The main principles and general rules of freedom of information:
The provisions of this Policy shall apply to any requests submitted by individuals to access or obtain (unprotected) public information produced by public entities, regardless of its source, form or nature. This shall include paper records, emails, information stored on computers, audio or video cassettes, maps, photographs, manuscripts or handwritten documents, or any other form of recorded information.
The provisions of these Policies shall not apply to protected information, including the following:
1. Information that, if disclosed, may harm the State’s national security, policies, interests or rights.
2. Military and security information.
3. Documents and information obtained in agreement with another state and classified as protected.
4. Inquiries, investigations, checks, inspections and monitoring operations in respect of a crime, violation or threat.
5. Information comprising recommendations, suggestions, or consultations for issuing a governmental legislation or decision that is not made yet.
6. Commercial, industrial, financial or economic information that, if disclosed, may result in gaining profits or avoiding losses in an illegitimate manner.
7. Scientific or technological research, or rights including intellectual property rights, that, if disclosed, may result in infringement of a legal right.
8. Information on competitions, tenders and bids that, if disclosed, may violate fair competition;.and
9. Information which is deemed Restricted or personal under another law, or requires certain legal actions to be accessed or obtained.
Main Principles for Freedom of Information
Principle 1: Transparency
An individual shall have the right to access information related to the activities of public entities to enhance the system of integrity, transparency, and accountability.
Principle 2: Necessity and Proportionality
Any restrictions on requesting access to or obtainment of protected information received, produced, or managed by public entities shall be justified in a clear and explicit manner.
Principle 3: Public Information Disclosure
Every individual shall be entitled to access or obtain (unprotected) public information; such Requestor shall not necessarily have a certain status or interest in this information to be able to obtain same and he shall not be subject to any legal accountability related to this right.
Principle 4: Equality
All requests for data access shall be treated on an equal basis and in a non-discriminatory manner.
Rights of Individuals to Access or Obtain Public Information
1. The right to access and obtain any (unprotected) public information held by any public entity.
2. The right to be informed about the reason for denial of the request to access or obtain the required information; and
3. The right to appeal any decision denying a request to access or obtain the required information.
Obligations of Public Entities
1. A public entity shall be responsible for preparing and implementing policies and procedures related to exercising the right to access or obtain public information, and the head of the entity shall be responsible for adopting and approving these policies and procedures.
2. A public entity shall establish an administrative unit linked to the data management offices at government entities established pursuant to the Royal Order no. 59766, dated 20/11/1439H. This unit shall be assigned the responsibility to develop, document and monitor the implementation of policies and procedures approved by the entity’s senior management and related to the right to access public information. The functions and responsibilities of that unit shall include development of appropriate standards to determine the data classification levels in case of their absence – according to the Data Classification Policy – and to use these standards as a main reference upon addressing the requests for access to or obtainment of public information.
3. A public entity shall determine and provide possible means (forms for public information requests) – whether in paper or electronic form – through which an applicant can request access to or obtainment of public information.
4. A public entity shall verify the identity of individuals before granting them the right to access or obtain public information in accordance with the controls approved by the National Cyber Security Authority and the relevant entities.
5. A public entity shall set the necessary standards for determining the fees for processing requests to access or obtain public information based on the nature and size of the data, the effort spent, and the time taken, as per the Data Monetization Framework Policy1 .
6. A public entity shall document all records of requests to access or obtain public information and the decisions made with regard thereto, provided that these records are revised to address cases of misuse or non-response.
7. A public entity shall prepare and document policies and procedures for proper record keeping and for disposal thereof, in accordance with the laws and regulations related to entity functions and activities.
8. A public entity shall prepare and document the necessary procedures to manage, process, and document the requests for extension and denied requests. It shall also define the roles and responsibilities of the concerned staff and shall decide on the cases to be notified to the Regulatory Authority and NDMO as per the administrative hierarchy and in accordance with the time period specified for processing requests.
9. A public entity shall notify an applicant – in an appropriate manner – in the event that his request is rejected in whole or in part, explaining the reasons for denial and highlighting the right to appeal and how to exercise this right within a period not exceeding 15 days from the date on which the decision was made.
10. A public entity shall launch awareness-raising programs to promote a culture of transparency and raise awareness pursuant to the Freedom of Information Policies and Procedures approved by the senior management of the entity.
