Processing information requests

Contents on this page

Who can send information requests?
How can enterprises receive information requests?
Which deadlines apply?
Which types of questions must be answered?
What is an “adequate” answer?
Are enterprises obligated to carry out additional investigations in order to provide an adequate answer?
Can enterprises refer to other enterprises?
Which language should an information request be answered in?
When can enterprises deny an information request?

The Transparency Act (the “Act”) gives anyone the right to request information from enterprises regarding how they address adverse impacts on fundamental human rights and decent working conditions. We call such enquiries information requests. The following guidance targets primarily enterprises who are subject to the Act (“enterprises”), who have a duty to answer information requests.

Who can send information requests?

Any person has the right to ask for information from an enterprise upon written request. «Any person» means anyone, e.g. other businesses, public bodies, civil society organizations, journalists, or members of the general public.  

It is not a requirement that individuals requesting information are Norwegian or have an affiliation to Norway, nor is it necessary for an individual to give a reason for their inquiry. An enterprise cannot decline a request for information on the basis of who has made the request or their motives for the request. Enterprises are also obligated to answer anonymous information requests.

How can enterprises receive information requests?

Enterprises must accept all written requests for information, regardless of which channels are used. Many enterprises choose to make a specific email address accessible or a form regarding the Act on their website. Enterprises also have a duty to accept letters sent to their address or that are delivered physically at a place of sale or an office.    

Apart from the requirement that information requests shall be in writing, the law does not regulate how an information request must be designed or presented. It is sufficient that an inquiry or question is submitted to the enterprise, and that this is submitted in writing. There is a low threshold for what is considered an information request pursuant to the Act.

Which deadlines apply?

Enterprises shall answer information requests within a reasonable time and no later than three weeks from receiving the request. See the Act section 7 (Lovdata).   

In cases where the amount or type of information requested makes it disproportionately burdensome to answer within three weeks, enterprises can extend the deadline within which they provide information to two months after the request is received. In such cases enterprises must inform the person seeking information that they will be unable to answer their request within the three-week deadline, the reason(s) for the extension and when that person can expect an answer. An extended deadline may apply for example when a request requires compiling a large amount of information or where answering a request demands time and work which goes far beyond that which would be normal for an information request.    

Enterprises should engage in dialogue with those requesting information where it is considered necessary to gain further clarification of the question being asked.  

Those requesting information may ask follow-up questions. Each case must be assessed individually as to whether the additional question is considered a new information request, and whether it therefore requires a new deadline or not.

Which types of questions must be answered?

The public has the right to information, including both general information about how an enterprise addresses adverse impacts on fundamental human rights and decent working conditions and specific information connected to particular goods and services.   

• General information will often apply to the various steps in a due diligence assessment. For example, this could include information about how an enterprise is organised and structured, what kinds of guidelines and routines an enterprise has established to prevent adverse impacts on human rights and working conditions, which adverse impacts an enterprise has identified and measures they are taking to address these, and what effect such measures have had. 
• Information regarding human rights and decent working conditions connected to a specific product or service could be, for example, information about the working conditions related to the production of a particular product. Information may also relate to how an enterprise ensures decent working conditions at the product’s place of production, where the raw materials originate from or how a local population is affected by the production or service provision.   

Information shall be provided in writing and shall be adequate and comprehensible.   

An enterprises’ due diligence assessments will be the starting point for responses to information requests. Answers to information requests must therefore be seen in the context of two principals that guide due diligence assessments: the risk-based approach principle and the principle of proportionality.

What is an “adequate” answer?

The Act requires that an answer to an information request adequately answers the question asked, based on how the business addresses adverse impacts on fundamental human rights and decent working conditions.  

The level of detail a business must provide depends on the specific request for information and an assessment of what is required to provide an adequate answer. It is important that enterprises give as precise information as possible, so that the public are able to make an informed decision and verify an enterprise’s due diligence assessments.   

