PURPOSE: to establish rules on the confidentiality of information of Europol.
PROPOSED ACT: Council Decision.
BACKGROUND: in accordance with Council Decision 2009/371/JHA establishing Europol as a Community agency, it is for the Council, acting by qualified majority after consulting the European Parliament to adopt implementing rules on the confidentiality of information which is obtained by, or exchanged with, Europol.
The purpose of this proposal is to establish those rules.
CONTENT: the rules set out in this text establish the security measures to be applied to all information which is processed by or through Europol. They aim in particular at setting out the security responsibilities in relation to data and providing technical measures applicable to the classification of data. The Annex shows an overview of the Europol classification levels and the equivalent markings currently applied by the Member States to information subject to those classification levels.
The different rules may be summarised as follows:
(1) Security responsibilities: the proposal defines the responsibilities of all parties involved in the process of data protection:
The security measures laid down in this proposal shall be observed by all persons at Europol, as well as by any other person involved in Europol-related activities who is under a particular obligation of discretion or confidentiality.
Security Manual: the Security Manual shall provide management direction and support for security in accordance with business requirements and contains detailed rules on the security measures to be applied in order to provide for the basic protection level for the processing and classification of data.
Security Officers: Security Officers shall support the Director in the implementation of the security measures laid down in these rules and in the Security Manual. They shall be directly answerable to the Security Coordinator and their overall task shall be to ensure the application of the rules laid down in the proposal. They shall also investigate breaches of security provisions.
(2) General principles applicable to the confidentiality of data: these provisions establish, in particular, the basic protection level and classification levels to apply to data depending on their degree of importance. Member States shall ensure the application of the basic protection level by a variety of measures, including the obligation of discretion and confidentiality, limiting access to information to authorised personnel, data protection requirements as far as personal data are concerned and general technical and procedural measures to safeguard the security of the information.
As a principle, all information processed by or through Europol (with the exception of information which is expressly marked as being public information) shall be subject to a basic protection level within Europol and in Member States. Information requiring additional security measures shall be subject to a Europol classification level, which shall be indicated by a specific marking. Information shall be subject to a security level only where strictly necessary and only for the time necessary.
Four levels of classification have been established:
Each Europol classification level shall relate to a specific security package, to be applied within Europol, offering different levels of protection, depending on the content of the information, and taking account of the detrimental effect, which unauthorised access, dissemination or use of the information, might have.
Choice of classification level: the Member State supplying information to Europol shall be responsible for the choice of any appropriate classification level for such information, taking account of the classification of the information under their national regulations, the need for the operational flexibility required for Europol to function adequately. Europol may change the classification level (for instance removing or adding a classification level to a document), only with the prior agreement of the Member State concerned. In order to design uniform classification levels, the proposal presents in its Annex a table of equivalence between national classifications and corresponding Europol classifications. However, the table is only illustrative.
Note that when information does not come from a Member States and has no classification, Europol shall be responsible for determining the classification level.
Moreover, the proposal contains a procedure for changing the classification level (based on a decision of the Member State or Europol).
Processing, access and security clearance: lastly, there are provisions in order to regulate access to information within Europol. Thus, access to, and possession of, information shall be restricted within the Europol organisation to those persons who, by reason of their duties or obligations, need to be acquainted with such information or to handle it. Persons entrusted with the processing of information shall have obtained security clearance and shall further receive special training. Security clearance may only be granted by the Security Coordinator. Authorisation may be withdrawn immediately by the Security Coordinator on justifiable grounds.
In principle, no person shall have access to information subject to a classification level without having been granted security clearance at the appropriate level. However, there are derogations, left to the discretion of the Security Coordinator and only in exceptional circumstances. The derogations give a specific and limited authorisation to persons cleared at Europol Restricted level or Europol Confidential level to have access to specific information classified up to Europol Secret for a limited period, for example.
Third parties: in accordance with the Europol Decision, Europol may conclude cooperation agreements with entities or third parties. In that event, Europol shall include in the agreements specific provisions on the confidentiality of data exchanges, in accordance with the rules laid down in this proposal and in the security manual.