The notion of access to information lies between two, somewhat opposite legal concepts:

• The protection of personal data;

• The access to information.

On the one side, the term refers to the right generally or specifically held by individuals or legal entities to obtain all communicable information under the law or certain items of information that concern them in particular. On the other side, the notion pertains to the right of persons not to have information concerning them be disclosed, modified, or aggregated, especially through any automated processing to which such data may be subject.

OECD countries have passed legislation on the right to access information and established institutions guaranteeing the right to access information. These entities play a fundamental role in the promotion, application, and growth of this right, as well as in the protection of personal data and the communication of documents and information (OECD, 2019).

From an institutional point of view, the oversight functions to guarantee the right to access information and protect personal data may be carried out by a single institution or separately by at least two institutions. Sometimes the functions are performed by an institution that also performs other functions. In organisational terms, there are four kinds of institutions in OECD countries:

• An Ombudsman or Mediator (for example, in Sweden, Norway, and New Zealand);

• An Information Commissioner (for example, in the United Kingdom, Slovenia, Hungary, Scotland, and Germany);

• A commission or institution (for example, in France, Italy, Portugal, Mexico, and Chile);

• Another body responsible for monitoring this right, such as the Right to Information Assessment Review Council and the Ombudsman in Turkey, both of which ensure the observance of all relevant laws.

The right of access to information has constitutional and conventional foundations in OECD countries. However, there is no provision in international law requiring the creation of an oversight body for access to information.

All OECD countries have a body to review the right of access to information. The constitution of some OECD countries provides for the creation of an oversight body for access to information, but most of these institutions have been created by law or executive order.

Among OECD countries, some oversight bodies for access to information are competent only for legislation regarding the disclosure of information, and other bodies are competent for legislation regarding the protection of personal data during their collection, processing and storage. Some oversight bodies combine these two functions, while other bodies are also responsible for additional functions.

Some access to information oversight bodies take the form of single-person entities, such as ombudsmen or information commissioners, while others are collegial institutions, such as access to information commissions.

To facilitate the application of laws on the right to access information, national legislation authorises oversight bodies to provide their opinions, recommendations, and counsel to the authorities and all individuals involved in the law’s application. Generally, these institutions have the power to produce studies and reports, and to formulate general observations and proposals for action (see Box 1.1)

Institutions often have the right to conduct investigations at their own initiative to formulate their observations.

The processing of requests to access information is of primary importance to the work of an oversight body. It entails the examination and consideration of complex legal issues. This function is granted by the relevant legislation on access to information. The institution is authorised to give its opinion on all aspects of this legislation in relation to the individual or collective situations it may review. It specifically provides its opinion on the grounds for the refusal to communicate any information, and often on the possibility of its reuse, especially in Europe.

The free nature of access to information is becoming the rule, or at the very least, the relative cost does not exceed an acceptable threshold. Penalties for the undue communication of information vary depending on individual laws and practices. Similarly, exceptions to the right to access information remain significant in some countries, and the institutions often provide their opinion on these exceptions. An official decision is generally based on three principles: the protection or privacy and national security, the concept of on-going matters, and the correctness of the application.

The specific purpose of piece of information’s accessibility or inaccessibility is to protect the legitimate interests of certain individuals or, more generally, those of society as a whole. For example, whistle-blowers must benefit from specific, adequate protections.

The modes of recourse against refusals of access to information and the legal grounds that grant people the right to consult an oversight body vary from one OECD member country to another. In case of an explicit or tacit refusal, some legal systems authorise the victim of the refusal to file an appeal before a court, or to appeal to an oversight body. Other legal systems, such as France’s, require that the person apply to the oversight body before bringing any legal proceedings.

When an oversight body receives a request to access information, it issues an administrative, public, or judicial decision. It may in some cases allow for a partial communication of the information.

Single-person bodies are in most cases structured around a representative, information commissioner, or ombudsman. This person manages an office and may receive support from a council. Collegial institutions are composed of several members who hold the same hierarchical level, make collective decisions, and are managed by a chairperson.

Usually, oversight bodies are supported by administrative departments whose personnel and organisation generally reflect the diversity of their missions. These bodies that are responsible solely for access to information are smaller in size and have a relatively simple organisation. When the oversight body has a greater number of functions, the amount of staff increases and the organisational chart becomes more complex.

Depending on the traditions and legislation, the institutions enact procedures with varying degrees of formality to introduce, review, and rule on access to information, both in general and specifically concerning one or more individuals.

Oversight bodies enjoy considerable autonomy in their operations. Their budgets differ widely in function of their missions, size, and the specific situation of each state or inter-state group.

Even though the institutions are independent, they are subject to oversight, as all public bodies should be. They are exempt from the hierarchical control of the head of their department and the actions of the supervisory body within the executive branch, but, depending on the country’s legislation, they may be subject to different forms of external oversight of an administrative or judicial nature.

Whether or not an oversight body reports to the Parliament, it remains under its oversight, either by virtue of the parliamentary oversight of the executive branch or directly, for example, as part of the compilation and review of the annual budget. Some bodies submit their reports directly to the Parliament, which may debate them.

Different types of judicial recourse against the actions of an oversight body are also possible, depending on the legal system of each OECD member country.

There is no specific obligation under international law to create an oversight body such as an Information Commission, an Information Commissioner or an Ombudsman. At the General Assembly in September 2015, the member states of the United Nations adopted Agenda 2030, formulated to guide global and national development policies for the next 15 years. Agenda 2030 includes 17 Sustainable Development Goals (SDGs), each with multiple specific targets. Among these targets is SDG 16.10, which obliges signatory countries to “ensure public access to information and protect fundamental freedoms, in accordance with national legislation and international agreements”.

The Organisation for Security and Cooperation in Europe (OSCE), the Council of Europe and the OECD have also adopted several documents pertaining to oversight bodies for access to information.

In its May 2007 review of the right of access to information, the Organisation for Security and Cooperation in Europe, of which Kazakhstan is a member, included the existence of a dedicated oversight body in its analysis of the core elements of the right, and it recommended all member states to create such a body. The review document explained that “There should be an adequate mechanism for appealing each refusal to disclose. This should include having an independent oversight body such as an Ombudsman or Commission which can investigate and order releases. The body should also promote and educate on freedom of information.” (OSCE, 2007)

The Council of Europe in its 2002 Recommendation on Access to Official Documents states in its Principle IX that “An applicant whose request for an official document has been refused, whether in part or in full, or dismissed, or has not been dealt with within the time limit […] should have access to a review procedure before a court of law or another independent and impartial body established by law.”

Recommendation of the Council of the OECD on Open Government declares that adherents should “Ensure the existence and implementation of the necessary open government legal and regulatory framework, including through the provision of supporting documents such as guidelines and manuals, while establishing adequate oversight mechanisms to ensure compliance” (OECD, 2017b).

In summary:

• Kazakhstan has no legal international obligation to create an oversight body for access to information;

• There is no mandatory principle or specific recommendation by the OECD to compel Kazakhstan to establish an oversight body for access to information.

Kazakhstan’s constitution does not provide for the obligation to create a body to monitor the right of access to information. It was the Law of the Republic of Kazakhstan of 16 November 2015 “On Access to Information” that established such a body. The Law in its Article 19 provides general provisions allowing the creation of the CATI: “in order to account for and defend public interests in the field of access to information, and also in order to satisfy the demands of information users, a consultative-advisory body or commission on issues of access to information is formed within the structure of a designated body, determined by the Government of the Republic of Kazakhstan”.

The right of access to information covers a range of aspects, and different institutions can be mandated to ensure protection of this right.

Article 18 of the Law provides: “Decisions and actions (inactions) of information holders, including a governmental body, a local self-government, an organisation, an official, a public servant, violating the rights of information users may be appealed against in a superior body, to a superior official, and/or in court.”

Kazakhstan passed the law on Personal Data Protection, dated May 21, 2013 No. 94-V. The liability for violation of that law is both administrative and criminal. When the infringements occur in Kazakhstan, the prosecutor’s office is responsible for supervising the implementation of that law and initiating administrative proceedings for its violation.

For violations of personal data protection that happen abroad, any person may address his/her claims to the Ministry of Internal Affairs of Kazakhstan or its territorial departments. Such measures include banning access to Kazakhstan for foreign websites which contain illegally obtained personal data (Colibri Kazakhstan LLP, 2016).

In summary:

• The law on Personal Data Protection does not create a special body to carry out oversight for its execution, investigate possible violations of the law and impose sanctions. These tasks are entrusted to the judiciary and the government.

• The executive power of the Republic of Kazakhstan has wide competencies for the nature, objectives, competencies, powers and organisation of the CATI.

Colibri Kazakhstan LLP. Kazakhstan: Personal data protection. Article published on August 4, 2016. Website accessed on September 12, 2018 http://www.mondaq.com/x/516624/Data+Protection+Privacy/Security+As+A+Measure+Of+Comfort+For+Creditors,

OECD (2019), Institutions guaranteeing access to information in OECD member countries and in the MENA Region countries, OECD Public Governance Reviews, OECD Publishing, Paris, forthcoming.

OSCE (2007), Access to information by the media in the OSCE region: trends and recommendations.