The Government has officially approved a comprehensive national framework to govern the secure and lawful sharing of data among government institutions. The new Data Sharing Policy, adopted on May 26, 2025, establishes clear guidelines to foster transparency, trust, and accountability in information exchange, aiming to improve data-driven decision-making while safeguarding privacy and respecting legal standards. Data sharing involves one government institution providing information—such as anonymized statistics, reports, or sensitive personal data (e.g., names, addresses, medical records)—to another to support public duties. All such exchanges must be conducted legally and ethically, serving legitimate public purposes. Spearheaded by the Rwanda Information Society Authority (RISA), the Data Sharing Platform will act as the backbone of government data partnerships. It will enable authorized entities to access and share datasets within a secure, transparent environment featuring advanced security protocols and a user-friendly design. ALSO READ: Establishing data sharing protocol within government agencies Legal and ethical considerations All data requests must be supported by a valid legal basis and comply with existing Rwandan laws and privacy regulations. Only the minimum necessary data should be shared, and institutions are encouraged to verify the relevance and accuracy of data before sharing. Any inaccuracies discovered must be promptly corrected. Shared data must be protected through encryption, access controls, and other safeguards to prevent unauthorised access, loss, or misuse. Citizens retain rights to access, correct, or delete their personal information, even as data is shared across government entities. Rwanda’s framework promotes the Five Safes approach—safe projects, safe people, safe settings, safe data, and safe outputs—to ensure responsible data use. This methodology prompts questions such as: Is the use appropriate? Are the users trustworthy? Is the environment secure? Government bodies must conduct risk assessments and clearly define roles and responsibilities. No data should be shared with third parties without authorisation. Personal identifiers should be removed where possible, and data use must align with the original purpose unless further approval is granted. Secure storage, disposal procedures, and breach response protocols are mandated. ALSO READ: What should feature in a Rwandan business’s data privacy policy? Process for data sharing Authorised institutions must register as approved data sharing entities. Data recipients submit formal applications detailing their use cases, which undergo review and approval by the Data Sharing Commission. Once authorised, data is delivered via Rwanda’s official platform through secure mechanisms such as APIs, ensuring data integrity and security. Both parties retain ownership of their respective intellectual property and data. Shared datasets are to be used solely for the agreed purpose, and new intellectual property resulting from data use belongs to the developing party. Licenses may be granted as necessary to support the initiative. Liability, disputes, and termination Parties are responsible for their conduct and operations under the agreement, which includes provisions for indemnity and handling disputes through negotiation or escalation to the Data Sharing Commission. The agreement’s validity aligns with the approved use case duration or until renewal or termination is approved. It is governed by Rwandan law and courts. Derrick Orta Ndahiro, President of Wikimedia User Group Rwanda, lauded the policy’s potential to streamline access to public information, reducing bureaucratic delays and facilitating collaboration across sectors. Innocent Muramira, a Kigali-based lawyer, highlighted its alignment with international standards and legal safeguards, emphasising that responsible data sharing can be a pillar of modern governance without infringing on legal rights or privacy.
