The Kingdom of Saudi Arabia has issued the General Rules for Secondary Use of Data to regulate how data may be used for purposes beyond those for which it was originally collected. The Rules establish a controlled framework that allows secondary use of data while ensuring safeguards for privacy, security, and legal rights.
The Rules work together with the Data Sharing Policy issued by SDAIA and the Personal Data Protection Law (PDPL). They do not replace these laws. Instead, they provide clarity on how secondary use of data is governed within the existing legal and regulatory framework.
What Is “Secondary Use of Data”?
Under the Rules, secondary use of data means using data for a purpose different from the purpose for which it was originally collected. The focus is on the change in purpose, regardless of how the original purpose was described or documented.
Secondary use occurs when data collected for one activity is later reused for another identified purpose, such as using operational or administrative data for analysis, research, or policy-related work. Such use is subject to controls and procedural requirements and is not automatic.
Permitted Purposes and Explicit Exclusions
The Rules recognise secondary use of data only for defined purposes set out in the framework, including:
- Serving the public interest
- Supporting research, development, and innovation (RDI)
- Improving the efficiency of government entities’ operations and supporting decision-making
At the same time, the Rules expressly require that the purpose of data sharing for secondary use must explicitly exclude profit-oriented purposes. This restriction applies regardless of whether the Applicant is a government entity, private entity, or research institution.
Secondary use under these Rules is therefore limited to public interest and developmental purposes and does not extend to profit-driven objectives.
Scope of Application: Where the Rules Apply
The Rules apply to specific data sharing scenarios within the Kingdom of Saudi Arabia and are stated not to prejudice any legal provisions or regulatory requirements set out in other documents or statutory instruments. They govern:
- Data-sharing requests between government entities
- Data-sharing requests submitted by government entities to private entities
- Data-sharing requests submitted by private entities to government entities
The Rules also apply, in practice, to individuals and institutions involved in research activities, including academic researchers, where data sharing is required for research, development, and innovation purposes and requests are submitted through academic or research institutions.
Principles Governing Secondary Use of Data
The Rules set clear principles for how data may be reused for secondary purposes, in line with PDPL and national data governance objectives. In simple terms, secondary use must be lawful, responsible, secure, and in the public interest.
The key principles are:
- Privacy and Personal Data Protection: Any secondary use of personal data must comply with the PDPL, its Implementing Regulations, and related requirements.
- Purpose-Based and Responsible Secondary Use: Data may be shared only for purposes recognised under the Rules and must align with national interests while respecting individual rights.
- Data Quality and Accuracy: Shared data should be accurate, complete, up to date, and suitable for the stated purpose.
- Ethical Use of Data: Data must be handled using recognised best practices, with due respect for intellectual property, commercial confidentiality, and licensing conditions.
- Data Security: Appropriate technical and organisational measures must be in place, in line with cybersecurity requirements issued by the National Cybersecurity Authority.
- Public Interest: Where secondary data use supports public interest and national development objectives, it may take precedence over other legitimate interests, provided it does not violate the Rules or applicable laws.
How Secondary Use Requests Are Made and Controlled
Before data can be shared for secondary use, Applicants must submit a complete and detailed request. This should clearly explain the purpose, necessity, and legitimacy of the requested data. Requests are generally directed to the Data Source Entity (the entity that originally produced, collected, or retains the data) or must include evidence of its approval if sent through another route. For research-related requests, any related questionnaires should be attached, and academic or research institutions must provide written approval from the relevant authority. Incomplete or unclear requests may be rejected.
Data sharing is implemented through defined mechanisms depending on the entities involved:
- Government to Government: Requests are submitted via the Data Marketplace platform.
- Automated Sharing (Government & Private): Parties must propose a data-sharing method and obtain approval from the NDMO.
- Non-Automated Sharing: Data must be shared securely following directives issued by competent authorities.
The Data Sharing Entity evaluates requests based on whether the requested data serves the public interest, as determined by the requesting government entity within its regulatory competencies. It then decides to approve or reject the request. Applicants may seek a legal opinion from the National Data Management Office (NDMO) if their request is rejected.
The NDMO provides centralised legal oversight, helping ensure consistent interpretation and application of the Rules, and may intervene to resolve disputes or complete regulatory procedures where necessary.
Dispute Resolution and Legal Oversight
Any party involved in data sharing under the Rules may request a legal opinion from the NDMO regarding disputes arising from their application. The Office may, where necessary, proceed with completing regulatory procedures in relation to the matter. This mechanism provides centralised legal oversight and supports consistent interpretation and application across entities.
Conclusion
The Rules for Secondary Use of Data (2025) provide a structured framework for reusing data in Saudi Arabia while ensuring compliance with national data governance, the PDPL, and sectoral regulations. They allow data to be shared for authorised purposes under controlled conditions, with safeguards on scope, security, and licensing. Secondary use is permitted only when properly justified, following established procedures, and aligned with legal and ethical requirements.
