeguarded. The proposed Act is binding upon the Federal Government.[1]
Key Terminology
Public Sector Agency (“PSA”) | a) the agency in charge of the public services referred to in Clause (1) of Article 132 of the Federal Constitution, except the services referred to in paragraphs (f) and (g); and b) any statutory authority exercising powers vested in it by a federal law.
Data | any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed, whether by an individual or a computer or other means.
Data Provider | the public sector agency that shares data to a data recipient under Part IV.
Data Recipient | the public sector agency to which data is shared under Part IV.
Bird’s Eye View
The proposed Act contains 5 parts:
1. Part I – preliminaries such as the terminology and pillars of data sharing.
2. Part II – composition of the National Data Sharing Committee (“NDSC”) and outlines the functions of the NDSC.
3. Part III – duties and powers of the Director General of the National Digital Department (“DG”).
4. Part IV – mechanisms of data sharing including the request for data sharing, purposes of data sharing, grounds for refusal and duties of the data provider and data recipient as well as a third party.
5. Part V – general provisions relating to powers of police, powers of Minister and the liability of management personnel of a statutory body committing an offence.
Pillars of Data Sharing[2]
The proposed Act shall be read together with existing laws governing data sharing. All data sharing activities are deemed to be disclosed under provisions of laws in the Schedule. PSA data shall be handled according to the Official Secrets Act 1972 and any government directives on official document security.
National Data Sharing Committee
The NDSC will be chaired by the Secretary General of the Ministry and the DG will act as the secretary. The members consist of:[3]
a) representatives from each ministry;
b) representative from the Prime Minister’s Department;
c) representative from the National Cyber Security Agency;
d) representative from the Personal Data Protection Department; and
e) Chief Government Security Officer.
The NDSC duties and functions include:[4]
a) formulation of policies and strategies;
b) supervision on the implementation of the proposed Act; and
c) recommendations of steps and administrative actions to address issues in implementing the proposed Act.
The policies and strategies formulated by the NDSC shall encompass data sharing methods and procedures to preserve the privacy and confidentiality of data, and the relevant safeguards and risk assessment framework in handling and storing shared data.
The NDSC may also establish sub-committees to assist in its functions and an NDSC member shall be the chairman of such sub-committee.[5]
The Director General of the National Digital Department
The DG implements policies formulated by the NDSC and holds an advisory role to the NDSC. The DG also coordinates and facilitates data sharing among relevant parties. Additionally, the DG has the authority to require the submission of information and documents and is responsible for issuing circulars and guidelines to ensure compliance and smooth operations.[6]
Data Sharing
i. Permissible Purposes of Data Sharing[7]
a) enhance efficiency and effectiveness of policies, programme management or service planning and delivery by PSA;
b) reduce or prevent threats to life, health or safety;
c) respond to public emergency;
d) public interest; or
e) other purposes determined by the NDSC.
ii. The Procedure for Data Sharing
1. Data Sharing Request
A PSA (hereinafter “potential data recipient”) may request data from another PSA (hereinafter “potential data provider”). Such request must specify the following:[8]
a) the data requested;
b) the purpose for data requested (see Clause 13);
c) the PSA intended to be the data recipient and data provider; and
d) manner of handling the data requested.
Open data may be shared in the absence of a data sharing request.[9]
2. Evaluation
The potential data provider shall evaluate the data sharing request and respond to the potential data recipient within 14 days from receiving the request.[10] If a potential data provider needs more time to respond, it must inform the potential data recipient of the reasons for delay and specify when a response will be given.[11] The potential data provider must evaluate:[12]
a) whether the specified purpose warrants data sharing;
b) whether data sharing is against public interest; and
c) whether the potential data recipient has the appropriate security and technical safeguards.
3. Decision
After the evaluation, the potential data provider shall accept the data sharing request conditionally or unconditionally or refuse the data sharing request on the following grounds:[13]
a) data requested could reasonably be expected to disclose:
   i. or enable a person to ascertain the identity of a confidential source of information relating to the enforcement or administration of law;
   ii. the existence or identity of a person included in a witness protection programme;
   iii. investigative measures or procedures, including intelligence gathering methodologies, investigative techniques or technologies, covert practices or information sharing arrangements between law enforcement agencies.
b) data sharing will constitute a breach of:
   i. solicitor-client privilege or legal professional privilege;
   ii. agreement of contract;
   iii. equitable obligation of confidence; or
   iv. order of court or tribunal.
c) data requested involves:
   i. national security or defence;
   ii. investigation of breach or possible breach of any written law; or
   iii. proceeding before court or tribunal.
d) the potential data provider believes on reasonable grounds that data sharing would likely endanger the health, safety or welfare of one or more individuals;
e) data requested is inconsistent with the purpose specified and does not warrant the data to be shared;
f) the potential data recipient does not possess appropriate security and technical safeguards; or
g) other reasons determined by the NDSC.
