The Ministry of Technology, Communications, and Information Technology (MTCIT) issued at the beginning of this week a brand new data protection policy for government entities that sets the rules for the processing of personal data by government entities. The policy mandates that all government entities must commit to protecting personal data and must implement security measures against unauthorised access or breaches.
Given that the Personal Data Protection Law does not apply to the processing of personal data by government entities, the MTCIT had to issue a separate Personal Data Protection Policy of the Units of the Administrative Apparatus of the State. This policy imposes obligations on government data controllers, such as the obligation to only collect data through legitimate means, ensure the data is correct and accurate, and make sure that the data does not remain identifiable after the use of the data is exhausted.
The policy also gives data subjects some rights in relation to the processing of their data by government entities such as the right to know that such processing is taking place, the right to have access to their data, and the right to have their data rectified.
A contentious issue with government data governance has always been data localisation requirements. The policy states that it is not permitted to process personal data outside Oman except after the approval of the Cyber Defence Centre and only in certain explicitly determined cases.
Unlike the legally binding law applicable to private data controllers, there are no penalties or fines for government data controllers who violate the policy.
This policy applies to proper government entities, such as the Ministry of Education, SQU, and the OIA. It does not apply to government-owned companies, to whom the actual Personal Data Protection Law applies.
The policy enters into force after 24 months from the date of its adoption and circulation by the Ministry of Transport, Communications, and Information Technology. You can read it in full in English on the link below: