Processing information requests
Contents on this page
Who can send information requests?
How can enterprises receive information requests?
Which deadlines apply?
Which types of questions must be answered?
What is an “adequate” answer?
Are enterprises obligated to carry out additional investigations in order to provide an adequate answer?
Can enterprises refer to other enterprises?
Which language should an information request be answered in?
When can enterprises deny an information request?
«The Transparency Act shall promote enterprises’ respect for fundamental human rights and decent working conditions in connection with the production of goods and the provision of services and ensure the general public access to information regarding how enterprises address adverse impacts on fundamental human rights and decent working conditions.» Source: The Transparency Act section 1 (Lovdata)
The Transparency Act (the “Act”) gives anyone the right to request information from enterprises regarding how they address adverse impacts on fundamental human rights and decent working conditions. We call such enquiries information requests. The following guidance targets primarily enterprises who are subject to the Act (“enterprises”), who have a duty to answer information requests.
Who can send information requests?
Any person has the right to ask for information from an enterprise upon written request. «Any person» means anyone, e.g. other businesses, public bodies, civil society organizations, journalists, or members of the general public.
It is not a requirement that individuals requesting information are Norwegian or have an affiliation to Norway, nor is it necessary for an individual to give a reason for their inquiry. An enterprise cannot decline a request for information on the basis of who has made the request or their motives for the request. Enterprises are also obligated to answer anonymous information requests.
How can enterprises receive information requests?
Enterprises must accept all written requests for information, regardless of which channels are used. Many enterprises choose to make a specific email address accessible or a form regarding the Act on their website. Enterprises also have a duty to accept letters sent to their address or that are delivered physically at a place of sale or an office.
Apart from the requirement that information requests shall be in writing, the law does not regulate how an information request must be designed or presented. It is sufficient that an inquiry or question is submitted to the enterprise, and that this is submitted in writing. There is a low threshold for what is considered an information request pursuant to the Act.
Which deadlines apply?
Enterprises shall answer information requests within a reasonable time and no later than three weeks from receiving the request. See the Act section 7 (Lovdata).
In cases where the amount or type of information requested makes it disproportionately burdensome to answer within three weeks, enterprises can extend the deadline within which they provide information to two months after the request is received. In such cases enterprises must inform the person seeking information that they will be unable to answer their request within the three-week deadline, the reason(s) for the extension and when that person can expect an answer. An extended deadline may apply for example when a request requires compiling a large amount of information or where answering a request demands time and work which goes far beyond that which would be normal for an information request.
Enterprises should engage in dialogue with those requesting information where it is considered necessary to gain further clarification of the question being asked.
Those requesting information may ask follow-up questions. Each case must be assessed individually as to whether the additional question is considered a new information request, and whether it therefore requires a new deadline or not.
Which types of questions must be answered?
The public has the right to information, including both general information about how an enterprise addresses adverse impacts on fundamental human rights and decent working conditions and specific information connected to particular goods and services.
- General information will often apply to the various steps in a due diligence assessment. For example, this could include information about how an enterprise is organised and structured, what kinds of guidelines and routines an enterprise has established to prevent adverse impacts on human rights and working conditions, which adverse impacts an enterprise has identified and measures they are taking to address these, and what effect such measures have had.
- Information regarding human rights and decent working conditions connected to a specific product or service could be, for example, information about the working conditions related to the production of a particular product. Information may also relate to how an enterprise ensures decent working conditions at the product’s place of production, where the raw materials originate from or how a local population is affected by the production or service provision.
Information shall be provided in writing and shall be adequate and comprehensible.
An enterprises’ due diligence assessments will be the starting point for responses to information requests. Answers to information requests must therefore be seen in the context of two principals that guide due diligence assessments: the risk-based approach principle and the principle of proportionality.
Risk-based approach
The principle of a risk-based approach means that enterprises’ due diligence assessments should correspond to the severity and probability of the adverse impact. When probability and severity are high, will there be a need for more extensive due diligence assessments.
This will impact which areas an enterprise will have adequate information about.
Proportionality
The principle of proportionality means that what is expected of enterprises is dependent on, among other things, their size, nature, and business context.
This means that larger enterprises can be expected to use more resources than smaller enterprises in order to carry out due diligence assessments and to respond to information requests. The workload of a given enterprise must also be weighed against the consideration of the public’s right to information and, for example, the need to be able to follow-up and verify the claims of an enterprise.
What is an “adequate” answer?
The Act requires that an answer to an information request adequately answers the question asked, based on how the business addresses adverse impacts on fundamental human rights and decent working conditions.
The level of detail a business must provide depends on the specific request for information and an assessment of what is required to provide an adequate answer. It is important that enterprises give as precise information as possible, so that the public are able to make an informed decision and verify an enterprise’s due diligence assessments.
In some cases, it will be possible to direct the person requesting information to publicly available information, including the enterprises own account of due diligence, where this gives an adequate and comprehensible answer to the question asked. In order for a response to an information request to be adequate, it may be necessary to give additional information to what is expected under section 5 of the Act: duty to account for due diligence (Lovdata).
Do enterprises have to state their place of production?
