The Dubai Data initiative, led by the Dubai Data Establishment (DDE) under the Smart Dubai Office, is said to be the world’s most ambitious and comprehensive data initiative. In the latest development in the country's journey towards smart transformation, DDE launched the Dubai Data Policies in February 2018 to govern the sharing and use of "Dubai Data". In this article, we consider the impact of the new policies on public and private sector entities in Dubai.
In October 2015, Dubai issued Law No. 26 of 2015 regulating data dissemination and exchange in the Emirate of Dubai (the Dubai Data Law). This innovative piece of legislation was intended to enable the fulfilment of Dubai's vision of becoming a smart city by creating a framework to facilitate and encourage the sharing of data between government entities and the wider dissemination of information as "open data".
Interestingly, the Dubai Data Law identified data relating to the Emirate as "Dubai Data" and clarified that this would be deemed an asset owned by the Government that must be dealt with in accordance with the provisions of the Dubai Data Law and its associated resolutions.
Dubai Data Policies
Smart Dubai's Resolution No. 2 of 2017 was passed pursuant to the Dubai Data Law in October 2017 and approved certain policies with primary application to governmental entities, including the rules and procedures regulating data classification, dissemination, exchange and protection (the Policies). It grants DDE the authority to supervise the implementation of the Policies.
As a preliminary condition, government entities are required to prepare a list of data available to them concerning the Emirate of Dubai, including any Dubai Data created by or under their control. This applies both to local government entities in Dubai (including all government departments, councils and authorities such as the various free zone regulatory bodies) and UAE Federal Government entities that have data concerning Dubai.
Data classification policy
Government entities are required to ensure the dissemination and exchange of data according to a schedule of priority outlined in the Policies and the Dubai Data Manual that has been published separately by DDE. Before making data available via the dedicated Dubai Data platform, government entities are required to classify the data as follows:
- Open Data: data that can be openly disclosed to individuals and organisations for use, reuse and sharing
- Shared Data: data that is owned by government entities and made available for sharing and reuse by other government entities, subject to further classification as follows:
- Confidential: data that is shareable across government entities only. This includes information where disclosure to the public or an unauthorised party would cause limited harm to public or personal interest.
- Sensitive: data that is shareable within certain groups and subject to strict controls. This includes information where disclosure to the public or an unauthorised party would cause major harm to public or personal interest, such as a threat to life, freedom or safety.
- Secret: data that is shareable in a limited way between certain individuals and subject to strict controls on a "need-to-know" basis. This includes information where disclosure would constitute an illegal action and could cause extreme harm to public or personal interests or national security.
Data protection and intellectual property rights policy
The data protection provisions of the Policies make clear that personal data and any information that identifies or is commercially sensitive in respect of a private sector entity may not be disseminated as open data. This information must be deleted from any Dubai Data before it can be released as open data.
Similarly, Dubai Data in which third parties have intellectual property rights (IPR) cannot be distributed as open data or exchanged as shared data without the consent of the IPR owner. This addresses a previous concern that the Dubai Data Law could see the Government unilaterally claiming ownership of any information falling within the broad definition of Dubai Data.
The Policies further require government entities to obtain the consent of individuals and private sector organisations to the use and sharing of their personal or commercial data with other government entities. By obtaining such consent at the point of collection, government entities will be able to pool data and this should reduce the need for government departments to repeatedly request the same information from corporates and citizens. The Policies also require government entities to permit individuals and private sector entities to modify their data and cancel consents.
Government entities must adhere to principles of transparency, clarity and proportionality in dealing with personal and private sector data.
Policy on use and reuse of Dubai Data
Open data accessed on the government platform will be subject to the terms of a licence issued by DDE. The Policies envisage that open data may be sold in exceptional cases, namely where its collection, processing or availability would result in additional costs on the relevant government entity or DDE. The price of such data would be determined by DDE in conjunction with the relevant government entity.
DDE may also sell value-added services that support the public interest and Dubai's smart transformation goals.
The Policies require government entities to terminate any existing arrangements to provide, sell or share data at the earliest opportunity (or allow them to lapse) and not to enter into new data-related contracts outside the scope of the Dubai Data Law without DDE's consent.
Technical standards policy
The Dubai Data Manual will include governance frameworks, procedures around data dissemination and exchange, and technical standards regarding such data. This may include mandatory obligations and DDE's recommendations.
The Policies substantially advance the Dubai Data programme and establish clear obligations on government entities that were not previously included in the framework of the Dubai Data Law. All Dubai government entities (including free zone authorities) and certain Federal entities will have to consider the implications for collecting and using data. Dubai government entities in particular will be required to submit regular reports to DDE to establish their performance against these obligations. The Resolution was published in the Official Gazette on 21 December 2017 and sets a deadline of one year for Dubai government entities to conform to the Policies.
There will also be an indirect impact on the private sector, particularly in the context of government contracting. All suppliers and service providers will need to be familiar with the requirements and consider how their products and services may be impacted by the Policies. We would expect that some government entities will look to the private sector for support in implementing the technical requirements and handling some of the new data processing and management obligations.
The next significant item on the DDE's agenda is likely to be the creation and publication of policies to clarify the obligations on private sector data providers under the Dubai Data Law.