Cornerstones of good FOI legislation

Tuesday, 14. May 2013

It seems like our initiative for freedom of information (FOI) had some impact in Austria: the government/coalition has announced an understanding to abolish state secrecy by default and introduce the principle of FOI.

However, the draft legislation that has been leaked is less than promising: there are a number of obvious points of intransparency which would make it extremely easy to obfuscate information that should definitely be included in any reasonable FOI law.

I'd like to share with you what I think are the main points good FOI legislation should include, inspired by international examples, conversations with people like Smári McCarthy and the talk by Nataša Pirc Musar.


The first part is easy: FOI applies to all government agencies on all administrative levels and all government-controlled entities. If the latter were not included, it'd be incredibly easy to remove documents from public view: just create a company and have it receive the documents. All downsides to this can be mitigated by a commercial secret exception (see below).

In practice, one would define "government-controlled entities" as any entity your board of audit audits.

There's also the concept of "functional government agencies": persons or companies which "do the administration's job" (or which the administration delegates certain jobs to). Include those too. To implement this, there should be a provision that all contracts with government agencies need to include a provision for maximum transparency of the contractor within the scope of the contract.

Contractors can still have secret agreements with non-government agencies. Want to run an organization outside of the boundaries of FOI? Just don't take jobs from the public administration.

Disclosure principles

Partial disclosure must be a basic principle: if a document contains sensitive information, everything but that sensitive information must still be handed over.

The format of disclosure must be the requester's choice: if they want to see the original documents, they get physical access. If they want copies, they get those. If they want copies of electronic documents, they get exactly those electronic documents, not scans of printouts.

Documents then can and should be managed in a way which makes disclosure easy and painless. Migrating to different, electronic filing systems makes a lot of sense in any case. Make public disclosure a primary use case for those.

Disclosure-on-request is a bit of work. Consider preemptive disclosure, which is a fancy way of saying that you should just publish data that you have no reason to keep secret/private anyway. Check the "publication" section for details on this.


Have a small number (aim for <10) of reasonable exceptions. Access-Info has a list of permissible exceptions in their RTI Rating Methodology document (item 29). Most importantly: personal data of natural persons must be protected (the extent of this protection may be subject to a lot of discussion), and the same goes for legitimate commercial interests (business secrets).

Personally, I'm all in favor of pseudonymization: include personal information that was relevant for the decision, as long as it can't be used to identify people - I have yet to see this implemented anywhere.

Have exceptions of exceptions: a public interest test and a harm test must be required. If public interest is at stake (e.g. corruption, human rights, etc.) or if there is no risk of actual harm to protected interests, these exceptions must not apply.

Some laws have absolute positive exceptions: everything on which tax money is spent must be absolutely open. There are downsides to this, the main one being that it cuts heavily into the personal data exception. Discussing this issue is especially fun, I have yet to make up my mind. There often seem to be complementary laws mitigating the impact of this.

DO NOT have exceptions for "personal data of legal entities".


Have a specialized, independent institution as a first instance for appeals. This institution is usually called something along the lines of "information commissioner". It must be about as independent as your country's board of audit.

Give them the right to see all the documents which are in the possession of all entities to which FOI applies. Even classified ones. Give them the right to search entities' premises if they do not cooperate. Give them the right to revoke the classification of documents.

Give them the right to sanction officials who repeatedly deny valid requests for information.

Don't let them be the final instance.

It's entirely reasonable to combine this institution with a data protection commission, if it exists. If you're in the EU, these need to exist and be independent. These jobs have more in common than you think.


Opening up a state's administration is a lot of work for everyone involved, especially if it isn't accomplished by a paradigm shift. The relevant question: if we want the government to be open, why shouldn't all non-classified, digital documents be public by default, for everyone to access?

For most legislators, this may be a little too much, though some could be warmed up to that idea.

However, certain documents should be made public by default: contracts with the administration, purchases by the administration, politicians' expenses if covered by tax money, …

All these published documents (from all administrative levels) must be collected at a central website for public data.

Some countries have provisions that contracts with the administration shall not be valid until they've been published for ~30 days. The administration must be able to step back from these contracts without payment until then. This is an entirely good idea. Insist on this.

The End

This is all I've got so far. If you're really interested in this, the aforementioned Access-Info/CLD document is a must-read.

Anything else? Ping me.