Data sharing may be subject to a fee imposed by the data provider.[14]
iii. Duties of the Data Provider and Data Recipient
Provision | Highlights
Clause 16: Duty towards shared data | 1. Ensure the management and maintenance of shared data complies with legal requirements; 2. Implement measures to ensure the security and privacy of shared data including protection from loss, misuse etc. and for personal data, safeguarding the individual’s rights; 3. Keep records of all particulars relating to shared data; 4. Report any unauthorised sharing to the DG; and 5. Other requirements determined by the NDSC.
Clause 21: Duty to report | Furnish a written report to the DG from time to time as the DG may require on: a) particulars of data sharing request; b) response to data sharing request; c) reasons for refusal; and d) other information the DG may require.
Clause 23: Duty of secrecy | Officers or servants shall not, either during or after their tenure, disclose information obtained during their duties, except for any of the purposes of the proposed Act or for the purposes of any civil or criminal proceedings under any written law. Contravention of this Clause is an offence punishable by: a) fine not exceeding RM1 million; b) imprisonment not exceeding 5 years; or c) both.
Clause 18: Duty to non-disclosure | The officers or servants of the data recipient shall use or disclose the shared data for the specified purpose only. Contravention of this Clause is an offence punishable by: a) fine not exceeding RM1 million; b) imprisonment not exceeding 5 years; or c) both.
Clause 17 (1): Duty to obtain consent | a) The data recipient must obtain the data provider’s consent before engaging a third party to conduct data migration, integration[15] or analytics work[16].
iv. Third-Party Obligations
The third party in Clause 17(1) shall comply with the proposed Act and requirements relating to the security of shared data.[17] Non-compliance with the proposed Act is an offence punishable by:[18]
a) fine not exceeding RM1 million;
b) imprisonment not exceeding 5 years; or
c) both.
General Provisions
General provisions of the proposed Act:
a) police’s powers to commence inspection or investigations for offences under the proposed Act;[19]
b) power to prosecute or consent to prosecution vest in the Public Prosecutor;[20]
c) Minister’s power to impose on or exempt persons or class of persons from the application of the proposed Act;[21]
d) Minister’s power to give directions to the DG;[22]
e) Minister’s power to amend the Schedule;[23]
f) exemption from liability for the Minister, any member of the NDSC, the DG or officers and servants of PSA;[24] and
g) liability of a person who at the time of commission by a statutory body of an offence under the proposed Act was a director, compliance officer, manager, secretary or other similar officer or was purporting to act in the capacity or was in any manner or to any extent responsible for the management of any of the affairs of the statutory body or was assisting in its management.[25]
Commentary
The Digital Minister said the passing of the law is essential towards creating an ecosystem for innovation to thrive, allowing digital services and solutions to be put into effect quickly and efficiently. It requires the NDSC to determine if the PSA requesting the data has “sufficient cyber security measures in place” before a decision can be made to release the data. The NDSC will assess the nature of the data, the purpose for which the data is requested, the manner in which the data requested will be handled, as well as the safeguards that will preserve “the privacy and confidentiality” of the said data.[26] Apart from data security, confidentiality and privacy, the proposed Act is intended to regulate data sharing and cloud storage among government agencies, reduce the cost of data storage and prevent the duplication of data storage in the public sector, among others.[27] The proposed Act is timely to facilitate the country’s digital transformation.
This article is authored by our Partner, Ms Lee Lin Li, Partner, Mr Ng Kim Poh and our pupil, Ms Wong Yun Xin. The information in this article is intended only for general information and is not a legal opinion or professional advice.
[1] Clause 2
[2] Clause 4
[3] Clause 6(1)
[4] Clause 6(2)
[5] Clause 10
[6] Clause 11
[7] Clause 13
[8] Clause 12(2)
[9] Clause 20
[10] Clause 14(2)
[11] Clause 14(3)
[12] Clause 14(1)
[13] Clause 15
[14] Clause 19
[15] Clause 3. The process of combination of data.
[16] Clause 3. The examination and analysis of data for the purpose of drawing conclusions as a result of that examination and analysis.
[17] Clause 17(2)
[18] Clause 17(3)
[19] Clause 22
[20] Clause 25
[21] Clause 27
[22] Clause 28
[23] Clause 29
[24] Clause 24. Unless it can be proven the act, neglect or default was done or omitted in bad faith and without reasonable cause.
[25] Clause 26. Unless it can be proven that the offence was committed (i) without his knowledge or (ii) without his consent or connivance and he had taken all reasonable precautions and exercised due diligence to prevent the commission of the offence.
[27] https://www.thestar.com.my/news/nation/2024/07/03/omnibus-bill-will-regulate-data-sharing-among-govt-agencies-says-gobind
Written by:
Lee Lin Li
Partner
T: +603 2050 1898
linli.lee@taypartners.com.my
Ng Kim Poh
Partner
T: +603 2050 1870
kimpoh.ng@taypartners.com.my
Wong Yun Xin
Pupil
yunxin.wong@taypartners.com.my