Data Sharing Act 2025 – Overview and Key Provisions.

On 28 April 2025, the Data Sharing Act 2025 (Act) officially came into force, marking a significant milestone in Malaysia’s evolving data governance framework. The Act, which received Royal Assent on 5 February 2025 and was gazetted on 20 February 2025, establishes a structured regulatory framework for data sharing among public sector agencies. This landmark legislation aims to enhance transparency, improve data security and drive operational efficiency in public sector data management.

Introduced alongside the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024, the Act further reinforces the nation’s goal of becoming a regional data hub by strengthening data protection measures.

Definition Of “public sector agency” And “data”

Under the Act, “public sector agency” means:

(i) the agency in charge of the public services referred to in Clause (1) of Article 132 of the Federal Constitution, except for the joint public services mentioned in Article 133 and public service of each State; and

(ii) any statutory authority exercising powers vested in it by a federal law.

Meanwhile, “data” means any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analysed or processed, whether by an individual or a computer or other means.

This definition establishes a clear scope of applicability, ensuring that only authorized government entities may request and share data under the Act.

Scope Of Data Sharing

The Act regulates the request, processing, and sharing of data among public sector agencies. Under Section 12(1), a public sector agency may request data from another public sector agency for the following purposes:

(a) to enhance the efficiency or effectiveness of policies, programme management or service planning and delivery by the public sector agencies

(b) to reduce or prevent threat to the life, health or safety of a person, or threat to public health or safety

(d) in the public interest; or

(e) such other purposes as the Committee may determine.

While the Act primarily governs data sharing among public sector agencies, it may also have indirect implications for private entities. Data shared between public sector agencies may involve information related to private organisations, potentially affecting

data access, usage and regulatory considerations. As such, it is essential for businesses to evaluate how this framework might affect their data management practices and compliance obligations.

Establishment Of The National Data Sharing Committee

The National Data Sharing Committee (Committee) is responsible for regulating and overseeing the implementation of the Act. The committee is chaired by the Secretary General of the ministry charged with the responsibility for digital, with the Director General of the National Digital Department serving as the secretary.

Apart from the Chairman, the Committee consists of the following members:

(a) a representative from each of the ministries

(b) a representative of the Prime Minister’s Department

(d) a representative of the National Cyber Security Agency

(e) a representative of the Personal Data Protection Department

The main function of the Committee is to formulate policies and strategies relating to data sharing under the Act.

By centralising governance under the Committee, the Act ensures that data-sharing policies are standardised, enhancing accountability and operational efficiency across public sector agencies.

Procedures For Data Sharing

Requesting data

When a public sector agency requests data from another public sector agency, it must submit a formal request that includes the data requested, the purpose for which the data is requested and the manner of handling the data requested.

Evaluation by the receiving agency

Upon receiving the request, the receiving public sector agency is to evaluate the request and respond 14 days. The evaluation process includes considering whether the purpose for which the data is requested warrants the sharing of the data, whether the sharing of the data is against the public interest and whether the public sector agency requesting the data has appropriate security and technical safeguards in place to ensure that the shared data is not subject to unauthorised access or use.

Grounds for refusing a request

A request for data sharing may be refused under the following circumstances:

(a) the data requested could reasonably be expected to disclose, or enable a person to ascertain, the identity of a confidential source of information relating to the enforcement or administration of law.

(b) the data requested could reasonably be expected to disclose the existence or identity of a person included in a witness protection programme.

(c) the data requested could reasonably be expected to disclose investigative measures or procedures including intelligence gathering methodologies, investigative techniques or technologies, covert practices or information sharing arrangements between law enforcement agencies.

(d) the sharing of the data requested will constitute a breach of one or more of the following:

(i) the solicitor-client privilege or legal professional privilege;

(ii) an agreement or a contract;

(iii) an equitable obligation of confidence; or

(iv) an order of a court or tribunal;

(e) the data requested involves one or more of the following:

(i) national security or defence;

(ii) the investigation of a breach, or possible breach, of any written law;

(iii) an inquest or inquiry into death; or

(iv) a proceeding before a court or tribunal;

(f) the public sector agency believes on reasonable grounds that the sharing of the data requested would be likely to endanger the health, safety or welfare of one or more individuals;

(g) the data requested is inconsistent with the purpose specified under Section 13 of the Act and does not warrant the data to be shared;

(h) the public sector agency requesting the data does not possess appropriate security and technical safeguards to ensure that the data to be shared is not subject to unauthorised access or use; or

(i) any other reason as the Committee may determine.

These procedures ensure that data-sharing decisions are made with careful consideration and in compliance with relevant regulations. The framework provides clear guidelines for requesting, evaluating, and possibly refusing to share some or all of the data sharing requests, thus promoting a balance between facilitating inter-agency cooperation and safeguarding public interest and data protection. This structured approach is designed to enhance efficiency and foster public trust in Malaysia's public sector data-sharing practices.

Commentary

As part of Malaysia’s ongoing efforts to promote ethical practices and strengthen its position as a regional data hub, the National Cloud Computerisation Policy is set to be released in the second quarter of this year. This policy will introduce regulations designed to encourage the ethical use of artificial intelligence, further reinforcing Malaysia’s position as a regional data hub.

Meanwhile, the Personal Data Protection Commissioner (PDPC) has intensified compliance inspections and enforcement actions to uphold data protection standards. To enhance regulatory oversight, the PDPC is expanding its presence, starting with new offices in Sabah and Sarawak, and plans for further nationwide expansion. These initiatives highlight Malaysia’s commitment to ensuring robust data security, regulatory compliance and digital transformation, creating a secure and well-regulated digital ecosystem.

The Data Sharing Act 2025 represents a landmark development in Malaysia’s data governance landscape. By establishing a structured, secure, and accountable framework, the Act strengthens regulatory oversight, promotes responsible data sharing and safeguards privacy while fostering innovation. With clear guidelines on data accessibility and protection, Malaysia is well-positioned to navigate the evolving digital economy. This legislation will play a pivotal role in shaping a resilient and efficient data ecosystem that prioritises security, transparency and technological progress.

30 April 2025