In some cases, it will be possible to direct the person requesting information to publicly available information, including the enterprises own account of due diligence, where this gives an adequate and comprehensible answer to the question asked. In order for a response to an information request to be adequate, it may be necessary to give additional information to what is expected under section 5 of the Act: duty to account for due diligence (Lovdata).

Do enterprises have to state their place of production? 

Enterprises are not obligated to state their place of production when they respond to information requests. Place of production includes the name or address of the factory or facility where the majority of the goods, i.e. the final product, is assembled.   

In addition, enterprises are not obligated to provide other information that similarly identifies the place of production. An example of this could be giving the name of a town where there is only one factory relevant for the industry in question. In order to answer an information request adequately about how adverse impacts associated with production, or a production site, are addressed, it may nevertheless be necessary to include certain factual information related to the place of production. This could be, for example, where in the world the production takes place.  

The precise geographical information that the person making an information request has a right to must be individually assessed in each case. Relevant considerations when making such an assessment are what is required for the answer to be adequate, whether the information can be verified, as well as the principals of risk-based approach and proportionality.     

It should be possible to provide adequate and correct information about human rights and decent working conditions related to production without specifying the place of production.

Do enterprises have to provide information about their suppliers?

Enterprises do not have a general obligation to give the names of suppliers or provide a supplier list when requested. They have a duty to answer the specific information request based on how the enterprise addresses adverse impacts. Specific names and lists are not always necessary in order to answer this.   

In some cases, however, it may be necessary to give names of specific suppliers in order to be able to adequately answer an information request, unless this would fall within an exception for place of production, competitively sensitive enterprise data or other grounds for denial.  

This must be assessed in each individual case based on, among other things:  

• whether the information request is sufficiently specificed   
• whether the information request applies to specific adverse impacts  
• the consideration of verifiability   
• the principles of proportionality and risk-based approach 

Are enterprises obligated to carry out additional investigations in order to provide an adequate answer? 

The enterprise will usually be able to provide the person requesting information with general information about their work with due diligence assessments without carrying out additional investigations. In relation to more specific information requests, for example about a particular product or service, the enterprise may not have enough knowledge to be able to answer adequately. The enterprise must then consider if and to what extent they must carry out additional investigations in order to adequately answer the information request.   

Whether an enterprise is required to conduct further investigations in addition to those already carried out through due diligence assessments, will vary depending on whether the enterprise has already mapped the relevant adverse impact which the information request relates to and, if so, how the impact has been categorized in the due diligence assessments, for example as high, medium or low risk.

Can enterprises refer to other enterprises?

It is the enterprise which receives the information request that has a duty to reply with an adequate answer, based on how they address adverse impacts on human rights and decent working conditions. In general, such information requests are best answered by the enterprise itself.   

In certain cases, however, it is possible for an enterprise to refer the person requesting information to another enterprise who may be better equipped to answer a request. This could include for example a distributor, wholesaler or supplier. In cases where enterprises consider referring the request to another, it will be relevant to consider, among other things:   

• what the information request relates to. For example, does the question relate to another enterprise’s due diligence assessments or something that another enterprise has more information about? 
• the size and resources of the enterprise which received the information request 
• whether the other enterprise is covered by the Act 

Although an enterprise may choose to refer a person requesting information to another enterprise, responsibility remains with the enterprise which has received the original information request to make sure that the answer is adequate.   

In cases where the person requesting information has not received an adequate response from the enterprise to which they have been referred, the enterprise that received the information request may have to carry out its own investigations. If an enterprise wishes to refer a person requesting information to an enterprise that is not subject to the Act and therefore does not have a duty to respond to information requests, the enterprise referring to another should take responsibility for the dialogue with the other enterprise to ensure that the person requesting information receives an adequate response.   

It is also possible for subsidiaries to refer to the parent company in order to answer certain questions. In addition, in certain circumstances an enterprise can refer to publicly available information when this information is adequate and comprehensible enough as a response to the information request.

Which language should an information request be answered in?

As a general rule enterprises should answer information requests in Norwegian. However, it is possible to answer information requests in the language they are written in if the enterprise has the opportunity to do so.  