Enterprises are not obligated to state their place of production when they respond to information requests. Place of production includes the name or address of the factory or facility where the majority of the goods, i.e. the final product, is assembled.
In addition, enterprises are not obligated to provide other information that similarly identifies the place of production. An example of this could be giving the name of a town where there is only one factory relevant for the industry in question. In order to answer an information request adequately about how adverse impacts associated with production, or a production site, are addressed, it may nevertheless be necessary to include certain factual information related to the place of production. This could be, for example, where in the world the production takes place.
The precise geographical information that the person making an information request has a right to must be individually assessed in each case. Relevant considerations when making such an assessment are what is required for the answer to be adequate, whether the information can be verified, as well as the principals of risk-based approach and proportionality.
It should be possible to provide adequate and correct information about human rights and decent working conditions related to production without specifying the place of production.
Do enterprises have to provide information about their suppliers?
Enterprises do not have a general obligation to give the names of suppliers or provide a supplier list when requested. They have a duty to answer the specific information request based on how the enterprise addresses adverse impacts. Specific names and lists are not always necessary in order to answer this.
In some cases, however, it may be necessary to give names of specific suppliers in order to be able to adequately answer an information request, unless this would fall within an exception for place of production, competitively sensitive enterprise data or other grounds for denial.
This must be assessed in each individual case based on, among other things:
- whether the information request is sufficiently specificed
- whether the information request applies to specific adverse impacts
- the consideration of verifiability
- the principles of proportionality and risk-based approach
Are enterprises obligated to carry out additional investigations in order to provide an adequate answer?
The enterprise will usually be able to provide the person requesting information with general information about their work with due diligence assessments without carrying out additional investigations. In relation to more specific information requests, for example about a particular product or service, the enterprise may not have enough knowledge to be able to answer adequately. The enterprise must then consider if and to what extent they must carry out additional investigations in order to adequately answer the information request.
Whether an enterprise is required to conduct further investigations in addition to those already carried out through due diligence assessments, will vary depending on whether the enterprise has already mapped the relevant adverse impact which the information request relates to and, if so, how the impact has been categorized in the due diligence assessments, for example as high, medium or low risk.
Impacts that the enterprise has mapped
As a starting point, enterprises should have sufficient information to be able to adequately answer how they are addressing adverse impacts that have been mapped and categorized as higher risk through their due diligence assessments. The more serious and probable an adverse impact, the more information an enterprise is likely to have about it. The enterprise may still have to carry out additional investigations if it is necessary in order to adequately answer the question about how it has addressed the particular impact.
For adverse impacts that an enterprise has mapped and categorised as lower risks, the enterprise may, as part of its response, explain and justify how the impact has been assessed and deprioritised through the enterprise’s due diligence assessment.
Impacts that the enterprise has not mapped
As a general rule enterprises must conduct additional investigations if they receive an information request about an impact that has not been mapped. This includes both actual and potential adverse impacts.
There are certain exceptions to this principle, for example if the request is obviously unreasonable because it will require a disproportionate use of resources in order to provide an answer. In cases where it would be resource-intensive to provide the answer to the request, note that this must be seen in light of the right to extend the response deadline to a maximum of two months.
If an information request makes an enterprise aware of a previously unknown adverse impact, this may trigger the need for new mapping and prioritisation in accordance with section 4 of the Act (Lovdata). Enterprises must carry out due diligence assessments continuously. See section “Which deadlines apply?” above for more information in cases when there may be grounds for postponing the response deadline, and when the enterprise can deny an information request.
Can enterprises refer to other enterprises?
It is the enterprise which receives the information request that has a duty to reply with an adequate answer, based on how they address adverse impacts on human rights and decent working conditions. In general, such information requests are best answered by the enterprise itself.
In certain cases, however, it is possible for an enterprise to refer the person requesting information to another enterprise who may be better equipped to answer a request. This could include for example a distributor, wholesaler or supplier. In cases where enterprises consider referring the request to another, it will be relevant to consider, among other things:
- what the information request relates to. For example, does the question relate to another enterprise’s due diligence assessments or something that another enterprise has more information about?
- the size and resources of the enterprise which received the information request
- whether the other enterprise is covered by the Act
Although an enterprise may choose to refer a person requesting information to another enterprise, responsibility remains with the enterprise which has received the original information request to make sure that the answer is adequate.
In cases where the person requesting information has not received an adequate response from the enterprise to which they have been referred, the enterprise that received the information request may have to carry out its own investigations. If an enterprise wishes to refer a person requesting information to an enterprise that is not subject to the Act and therefore does not have a duty to respond to information requests, the enterprise referring to another should take responsibility for the dialogue with the other enterprise to ensure that the person requesting information receives an adequate response.
It is also possible for subsidiaries to refer to the parent company in order to answer certain questions. In addition, in certain circumstances an enterprise can refer to publicly available information when this information is adequate and comprehensible enough as a response to the information request.
Which language should an information request be answered in?
As a general rule enterprises should answer information requests in Norwegian. However, it is possible to answer information requests in the language they are written in if the enterprise has the opportunity to do so.
