Freedom of Information
This section highlights the right to information policy in Saudi Arabia related to confidential public information. Here, you will gain insight into who is eligible to request information and the rights of individuals to obtain information based on five conditions, and you will learn which information can be requested and which is excluded. Additionally, this section sets out the official steps and procedures for requesting access to information and the platform on which you may apply, and it provides contact information for the relevant entities for any inquiries about the freedom of information policy.
Freedom of Information
It is the unprotected or confidential public information that the platform processes regardless of its source, form, or nature - open data fall under public information. The process of providing individuals with public data for a fee is called "freedom of information," or as it is known, a "right to information policy."
Freedom of Information Controls
The National Data Management Office (NDMO) has adopted Freedom of Information Standards and Controls as part of the Data Management and Personal Data Protection Standards. The Freedom of Information domain comprises four controls and nine specifications. This domain focuses on providing Saudi citizens with access to government information, describing the process for accessing such information, and the appeal mechanism in the event of a dispute.
Freedom of Information Regulation
The National data governance policies and the National Data Management and Personal Data Protection Standards set the legal basis for the rights of individuals to access public sector information and obligations of public entities for all requests coming from any individual to access or obtain public information – unprotected – produced or held by public entities, regardless of the source, form or nature. This includes paper records, emails, information stored on computers, audio or video cassettes, microfiche, maps, photographs, handwritten notes, or any other recorded information. The Regulation also defines the roles and responsibilities of the Saudi Data and Artificial Intelligence Authority (SDAIA) and its sub-entities, as well as the obligations of the National Data Management Office (NDMO) and National Information Center (NIC).
The Work Rules of the Committees for the Consideration of Violations of the Provisions of the Personal Data Protection Law and its Regulations aim to control and govern the work of these committees in accordance with the provisions of the law and its regulations.
The rules clarify the cases in which a personal data protection officer must be appointed at the controllers subject to the application of the provisions of the Personal Data Protection Law and its executive regulations and the minimum requirements for appointment.
Individuals’ Rights to Obtain Information
Every individual has the right to submit a request and know information related to the platform’s activities and has the right to view public information - unprotected - in exchange for a financial fee. The applicant doesn’t need to have a certain quality or interest in this information to obtain it, nor will it subject the person to any legal liability related to this right, which strengthens the system of integrity, transparency, and accountability. These rights include:
- Right to submit a request to obtain or access any information not protected by public authorities.
- Right to know the reason for the rejection of the request for access or to see the requested information.
- Right to file a grievance against the decision to reject the request to obtain or access the requested information.
- All requests to access or obtain public information are dealt with based on equality and non-discrimination between individuals.
- Any restrictions on requesting access to protected information should be justified clearly and explicitly.
What information can be requested?
- Information whose disclosure harms the state’s national security, policy, interests, or rights.
- Information that includes recommendations, suggestions, or consultations for the issuance of legislation or government decisions that have not yet been issued.
- Information of a commercial, industrial, financial or economic nature, the disclosure of which would lead to gaining profit or incurring loss in an illegal manner.
- Scientific or technical research or rights that contain an intellectual property right whose disclosure leads to an infringement of a moral right.
- Information related to bids and auctions, the disclosure of which would prejudice the fairness of competition.
- Information that is confidential or personal under another system and requires specific legal procedures to access or obtain it.
- Military and security information.
- Information and documents obtained by an agreement with another country and classified as protected.
- Investigations, searches, seizures, inspections, and surveillance related to a crime, violation, or threat.
Obligations of Public Entities
- The public entity is responsible for preparing and implementing policies and procedures related to exercising the right to access or obtaining public information. The entity’s primary office is responsible for accepting and approving it.
- The public entity establishes an administrative unit to be linked to the data management offices in government agencies that were established according to the Royal Decree No. 59766 dated 20/11/1439 AH and assigns it the responsibility to develop, document and monitor the implementation of the policies and procedures approved by the entity’s senior management related to the right to access the information, provided that the tasks and responsibilities of the unit include setting appropriate standards for determining the levels of data classification in the absence of them - in accordance with the data classification policy - and using them as a main reference when processing requests to access or obtain public information.
- The public entity identifies and provides the possible means (public information request forms) - whether it is a paper or electronic form - through which an individual can request access to or access public information.
- The public authority verifies individuals’ identities before granting them the right to view or obtain public information through the controls approved by the National Cybersecurity Authority and the relevant authorities.
- The entity sets the necessary criteria for determining the fees involved in processing requests to access or obtain public information. This determination is based on the nature and size of the data, the effort exerted, and the time spent. According to the data monetization policy, public documents record the requests to access or obtain information and decisions regarding these requests. So, these records are reviewed to address cases of abuse or non-response.
- The public entity prepares and documents the policies and procedures for maintaining and disposing of records of requests according to the laws and legislation related to the entity’s business and activities.
- The public agency prepares and documents the necessary procedures to manage, process, and document extension requests. However, rejected requests define tasks and responsibilities related to the relevant work team in cases where the regulatory authority and the office are notified. This case is according to the administrative hierarchy according to the period specified for processing the requests.
- If the request is denied, the public authority must notify the individual in a timely and appropriate manner. The explanation of the reasons for rejection, whether in whole or in part, should be clear. As a result, the requester gets the right to complain and exercise his rights within fifteen (15) days of the decision.
- The public entity prepares awareness programs to promote a culture of transparency and raise awareness through the freedom of information policies and procedures approved by the entity’s senior management.
- The public entity is responsible for monitoring compliance with freedom of information policies and procedures periodically, and it is presented to the entity’s first official or whoever he authorizes. Corrective actions that will be taken in the event of non-compliance are determined and documented, and the regulatory authority and office are notified according to the administrative hierarchy.
Saudi Data and Artificial Intelligence Authority (SDAIA)
The Saudi Data and Artificial Intelligence Authority (SDAIA) is the competent authority in the Kingdom concerned with data and AI including big data. SDAIA is also the national reference in all matters related to the organization, development, and handling of data and AI; in addition, it has the original competence in all matters related to operation, research, and innovation in the field of data and AI.
National Data Management Office (NDMO)
The National Data Management Office (NDMO) is one of the sub-entities of the Saudi Data and Artificial Intelligence Authority (SDAIA). Data Management is the process of developing, implementing, and supervising plans, policies, programs, and practices that enable entities to govern data and enhance its value as a precious asset. The Office also manages, digitizes, develops, and enables national data to enhance national assets and capabilities and protect personal and sensitive data by developing the necessary strategies, regulations, policies, and controls, supporting their implementation and monitoring compliance with them. Additionally, the National Data Management Office (NDMO) aims to enhance the Kingdom’s capabilities through proposing data-related regulations, while ensuring excellence in data management as an asset to enhance the Kingdom’s development vision.