Freedom of Information

A freedom of information policy

The information freedom policy adopted by the National Data Management Office (NDMO) establishes the fundamentals and guidelines for data freedom, which apply to requests made by individuals to access unprotected public data created or acquired by public entities.

This policy applies to all requests from individuals to access or obtain public information—not protected—that is produced by public entities, regardless of its source, form, or nature. This includes paper records, email messages, information stored on computers, audio or video tapes, maps, photographs, manuscripts, handwritten documents, or any other form of recorded information.

The provisions of this policy do not apply to protected information :

•Information whose disclosure would harm the national security of the state, its policies, interests, or rights.
•Military and security information.
• Information and documents obtained under an agreement with another country and classified as protected.
• Investigations, inquiries, enforcement actions, and monitoring related to a crime, violation, or threat.
•Information that includes recommendations, suggestions, or consultations for the issuance of legislation or government decisions that have not yet been issued.
•Information of a commercial, industrial, financial, or economic nature that, if disclosed, could result in illegal profit or loss.
•Scientific or technical research, or rights involving intellectual property rights, the disclosure of which would infringe on a moral right.
•Information related to competitions, tenders, and bids that, if disclosed, could disrupt fair competition.
•Information that is confidential or personal under another regulation or requires specific legal procedures to access or obtain.

The basic principles of freedom of information are:

Principle One: Transparency Individuals have the right to know information related to the activities of public entities, promoting a system of integrity, transparency, and accountability.

Principle Two: Necessity and Proportionality Any restrictions on requests for access to or obtaining protected information received, produced, or handled by public entities must be justified clearly and explicitly.

Principle Three: The Default for Public Information is Disclosure Every individual has the right to access public information—not protected—without necessarily having a specific status or interest in that information to obtain it, and they are not subject to any legal accountability related to this right.

Principle Four: Equality All requests for access to or obtaining public information are treated based on equality and without discrimination among individuals.

Individuals' rights to access or obtain public information:

• The right to access and obtain any unprotected information held by any public entity.
•The right to know the reason for denying access to or obtaining the requested information.
•The right to appeal the decision to reject the request for access to or obtaining the requested information.

Key steps and requirements for accessing or obtaining information

Main requirements for requests to access or obtain public information:

•The request must be in writing or electronically.
•The approved General Information Request Form must be filled out by the public entity.
• The request must be to access or obtain public information.
•The request form must include details on how to send the final decision and notifications to the individual (such as the national address, email, or the entity's website, etc.).
•The request form must be submitted directly to the public entity.

Main steps to request access or general information:

First: requests are submitted by filling out a General Information Request Form—electronically or on paper—and submitting it to the public entity that holds the information.

Second: The public entity, within a specified timeframe (30 days) from receiving the request for access to or obtaining public information, must make one of the following decisions:

Approval: If the public entity approves the request for access to or obtaining the information, either fully or partially, the individual must be notified in writing or electronically of the applicable fees. The public entity must make this information available to the individual.

Rejection: If the request for access to or obtaining the information is denied, the rejection must be communicated in writing or electronically and include.

Extension: If it is not possible to process the request for access to the information within the specified time, the public entity should extend the period for responding by a reasonable duration based on the size and nature of the requested.

Notification: If the requested information is available on the entity’s website or is not under its jurisdiction, the individual must be notified in writing or electronically.

Third: If an individual wishes to appeal the rejection of the request by a public entity, they may submit a written or electronic notice of appeal to the office of the entity within a period not exceeding (10) working days from receiving the decision from the public entity. The appeals committee at the entity’s office will review the request, make an appropriate decision, and notify the individual of the review fees—these will be refunded if the committee approves the request and the appeal decision.

General provisions

First: Public entities shall align this policy with their regulatory documents—policies and procedures—and disseminate it to all affiliated or related entities to achieve integration and ensure the intended goal of its preparation.

Second: Public entities must balance the right to access and obtain information with other requirements, such as national security and the protection of personal data privacy.

Third: Public entities must comply with this policy and document compliance periodically according to the mechanisms and procedures established by these entities after coordination.

Fourth: Regulatory entities, after coordinating with the office, shall prepare the mechanisms, procedures, and controls related to handling complaints according to a specified timeline and by the organizational hierarchy.

Fifth: Public entities must notify the office if a request for access to or obtaining public information is denied or if the timeframe for providing this information is extended—these falls within the scope.

Sixth: When public entities contract with other entities—such as companies providing public services—they must periodically verify the compliance of these different entities with this policy according to the mechanisms and procedures established by the entity, including any subsequent contracts that the other entities may enter.

