Freedom of Information Key Principles and General Dispositions

Scope

This policy applies to any requests made by any individual to access or obtain unprotected public information produced by public entities, regardless of the source, form, or type of the information. This includes paper records, emails, computer information, audio or video cassettes, maps, photographs, manuscripts, handwritten documents, and any other kind of recorded information.

The following information is considered confidential and is not covered by this policy:

1. Information that, if disclosed, could harm the national security, policies, interests, or rights of the Kingdom of Saudi Arabia;

2. Military and security information;

3. Protected documents and information collected through an arrangement with another state;

4. Inquiries, investigations, checks, inspections, and surveillance pertaining to a crime, violation, or threat;

5. Information including recommendations, suggestions, or consultations for the issuance of government legislation or decision not issued yet;

6. Commercial, industrial, financial, or economic information that, if disclosed, may be used to illicitly gain profits or prevent costs;

7. scientific or technological research or rights, including an intellectual property right, that, if disclosed, could result in the violation of an incorporeal right;

8. Tender and bidding information that, if disclosed, may give rise to a violation of fair competition; and

9. Information that is protected, confidential, or private under another law, or for which access requires legal action.

Key Principles:

Principle 1: Transparency

Individuals have the right to obtain information pertaining to the actions of public entities in an effort to improve their integrity, transparency, and accountability.

Principle 2: Necessity and Reasonable Justification

Any restrictions on requesting access to or acquiring protected information received, created, or administered by a public entity must be clearly and explicitly justified.

Principle 3: Public Information Disclosure

Every individual has the right to access or get (unprotected) public information, and the applicant does not need to have a specific status or interest in the information to be able to access it, nor is he or she subject to legal liability for exercising this right.

Principle 4: Equality

All requests for information access or acquisition are processed equally and without discrimination.

Rights of Individuals to Access or Obtain Public Information:

I. The right to access and get any (unprotected) publicly available information from any public entity.

II. The right to know why a request for access to information was denied.

III. The right to file an appeal notice against the decision to deny access to the requested information

Obligations of Public Entities:

1. The public entity is responsible for creating and executing policies and procedures connected to exercising the right to access or obtain public information, while the head of the public entity is responsible for approving and adopting the same.

2. The public entity shall establish an administrative unit that is linked to the data management offices established across government entities by Royal Decree No. 59766 dated 20/11/1439H. The unit is responsible for developing, documenting, and monitoring the implementation of policies and procedures pertaining to the right to access information that has been approved by the entity's top management. The functions and responsibilities of that unit shall include developing appropriate standards to determine levels of data classification in the absence of them in accordance with the Data Classification Policy and using them as a primary reference while processing requests for access to or obtaining public information.

3. The public entity shall identify and provide possible means (forms for requesting public information), whether paper or electronic, through which the applicant can request access to or obtaining of public information.

4. Before providing individuals the right to access or get public information, the public entity must verify their identity in accordance with the measures set by the National Cybersecurity Authority and other relevant authorities.

5. In accordance with the Data Revenue Policy Document, the public entity shall establish the necessary standards for establishing the fees for processing requests to access or get public information based on the nature and size of the data, the effort expended, and the time required. The public institution must maintain a record of all requests to access or obtain public information and the choices made in response, with the proviso that these records must be examined to address instances of misuse or non-response.

6. The public entity must adopt and document policies and processes for the maintenance and disposal of records in conformity with laws and regulations pertaining to its operations and activities.

7. The public entity must create and record the procedures necessary for managing, processing, and documenting requests that are subject to extension or denial. The same shall also describe the duties and responsibilities of the relevant work team, as well as the circumstances in which the Regulatory Authority and NDMO are alerted in accordance with the reporting lines and within the set timeframe for processing requests.

8. The public entity must notify the applicant in a timely way if the request is denied in whole or in part, including the reasons for the denial, the right to appeal, and instructions on how to exercise this right, within fifteen (15) days of making the decision.

9. The public entity launch awareness programs to foster a culture of transparency and raise public knowledge in accordance with Freedom of Information Policies and Procedures approved by the top management of the entity.

10. The public entity is responsible for monitoring compliance with Freedom of Information Policies and Procedures on a regular basis and communicating the results to the head of the public entity or the delegate. The corrective actions to be implemented in the event of noncompliance must be identified, and the Regulatory Authority and NDMO must be notified in accordance with the reporting lines.

