Legal and Tax Updates
May 20 2025

Data Sharing Act 2025

The coming into force of the Data Sharing Act 2025 (“DSA”) on 28 April 2025 marks a significant legislative milestone in Malaysia’s data governance landscape. The DSA establishes a formalised and secure framework for the exchange of data among public sector agencies. By enabling and facilitating seamless and secure access to shared information, the DSA is expected to enhance the efficiency of public service delivery and strengthen inter-agency coordination, ultimately contributing to a more integrated and responsive public sector.

We set out below a summary of the key provisions under the DSA.

Applicability The DSA applies to the sharing of data between public sector agencies in Malaysia.
Public sector agencies” is defined to mean (a) the armed forces; (b) the judicial and legal service; (c) the general public service; (d) the police force; (e) the education service; and (f) any statutory authority exercising powers vested in it by a federal law.
Data The DSA defines “data” as any facts, statistics, instructions, concepts or other information in a form that is capable of being communicated, analyzed or processed, whether by an individual or a computer or other means.
Establishment of the National Data Sharing Committee (“Committee”) The DSA establishes the Committee which is responsible to the Cabinet. Members of the Committee consist of the following:
  • the Secretary General of the ministry charged with the responsibility for digital, who shall be the Chairman;
  • a representative from each of the ministries;
  • a representative of the Prime Minister’s Department;
  • the Chief Government Security Officer;
  • a representative of the National Cyber Security Agency; and
  • a representative of the Personal Data Protection Department.
Functions of the Committee The Committee has the following functions:
  • to formulate policies and strategies relating to data sharing under the DSA (e.g. method of data sharing, data handling and storage safeguards, etc.);
  • to oversee the effective implementation of the DSA;
  • to take or recommend appropriate steps or administrative actions to resolve the difficulties or administrative issues which arise during the implementation of the DSA;
  • to formulate policies relating to database for the purposes of data sharing under the DSA; and
  • to do such other things arising out of or consequential to the functions of the Committee under the DSA consistent with the purposes of the DSA.
Data sharing

Section 12 of the DSA permits any public sector agency (“Data Requestor”) to request[1], from another public sector agency (“Data Requestee”), for the sharing of data under the control[2] of the Data Requestee for the following purposes:

  • to enhance the efficiency or effectiveness of policies, programme management or service planning and delivery by the public sector agencies;
  • to reduce or prevent threat to the life, health or safety of a person, or threat to public health or safety;
  • to respond to a public emergency;
  • in the public interest;
  • or such other purposes as the Committee may determine.

For the purpose of sharing open data, any open data that is available freely by any public sector agency may be accessible and shared regardless of whether a data sharing request is made.
Evaluation of data request

Section 14(1) of the DSA requires the Data Requestee to evaluate:

  • whether the purpose for which the data is requested warrants the sharing of the data;
  • whether the sharing of the data is against the public interest; and
  • whether the Data Requestor has appropriate security and technical safeguards in place to ensure that the shared data is not subject to unauthorized access or use.
Responding to data request Section 14(2) of the DSA requires the Data Requestee to respond as to whether the data requested may be provided, with or without conditions, or is refused within 14 days from the date of receiving the request.
Refusal to share data Under section 15 of the DSA, a Data Requestee may refuse to share some or all of the data requested based on the following reasons:
  • the data requested could reasonably be expected to disclose, or enable a person to ascertain, the identity of a confidential source of information relating to the enforcement or administration of law;
  • the data requested could reasonably be expected to disclose the existence or identity of a person included in a witness protection programme;
  • the data requested could reasonably be expected to disclose investigative measures or procedures, including intelligence gathering methodologies, investigative techniques or technologies, covert practices or information sharing arrangements between law enforcement agencies;
  • the sharing of the data requested will constitute a breach of one or more of the following:
    • solicitor-client privilege or legal professional privilege;
    • an agreement or a contract;
    • an equitable obligation of confidence; or
    • an order of a court or tribunal;
  • the data requested involves one or more of the following:
    • national security or defence;
    • the investigation of a breach, or possible breach, of any written law;
    • an inquest or inquiry into death; or
    • a proceeding before a court or tribunal;
  • the Data Requestee believes on reasonable grounds that the sharing of the data requested would be likely to endanger the health, safety or welfare of one or more individuals;
  • the data requested is inconsistent with the purpose(s) for which the data may be shared and does not warrant the sharing of such data;
  • the Data Requestor does not possess appropriate security and technical safeguards to ensure that the data to be shared is not subject to unauthorized access or use; or
  • any other reason as the Committee may determine.
Duties in relation to data sharing
  • The DSA imposes duties on both the Data Requestor and Data Requestee including, among others, obligations relating to data security, record keeping, reporting of data sharing particulars and unauthorised data sharing to the Director General of the National Digital Department.
  • Where the Data Requestor arranges for any third party to conduct any data migration, data integration or data analytics work using the shared data, the Data Requestor is required to ensure that the prior consent of the Data Requestee is obtained.