11. A public entity shall be responsible for monitoring compliance with the Freedom of Information Policies and Procedures on a periodical basis and presenting the results to the head of the entity (or his designee). It shall also determine and document the corrective measures to be taken in case of noncompliance and shall notify the Regulatory Authority and NDMO as per the administrative hierarchy.
Data Access or Obtainment Process
Main requirements for the request to access or obtain public information:
1. A request shall be made in writing or electronically.
2. A “public information request form”, as approved by the public entity, shall be filled in;
3. A request shall clearly state that it is for purposes of access to or obtainment of public information;
4. A request shall give details about how the final decision and notices are to be sent to the Requestor (for example, via the national address, email, or through the entity’s website, etc.);
5. A request shall be sent directly to the public entity.
Process for Requesting Access to or Obtainment of Public Information :
1. Requests shall be submitted by filling out a “public information request form” – in an electronic or paper format – to the public entity in possession of the information.
2. The public entity shall, within a period not less than 30 days from the date of receipt of the request to access or obtain public information, issue one of the following decisions:
a. Approval: If the public entity approves a request to access or obtain information in whole or in part, it shall notify the Requestor in writing of the applicable fees, and shall make this information available to the Requestor within a period not exceeding 10 days from the receipt of payment.
b. Denial: If the public entity denies a request to access or obtain information, a rejection decision shall be made in writing or electronically and shall include the following information: o Whether the request is denied in whole or in part; o The grounds for denial, if applicable; o A statement of the right to appeal such denial, and how to exercise this right.
c. Extension: In the event the public entity is unable to process request to access or obtain information in due time, it shall reasonably extend the response time as per the size and nature of the requested information; for example,said extension period shall not exceed an additional 30 calendar days. The public entity shall thereafter provide Requestor with the following information:
o Notice of extension and new date when the request is expected to be completed;
o The grounds for delay;
o A statement of the right to appeal such extension, and how to exercise this right.
d. Notice: If the required information is available on the entity’s website, or does not fall within its competence, that entity shall notify the Requestor, in writing or via electronic means, of the following information:
o The type of notice, for example, the required data is available on the entity’s website, or does not fall within its competence;
o A statement of the right to appeal this notice and how to exercise this right.
3. Should an applicant intend to appeal a decision of denial by a public entity, he may submit a written or electronic notice of appeal to the entity’s office within a period not exceeding ten working days from the date of receiving the decision of the public entity. The appeal committee within the entity’s office shall review the application and make the appropriate decision. It shall also notify the applicant of the related fees, which are to be refunded if the committee approves the appeal, and of the appeal decision.
1. Public entities shall ensure that these Policies are in line with their regulatory documents, policies and procedures, and shall circulate same to all agencies affiliated or associated therewith to ensure integration and achievement of the intended objectives.
2. Public entities shall balance between the right to access and obtain information and other necessary requirements, such as national security and personal data protection.
3. Public entities shall comply with these Policies and shall document such compliance on a periodical basis, in accordance with the mechanisms and procedures determined by these entities after coordination with NDMO.
4. The Regulatory Authorities shall – in coordination with NDMO – develop the mechanisms, procedures, and controls related to addressing complains within a specific timeframe and in accordance with the organizational hierarchy.
5. Public entities shall notify NDMO in the event that the request to access or obtain public information is rejected or that the response period to provide said information has been extended provided that such information falls within the scope of these Policies.
6. A public entity shall, upon contracting with other entities, such as companies performing public services, periodically verify the compliance of such entities with these Policies as per the mechanisms and procedures determined by the entity itself, including any subsequent contracts concluded by the other entities.
7. Public entities shall have the right to set additional rules for handling requests related to specific types of public information according to their nature and sensitivity, after coordination with NDMO.
8. Public entities shall prepare forms for the requests to access or obtain public information, whether in a paper or electronic format, specifying the required information and the possible means to provide the required information.
Freedom of Information and Open Data
Open data programs and policies are usually prepared and developed around the world to support growth of the national economy and innovation agenda. Needless to say, to make available and publish a specific dataset of public information for researchers, entrepreneurs, innovators, and start-ups helps to create a conductive environment for business growth, and emphasizes the work of an open and transparent government. Open data programs and policies also represent a proactive step taken by public entities to uphold the right to access public information by making available and publishing a specific dataset of public information, as open data, ahead of being requested. As such, it is expected that effective open data programs and policies will reduce the number of requests to access public information, and this will consequently lower government expenses related to processing such requests.
According to the national data governance policies announced by the Saudi Data and Artificial Intelligence Authority (SDAIA):