Request for Information Access Process

The principal requirements for requesting access to or obtaining public information are as follows:

1. The request must be in writing or electronically transmitted;

2. “Public Information Request Form” approved by the public entity must be filled out;

3. The request must explicitly declare that it is intended to acquire or obtain public information;

4. The request must specify how the final decision and notices will be communicated to the applicant (e.g., national address, email, or through the entity’s website); and

5. The request must be addressed directly to the public entity.

Request for Public Information Access Process:

I. Requests must be submitted by filling out a “Public Information Request Form”, whether in electronic format or paper and submitting the same to the public entity that owns the requested information.

II. The public entity must make one of the following determinations within thirty (30) days of receiving a request to access or obtain public information:

1. Grant: If the public entity grants a request to access or obtain information in whole or in part, the applicant must be notified in writing or electronically of the applicable fees, and the public entity must make the information available to the applicant within a reasonable timeframe that does not exceed ten (10) days after receipt of payment.

2. Denial: If the public entity declines a request for access to or acquisition of information, the rejection decision should be conveyed in writing or electronically and should include the following details:

  • Whether the request is denied in whole or in part;
  • A concise statement for the basis of denial, if applicable;
  • The right to appeal such denial decision and how the applicant can exercise such right.

3. Extension: In the event that the public entity is unable to respond to the request for access in a timely manner, the response time should be extended within a reasonable amount of time given the size and nature of the information requested—for example, no more than an additional thirty (30) days—and the public entity must provide the following information to the applicant:

  • Notification of the extension and the new deadline for completion of the request;
  • A concise statement for the basis of delay;
  • The right to appeal such extension and how the applicant can exercise such right.

4. Notice: If the needed information is available on the entity's website or is beyond its scope of responsibility, the individual requesting the information must be notified in writing or electronically, with the following details:

  • The type of notice: for instance, the requested information is available on the entity's website, or the request is beyond its authority;
  • The right to appeal such notice and how the applicant can exercise such right.

III. In the case that the applicant wishes to appeal the denial decision of a public body, he or she may send a written or electronic notice of appeal to the entity's office within ten (10) business days after receiving the decision of the public entity. The Board of Grievances within the entity's office shall consider the request, make the appropriate determination, and notify the applicant of the review fees, which are refundable if the request is approved, and the appeal result.

General Dispositions

I. Public entities shall ensure that this Policy is consistent with their policies and processes and disseminate the same to all of their affiliates and subsidiaries to guarantee integration and attainment of desired goals.

II. Public entities must strike a balance between the right to access and get information and other required criteria, such as national security and the protection of personal data.

III. Public entities must comply with this Policy and document compliance on a regular basis in line with the mechanisms and procedures set by these entities in consultation with one another.

IV. The Regulatory Authorities, in coordination with NDMO, shall design the mechanisms, procedures, and controls for resolving complaints within a certain timeframe and in accordance with the reporting lines.

V. Public entities must notify NDMO if a request for access to or obtaining public information is denied, or if they decide to extend the stated period and supply information covered by this Policy.

VI. When contracting with other entities, such as companies performing public services, the public entity shall periodically audit the compliance of these companies with this Policy, using mechanisms and procedures determined by the entity itself, including any subsequent contracts conducted by the other entities.

VII. The public entities, in cooperation with NDMO, should have the right to establish additional rules for handling requests for specific categories of public information according to their nature and sensitivity.

VIII. Public entities must provide paper or electronic forms for requesting access to public information, with a description of the requested information and a list of possible delivery methods.

Freedom of Information and Open Data

Globally, open data programs and policies were initiated and formulated to assist the expansion of national economies and innovation agendas. Providing specialised datasets to researchers, entrepreneurs, and startups promotes an open and transparent government by creating a conducive climate for business growth.

Driving an open data program is also a proactive measure taken by a public entity to uphold the right to access public information by providing or publishing certain material as open data before it is requested. As a result, it is anticipated that effective open data programs and policies will be correlated with fewer requests for access to public information, hence lowering government expenses associated with processing such requests.

 

Relevant Legislation:

National Data Governance Interim Regulations issued by SDAIA:

https://sdaia.gov.sa/ndmo/Files/PoliciesAr.pdf