Data Sharing Policy

 

Data Sharing Policy

Introduction

Data sharing among various sectors within the Saudi Space Agency, as well as with external entities, is both essential and sensitive. In support of integration and facilitation of service delivery, and in order to achieve a balance between enabling data sharing and ensuring data confidentiality and protection, this Policy has been established to define the principles governing data sharing.

Purpose

This Policy aims to define the standards governing the sharing of all data processed or controlled by the Agency, ensuring the highest levels of data protection. Agency data shall only be shared through the Data Management Office, using authorized users and approved systems.

Scope and Applicability

• This Policy applies to Agency data shared with government entities, private entities, or individuals, regardless of its source, format, or nature. This includes paper records, emails, electronic data, audio and video recordings, maps, photographs, manuscripts, handwritten documents, or any other form of recorded data.
• This Policy does not apply to private sector data or data owned by individuals. It also does not apply where the requesting entity is a government entity seeking data for security purposes, judicial requirements, or in implementation of an international agreement to which the Kingdom is a party.

Policy Owner

The Data Management Office at the Saudi Space Agency is the owner of this Policy and is responsible for its update and publication.

Data Sharing Request Procedures

• First: Data sharing requests shall be submitted by contacting the Agency’s Data Management Office to obtain the Data Sharing Request Form via email at DMO@SSA.GOV.SA. The requester shall complete the form and submit it to the Office to initiate the required procedures.
• Second: The request shall be assessed to ensure the existence of a legitimate purpose and that the requested data is limited to the minimum necessary. The requester shall be notified of the data sharing decision accordingly.
• Third: In the event that the data sharing request is not approved, the requester shall have the right to fulfill the required conditions to comply with all applicable principles and submit an appeal for re-evaluation of the request.
• Fourth: Upon fulfillment of all data sharing requirements, the appropriate controls shall be determined to ensure compliance with data sharing principles and to achieve the defined objectives.
• Fifth: A Data Sharing Agreement shall be executed if the requester is a non-governmental entity. If the requester is a governmental entity, the applicable data sharing controls shall be fulfilled in accordance with approved procedures.
• Sixth: Once all data sharing requirements are met, the requested data shall be shared with the requester in accordance with the specified timelines.

Relevant Legislation and Policies

• Personal Data Protection Law – Saudi Data & AI Authority (SDAIA)
• National Data Governance Policies – Saudi Data & AI Authority (SDAIA)
• National Data Management Office Standards and Specifications – Saudi Data & AI Authority (SDAIA)
• National Data Index – Saudi Data & AI Authority (SDAIA)
• Data Governance Platform – Saudi Data & AI Authority (SDAIA)
• Anti-Cybercrime Law – Saudi Data & AI Authority (SDAIA)

Main Principles of Data Sharing

First: Promoting a Data Sharing Culture

The Agency shares key data it produces to achieve integration with other entities in accordance with this Policy.

Second: Once-Only Principle

Data shall be collected once, with the ability to reuse and share it to reduce duplication and ensure data quality and timeliness.

Third: Legitimate Purpose

Data shall be shared for legitimate purposes based on a legal basis or justified operational need.

Fourth: Authorized Access

Access and use shall be limited to authorized individuals in accordance with the Data Classification Policy.

Fifth: Transparency

Clarifying the requested data, its classification level, purpose of use, and protection controls.

Sixth: Shared Responsibility

All parties involved shall share responsibility for data sharing and processing decisions.

Seventh: Data Security

Applying approved security controls in accordance with applicable laws and regulations.

Eighth: Ethical Use

Ensuring data is used in accordance with principles of integrity, fairness, and accountability.

Data Sharing Controls

• Legal Basis: Defining the legal or operational basis for data sharing.
• Authorization: Identifying authorized entities and individuals requesting and receiving data.
• Data Type: Defining the minimum required data, its format, and level of detail.
• Data Pre-processing: Identifying the need for anonymization, masking, or aggregation.
• Data Sharing Methods: Defining secure physical and digital data sharing channels.
• Data Use and Retention: Defining usage restrictions, protection requirements, and disposal mechanisms.
• Duration of Sharing: Defining sharing duration, review mechanisms, and termination procedures.
• Liability Provisions: Defining responsibilities, corrective actions, and dispute resolution mechanisms.