Seventh: Public entities have the right to establish additional rules for processing requests related to specific types of public information according to their nature and sensitivity after coordinating with the office.

Eighth: Public entities must prepare forms for accessing or obtaining public information—whether paper or electronic—that specify the necessary information and possible means for providing the requested information.

Legislations related

According to national data governance policies announced by the Saudi Data and Intelligence Authority

For comments and suggestions

For any inquiries or comments about government services, please fill out the required information.

Last modified: 16/06/2025 - 8:56 pm Time in Saudi Arabia

A freedom of information policy

The provisions of this policy do not apply to protected information :

•Information whose disclosure would harm the national security of the state, its policies, interests, or rights.

•Military and security information.

• Information and documents obtained under an agreement with another country and classified as protected.

• Investigations, inquiries, enforcement actions, and monitoring related to a crime, violation, or threat.

•Information that includes recommendations, suggestions, or consultations for the issuance of legislation or government decisions that have not yet been issued.

•Information of a commercial, industrial, financial, or economic nature that, if disclosed, could result in illegal profit or loss.

•Scientific or technical research, or rights involving intellectual property rights, the disclosure of which would infringe on a moral right.

•Information related to competitions, tenders, and bids that, if disclosed, could disrupt fair competition.

•Information that is confidential or personal under another regulation or requires specific legal procedures to access or obtain.

The basic principles of freedom of information are:

Principle One: Transparency Individuals have the right to know information related to the activities of public entities, promoting a system of integrity, transparency, and accountability.

Principle Two: Necessity and Proportionality Any restrictions on requests for access to or obtaining protected information received, produced, or handled by public entities must be justified clearly and explicitly.

Principle Three: The Default for Public Information is Disclosure Every individual has the right to access public information—not protected—without necessarily having a specific status or interest in that information to obtain it, and they are not subject to any legal accountability related to this right.

Principle Four: Equality All requests for access to or obtaining public information are treated based on equality and without discrimination among individuals.

Key steps and requirements for accessing or obtaining information

Main requirements for requests to access or obtain public information:

•The request must be in writing or electronically.

•The approved General Information Request Form must be filled out by the public entity.

• The request must be to access or obtain public information.

•The request form must include details on how to send the final decision and notifications to the individual (such as the national address, email, or the entity's website, etc.).

•The request form must be submitted directly to the public entity.

Main steps to request access or general information:

First: requests are submitted by filling out a General Information Request Form—electronically or on paper—and submitting it to the public entity that holds the information.

Second: The public entity, within a specified timeframe (30 days) from receiving the request for access to or obtaining public information, must make one of the following decisions:

Approval: If the public entity approves the request for access to or obtaining the information, either fully or partially, the individual must be notified in writing or electronically of the applicable fees. The public entity must make this information available to the individual.

Rejection: If the request for access to or obtaining the information is denied, the rejection must be communicated in writing or electronically and include.

Extension: If it is not possible to process the request for access to the information within the specified time, the public entity should extend the period for responding by a reasonable duration based on the size and nature of the requested.

Notification: If the requested information is available on the entity’s website or is not under its jurisdiction, the individual must be notified in writing or electronically.

Third: If an individual wishes to appeal the rejection of the request by a public entity, they may submit a written or electronic notice of appeal to the office of the entity within a period not exceeding (10) working days from receiving the decision from the public entity. The appeals committee at the entity’s office will review the request, make an appropriate decision, and notify the individual of the review fees—these will be refunded if the committee approves the request and the appeal decision.

General provisions

First: Public entities shall align this policy with their regulatory documents—policies and procedures—and disseminate it to all affiliated or related entities to achieve integration and ensure the intended goal of its preparation.

Second: Public entities must balance the right to access and obtain information with other requirements, such as national security and the protection of personal data privacy.

Third: Public entities must comply with this policy and document compliance periodically according to the mechanisms and procedures established by these entities after coordination.

Fourth: Regulatory entities, after coordinating with the office, shall prepare the mechanisms, procedures, and controls related to handling complaints according to a specified timeline and by the organizational hierarchy.

Fifth: Public entities must notify the office if a request for access to or obtaining public information is denied or if the timeframe for providing this information is extended—these falls within the scope.

Sixth: When public entities contract with other entities—such as companies providing public services—they must periodically verify the compliance of these different entities with this policy according to the mechanisms and procedures established by the entity, including any subsequent contracts that the other entities may enter.

Seventh: Public entities have the right to establish additional rules for processing requests related to specific types of public information according to their nature and sensitivity after coordinating with the office.

Eighth: Public entities must prepare forms for accessing or obtaining public information—whether paper or electronic—that specify the necessary information and possible means for providing the requested information.