Malaysian Data Sharing Act 2025

The Data Sharing Act 2025 is a Malaysian law enacted to regulate how data controlled by public sector agencies is shared with other public sector agencies. It establishes the National Data Sharing Committee and defines the duties and powers of the Director General of the National Digital Department. The Act provides a legal framework to ensure efficient, secure, and privacy-conscious data sharing between government entities while safeguarding sensitive information.

The Act received Royal Assent on 5 February 2025 and was published in the Gazette on 20 February 2025.


Objectives of the Act

The Act aims to:

  • Facilitate efficient sharing of data between government agencies.
  • Ensure data security and privacy protections.
  • Establish clear procedures for data requests, approvals, and refusals.
  • Introduce accountability mechanisms, including penalties for data misuse.
  • Strengthen Malaysia’s digital governance by integrating data policies with existing laws.

Key components of the Act

1. Scope and applicability

  • The Act binds the Federal Government and applies to all public sector agencies.
  • It focuses exclusively on data sharing between government bodies, not with private entities.
  • It integrates with other written laws and does not override them — particularly the Official Secrets Act 1972 and other statutes listed in its Schedule.

2. Pillars of data sharing

The Act is built on three main principles:

  • Complementarity with existing laws: Data sharing is allowed under current written laws, but this Act provides an additional legal framework.
  • Legal compliance: Shared data remains subject to relevant legislation, especially where classified or sensitive information is concerned.
  • Security alignment: Official documents must comply with government security directives.

3. National Data Sharing Committee (NDSC)

The Act establishes the NDSC to oversee implementation and governance.

Composition:

  • Chaired by the Secretary General of the Ministry responsible for digital affairs.
  • Includes representatives from:
    • All ministries
    • The Prime Minister’s Department
    • Chief Government Security Office
    • National Cyber Security Agency (NACSA)
    • Personal Data Protection Department (PDPD)

Functions:

  • Formulate policies and strategies on data sharing.
  • Oversee implementation and resolve administrative challenges.
  • Develop database policies and data-sharing methods.
  • Ensure privacy, security safeguards, and risk assessment frameworks.

4. Powers and duties of the Director General

The Director General of the National Digital Department is the key executive authority.
Responsibilities include:

  • Implementing policies and strategies set by the NDSC.
  • Coordinating and facilitating data sharing between agencies.
  • Issuing guidelines and circulars.
  • Requiring agencies to provide relevant documents or information.
  • Advising the NDSC on operational issues.

5. Data sharing process

Requesting data:

  • Only public sector agencies may request data.
  • Requests must specify:
    • The data required.
    • The purpose of use.
    • The roles of data provider and data recipient.
    • Handling procedures for the requested data.

Valid purposes (Section 13):

  • Improving policy, programme, or service delivery efficiency.
  • Responding to emergencies and public health/safety threats.
  • Acting in the public interest.
  • Other purposes as determined by the NDSC.

Evaluation and response (Section 14):

  • The receiving agency must assess:
    • Relevance of the purpose.
    • Public interest implications.
    • Availability of sufficient security safeguards.
  • Responses must be provided within 14 days, with possible extensions if justified.

6. Grounds for refusal

Agencies may refuse data sharing if:

  • It exposes confidential sources or witness protection identities.
  • It reveals national security information or investigative procedures.
  • It violates legal privileges, contracts, or court orders.
  • It endangers health, safety, or welfare.
  • The requesting agency lacks adequate security safeguards.
  • The request conflicts with the purposes defined under Section 13.

7. Data protection and third-party involvement

Responsibilities of providers and recipients (Section 16):

  • Maintain compliance with all legal requirements.
  • Implement measures to protect data against loss, misuse, or unauthorised access.
  • Preserve personal data protection rights.
  • Keep detailed records and report unauthorised sharing.

Third-party handling (Section 17):

  • Third parties may process data only with the provider’s consent.
  • Third parties must comply with all security obligations.
  • Non-compliance can result in penalties of up to RM1 million or 5 years’ imprisonment.

8. Restrictions on use and disclosure

  • Shared data cannot be used for purposes beyond those approved.
  • Unauthorised disclosure carries fines up to RM1 million or imprisonment of up to 5 years, or both (Section 18).

9. Open data provisions

  • Open data made freely available by public agencies can be shared without formal requests (Section 20).
  • This aligns with Malaysia’s broader open data policies.

10. Enforcement and penalties

  • Police officers of the rank of sergeant and above are authorised to investigate offences under this Act (Section 22).
  • Violations include:
    • Unauthorised disclosure.
    • Failure to safeguard shared data.
    • Non-compliance by third parties.
  • Offenders may face fines up to RM1 million, imprisonment up to 5 years, or both.

11. Ministerial powers

  • The Minister for Digital Affairs has the authority to:
    • Exempt certain agencies or individuals from provisions of the Act (Section 27).
    • Issue binding directions to the Director General (Section 28).
    • Amend the Act’s Schedule of referenced written laws (Section 29).