hokoriagov > Legislation > Freedom of Information and Data Protection Act, 2026

Freedom of Information and Data Protection Act, 2026

Type:
Status:

An Act to provide for Freedom of Information requests, Subject Access Requests, adequate data protection and for the establishment of the Information and Data Protection Office.

ENACTED by the Koru of the Hokorian State under the Constitution of the Hokorian State.

Part I- Preliminary

Section 1- Short title

  1. This Act may be cited as the Freedom of Information and Data Protection Act, 2026.

Section 2- Commencement

  1. This Act shall come into force on a date appointed by the Koru of the Hokorian State.
  2. Different dates may be appointed for different provisions.

Section 3- Constitutional basis and objects

  1. This Act gives legal effect to Section 11.3 of the Constitution of the Hokorian State, as amended.
  2. The objects of this Act are-
    1. to guarantee lawful access to information held by public authorities;
    2. to protect personal data and private information;
    3. to establish enforceable individual rights in respect of personal data;
    4. to ensure accountability, transparency and proportionality in data processing;
    5. to establish an independent supervisory authority with binding powers;
    6. to provide effective remedies, sanctions and enforcement.

Section 4- Interpretation

  1. In this Act, unless the context otherwise requires-
    1. “Authority” means the Government, the Koru’s Office, the Assembly, any Office or Agency of the State and any publicly funded body;
    2. “Applicant” means a person making a request under this Act;
    3. “Personal data” means any information relating to an identified or identifiable individual;
    4. “Data controller” means a person or body that determines the purposes and means of processing personal data;
    5. “Data processor” means a person or body that processes personal data on behalf of a data controller;
    6. “Processing” includes collection, recording, storage, use, disclosure, transmission, alteration or erasure;
    7. “FOI request” means a request for recorded information held by an Authority;
    8. “Subject Access Request” or “SAR” means a request for personal data relating to the applicant;
    9. “IDPO” means the Information and Data Protection Office established under this Act;
    10. “Working day” has the meaning given by constitutional order.

Part II- Freedom of Information

Section 5- Right of access

  1. Every Hokorian citizen has the right to obtain access to information held by an Authority.
  2. Requests from non-citizens may be complied with at the discretion of the Authority.
  3. An applicant is not required to state reasons for making a request.

Section 6- Form and assistance

  1. Requests may be made in writing or electronically.
  2. Authorities shall provide reasonable assistance to applicants.
  3. Requests shall be handled without unnecessary formality.

Section 7- Time limits

  1. Authorities shall respond to FOI requests within 14 working days.
  2. A single extension of up to 14 working days may be applied where-
    1. the request is complex; or
    2. consultation with another Authority is required.
  3. Reasons for extension must be given in writing.

Section 8- Cost

  1. FOI requests and Subject Access Requests shall be free of charge.
  2. No request may be refused on grounds of cost, effort or administrative burden.

Part III- Exemptions and Safeguards

Section 9- Limited exemptions

  1. Information may be withheld only where disclosure would-
    1. endanger national security;
    2. prejudice public order;
    3. undermine the dignity or integrity of the State;
    4. unlawfully disclose personal data;
    5. duplicate information already lawfully and publicly accessible.
  2. Exemptions shall be interpreted narrowly and proportionately.

Section 10- Protection of personal data in FOI

  1. FOI requests shall not be used to obtain personal data.
  2. Personal data shall be disclosed only through a Subject Access Request.
  3. Anonymisation shall be used where disclosure is otherwise lawful.

Part IV- Data Protection Principles and Rights

Section 11- Principles of lawful processing

  1. Personal data shall be-
    1. processed lawfully, fairly and transparently;
    2. collected for specified and legitimate purposes;
    3. limited to what is necessary;
    4. accurate and kept up to date;
    5. retained only as long as necessary;
    6. secured against unauthorised access or loss.

Section 12- Lawful bases for processing

  1. Personal data may be processed only where-
    1. the individual has given consent;
    2. processing is required to comply with a legal obligation;
    3. processing is necessary for the performance of a statutory or public function;
    4. processing is necessary to protect vital interests;
    5. processing is necessary for legitimate interests, except where overridden by fundamental rights.
  2. Public Authorities shall rely primarily on statutory or public-interest bases.

