Overview on the Data Sharing Act 2025

No.

Matter

Description

Important Definitions

1.     

Definition of “data”

The term “data” has been widely defined under the DSA.

Section 3 of DSA 2025 defines the term “data” as “any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analyzed or processed, whether by an individual or a computer or other means”.

2.     

Definition of “public sector agency”

The term “public sector agency” as defined under Section 3 of DSA 2025 refers to:

(a) the agencies responsible for public services as defined under Article 132(1)(a)-(d) and (h) of the Federal Constitution*, namely:

(i) the armed forces;

(ii) the judicial and legal service;

(iii) the general public service of the Federation;

(iv) the police force; and

(v) the education service; and

(b) statutory authorities that exercise powers conferred upon them by federal legislation.

*The joint public services as referred to in Article 133 of the Federal Constitution, as well as the public services of each States are not subjected to the provisions of DSA 2025.

Procedures for Data Sharing

3.     

Permissible purposes for data sharing

A public sector agency may submit a request to another public sector agency or approve a data sharing request from another public sector agency, where such request is made for the following purposes³:

(a) To enhance the efficiency or effectiveness of policies, programme management, or service planning and delivery by the public sector agencies;

(b) To prevent or reduce threats to an individual’s life, health or safety, or to public health or safety;

(c) To respond to a public emergency;

(d) Where data sharing is in the public interest; or

(e) For any other purpose as determined by the National Data Sharing Committee (“Committee”).

4.     

Request for data sharing

A public sector agency may request data from another public sector agency who control such data* by indicating the following details in its request⁴:

(a) The specific data being requested;

(b) The purpose for requesting the data;

(c) The identities of the public sector agency that will be the recipient and the provider of such data; and

(d) The intended method of handling the requested data.

*A public sector agency is considered to have control of data if the data is in its possession or custody⁵.

* Any open data that is made freely available by any public sector agency may be accessible and shared regardless whether a request is made or not⁶.

5.     

Evaluation by the public sector agency receiving the request

A public sector agency who receives request for data sharing shall conduct evaluation on all of the following points⁷:

(a) Whether the purpose justifies the data sharing;

(b) Whether sharing of the data is contrary to public interest; and

(c) Whether the requesting public sector agency has appropriate security and technical safeguards to protect the data from unauthorized access or use.

6.     

Timeframe to respond to the requesting public sector agency

Once the evaluation process has been completed, the public sector agency must respond within fourteen (14) days from the date of receiving the request, stating whether:

(a) the data requested will be provided (either with or without conditions); or

(b) the request is refused under Section 15 of DSA 2025, as discussed under Paragraph 7 below⁸.

If the response cannot be provided within the aforesaid period, the public sector agency receiving the data sharing request must inform the requesting public sector agency with:

(i) an explanation for the delay in providing the response; and

(ii) the period in which the response will be provided⁹.

7.     

Justifications to refuse data sharing

A public sector agency may refuse to share some or all of the requested data for the following reasons¹⁰:

(a) The requested data could likely reveal, or allow someone to determine, the identity of a confidential source of information relating to the law enforcement or legal administration;

(b) The requested data could likely reveal the identity or existence of someone in a witness protection program;

(c) The requested data could likely disclose investigative methods or procedures, such as intelligence gathering methodologies, investigative technique or technologies, covert practices or information-sharing arrangements between law enforcement agencies;

(d) Sharing the requested data would breach solicitor-client or legal professional privilege and/or a contract or agreement and/or an equitable duty of confidentiality and/or a court or tribunal order;

(e) The requested data involves sensitive matters such as national security or defence and/or investigations into actual or potential breach of any written law and/or inquest or inquiry into a death and/or court or tribunal proceedings;

(f) The public sector agency reasonably believes that sharing the requested data could likely endanger the health, safety or welfare of one or more individuals;

(g) The request is not consistent with the purpose outlined in Section 13 of DSA 2025 (as discussed under Paragraph 3 above) and does not justify data sharing;

(h) The requesting public sector agency lacks appropriate security and technical measures to prevent unauthorized access or use of the data; or

(i) any other reason as the Committee may determine.

8.     

Payment of fees (where applicable)

Public sector agency that shares data is allowed to impose payment of fees for data sharing provided that it is permitted under any other written law¹¹.

Obligations Pertaining to Data Sharing

9.     

Duties imposed on the public sector agency that shares data and the public sector agency that receives the shared data

Both public sector agencies that share data and receive the shared data shall have the following duties in respect of data sharing¹²:

(a) Ensure the shared data is handled in compliance with the applicable legal requirements concerning its custody and control;

(b) Take appropriate steps to safeguard the security and privacy of the data, including:

(i) protecting it from any loss, misuse, unauthorized or accidental modification, access or disclosure, alteration or destruction; and

(ii) preserving individuals’ rights under personal data protection laws;

(c) Maintain records of all details related to the shared data;

(d) Report any unauthorized data sharing to the Director General of the National Digital Department (“Director General”); and

(e) Comply with any other requirements as the Committee may determine.

10.   

Duties imposed on a third party

If the public sector agency that receives the shared data engages a third party to perform data migration, data integration or data analytics using the shared data, the consent of the public sector agency that shares the data must be obtained first before the third party is allowed to handle the shared data¹³.

The third party shall comply with DSA 2025 and adhere to all data security requirements applicable to the shared data¹⁴.

Failure to comply with DSA 2025 and/or data security requirements applicable to the shared data would constitute an offence and if the third party is convicted, it may be liable to a fine of up to RM1 million or imprisonment of up to 5 years or both¹⁵.

11.   

Duty imposed on the officer and servant of the public sector agency that receives the shared data

Any officer or servant of the public sector agency that receives the shared data is prohibited from using or disclosing shared data for any purpose other than the one it was originally shared for¹⁶.

Failure to comply with this obligation would constitute an offence and if the officer or servant of the public sector agency that receives the shared data is convicted, he may be liable to a fine of up to RM1 million or imprisonment of up to 5 years or both¹⁷.

12.   

Duty to report to the Director General

A public sector agency shall, from time to time, provide a written report to the Director General containing¹⁸:

(a) the details of data sharing requests made by another public sector agency;

(b) the responses to those data sharing requests;

(c) the justifications for refusal, if a request for data sharing is refused; and

(d) any other information requested by the Director General.