Data Sharing Policy

1. Scope

The provisions of this Policy apply to the processes of sharing data produced by The Financial Academy (TFA) with other government entities, private entities, or individuals – irrespective of the source, form, or nature of these data. This includes paper records, emails, data stored on electronic media, handwritten documents, or any other form of recorded data. This Policy does not apply if the Data Requester is a government entity and the data-sharing request is for security purposes or to fulfill judicial requirements.

2. The Main Principles for Data Sharing

The Financial Academy adopts the following data sharing principles:

First Principle: Promoting A Culture of Sharing

The Financial Academy shall share the key data it generates in order to achieve integration with other entities. It shall adopt the “ once-only” principle to collect data from right sources, reducing duplication, inconsistencies, and disparate data sources. If the data is requested from a source other than its original one, the approval of the data owner shall be obtained before sharing it with the requesting party.

Second Principle: Legitimacy of Purpose

Data sharing shall be conducted for legitimate purposes that are grounded in a legal basis or justified operational need aimed at achieving a public benefit without compromising the national interests, the operations of entities, individual privacy, or environmental safety. Exceptions shall be made for data and entities exempted by Royal Orders.

Third Principle: Authorized Access

All Data Sharing Parties shall be authorized to access, obtain, and utilize the shared data (which could require security scanning depending on the data's nature and sensitivity level). In addition, the Parties involved should have the knowledge, skills as well as qualified, well-trained persons to handle the data being shared.

Fourth Principle: Transparency

All Data Sharing Parties shall make available all information necessary for exchanging data with TFA. This includes the requested data, collection purpose, means of transmission, storage methods, protection controls, and destruction mechanism.

Fifth Principle: Shared Responsibility

All Data Sharing Parties shall share responsibility for decisions regarding data sharing and processing, ensuring alignment with specified purposes, compliance with security controls outlined in the data-sharing agreement, and adhering to the relevant regulations, legislations, and policies.

Sixth Principle: Data Security

All Data Sharing Parties shall implement appropriate security controls to protect data and ensure a secure and trusted data-sharing environment as per relevant regulations and legislations, and in accordance with the directives issued by the National Cybersecurity Authority.

Seventh Principle: Ethical Use

All Data Sharing Parties shall apply ethical practices during the data-sharing process to ensure that it is utilized with fairness, integrity, honesty and respect, and not only adhere to information security policies or to relevant regulatory and legislative requirements.

3. Necessary Steps for Data Sharing

• The Data Requester shall fill out the “Data Request Form” approved by The Financial Academy before submitting it.
• The Requester shall be notified via the communication channel of the status of the request.
• Should the request be approved, the Requester will be provided with the requested data.

4. Data Sharing Controls

All Data Sharing Parties shall agree to the necessary controls in order to properly manage and protect the data to be shared, as follows:

• The Requester shall clearly specify the legal basis or the actual need for requesting the data sharing, including, for example, the entity regulations, the Royal Order qualifying the entity to obtain the data, or the signed agreements.
• The Financial Academy shall maintain data classification levels, the protection of intellectual property rights, and the privacy of personal data.
• The Financial Academy shall verify that the requested data fall under the key data produced by the Academy, to ensure that data are sought from right source.
• The Academy will only provide the minimum data required to fulfill the specified purposes for their collection.
• Data protection controls issued by the National Cybersecurity Authority shall be adhered to.
• Means of sharing data, whether physical or digital, shall be specified.
• Security and reliability of data-sharing channels shall be verified to mitigate potential risks. Secure data-sharing channels used by entities can be utilized.
• The data-sharing mechanism shall be established, specifying whether the business data specialist will directly send the data to the Requester, or a third-party service provider will carry out the sharing process.
• It shall be determined whether the existing data sharing media - such as the Government Service Bus (GSB) and the National Information Center (NIC) network - will be utilized, or other media, like the wireless web, remote access, a virtual private network (VPN), or an application programming interface (API), will be used.
• A mechanism for destroying the physical media used in data sharing shall be agreed upon.