The National Data Strategy: Key Concepts

Last week, the National Centre for Statistics and Information (NCSI) published the legal framework for the governance of public sector data in the form of a National Data Strategy. Despite what its name suggests, the National Data Strategy is a legal instrument equivalent to secondary legislation, with exactly the same status as a regulation issued by a ministerial decision. This legal instrument governs the whole life cycle of public sector data, provides a framework for the exchange and release of this data, and establishes a system for the designation of national base registries for key public sector datasets, among many other things. This post highlights some of the key concepts found in this strategy.

Background

As the Personal Data Protection Law came out earlier this year, it might be easy to assume that the National Data Strategy is somehow related to it, but it is not, even though there is some overlap between the data breach provisions found in that law and those in the strategy. The National Data Strategy has its legal basis in article 5 of the Statistics and Information Law of 2019. This law defines the data strategy in article 1 as “A comprehensive framework for the governance and management of data produced by government and non-government bodies, and includes the choices and decisions to be taken for the exchange and integration of data between bodies.” The law entrusts NCSI with the responsibility to issue the strategy in article 5, and it outlines in detail the scope of the data strategy in article 6.

For those who wonder why it is NCSI, and not the Ministry of Transport, Communication, and Information Technology (MTCIT) that was entrusted with the responsibility of issuing the National Data Strategy, it is useful to remember that NCSI is not responsible for statistics only, but also information, which makes NCSI the country’s information commission in addition to being the statistical office. NCSI is also responsible for the census, which is one of the biggest and most strategic planning projects that the government does on a periodic basis, and this makes NCSI a major stakeholder in ensuring that a system exists for the smooth exchange of information between public sector entities.

Data is deemed a strategic asset of the Sultanate of Oman, and all entities addressed by this strategy shall safeguard it, improve it, and maximise its value in a manner that serves the public interest.

National Data Strategy 2022, NCSI Decision 103/2022 (issued 21 July 2022, published 28 August 2022) OG 2022, art 4.

Scope of Application

The National Data Strategy has an identical scope of application to the Records and Archives Law, which operates in the same sphere as the strategy since the Records and Archives Law essentially deals with certain types of physical datasets while the National Data Strategy deals with digital datasets. According to article 3, the strategy applies to proper government entities, companies in which the government has a shareholding of 25% or more, and private sector companies that carry out activities relating to public utilities. Some data of military and security entities can be exempted from the scope of application of the strategy by the National Security Council.

The scope of the National Data Strategy is extremely wide and covers the whole government, the majority of government-owned companies, and private companies that are responsible for public utilities in a wide sense that includes telecommunication companies and companies responsible for managing fundamental government facilities such as airports and ports.

However, unlike the Data Protection Law or the Records and Archives Law, the National Data Strategy carries no fines or imprisonment penalties for violations. It can still be enforced, at least against proper government entities, through administrative justice procedures.

Data Principles Featured in the National Data Strategy

The National Data Strategy introduces a number of data quality and management principles that are relatively new to the Omani context. These principles include:

Open by Default

Article 7 stipulates that public sector data is unclassified by default and Article 28 stipulates that public sector data controllers have a duty to release their unclassified data as open data.

Digital First

Article 11 stipulates that public sector data controllers must collect their data using digital technologies.

Data Minimisation

Article 12 stipulates that public sector data controllers must collect only the data that they actually need.

Open Source

Article 15 stipulates that public sector data controllers must use open formats when storing their data. Article 1 defines an open format as one which can be processed using an open source tool.

Key Concepts

Data Classification and Re-Classification

A key challenge for exchanging and releasing public sector data in Oman has always been the over-classification of public sector data, even when the data in question does not fall under any of the classification degrees stipulated in the Classification Law. The National Data Strategy attempts to address this challenge to enable public sector data controllers to exchange and release their data by working around the Classification Law in a number of ways. Firstly, the strategy prohibits data controllers from classifying data that does not fall within the scope of the Classification Law, and deems the default status of data to be unclassified. Secondly, the strategy permits data controllers to use anonymisation and aggregation techniques to create a sub-dataset of a classified dataset to facilitate exchange and release. Thirdly, the strategy empowers NCSI and MTCIT to instruct data controllers to correct their classification in a manner compliant with the law and the strategy.

Data Exchange

The strategy uses two distinct concepts for data sharing: data exchange and data release. Data release is the voluntary release of data by a data controller as open data, while data exchange is the direct exchange of data with a specific entity through some sort of data integration system. Prior to the issuance of the strategy, there was no framework for approving or rejecting requests for direct access to public sector data. The strategy dedicates the whole of Chapter 5 to establishing a framework under which any private entity can make a request to exchange data with a public sector data controller. It sets deadlines for responding to such requests (30 days), creates an appeal system at NCSI for dealing with rejected exchange requests, and empowers NCSI and MTCIT to instruct a public sector data controller to directly exchange data with a third party without the need for a request. The strategy requires all data exchanges to be conducted through an official data integration system created by the MTCIT.

Base Registries

One of the extremely interesting concepts found in the strategy is the concept of base registries, which attempts to address the issue of the duplication of effort in collecting and storing data, and the impact this has on identifying a single source of truth for certain key public sector datasets. Under Chapter 8 of the strategy, if NCSI believes that a certain database owned by a public sector data controller should be considered as the authority for a certain dataset, NCSI can designate this database as a base registry, and upon this designation, it becomes illegal for any other public sector data controller to collect this data from any other source—including from individuals—so that the controller would have to rely on the base registry as their source for the data in question.

For example, if Royal Oman Police (ROP) already has all the information relating to the marital status of nationals and residents in Oman, it becomes prohibited for the Ministry of Health (MOH) to start collecting this data on its own if NCSI designates ROP’s database as the base registry for this information, and MOH should link with ROP’s database to access this data.

Final Thoughts

The National Data Strategy is a major development in the management of public sector data, and it is a positive step towards making public sector data accessible and open. However, because this legal instrument does not have teeth, a lot of work will need to be done to raise awareness of its existence, educate public sector data controllers about their obligations, and inform private sector entities of their new rights to demand access to public sector data through the new system for data exchange requests.

You can read the full text of the National Data Strategy on this link.