Key Principles and General Dispositions for Freedom of Information
Scope
This policy applies to any requests made by any individual to access or obtain unprotected public information produced by public entities, regardless of the source, form, or type of the information. This includes paper records, emails, computer information, audio or video cassettes, maps, photographs, manuscripts, handwritten documents, and any other kind of recorded information.
The following information is considered confidential and is not covered by this policy:
1. Information that, if disclosed, could harm the national security, policies, interests, or rights of the Kingdom of Saudi Arabia;
2. Military and security information;
3. Protected documents and information collected through an arrangement with another state;
4. Inquiries, investigations, seizure, inspections, and surveillance pertaining to a crime, violation, or threat;
5. Information including recommendations, suggestions, or consultations for the issuance of government legislation or decision not issued yet;
6. Commercial, industrial, financial, or economic information that, if disclosed, may be used to illicitly gain profits or prevent costs;
7. scientific or technological research or rights, including an intellectual property right, that, if disclosed, could result in the violation of an moral right;
8. Tender and bidding information that, if disclosed, may give rise to a violation of fair competition;
9. Information that is confidential or private under another law, or that requires specific legal procedures to be accessed.
Key Principles for freedom of information:
Principle 1: Transparency
Individuals have the right to obtain information pertaining to the actions of public entities in an effort to improve their integrity, transparency, and accountability.
Principle 2: Necessity and Reasonable Justification
Any restrictions on requesting access to or acquiring protected information received, created, or administered by a public entity must be clearly and explicitly justified.
Principle 3: Public information is open by default
Every individual has the right to access or get (unprotected) public information, and the applicant does not need to have a specific a ground or interest in the information to be able to access it, nor is he or she subject to legal liability for exercising this right.
Principle 4: Equality
All requests for information access or acquisition are processed equally and without discrimination.
Rights of Individuals to Access or Obtain Public Information:
I. The right to access and get any (unprotected) publicly available information from any public entity.
II. The right to know why a request for access to information was denied.
III. The right to file an appeal against the decision to deny access to the requested information.
Obligations of Public Entities:
1. The public entity is responsible for creating and executing policies and procedures connected to exercising the right to access or obtain public information, and the head of the public entity is responsible for approving and adopting the same.
2. The public entity shall establish an administrative unit that is linked to the data management offices established across government entities by Royal Order No. 59766 dated 20/11/1439H. The unit is responsible for developing, documenting, and monitoring the implementation of policies and procedures pertaining to the right to access information that has been approved by the entity's top management. The functions and responsibilities of that unit shall include developing appropriate standards to determine levels of data classification in the absence of them in accordance with the Data Classification Policy and using them as a primary reference while processing requests for access to or obtaining public information.
3. The public entity shall identify and provide possible means (forms for requesting public information), whether paper or electronic, through which the applicant can request access to or obtaining of public information.
4. Before providing individuals the right to access or obtain public information, the public entity must verify their identity in accordance with the measures set by the National Cybersecurity Authority (NCA) and other relevant authorities.
5. The public entity shall set the necessary standards for determining the fees for processing requests to access or obtain public information based on the nature of the data, its size, the effort spent, and the time taken - in accordance with the Data Revenue Framework Interim Regulation. The public entity shall document all records of requests to access or obtain public information and the decisions taken on these requests, provided that these records would be reviewed to address cases of misuse or non-response.
6. The public entity shall prepare and document policies and procedures for proper records keeping and disposing of it in accordance with the relevant national laws and regulations.
7. The public entity shall prepare and develop the necessary procedures to manage, process, and document the requests subject to extension or denial. They shall also define roles and responsibilities related to the appointed staff and document the cases in which the Regulatory Authority and NDMO are notified according to the time period specified for processing the requests.
8. The public entity shall notify the applicant - in an appropriate manner - in the event the request is rejected in whole or part, explaining the reasons for the denial and the right to appeal and how to exercise this right within a period not exceeding (15) days after the making the decision.
9. The public entity shall launch awareness programs to promote and enhance the culture of transparency and raise awareness of the Freedom of Information policies and procedures approved by the top management of the entity.
10. The public entity shall launch awareness programs to promote and enhance the culture of transparency and raise awareness of the Freedom of Information policies and procedures approved by the top management of the entity.
