Malaysia enacts data sharing rules for public sector

With the introduction of the Data Sharing Act 2025 (the “Act”), Malaysia has formalised the rules governing data sharing between its public sector agencies. Designed to foster greater collaboration and efficiency, the Act includes provisions on data requests and evaluation processes, and imposes stringent compliance requirements on responsible organisations. While the Act applies to public agencies, private sector businesses providing services to such public agencies will need to understand how the new framework could affect the operational delivery of their services, as well as underlying legal obligations.

What is the objective of the Act?

On 28 April 2025, the Act officially came into effect. The purpose of the Act is to provide a legal and structured framework for secure and efficient sharing of data between public sector agencies, such as Malaysia’s armed forces, its judicial and legal service, the general public service of the Federation, the nation’s police force, and its education service.

The Act governs the following:

The sharing of data under the control of a public sector agency with another public sector agency.
The establishment of a National Data Sharing Committee.<
The duties and powers of the Director General of the National Digital Department.

To whom does the Act apply?

While the Act mainly targets public sector agencies, it is important to note that private sector organisations may also be indirectly impacted. This is because public agencies may share data that involves or originates from private entities. For that reason, it is important for these private sector organisations to understand how their data might be used or governed under the new framework.

What does “Data” mean under the Act?

Under the Act, “data” is defined as “any facts, statistics, instructions, concepts, or other information in a form that is capable of being communicated, analysed, or processed, whether by an individual, a computer, or other means.”

In comparison to the definition of “personal data” under the Personal Data Protection Act 2010 (“PDPA”), the definition of “data” under the Act is much broader. Such broad definition means that almost any kind of information, as long as it can be shared, analysed, or processed, comes within the scope of the Act. It is designed to cover all types of data shared between public sector agencies and ensure the consistent treatment of such information.

What does the Act lay down for data sharing among public agencies in Malaysia?

The Act provides a structured framework for a data sharing request and imposes strict compliance requirements.

Request for data¹

Public agencies can formally submit a request for data and it must include the following:

The data requested.
The purpose for which the data is requested.
The public service agencies intended to be the data recipient and the data provider.
The manner of handling the data requested.

Evaluation process²

Before approving a request, the public sector agency to whom a request for data sharing is made must make the following evaluation:

Whether the purpose for which the data is requested warrants the sharing of the data.
Whether the sharing of the data is against public interest.
Whether the public sector agency requesting the data has appropriate security and technical safeguards in place to ensure that the shared data is not subject to unauthorised access to use.

The public sector agency must provide a response within 14 days from the date of receiving the request. In the event that the public sector agency is not able to do so within 14 days, they will have to provide a written response explaining the reason and the period within which such response will be provided.

Grounds of refusal for a data sharing request³

The Act provides an extensive list of reasons for refusing the request, whichare highlighted below:

The data requested could reasonably be expected to disclose, or enable a person to ascertain, the identity of a confidential source of information relating to the enforcement or administration of law.
The data requested could reasonably be expected to disclose the existence or identity of a person included in a witness protection programme.
The data requested could reasonably be expected to disclose investigative measures or procedures, including intelligence gathering methodologies, investigative techniques or technologies, covert practices or information sharing arrangements between law enforcement agencies.
The sharing of the data requested will constitute a breach of one or more of the following:
1. the solicitor-client privilege or legal professional privilege;
2. an agreement or a contract;
3. an equitable obligation of confidence; or
4. an order of a court or tribunal.
The data requested involves one or more of the following:
1. national security or defence;
2. the investigation of a breach, or possible breach, of any written law;
3. an inquest or inquiry into death; or
4. a proceeding before a court or tribunal.
The public sector agency believes on reasonable grounds that the sharing of the data requested would be likely to endanger the health, safety or welfare of one or more individuals.
The data requested is inconsistent with the purpose specified under Section 13 of the Act and does not warrant the data to be shared.
The public sector agency requesting the data does not possess appropriate security and technical safeguards to ensure that the data to be shared is not subject to unauthorised access or use.
Any other reason as the Committee may determine.

What are the repercussions of non-compliance?

The Act provides that if an officer or servant of a public sector agency uses or discloses shared data for purposes other than those for which it was intended, they may be liable, upon conviction, to a fine of up to RM1 million, imprisonment for a term not exceeding five years, or both.

What is the impact of this Act for organisations?

Although the Act is directed at public sector agencies, it has important implications for private sector organisations, particularly those that work with or provide digital services to government bodies.

These organisations should take steps to ensure their operations are aligned with the framework introduced under the Act. This involves evaluating compliance procedures in contracts involving government data sharing, enhancing cybersecurity measures within the organisation, and ensuring that third-party service providers manage shared data responsibly. This approach helps organisations manage risk more effectively and maintain trust in their relationships with public sector agencies.

Moving toward global standards

The Act marks an important step in improving how Malaysia’s public sector manages and shares data. It introduces a clearer legal framework for public sector agencies to exchange data securely, while remaining consistent with existing laws like the PDPA. Although it does not directly adopt standards like the GDPR, it reflects similar principles of responsible data use. For now, the focus is on domestic sharing, but the stronger governance structure could support cross-border co-operation in the future.

Conclusion

The Act establishes a comprehensive legal framework for data sharing within Malaysia’s public sector. Private sector organisations that engage with these public sector agencies should consider the broader legal implications of this new lawand assess whether existing contracts, data practices, and compliance frameworks align with the new requirements. Taking proactive steps will be essential to minimise regulatory exposure and support ongoing collaboration with public sector agencies.

Should you need assistance or have enquiries about whether and how this new regulatory requirement affects your organisation, please reach out to your usual contact at Hogan Lovells or the authors.

Authored by Charmian Aw and Audrey Koh.

References

1 See Section 12 of the Act.

2 See Section 14 of the Act.

3 See Section 15 of the Act.