Applicability to those in the private sector

While the DSA only applies to data sharing between public sector agencies, the DSA may still be relevant to businesses in the private sector. For example, section 17(2) of the DSA provides that where a third party is engaged by a Data Requestor to conduct any data migration, data integration or data analytics work, such third party shall handle the data in compliance with the DSA and the requirements relating to the security of the data applicable in respect of the shared data. Any third party who fails to comply commits an offence and shall, upon conviction, be liable to a fine not exceeding RM1,000,000 or imprisonment for a term not exceeding 5 years or to both.

Conclusion

The Personal Data Protection Act 2010 does not apply to the federal government and state governments. While the DSA governs “data”, the coming into force of the DSA regulates the sharing of data between public service agencies provides clear rules and defined responsibilities on how such data can be shared.

With the recent amendments to the Personal Data Protection Act 2010 aimed at strengthening Malaysia’s data protection framework, the coming into force of the DSA underscores the government’s broader commitment to building a robust, transparent, and secure data governance regime. By facilitating structured data exchange among public sector entities, the DSA is poised to enhance policy coordination, improve public service delivery, and lay the foundation for more data-driven governance. As the implementation of the DSA progresses, ongoing attention to regulatory clarity, accountability mechanisms, and data protection safeguards will be critical to ensuring that the benefits of inter-agency data sharing are realised without compromising individual privacy rights or public trust.

[1] The request shall specify: (a) the data requested; (b) the purpose for which the data is requested; (c) the public service agencies intended to be the data recipient and the data provider; and (d) the manner of handling the data requested.

[2] “Control” means data that is within the possession or custody of the Data Requestee.

The information provided here is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations.

Hui Lynn Tan

Hui Lynn Tan

Partner
Partner
Malaysia

Michelle Koh

Michelle Koh

Associate
Associate
Malaysia

Related Insights

Malaysia: Transforming Malaysia’s Energy Landscape – Open Grid Access through CRESS

Legal and Tax Updates
February 26 2025

Malaysia: Implementation of the Personal Data Protection (Amendment) Act 2024

Legal and Tax Updates
January 09 2025

Malaysia’s Progress in Green Investment: A General Overview

Legal and Tax Updates
September 27 2024

Malaysia: Launch of the Forest City Special Financial Zone and Securities Commission FAQs on Family Office

Legal and Tax Updates
September 26 2024

Malaysia: Proposed Amendments to the Personal Data Protection Act 2010

Legal and Tax Updates
September 04 2024

Malaysia: Licensing and Regulatory Framework for Digital Insurers and Takaful Operators

Legal and Tax Updates
September 04 2024

Malaysia Tax Alert: Proposed Amendments to the Income Tax Act 1967 and Labuan Business Activity Tax Act 1990

Legal and Tax Updates
April 22 2024

Malaysia: Updates to the Beneficial Ownership Reporting Framework

Legal and Tax Updates
April 05 2024

Malaysia: Keeping up with Growing Cyber Threats and Intrusions – Malaysia’s Cyber Security Bill 2024

Legal and Tax Updates
April 01 2024
View All