If the information request is written in a language other than Norwegian, for example English, a response in English will be more comprehensible for the person requesting information.   

Nevertheless, the Act does not require that enterprises answer information requests in languages other than Norwegian. Enterprises, therefore, have the right to answer in Norwegian even if the information request is written in another language.

When can enterprises deny an information request?

In principle, enterprises must respond to all questions they receive, based on how they address adverse impacts on fundamental human rights and decent working conditions.  

If the enterprise denies a request for information, it shall inform the person requesting information of the legal basis for the denial, the right and time limit for demanding a more detailed justification for the denial and that the Norwegian Consumer Authority is the supervisory and guidance body. If the individual requesting information asks for further justification within three weeks of receiving the denial, the enterprise must give their written reasoning as quickly as possible and at the latest within three weeks from receiving the request for further justification.   

Protection again self-incrimination does not prevent enterprises from releasing information about violations of fundamental human rights when responding to requests for information. The protection against self-incrimination is about the enterprises’ right not to be forced to contribute to its own conviction. The duty to respond to requests for information is not linked to an ongoing investigation or supervisory case but to a response to a request for information, which thereby ensures the public’s access to information.  

In general, enterprises are not obliged to release information which is classified according to the Security Act or protected by the Copyright Act. Enterprises can only deny information requests in the following cases:

1. An information request does not provide a sufficient basis for identifying what the request concerns

Enterprises can deny an information request which is incomprehensible.

The information request must be formulated so that it is possible to understand what information is being requested. This exception should be narrowly construed. Enterprises cannot, for example, deny an information request because a private person has not formulated their request as clearly as a journalist or other professional person would do.

If the request is formulated in a way that is unclear, enterprises should enter into a dialogue with the person requesting information before any denial of the request is made.

2. An information request is clearly unreasonable

Enterprises can deny information requests that are clearly unreasonable. Again, this exception should be narrowly construed. The exception applies predominantly to malicious requests or requests that affect the enterprise in an unreasonable way.

In order to assess if a request is unreasonable enterprises must weigh the public’s interest in transparency against the workload for the enterprise, where responding to the information request would entail excessive financial and administrative burdens.

In most cases enterprises will be able to respond to all or at least parts of an information request without it being considered unreasonable.

It should be emphasized that enterprises are able to extent the response deadline to a maximum of two months in cases where the amount or type of information needed to respond is disproportionately burdensome to answer within three weeks. The person requesting information must be informed of the extension, the reason for the extension and when they can expect a response.

3. Data relating to an individual’s personal affairs

This provision shall be interpreted in the same way as the corresponding provision in section 13 of the Public Administration Act (Lovdata).  

Personal affairs include information about a person that is usually kept private. For example, personal characteristics, political affiliation, sexual preference, genetic or other sensitive biometric information, personal health data and lifestyle. The duty of confidentiality does not include information such as national identity number, citizenship, place of residence, profession, employer, or workplace.   

If an information request asks for information which includes data relating to an individual’s personal affairs, the enterprise must adapt their response so that the confidentiality of the individual remains protected and such data is not given. If it is not possible to adapt the information in this way, the request can be denied.

4. Competitively sensitive enterprise data

This provision shall be interpreted in the same way as the corresponding provision in section 13 of the Public Administration Act (Lovdata).  

A request for information may be denied if the requested information concerns data regarding technical devices and procedures or other operational and business matters which for competitive reasons it is important to keep secret in the interests of the person whom the information concerns. This includes information that directly relates to the exercise of business activities, for example information on production methods, products, contract terms, marketing strategies, analyses, forecasts, or strategies related to the enterprise.   

It must be of competitive importance to keep the information confidential. This means that revealing the information could lead to financial loss or reduced profit for the enterprise, either directly or by competitors being able to exploit the information.   

In the same way as for data relating to an individual’s personal affairs, enterprises must adapt their responses so that they answer the information request whilst avoiding giving such information regarding business activities. Enterprises can deny information requests in cases where this is not possible.