The main steps for the request to access public information:
The main requirements for the request to access public information:
1. The request should be in writing or electronically;
2. The request should be filled out in a dedicated form made accessible by the public entity;
3. The request should clearly state that it is a request for Freedom of Information purposes;
4. The request should give details about how notices can be sent to the requester (for example: address, email, or through the entity’s website);
5. The request should be sent directly to the public entity.
The main steps for the request to access public information:
First: Applications should be submitted by filling out a “Public Information Request Form” – electronic format or paper – and submitting it to the public entity that has the information.
Second: The public entity, in not less than thirty (30) days of receipt of a request to access or obtain public information, shall take one of the following steps:
Grant: If the public entity grants a request to access to or obtain information in whole or in part, the applicant should be advised in writing the applicable fees, and the public entity should make this information available to the applicant within a reasonable period that does not exceed ten (10) working days of receipt of payment.
Denial: If the public entity denies a request to access to or obtain information, rejection decision should be communicated in writing or electronically and should include the following information:
• Whether the request is denied in whole or in part;
• A concise statement for the basis of denial, if applicable;
• The right to appeal such denial decision and how the applicant can exercise such right.
• Notice of a right to appeal such denial, including notice as to the manner in which any appeal must be taken.
3. Extension: In the event the public entity is unable to respond to the request for access in due time, the time in which to respond should be extended within reasonable time given the size and nature of information requested – for example not exceeding an additional thirty (30) calendar days – and the public entity should provide the applicant with the following information:
• Notice of the Extension and the new date when the request is expected to be completed;
• A concise statement for the basis of delay;
• Notice of a right to appeal such delay, including notice as to the manner in which any appeal must be taken.
4. Notice: If the required information is available on the entity’s website, or is not within its competence, the individual requesting the information must be notified, in writing or electronically, including the following information:
• The type of notice, for example, the required data is available on the entity’s website, or is not within its competences;
• The right to complain about this notice and how to exercise this right.
Third: In the event the applicant wants to appeal a denial by a public entity, they could submit a written or electronic notice of appeal to the public entity’s Office within a specific period of time, not exceeding ten (10) working days after receiving the decision of the public entity. The Board of Grievances within the entity’s office, shall review the application, make the appropriate decision and notify the applicant of the related fees – they are refunded if the Board approves the request and the appeal decision.
General Dispositions
First: Public entities shall ensure that these Interim Regulations are in line with their policies and procedures and circulate the same to all its affiliates or relevant agencies to ensure alignment and achievement of targeted objectives.
Second: Public entities shall balance between the right to be informed and to access information with other necessary requirements, such as national security and personal data protection.
Third: Public entities shall comply with these Interim Regulations and document compliance periodically, in accordance with the mechanisms and procedures determined by the entities after coordination with NDMO.
Fourth: Regulatory Authorities – in coordination with NDMO – shall develop the mechanisms, procedures, and controls related to resolving complains within a specific timeframe.
Fifth: Public entities shall notify NDMO in the event the request for access to public information is rejected or the public entities have decided to extend time to respond and provide information that is in scope of these Interim Regulations.
Sixth: When contracting with other entities - such as companies performing public services - the public entity shall audit on a periodic basis the compliance of these entities according to the mechanisms and procedures determined by the entity itself, including any subsequent contracts conducted by the other entities.
Seventh: The public entities shall have the right to set additional rules for handling requests related to specific types of public information according to their nature and sensitivity after coordination with NDMO.
Eighth: Public entities shall prepare forms for the request or access to public information - whether paper or electronic – specifying the required information and clarifying possible means to provide the required information.
Freedom of Information and Open Data
Open data programs and policies have been launched around the world to support growth of the national economy and innovation agenda. Making specific datasets available for public access and use has benefited researchers, innovators, other members of the public and even companies and helped create a conductive environment for business growth, promoting an open and transparent government.
Driving an open data program also represents the proactiveness of a public entity in upholding the right to access public information and making specific datasets open ahead of being requested. As such, it is expected that effective open data programs can be correlated with less Freedom of Information requests, potentially lowering the respective government expenses.
Relevant Legislation:
National Data Governance Interim Regulations issued by SDAIA:
https://sdaia.gov.sa/ndmo/Files/PoliciesAr.pdf