Part I- Preliminary

Section 1- Title and effect

1. This Act shall be known as the Freedom of Information and Data Protection Act, 2026.
2. This Act shall have effect immediately upon the Constitution of the Hokorian State coming into force.

Section 2- Interpretation

1. “Public body” means any office, authority or body exercising public functions under the authority of the State.
2. “Information” means recorded information in any form.
3. “Personal data” means information relating to an identifiable person.
4. “Request” means a request for access to information under this Act.
5. “Processing” means the collection, use, storage or disclosure of personal data.
6. “Regulatory Authority” means the independent regulator established under law with responsibility for oversight of information and data protection matters.

Part II- Freedom of Information

Section 3- Right to request information

1. A person may request access to information held by a public body:
   • Requests must be made in a clear and identifiable form,
   • Requests must reasonably describe the information sought.
2. A public body shall respond to a request within a reasonable time.
3. Access shall be provided unless refusal is permitted under this Act.

Section 4- Scope and form of access

1. Access to information may be provided:
   • In full,
   • In part where necessary,
   • Subject to reasonable conditions.
2. A public body may redact information where lawful grounds for refusal apply.
3. Information shall be provided in a usable and accessible form where possible.

Section 5- Grounds for refusal

1. A request may be refused where disclosure would:
   • Prejudice the security of the State,
   • Endanger public safety or order,
   • Impair the effective operation of government,
   • Disclose confidential internal deliberations,
   • Disclose personal data contrary to Part III,
   • Be otherwise unlawful.
2. Refusal must be justified and recorded.
3. Where possible, partial disclosure shall be preferred over full refusal.

Section 6- Procedure and review

1. Public bodies may require clarification of a request where necessary.
2. A person may request a review of a refusal by the Regulatory Authority.
3. The Regulatory Authority may:
   • Require reconsideration of a request,
   • Direct partial or full disclosure where appropriate,
   • Uphold a refusal where lawful.

Part III- Personal Data Protection

Section 7- Lawful processing of personal data

1. Personal data shall be processed only where:
   • It is necessary for a lawful public function,
   • It is authorised by law,
   • Consent has been given where required.
2. Processing must be fair, proportionate and limited to its purpose.

Section 8- Use and disclosure of personal data

1. Personal data shall not be disclosed where disclosure would:
   • Cause unjustified harm,
   • Interfere with privacy without lawful basis.
2. Disclosure may occur where required or authorised by law.
3. Public bodies shall take reasonable steps to protect personal data.

Section 9- Retention and accuracy

1. Personal data shall be retained only for as long as necessary.
2. Public bodies shall take reasonable steps to ensure accuracy.
3. Inaccurate data shall be corrected or removed where appropriate.

Part IV- Oversight and Powers of the Regulatory Authority

Section 10- Oversight and compliance

1. The Regulatory Authority shall oversee compliance with this Act.
2. The Regulatory Authority may:
   • Monitor the conduct of public bodies,
   • Require information relevant to compliance,
   • Investigate potential breaches.
3. Public bodies shall cooperate with the Regulatory Authority.

Section 11- Enforcement powers

1. The Regulatory Authority may take action where a breach of this Act is identified:
   • Issue directions requiring compliance,
   • Require correction or deletion of personal data,
   • Require disclosure of information where unlawfully withheld.
2. Directions of the Regulatory Authority shall be binding unless overturned by the Court.
3. A person affected by a direction may challenge it before the Court.

Part V- Offences and Enforcement

Section 12- Offence of unlawful refusal of information

1. A public official commits an offence where they:
   • Knowingly refuse a valid request without lawful grounds,
   • Intentionally obstruct access to information.
2. Levels of severity:
   • Basic offence: improper refusal without significant harm,
   • Aggravated offence: repeated or deliberate obstruction.
3. Penalties:
   • Basic offence shall carry a minimum term of no penalty and a maximum term of 1 month,
   • Aggravated offence shall carry a minimum term of 1 month and a maximum term of 3 months.

Section 13- Offence of misuse of personal data

1. A person commits an offence where they:
   • Process or disclose personal data without lawful basis,
   • Use personal data in a manner causing harm or risk.
2. Levels of severity:
   • Basic offence: limited misuse,
   • Aggravated offence: serious or harmful misuse.
3. Penalties:
   • Basic offence shall carry a minimum term of no penalty and a maximum term of 1 month,
   • Aggravated offence shall carry a minimum term of 1 month and a maximum term of 3 months.

Part VI- Final Provisions

Section 14- Regulations and procedures

1. The Koru may establish procedures, forms and systems for:
   • Requests for information,
   • Handling of personal data,
   • Cooperation with the Regulatory Authority.
2. Such procedures must be consistent with this Act.

Section 15- Interpretation and application

1. This Act shall be applied in a manner that balances access to information with protection of privacy.
2. Any doubt shall be resolved in favour of both transparency and lawful protection of personal data.