Key Takeaways of the Data Sharing Act 2025

Key Takeaways of the Data Sharing Act 2025

Introduction

The Data Sharing Act 2025 (“Act”), which was passed by the House of Representatives on 12 December 2024 and has received Royal Assent,[1] represents a significant milestone in strengthening data governance within the federal government. Although it has yet to come into force, this legislation is set to play a crucial role in facilitating secure and regulated data sharing among public sector agencies (“PSAs”), while reinforcing transparency and accountability within Malaysia’s data ecosystem.

This Act regulates data sharing among public sector agencies. It applies to public services as defined in Article 132 of the Federal Constitution, excluding joint public services under Article 133 and the public services in each individual State. This new Act is essential to facilitate seamless, secure, and efficient data exchange among government agencies, thereby enhancing governance, ensuring data integrity, and supporting informed decision-making.

The Act sets out, among other provisions, the following:

1. Establishment of the National Data Sharing Committee

The Act establishes the National Data Sharing Committee (“Committee”), which is responsible for[2]:

  • Developing policies and strategies related to data sharing.
  • Overseeing the implementation of the Act.
  • Addressing administrative challenges encountered during implementation of the Act.
  • Formulating policies concerning database management for data sharing.
  • Carrying out any other functions arising out of or consequential to the functions of the Committee under the Act consistent with its purposes.

The policies dan strategies referred to may include[3]:

  • the procedures to preserve the privacy and confidentiality of data;
  • the safeguards relating to data handling and storage;
  • the method for data sharing under the Act; and
  • the risk assessment frameworks for data handling and storage.

2. Procedures for Data Sharing

The Act sets out a structured procedure for data sharing between the PSAs, detailing[4]:

  • the data requested;
  • the purpose for data requested;
  • the PSA intended to be the data recipient and data provider; and
  • manner of handling the data requested.

3. Evaluation Process

The Act also outlines the strict evaluation process and response required from a PSA receiving a data request. This framework will incorporate data analysis and artificial intelligence (AI), which Malaysia has actively promoted over the past year through the establishment of the Ministry of Digital. By ensuring responsible and secure data-sharing practices, this legislation further advances the MADANI Government’s vision of transforming Malaysia into an AI-driven nation.

In evaluating a data request, the PSA must consider[5]:

  • whether the purpose for which the data is requested warrants the sharing of the data;
  • whether the sharing of the data is against the public interest; and
  • whether the public sector agency requesting the data has appropriate security and technical safeguards in place to ensure that the shared data is not subject to unauthorized access and use.

4. Refusal of Data Sharing

Stringent measures are in place to ensure the responsible handling of shared data. PSAs are obligated to safeguard data from unauthorized access, maintain comprehensive records of shared information, and promptly report any security breaches. Data sharing may be denied on the following grounds[6]:

  • The requested data could reasonably be expected to disclose or enable the identification of a confidential source of information related to the enforcement or administration of the law.
  • The requested data could reasonably be expected to reveal the existence or identity of a person under a witness protection programme.
  • The requested data could reasonably be expected to disclose investigative measures or procedures, including intelligence-gathering methodologies, investigative techniques, covert practices, or information-sharing arrangements between law enforcement agencies.
  • The sharing of the requested data would constitute a breach of legal privileges or confidentiality obligations.
  • The requested data pertains to national security or defence, the investigation of a breach, or potential breach, of any written law, an inquest or inquiry into a death; or proceedings before a court or tribunal.
  • The public sector agency has reasonable grounds to believe that sharing the requested data would likely endanger the health, safety, or welfare of one or more individuals.
  • The requested data is inconsistent with the purpose specified under Section 13 and does not justify disclosure.
  • The requesting public sector agency does not possess the necessary security and technical safeguards to prevent unauthorized access or misuse of the shared data.
  • Any other reason as determined by the Committee.

5. Duties Related to Data Sharing

To ensure the secure and responsible exchange of data, the Act imposes strict obligations on all parties involved in data sharing:

Parties Duties
Duty of Data Providers and Recipients[7] (a)      Ensure data management and maintenance comply with legal requirements.

(b)      Implement necessary security and privacy measures, including protection from loss, misuse, unauthorized access, or destruction.

(c)      Maintain records of all shared data.

(d)      Report any unauthorized data sharing to the Director General.

(e)      Comply with additional requirements set by the Committee.

Duty of Third Parties Handling Shared Data[8] (a)      Obtain the data provider’s consent before allowing third-party access.

(b)      Ensure the third party complies with the Act and follows security protocols.

Any third party failing to comply may face penalties of up to one million ringgit (RM1,000,000) or five years’ imprisonment, or both.

 

Conclusion

The Act represents a significant milestone in Malaysia’s digital governance, providing a structured framework for making and evaluating data requests to ensure responsible and regulated data-sharing practices. By streamlining data exchange, enhancing security, and ensuring compliance, the Act strengthens public sector efficiency and advances Malaysia’s vision of a data-driven and AI-powered future.

If you have any questions, please contact our Head of Advisory & Compliance, Mr. Fakhrul Fadzilah (fakhrul@nzchambers.com), or our Legal Associate, Ms. Husna Shariff (husna@nzchambers.com).

Authors:

  1. Mr. Fakhrul Fadzilah
  2. Ms. Husna Shariff

References:

[1] https://bernama.com/en/news.php//world/general/news.php?id=2396179

[2] Section 6(1) of the Act

[3] Section 6(2) of the Act

[4] Section 12(1) of the Act

[5] Section 14(1) of the Act

[6] Section 15 of the Act

[7] Section 16 of the Act

[8] Section 17 of the Act

Published Date: 19 March 2025