MUSCAT, AUGUST 11
The Ministry of Transport, Communications, and Information Technology has unveiled a personal data protection policy for state administrative units in an effort to “enhance the performance of government units, increase their transparency and accountability, and encourage economic diversification and the use of data-based services”.
Formally released in March this year, the policy aims to create a framework that balances individuals' rights with allowing data processing and retention, while adopting global personal data protection policies.
Furthermore, the policy aims to leverage the economic value of data, recognizing it as an economic resource that helps drive innovation and supports economic transformations. Additionally, it seeks to enhance the trust of data owners in the ability of government units to manage and handle personal data.
According to the policy, personal data is defined as data that identifies or can identify a natural person directly or indirectly by reference to one or more identifiers such as a name, civil number, electronic identifiers, location data, or reference to one or more factors related to the genetic, physical, mental, psychological, social, cultural, or economic identity.
The Ministry will assume responsibility for monitoring the compliance of state administrative units with the policy and present the results of compliance and adherence to the Council of Ministers.
According to the policy, data must be collected through legitimate and fair means, and the collected data must be limited to what is necessary to meet legal requirements or direct operational activities.
Furthermore, the policy mandates the consent of data subjects to the processing of their data. State administrative units must apply security measures to protect data from accidental or unauthorised destruction, accidental loss, or unauthorised alteration, disclosure, breach, or any other forms of processing. They must also establish mechanisms to ensure the secure destruction of personal data to prevent unauthorised parties from accessing the data.
According to the policy, personal data must be processed within the geographic boundaries of the Sultanate of Oman “to ensure national sovereignty over this data and protect the privacy of its owners.” Government departments will be allowed to transfer or process data abroad, with the approval of the Cyber Defense Center, under specific circumstances such as executing a contract to which the data subject is a party, pursuing or defending legal claims, and protecting the vital interests of the data subject. In the case of any data breach or unauthorised access to personal data, government units are required to notify the Cyber Defense Center.
The policy is expected to come into effect in March 2026.