Freedom of Information Policy
Key Principles and General Rules of Freedom of Information:
This Policy applies to all requests by individuals to view or obtain public information – unprotected and produced by public authorities, of whatever source, form or nature, including paper records, e-mail messages, information stored on computers, audio or video tapes, maps, photographs, manuscripts, handwritten documents, or any other form of recorded information.
This Policy does not apply to protected information, including the following:
1. Information that, if disclosed, may undermine the State’s national security, policies, interests or rights.
2. Military and security information.
3. Documents and information obtained in agreement with another state and classified as protected.
4. Inquiries, investigations, checks, inspections and monitoring in respect of a crime or violation.
5. Information that includes recommendations, suggestions or consultations for issuing governmental legislation or decision not issued yet.
6. Commercial, industrial, financial or economic information that, if disclosed, may result in gaining profits or avoiding losses in an illegitimate manner.
7. Scientific or technological research, or rights including intellectual property rights that, if disclosed, may result in the infringement of an incorporeal right.
8. Tender and bidding information that, if disclosed, may give rise to violation of fair competition.
9. Information that is protected, confidential or personal under another law, or requires certain legal action to be accessed or obtained.
Key Principles of Freedom of Information:
Principle (1): Transparency
Each individual has the right to know information related to activities of public authorities to enhance a culture of integrity, transparency and accountability.
Principle (2): Necessity and Proportionality
Any restrictions on requesting access to protected information received, produced, or handled by public authorities must be justified in a clear and explicit way.
Principle (3): In Principle, Information Is Open for Disclosure
Each individual has the right to view unprotected public information. The applicant may not need to have a certain quality or interest in this information to obtain, nor will it not expose the person to any legal accountability related to this right.
Principle (3): Equality
All requests to view or obtain public information shall be addressed on the basis of equality and non-discrimination between individuals.
Individual Rights to View or Obtain Public Information
First: The right to view any information that is not protected.
Second: The right to know the reason for rejecting the request for viewing or obtaining the requested information.
Third: The right to appeal against the decision relevant to rejecting the request to view or obtain the requested information.
Public Entities Obligations:
1. The public entity shall be responsible for preparing and enforcing policies and procedures related to exercising the right to access or obtain public information. The entity’s primary official shall be responsible for approving such policies and procedures.
2. The public entity shall establish an administrative unit to be linked to data management offices in government agencies established pursuant to Royal Decree No. 59766, dated 20/11/1439 AH. Such unit shall be responsible for developing, documenting and monitoring the implementation of policies and procedures approved by the entity’s senior management related to the right to access information. Duties and responsibilities of such unit shall include setting appropriate standards for determining data classification levels, in accordance with data classification policy, and using them as a main reference when processing requests to access or obtain public information.
3. The public entity shall determine and provide possible means (Public information request forms), whether in paper or electronic form, through which an individual can request view or access to public information.
4. The public entity shall verify IDs of individuals before granting them the right to view or obtain public information in accordance with the controls approved by National Cybersecurity Authority and relevant authorities.
5. The public entity shall set necessary criteria for determining fees involved in processing requests to access or obtain public information based on nature and size of data, effort exerted and time spent, in accordance with data monetization policy. Further, the public entity shall document all records of requests to access or obtain information and decisions taken regarding such requests, provided that such records are reviewed to address cases of misuse or non-response.
6. The public entity shall prepare and document policies and procedures for maintaining and disposing of records of requests in accordance with laws and legislations related to the entity’s business and activities.
7. The public entity shall prepare and document necessary procedures to manage, process and document extension requests, rejected requests, and define tasks and responsibilities related to the relevant work team, as well as cases where the regulatory authority and office are notified according to the administrative hierarchy and time period specified for processing the requests.
8. The public entity shall notify individuals, in an appropriate manner, if the request is rejected in whole or in part, with an explanation of reasons for rejection, right to complain, and how to exercise such right within a period not exceeding (15) days after decision is made.
9. The public entity shall initiate awareness programs to promote a culture of transparency and raise awareness in accordance with freedom of information policies and procedures approved by the entity’s senior management.
10. The public entity shall be responsible for monitoring compliance with freedom of information policies and procedures periodically, to be presented to the entity’s primary official or his delegate. Corrective actions to be taken in case of non-compliance shall be identified and documented, and the regulatory authority and office shall be notified as per the administrative hierarchy.
