1. Introduction

 Freedom of information is a fundamental right that ensures individuals access to data and information held by government entities and public institutions. This right is an important tool for promoting transparency and accountability within the authority, and for enabling citizens to actively participate in decision-making and monitor institutional performance.

2. The Purpose of the Policy 

The purpose of this Policy is to ensure compliance with the freedom of information requirements outlined in the NDI Index and the regulations of the National Data Management Office (NDMO), while ensuring that all employees of the Authority understand and apply the standards and procedures of freedom of information in a legal and secure manner, in accordance with relevant laws and regulations.

3. Policy Scope

This policy applies to all individual requests to access or obtain public — non-protected — information produced by the Authority, regardless of its source, form, or nature. This includes paper records, emails, computer-stored data, audio tapes, videos, maps, photographs, manuscripts, handwritten documents, or any other form of recorded information.

This policy shall not apply to the following types of information:

1. Information whose disclosure would harm the national security of the Government, its policies, interests, or rights.

2. Military and security information.

3. Information and documents obtained under an agreement with another country and classified as protected.

4. Investigations, inquiries, enforcement actions, inspections, and monitoring activities related to a crime, violation, or threat.

5. Information that includes recommendations, proposals, or consultations intended for legislation or a government decision that has not yet been issued.

6. Commercial, industrial, financial, or economic information, the disclosure of which would result in unlawful profit or loss avoidance.

7. Scientific or technical research, or rights that involve intellectual property where disclosure would infringe on moral rights.

8. Information related to competitions, tenders, and auctions where disclosure would compromise fair competition.

9. Information deemed confidential or personal under other applicable laws, or that can only be accessed or obtained through specific legal procedures.

Policy Statement

Fundamental Principles of Freedom of Information

1. Principle One: Transparency

Individuals have the right to access information related to the Authority’s activities, in support of integrity, transparency, and accountability.

1. Principle Two: Necessity and Proportionality

Any restrictions on access to or obtaining protected information received, produced, or handled by EXPRO must be clearly and explicitly justified.

1. Principle Three: Disclosure as the Default for Public Information

Every individual has the right to access public — non-protected — information. The requester is not required to have a specific legal standing or particular interest to access the information, nor will they face legal liability for exercising this right.

Principle Four: Equality

All requests to access or obtain public information shall be treated equally and without discrimination among individuals.

Individuals’ Rights on Access to Public Information

First: The right to access and obtain any non-protected information maintained by the Authority.

Second: The right to be informed of the reasons for denial of access to the requested information.

Third: The right to appeal a decision denying access to or provision of the requested information.

Responsibilities of the Government Expenditure and Project Efficiency Authority (EXPRO)

1. The Data Management Office (DMO) shall be responsible for developing and implementing policies and procedures for accessing or obtaining information held by the Authority. The CEO shall be responsible for approving such policies and procedures.

2. The Data Management Office shall provide appropriate means (public information request forms), whether in paper or electronic format, through which individuals can request access to or obtain public information.

3. The Data Management Office must verify the identity of individuals before granting access to or provision of public information, in accordance with the regulations set by the National Cybersecurity Authority and other relevant entities.

4. The Data Management Office shall establish criteria for determining any fees associated with processing public information requests, based on the nature and volume of data, effort required, and time spent.

5.  The Data Management Office shall document all records of information access requests and decisions made in response. These records shall be periodically reviewed to address cases of misuse or lack of response.

6. The Data Management Office shall develop and document policies and procedures for retaining and disposing of request records in accordance with applicable laws and regulations relevant to the Authority’s operations.

7. The Data Management Office shall establish and document procedures for managing, processing, and recording extension requests, rejections, and related workflows. It shall also define the roles and responsibilities of the relevant team and determine the circumstances under which the Saudi Authority for Data and Artificial Intelligence (SDAIA) must be notified, in accordance with the reporting line and within the prescribed timeframe.

8. The Data Management Office must appropriately notify the requester in the event of full or partial rejection of a request, clearly stating the reasons for the rejection and the right to appeal, including how to exercise that right within 15 days of the decision.

9. The Data Management Office shall develop awareness programs to promote a culture of transparency and enhance understanding in accordance with the freedom of information policies and procedures approved by the Authority’s senior management.

10. The Data Management Office shall be responsible for regularly monitoring compliance with the freedom of information policies and procedures. Reports shall be submitted to the head of the Authority or their delegate. Corrective actions must be identified and documented in the event of non-compliance, and the regulatory body and DMO shall be notified as per the administrative hierarchy.

General Provisions for Freedom of Information

First: The Authority shall align this policy with its organizational documents, including policies and procedures, and circulate it across all affiliated or related entities to ensure integration and achievement of its intended objectives.

Second: The Authority must balance the right of access to information with other essential requirements, such as national security and the protection of personal data privacy.

Third: The Authority must comply with this policy and regularly document its compliance, in accordance with the mechanisms and procedures defined by the relevant entities in coordination with the office.

Fourth: The Authority, in coordination with the office, shall develop mechanisms, procedures, and controls for handling complaints within a defined timeframe and in line with the organizational hierarchy.

Fifth: The Authority must notify the office if a request to access or obtain public information is denied or if the deadline for providing the information within scope is extended.

Sixth: When contracting with third parties — such as companies providing public services — the Authority must periodically verify those parties’ compliance with this policy, in accordance with the mechanisms and procedures set by the Authority. This shall also apply to any subsequent subcontracts.

Seventh: The Authority reserves the right, after coordination with the office, to establish additional rules for handling requests related to specific types of public information, based on their nature and sensitivity.

Eighth: The Authority shall develop access request forms, paper-based or electronic, specifying the necessary information and available means for providing the requested information.