Section 13- Subject Access Requests

  1. Every individual has the right to access personal data relating to them.
  2. Authorities shall respond within 14 working days.
  3. No fee shall be charged.

Section 14- Rectification and erasure

  1. An individual may request-
    1. correction of inaccurate data; or
    2. deletion of unlawfully held data.
  2. Controllers shall comply unless retention is required by law.

Section 15- Right to object and restrict processing

  1. An individual may object to the processing of their personal data on reasonable grounds.
  2. Where an objection is raised, processing shall be restricted pending review.
  3. The IDPO may order suspension, modification or continuation of processing.

Section 16- Data portability

  1. Where personal data is processed by automated means, an individual may request a copy-
    1. in a structured and commonly used format; and
    2. capable of transfer to another controller.
  2. This right does not apply where processing is necessary for public authority functions.

Part V- Data Security and Breaches

Section 17- Security obligations

  1. Controllers and processors shall implement appropriate technical and organisational measures to protect personal data.
  2. Security measures shall be proportionate to risk.

Section 18- Data breach notification

  1. A controller shall notify the IDPO without undue delay where a data breach risks harm to individuals.
  2. Where a breach presents a high risk, affected individuals shall be informed without undue delay.
  3. The IDPO may issue binding directions on mitigation and disclosure.

Part VI- Information and Data Protection Office

Section 19- Establishment

  1. The Information and Data Protection Office is hereby established.
  2. The IDPO shall be an independent regulator overseen by a Director appointed by the Koru of the Hokorian State.

Section 20- Functions and powers

  1. The IDPO shall-
    1. monitor and enforce compliance with this Act;
    2. investigate complaints;
    3. resolve disputes;
    4. issue binding orders;
    5. impose administrative fines.

Section 21- Administrative fines

  1. The IDPO may impose fines not exceeding €1,500 for non-compliance.
  2. Fine proceeds shall be paid-
    1. into the Central Fund; or
    2. in whole or in part to affected individuals, at the discretion of the IDPO.

Part VII- Enforcement of IDPO Orders

Section 22- Duty to comply

  1. Every person or body subject to an IDPO order shall comply within the specified timeframe.
  2. Failure to comply constitutes a breach of statutory duty.

Section 23- Civil enforcement

  1. An IDPO order is enforceable as if it were an order of the High Court of Justice.
  2. The IDPO may certify non-compliance and seek enforcement through civil proceedings.

Section 24- Debt recovery

  1. Unpaid fines constitute a civil debt owed to the State.
  2. The Office of the Treasury may recover such debts using lawful means.

Section 25- Criminal offence of obstruction

  1. A person commits an offence if they-
    1. wilfully refuse to comply with an IDPO order;
    2. obstruct an investigation;
    3. destroy, conceal or falsify information.
  2. Conviction may result in fines or other lawful penalties.

Part VIII- Jurisdiction and Appeals

Section 26- IDPO jurisdiction

  1. The IDPO has jurisdiction over disputes arising under this Act.
  2. The IDPO may order disclosure, partial disclosure, refusal or remedial action.

Section 27- Mandatory court referral

  1. Where a dispute concerns the Information and Data Protection Office itself, the matter shall be referred directly to the Courts.
  2. Subordinate offices remain subject to IDPO jurisdiction.

Part IX- Miscellaneous

Section 28- Protection from reprisal

  1. No person shall suffer detriment for exercising rights under this Act.
  2. Authorities shall act in good faith.

Section 29- Processor liability

  1. A data processor shall-
    1. act only on lawful instructions;
    2. implement appropriate security measures.
  2. Processors are directly liable for breaches of this Act.

Section 30- Regulations

  1. The Koru may make regulations to give effect to this Act.

Section 31- Supremacy and consistency

  1. This Act prevails over inconsistent policy or administrative practice.
  2. Nothing in this Act derogates from the Constitution.