If the information request is written in a language other than Norwegian, for example English, a response in English will be more comprehensible for the person requesting information.
Nevertheless, the Act does not require that enterprises answer information requests in languages other than Norwegian. Enterprises, therefore, have the right to answer in Norwegian even if the information request is written in another language.
When can enterprises deny an information request?
In principle, enterprises must respond to all questions they receive, based on how they address adverse impacts on fundamental human rights and decent working conditions.
If the enterprise denies a request for information, it shall inform the person requesting information of the legal basis for the denial, the right and time limit for demanding a more detailed justification for the denial and that the Norwegian Consumer Authority is the supervisory and guidance body. If the individual requesting information asks for further justification within three weeks of receiving the denial, the enterprise must give their written reasoning as quickly as possible and at the latest within three weeks from receiving the request for further justification.
Protection again self-incrimination does not prevent enterprises from releasing information about violations of fundamental human rights when responding to requests for information. The protection against self-incrimination is about the enterprises’ right not to be forced to contribute to its own conviction. The duty to respond to requests for information is not linked to an ongoing investigation or supervisory case but to a response to a request for information, which thereby ensures the public’s access to information.
In general, enterprises are not obliged to release information which is classified according to the Security Act or protected by the Copyright Act. Enterprises can only deny information requests in the following cases:
1. An information request does not provide a sufficient basis for identifying what the request concerns
Enterprises can deny an information request which is incomprehensible.
The information request must be formulated so that it is possible to understand what information is being requested. This exception should be narrowly construed. Enterprises cannot, for example, deny an information request because a private person has not formulated their request as clearly as a journalist or other professional person would do.
If the request is formulated in a way that is unclear, enterprises should enter into a dialogue with the person requesting information before any denial of the request is made.
2. An information request is clearly unreasonable
Enterprises can deny information requests that are clearly unreasonable. Again, this exception should be narrowly construed. The exception applies predominantly to malicious requests or requests that affect the enterprise in an unreasonable way.
In order to assess if a request is unreasonable enterprises must weigh the public’s interest in transparency against the workload for the enterprise, where responding to the information request would entail excessive financial and administrative burdens.
In most cases enterprises will be able to respond to all or at least parts of an information request without it being considered unreasonable.
It should be emphasized that enterprises are able to extent the response deadline to a maximum of two months in cases where the amount or type of information needed to respond is disproportionately burdensome to answer within three weeks. The person requesting information must be informed of the extension, the reason for the extension and when they can expect a response.
3. Data relating to an individual’s personal affairs
This provision shall be interpreted in the same way as the corresponding provision in section 13 of the Public Administration Act (Lovdata).
Personal affairs include information about a person that is usually kept private. For example, personal characteristics, political affiliation, sexual preference, genetic or other sensitive biometric information, personal health data and lifestyle. The duty of confidentiality does not include information such as national identity number, citizenship, place of residence, profession, employer, or workplace.
If an information request asks for information which includes data relating to an individual’s personal affairs, the enterprise must adapt their response so that the confidentiality of the individual remains protected and such data is not given. If it is not possible to adapt the information in this way, the request can be denied.
4. Competitively sensitive enterprise data
This provision shall be interpreted in the same way as the corresponding provision in section 13 of the Public Administration Act (Lovdata).
A request for information may be denied if the requested information concerns data regarding technical devices and procedures or other operational and business matters which for competitive reasons it is important to keep secret in the interests of the person whom the information concerns. This includes information that directly relates to the exercise of business activities, for example information on production methods, products, contract terms, marketing strategies, analyses, forecasts, or strategies related to the enterprise.
It must be of competitive importance to keep the information confidential. This means that revealing the information could lead to financial loss or reduced profit for the enterprise, either directly or by competitors being able to exploit the information.
In the same way as for data relating to an individual’s personal affairs, enterprises must adapt their responses so that they answer the information request whilst avoiding giving such information regarding business activities. Enterprises can deny information requests in cases where this is not possible.
What must enterprises do if they are aware of actual adverse impacts on human rights?
Where enterprises are aware of actual adverse impacts on fundamental human rights, the right to information applies irrespective of the exceptions listed above. See the Act section 6 paragraph 3 (Lovdata).
As a rule, it will be possible to convey information in a satisfactory way without divulging competitively sensitive enterprise data or other confidential information. When it comes to disregarding confidentiality, the provision must be interpreted and understood restrictively. This opening in the provision is intended to be reserved for special cases.
As part of an information request, the person requesting information can refer to actual adverse impacts on fundamental human rights which either they or a third party have uncovered, and ask questions about these. The enterprise is considered to be aware of the adverse impact when made aware of the situation through an information request.
If the enterprise has not already mapped the situation in question in their due diligence assessments, they may need to carry out investigations in order to answer the information request. See more under “Are enterprises obligated to carry out additional investigations in order to provide an adequate answer?”
An “actual adverse impact” means a situation that has materialised. A “potential adverse impact” refers to a situation which has not materialised, but which poses a risk. The consideration of transparency about actual adverse impacts on fundamental human rights outweighs an enterprises’ general interest in keeping such information secret.