Key Steps for Viewing or Obtaining Information
Key Requirements for Requests to Access or Obtain Public Information:
1. The request must be in written or electronic from.
2. The <Public Information Request Form> approved by the public entity must be filled out.
3. The request must be for the purposes of accessing or obtaining public information.
4. The application form must include details on how to send final decision and notices to the individual (National address, e-mail, or entity’s website... etc.)
5. The application form must be sent directly to the public entity.
Key Steps for Requesting Access to or Obtaining General Information:
First: Requests shall be made by filling out a <Public Information Request Form> - electronic or paper - and submitting such form to the public entity that has the information.
Second: The public entity shall, within a specified period of time (30 days) from receiving the request to view or obtain general information, take one of the following decisions:
1. Approval: If the public entity has approved the request to access or obtain information in whole or in part, the individual must be notified in writing or electronically of the applicable fees. The public entity must make this information available to the individual within a period not exceeding (10) working days from free receipt.
2. Rejection: If the request to access or obtain information is rejected, the individual must be notified in writing or electronically of such rejection, including the following information:
- Determine whether the application was rejected in whole or in part.
- Reasons for rejection, if applicable.
- The right to complain about such rejection and how to exercise such right.
3. Extension: If the request for access to information cannot be processed in the specified time, the public entity should extend the response time to a reasonable period depending on size and nature of information requested (e.g., additional (30) days), and shall provide the individual with the following information:
- Notice of extension and date on which the application is expected to be completed.
- Reasons of delay.
- The right to complain about such extension and how to exercise such right.
4. Notice: If the requested information is available on the entity’s website, or not within its competence, the individual must be notified of the same in writing or electronically, provided that such notice includes the following information:
- Notice Type: For example: The required data is available on the entity’s website, or is not within its competence.
* The right to complain about this notice and how to exercise this right.
Third: If the individual wishes to file a grievance against the rejection of request by a public entity, he can submit a written or electronic notice of the grievance to the entity’s office within a period not exceeding (10) working days from receiving the entity’s decision. Grievance Committee at the entity’s office shall review the request, take appropriate decision and notify the individual of review fee. Such fee shall be refunded if the committee approves the request and appeal decision.
First: The public entities shall harmonize this policy with their regulatory documents - policies and procedures, and circulate them to all their affiliated or related entities in order to achieve complementarity and ensure the achievement of the desired goal of preparing them.
Second: The public entities must balance the right to access and obtain information with other necessary requirements such as achieving national security and maintaining the privacy of personal data.
Third: The public entities must comply with this policy and document compliance periodically in accordance with the mechanisms and procedures that these entities specify after coordination.
Fourth: The regulatory authorities - after coordination with the office- shall prepare the mechanisms, procedures and controls related to handling complaints according to a specific time frame and the organizational hierarchy.
Fifth: The public entities must notify the office in the event that a request to access or obtain public information is rejected, or to extend the period specified for providing this information – which falls within the domain.
Sixth: The public entity, when contracting with other bodies, such as companies that carry out public services, must periodically verify the compliance of other entities with this policy in accordance with the mechanisms and procedures specified by the entity, provided that this includes any subsequent contracts that other parties undertake.
Seventh: The public entities have the right to set additional rules for handling requests related to specific types of public information according to their nature and sensitivity after coordination with the office.
Eighth: The public entities must prepare forms for viewing or obtaining public information - whether paper or electronic - in which the necessary information and possible means to provide the required information shall be specified.
Freedom of information and open data:
Open data programs and policies are usually prepared and developed around the world to support the national economic and innovation agenda. Undoubtedly, availability and dissemination of a specific set of public information for researchers, entrepreneurs, innovators and start-ups helps to create an environment conducive to business growth, and indicates an open and transparent government.
Open data programs and policies are also a proactive step by the entities in maintaining the right to access public information by making available or publishing a specific set of information - such as open data - before requesting access to or obtaining it. Thus, effective open data programs and policies reduce the volume of requests to access public information, thus reducing government expenditures related to processing requests.
According to the national data governance policies announced by the Saudi Data and Artificial Intelligence Authority (SDAIA):