Data Sharing Policy and Procedures

Definitions

  • Data: A set of facts in its raw form or in an unorganized format such as numbers, letters, still images, videos, audio recordings, or emojis.
  • Requester: Any governmental or private entity, or individual, submitting a request for data sharing.
  • Source Entity: The government entity responsible for setting technical standards, data verification, and retention.
  • Authorized Entity: The entity authorized to share data by the source entity, according to the procedures outlined in this policy.
  • Recipient Entity: Any governmental entity to which a data sharing request is submitted, whether it is the source or authorized entity.
  • Data Sharing Parties: Any entity that is a party to the data sharing process, including the requester and the recipient entity.
  • Data Sharing Agreement: A standard agreement signed between two parties when government entities share data with private entities or individuals, outlining roles and responsibilities as per this policy.
  • Data Sharing Controls Template: A standard template including necessary controls for handling data and determining roles and responsibilities if data sharing parties are governmental entities.
  • The Authority: The Saudi Data and Artificial Intelligence Authority (SDAIA).
  • The Office: National Data Management Office (NDMO).
  • Entity’s Office: The Data Management Office within the governmental entity.
  • Government Integration Channel: A secure channel for data sharing between government entities to achieve integration and enable service automation.
  • Data Marketplace: A platform that automates all data sharing operations—according to this policy—among government entities. The platform enables entities to subscribe to published data sharing services (APIs) or request new services.
  • Metadata: Detailed information describing data and its usage characteristics, whether business, technical, or operational data.

Objective

The purpose of the Data Sharing Policy is to promote data sharing for achieving integration between government entities and obtaining data from its original sources. This policy aligns with national data and AI authority standards.

Scope

This policy applies to all data produced by the university for sharing with other government entities, private entities, or individuals, regardless of the data's source, form, or nature.

The provisions of this policy do not apply if the requester is a government entity and the request is for security or judicial purposes.

Main Principles of Data Sharing

  • Promoting a Culture of Sharing: The university shares its key data to achieve integration and adopts the "once-only" principle to obtain data from correct sources and reduce duplication.
  • Legitimacy of Purpose: Data is shared for legitimate purposes, based on legal or practical need for public interest, without harming national interests or individuals.
  • Authorized Access: All sharing parties must have authorized access to the data, with the necessary skills and training, as well as security clearance if needed.
  • Transparency: All sharing parties must provide all necessary information for exchanging data, including data required, purpose of collection, means of transfer and storage, and applied protection controls.
  • Shared Responsibility: All parties involved in data sharing are jointly responsible for sharing and processing decisions and for applying the security controls stipulated in agreements and relevant policies.
  • Data Security: All parties must apply appropriate security controls to protect shared data in a secure and trusted environment.
  • Ethical Use: All parties must adhere to ethical practices during the data sharing process to ensure fairness, honesty, respect, and integrity—not merely compliance with security or regulatory requirements.

Steps Required for Data Sharing

  • First: The requester (government, private entity, or individual) sends a data sharing request to the university's Data Management Office, through the requester's Data Management Office if the requester is a government entity.
  • Second: The university's Data Management Office refers the request to the relevant business data representative, who directs it to a business data specialist for evaluation and processing.
  • Third: The specialist verifies the classification level of the requested data. If not specified, the university's Data Management Office classifies the data as per the Data Classification Policy. If clas