PURPOSE: to establish rules on the confidentiality of information of Europol.
LEGISLATIVE ACT: Council Decision 2009/968/JHA adopting the rules on the confidentiality of Europol information.
BACKGROUND: in accordance with the Europol Decision 2009/371/JHA, it is for the Council, acting by qualified majority after consulting the European Parliament, to adopt implementing rules on the confidentiality of information which is obtained by, or exchanged with, Europol.
This is the purpose of this decision.
CONTENT: the rules set out in this decision establish the security measures to be applied to all information which is processed by or through Europol. They aim in particular at setting out the security responsibilities in relation to data and providing technical measures applicable to the classification of data. The Annex shows an overview of the Europol classification levels and the equivalent markings currently applied by the Member States to information subject to those classification levels.
The different rules may be summarised as follows:
(1) Security responsibilities: the decision defines the responsibilities of all parties involved in the process of data protection:
· Member States' responsibilities: Member States shall ensure that, within their territory, Europol information receive a level of protection which is equivalent to the level of protection offered by the security measures established by these rules;
· Security Coordinator: the Security Coordinator is part of the internal structure of Europol (Deputy Director) and shall have general responsibility for all issues relating to security, including the security measures laid down in these rules and in the Security Manual;
· Security Committee: this shall consist of representatives of the Member States and of Europol and shall have as its task to advise the Management Board and Director of Europol on issues relating to security policy;
· Europol Director: the Director shall, along with the liaison bureaus and Europol national units, ensure observance of the rules and of the Security Manual. The security measures laid down in this decision shall be observed by all persons at Europol, as well as by any other person involved in Europol-related activities who is under a particular obligation of discretion or confidentiality.
Security Manual: the Security Manual shall provide management direction and support for security in accordance with business requirements and contains detailed rules on the security measures to be applied in order to provide for the basic protection level for the processing and classification of data.
Security Officers: Security Officers shall support the Director in the implementation of the security measures laid down in these rules and in the Security Manual. They shall be directly answerable to the Security Coordinator and their overall task shall be to ensure the application of the rules laid down in the decision. They shall also investigate breaches of security provisions.
(2) General principles applicable to the confidentiality of data: these provisions establish, in particular, the basic protection level and classification levels to apply to data depending on their degree of importance. Member States shall ensure the application of the basic protection level by a variety of measures, including the obligation of discretion and confidentiality, limiting access to information to authorised personnel, data protection requirements as far as personal data are concerned and general technical and procedural measures to safeguard the security of the information.
As a principle, all information processed by or through Europol (with the exception of information which is expressly marked as being public information) shall be subject to a basic protection level within Europol and in Member States. Information requiring additional security measures shall be subject to a Europol classification level, which shall be indicated by a specific marking. Information shall be subject to a security level only where strictly necessary and only for the time necessary.
Four levels of classification have been established:
Such classified information and material shall bear an additional marking ("EUROPOL") under the classification marking to indicate that it originates in Europol.
Each Europol classification level shall relate to a specific security package, to be applied within Europol. The security packages shall offer different levels of protection, depending on the content of the information, and taking account of the detrimental effect which unauthorised access, dissemination or use of the information might have on the interests of Europol or the Member States.
The security packages shall consist of various measures of a physical, technical, organisational or administrative nature, as laid down in the Security Manual.
Choice of classification level: the Member State supplying information to Europol shall be responsible for the choice of any appropriate classification level for such information, taking account of the classification of the information under their national regulations, the need for the operational flexibility required for Europol to function adequately. Europol may change the classification level (for instance removing or adding a classification level to a document), only with the prior agreement of the Member State concerned. In order to design uniform classification levels, the decision presents in its Annex a table of equivalence between national classifications and corresponding Europol classifications. However, the table is only illustrative.
Note that when information does not come from a Member States and has no classification, Europol shall be responsible for determining the classification level.
Moreover, the decision contains a procedure for changing the classification level (based on a decision of the Member State or Europol).
Processing, access and security clearance: lastly, there are provisions in order to regulate access to information within Europol. Thus, access to, and possession of, information shall be restricted within the Europol organisation to those persons who, by reason of their duties or obligations, need to be acquainted with such information or to handle it. Persons entrusted with the processing of information shall have obtained security clearance and shall further receive special training. Security clearance may only be granted by the Security Coordinator. Authorisation may be withdrawn immediately by the Security Coordinator on justifiable grounds. In principle, no person shall have access to information subject to a classification level without having been granted security clearance at the appropriate level. However, there are derogations, left to the discretion of the Security Coordinator and only in exceptional circumstances. The derogations give a specific and limited authorisation to persons cleared at ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ level to have access to specific information classified up to ‘SECRET UE/EU SECRET’ level, if, by reason of their duties or obligations in a specific case, they need to be acquainted with information subject to a higher Europol classification level or grant temporary authorisation to access classified information for a period not exceeding six months.
Third parties: in accordance with the Europol Decision, Europol may conclude cooperation agreements with entities or third parties. In that event, Europol shall include in the agreements specific provisions on the confidentiality of data exchanges, in accordance with the rules laid down in this proposal and in the security manual.
ENTRY INTO FORCE: 01/01/2010.