On 1 July 2023, a new provision granting exemption from secrecy obligations entered into force in the Swedish Public Access to Information and Secrecy Act (2009:400). The provision was introduced under the new article Chapter 10 section 2 a, and reads as follows:
Secrecy does not prevent disclosure of information to an individual or to another authority entrusted on behalf of the disclosing authority with the task of merely technically processing or technically storing the information, unless, with regards to the circumstances, a disclosure is inappropriate.
Furthermore, a new provision in Chapter 44 Section 5 of the Public Access to Information and Secrecy Act was added, restricting the freedom to communicate information. However, this new provision will not be further analyzed here.
Since the secrecy breaking provision in Chapter 10 Section 2 a of the Public Access to Information and Secrecy Act is new, information on its interpretation is mainly collected from the government bill. In the government bill, it is stated that the new amendments aim to create better conditions for authorities to outsource or coordinate their IT operations and to strengthen the protection of the information provided to an individual when outsourcing IT operations. IT operations that can be subject to outsourcing are diary and case management systems or office support systems, which include e-mail, calendar and document management support. Coordinated IT operations are when one authority entrusts another authority to provide basic IT operational services to the commissioning authority, while outsourcing of IT operations refers to the situation where an authority entrusts a corresponding assignment to a private service provider. Hereafter, we will only discuss outsourcing as we consider it most relevant to private actors. As stated in the government bill, a service provider can, within the framework of outsourcing for example, provide a technical infrastructure or platform for IT operations or IT-based functions in the form of applications and services.
In the government bill, it is stated that authorities are prevented from disclosing information if it involves an unauthorized disclosure under the Public Access to Information and Secrecy Act. Information that is covered by secrecy and is made available to a service provider is considered to be disclosed. Such disclosure is only permitted unless secrecy prevents it. The bill mentions that an authority may be prevented from outsourcing IT operations because secrecy classified information cannot be separated from a larger amount of information or because the flow of information in the service is unpredictable. However, the new provision will perhaps minimize these kinds of obstacles to disclosure by granting exemption from secrecy obligations.