In 2025, the phrase “data is the new oil” has never been more accurate. Data has become one of the most valuable assets in the digital economy, fueling innovation, business intelligence, and regulatory oversight. As we anticipated, 2025 is proving to be a year marked by significant regulatory and compliance changes, with the implementation of the Personal Data Protection (Amendment) Act 2024 and the Cyber Security Act 2024. Today, we turn our focus to another key piece of legislation that is heavily data-centric but from a different perspective, which is the Data Sharing Act 2025.
Many may not have heard of the Data Sharing Act 2025, hence, in this article, we aim to break the Data Sharing Act 2025 down into digestible insights through 10 key takeaways, with the intention of providing a clear understanding of what the Data Sharing Act 2025 entails, its objectives, how it may impact your organization, and its implications for other legal frameworks.
Takeaway 1: What is the Data Sharing Act 2025 About?
From a broad perspective, the Data Sharing Act 2025 is designed to facilitate and govern the sharing of data between public sector agencies. This legislation is binding on the Federal Government, with public sector agencies including key public services such as the armed forces, the judicial and legal services, the general public services of the Federation, the police force, the education service, and others.
Although the Data Sharing Act 2025 primarily concerns public sector agencies, it is important to recognize that private sector entities may still be indirectly affected, as the data shared by public sector agencies may include information that originates from or relates to private organizations, making it imperative for organizations to understand how their data could be impacted under this new framework.
Takeaway 2: The Current Status of the Data Sharing Act 2025
The Data Sharing Act 2025 received Royal Assent on 5 February 2025 and has been gazetted on 20 February 2025. This law will come into operation on a date to be appointed by the Minister by notification in the Gazette.
Takeaway 3: What Does “Data” Mean Under the Data Sharing Act 2025
Unlike the definition of “personal data” under the Personal Data Protection Act 2010, which focuses on information relating to data subjects, the definition of “data” under the Data Sharing Act 2025 is significantly broader.
Under the Data Sharing Act 2025, “data” is defined as “any facts, statistics, instructions, concepts, or other information in a form that is capable of being communicated, analyzed, or processed, whether by an individual, a computer, or other means.”
This expansive definition of “data” ensures that nearly all forms of information, as long as they can be communicated, analyzed, or processed to fall within the scope of the Data Sharing Act 2025. The deliberate breadth of this definition ensures comprehensive coverage, capturing all conceivable forms of data shared between public sector agencies, and this would certainly help to mitigate any potential loopholes and ensure consistency in the treatment of various types of information.
Takeaway 4: Public Sector Agency Requests for Data Sharing
The Data Sharing Act 2025 now allows a public sector agency to request data from another public sector agency that has control over the requested data. When making such a request, the requesting public sector agency must provide 4 key pieces of information:
i. the data requested;
ii. the purpose for which the data is requested;
iii. the public service agencies intended to be the data recipient and the data provider; and
iv. the manner of handling the data requested.
For the purpose of data requests, the Data Sharing Act 2025 outlines 5 specific purposes for which data may be shared:
i. to enhance the efficiency or effectiveness of policies, programme management or service planning and delivery by the public sector agencies;
ii. to reduce or prevent threat to the life, health or safety of a person, or threat to public health or safety;
iii. to respond to a public emergency;
iv. in the public interest; or
v. such other purposes as the National Data Sharing Committee may determine.
Takeaway 5: Data Sharing is Not Mandatory
When a public sector agency receives a data sharing request, it is not mandatory to provide the requested data. Instead, the public sector agency must evaluate the request based on 3 key considerations:
i. whether the purpose for which the data is requested warrants the sharing of the data;
ii. whether the sharing of the data is against the public interest; and
iii. whether the public sector agency requesting the data has appropriate security and technical safeguards in place to ensure that the shared data is not subject to unauthorized access or use.
Upon completing the evaluation, the public sector agency must respond within 14 days of receiving the request, indicating whether the data may be provided, with or without conditions, or whether the request is refused.
Takeaway 6: Grounds for Refusing a Data Sharing Request
If a public sector agency determines that a data request should not be granted, the Data Sharing Act 2025 provides an extensive list of justifications for refusal. While the list is rather extensive, we will highlight 3 notable reasons for rejecting a data sharing request:
i. the sharing of the data requested will constitute a breach of the solicitor-client privilege or legal professional privilege;
ii. the requested data pertains to matters of national security or defense; or
iii. the public sector agency believes on reasonable grounds that the sharing of the data requested would be likely to endanger the health, safety or welfare of one or more individuals.
Takeaway 7: Legal Obligations of Data Providers and Data Recipient
If data sharing is permitted, both the data provider and data recipient must comply with five key legal obligations under the Data Sharing Act 2025:
i. ensure that the shared data is managed and maintained in compliance with any legal requirements concerning its custody and control that are applicable to such data;
ii. take necessary measures to ensure the security and privacy of the data including the protection of data from any loss, misuse, unauthorized or accidental modification, access or disclosure, alteration or destruction and the preservation of rights of individuals relating to personal data protection;
iii. keep record of all particulars relating to the shared data;
iv. report any unauthorized sharing of data to the Director General; and
v. comply with such other requirements as the Committee may determine
Takeaway 8: Third-Party Data Handling
If a data recipient engages a third party to conduct any data migration, data integration, or data analytics work using shared data under the Data Sharing Act 2025, the data recipient shall ensure that the consent of the data provider is obtained before the data is handled by such third party.
Takeaway 9: Severe Penalties for Unauthorized Use or Disclosure
Any officer or servant of a data recipient is prohibited from using or disclosing the shared data other than for the purpose for which the data is shared. In the event of infringement of such provision, upon conviction, the offender may face severe penalties of a fine up to RM1 million, or imprisonment for up to 5 years, or both.
Takeaway 10: Open Data is Exempt from Data Request Requirements
The provisions for data request treatment under the Data Sharing Act 2025 do not apply to open data sharing. Open data, which is freely available from public sector agencies, may be accessed and shared regardless whether a request is made under the law.
Conclusion
In conclusion, the Data Sharing Act 2025 marks a significant milestone in Malaysia’s evolving data governance framework. While its primary scope is limited to public sector agencies, but we trust that its implication would actually extend beyond, either directly or indirectly, particularly for private sector entities involved in data handling, such as data integration and analytics services for government bodies. This Data Sharing Act 2025 is both timely and necessary as Malaysia strengthens its regulatory landscape to ensure more secure, structured, and accountable data governance, as data continues to drive decision-making and digital transformation, our country is also preparing to navigate this new digital regulatory environment effectively.
◦
If your organization needs help with further insights and legal guidance on Personal Data Protection (Amendment) Act 2024 or Data Protection Officer outsourcing services, please feel free to reach out to the firm’s Technology Practice Group. Lawyers from the Technology Practice Group have a wealth of experience assisting clients with their legal needs, particularly pertaining to compliance with the Personal Data Protection Act 2010, and will certainly be able to assist.
About the authors
Ong Johnson
Partner
Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”),
Fintech, TMT Disputes, TMT Competition, Regulatory
and Compliance
johnson.ong@hhq.com.my
◦
Lo Khai Yi
Partner
Co-Head of Technology Practice Group
Technology, Media & Telecommunications (“TMT”), Technology
Acquisition and Outsourcing, Telecommunication Licensing and
Acquisition, Cybersecurity
ky.lo@hhq.com.my.
More of our Tech articles that you should read:
