17.12.2009

EN

Official Journal of the European Union

L 332/17

---

COUNCIL DECISION 2009/968/JHA

of 30 November 2009

adopting the rules on the confidentiality of Europol information

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (1) (the Europol Decision) and in particular Article 40 thereof,

Having regard to the draft rules submitted by the Management Board,

Having regard to the Opinion of the European Parliament,

Whereas in accordance with the Europol Decision, it is for the Council, acting by qualified majority after consulting the European Parliament, to adopt implementing rules on the confidentiality of information which is obtained by, or exchanged with, Europol (hereinafter the rules),

HAS DECIDED AS FOLLOWS:

CHAPTER I

DEFINITIONS AND SCOPE

Article 1

Definitions

For the purposes of these rules,

(a)

‘processing of information’ or ‘processing’ means any operation or set of operations which is performed on personal or non-personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(b)	‘third party’ means an entity referred to in Articles 22(1) and 23(1) of the Europol Decision;

(c)	‘Security Committee’ means the Committee consisting of representatives of the Member States and Europol, as described in Article 4;

(d)	‘Security Coordinator’ means the Deputy Director to whom the Director — in pursuance of Article 38(2) of the Europol Decision — assigns, alongside his other tasks, the function of coordination and control in matters of security;

(e)	‘Security Officers’ means the Europol staff, appointed by the Director, responsible for security issues in accordance with Article 6;

(f)	‘Security Manual’ means the manual implementing these rules, to be established in accordance with Article 7;

(g)	‘classification level’ means a security marking assigned to a document processed by or through Europol, as referred to in Article 10;

(h)	‘security package’ means a specified combination of security measures to be applied to information subject to a Europol classification level as referred to in Article 10;

(i)	‘basic protection level’ means the level of protection which shall be applied to all information processed by or through Europol, except information which is expressly marked or is clearly recognisable as being public information, as referred to in Article 10(1);

(j)	‘staff’ means temporary staff and contract staff as defined in Article 39(4) of the Europol Decision;

(k)

‘Europol classified information’ means any information and material in any form, an unauthorised disclosure of which could cause varying degrees of prejudice to the essential interests of Europol or of one or more Member States, and that requires the application of appropriate security measures as defined in Article 7(2)(b).

Article 2

Scope

1.   These rules establish the security measures to be applied to all information which is processed by or through Europol.

2.   Communication channels between Europol and the national units of the Member States, referred to in Article 8 of the Europol Decision, shall provide a level of protection which is equivalent to the level offered by these measures. A common standard for these communication channels shall be approved by the Security Committee.

3.   The Annex sets out an overview of the Europol classification levels, as referred to in Article 10, and the equivalent markings currently applied by the Member States to information subject to those classification levels. When a Member State informs the other Member States and Europol of any changes in its national provisions on classification levels or in the equivalent markings, Europol shall elaborate a revised version of the overview reproduced in the Annex. At least once a year the Security Committee shall ascertain whether the overview is up to date.

CHAPTER II

SECURITY RESPONSIBILITIES

Article 3

Member States' Responsibilities

1.   Member States shall undertake to ensure that, within their territory, Europol information receive a level of protection which is equivalent to the level of protection offered by the security measures established under these rules.

2.   Member States shall undertake to inform the Security Coordinator of all security breaches that may compromise the interests of Europol or of a Member State. In the latter case, the Member State concerned shall also be informed directly through the national unit.

Article 4

Security Committee

1.   A Security Committee shall be set up, consisting of representatives of the Member States and of Europol, which shall meet at least twice a year.

2.   The Security Committee shall have as its task to advise the Management Board and Director of Europol on issues relating to security policy, including the application of the Security Manual.

3.   The Security Committee shall establish its rules of procedure. The meetings of the Security Committee shall be chaired by the Security Coordinator.

Article 5

Security Coordinator

1.   The Security Coordinator shall have general responsibility for all issues relating to security, including the security measures laid down in these rules and in the Security Manual. The Security Coordinator shall monitor the enforcement of security provisions and inform the Director of all breaches of security. In serious cases, the Director shall inform the Management Board. If such breaches risk compromising the interests of a Member State, that Member State shall also be informed.

2.   The Security Coordinator shall be directly answerable to the Director of Europol.

3.   The Security Coordinator shall be security cleared to the highest level in accordance with the laws and regulations applicable in the Member State of which the Security Coordinator is a national.

Article 6

Security Officers

1.   Security Officers shall support the Director in the implementation of the security measures laid down in these rules and in the Security Manual. Security Officers shall be directly answerable to the Security Coordinator. The specific tasks of the Security Officers shall be:

(a)	to instruct, assist and advise all persons at Europol — as well as any other person involved in Europol-related activities who is under a particular obligation of discretion or confidentiality — as to their duties under these rules and under the Security Manual;

(b)	to enforce security provisions, investigate breaches thereof and report on them immediately to the Security Coordinator;

(c)	to regularly review the adequacy of security measures on the basis of risk assessments; to that end, they shall report to the Security Coordinator as a rule at least once a month and, in exceptional cases, whenever it is deemed necessary and shall provide appropriate recommendations and advice;

(d)	to perform the tasks assigned to them under these rules or under the Security Manual; and

(e)	to perform any other tasks assigned to them by the Security Coordinator.

2.   Security Officers shall be security cleared to the appropriate level required by their duties and in accordance with the laws and regulations applicable in the Member States of which they are a national.

Article 7

Security Manual, procedure and content

1.   The Security Manual shall be adopted by the Management Board after having consulted the Security Committee.

2.   The Security Manual shall provide management direction and support for security in accordance with business requirements and shall set out Europol’s approach to managing security. The Security Manual shall contain:

(a)	detailed rules on the security measures to be applied within Europol in order to provide for the basic protection level referred to in Article 10(1) of these rules, such measures being based on Articles 35 and 41(2) of the Europol Decision and taking account of Article 40(3) thereof; and

(b)	detailed rules on the security measures associated with the different Europol classification levels and the corresponding security packages referred to in Article 10(2) and 10(3); the Security Manual shall also take account of Article 46 of the Europol Decision.

3.   The Security Manual shall be reviewed at regular intervals, or when significant changes occur, in order to ensure its continuing suitability, adequacy, and effectiveness.

4.   Amendments to the Security Manual shall be adopted in accordance with the procedure set out in paragraph 1.

Article 8

Security accreditation of systems

1.   All Europol systems used to process Europol classified information shall be accredited by the Management Board after having consulted the Security Committee and after having obtained assurance of the effective implementation of the required security measures deriving from the system specific security requirements (SSSR), Information Risk Register and any other relevant documentation. Subsystems and remote terminals or workstations shall be accredited as part of all the systems to which they are connected.

2.   The SSSR shall be adopted and amended by the Management Board after having consulted the Security Committee. This SSSR shall comply with the relevant provisions of the Security Manual.

Article 9

Observance

1.   The security measures laid down in these rules and in the Security Manual shall be observed by all persons at Europol, as well as by any other person involved in Europol-related activities who is under a particular obligation of discretion or confidentiality.

2.   The Director, the liaison bureaus and Europol national units shall be responsible for ensuring observance of these rules and of the Security Manual in accordance with paragraph 1.

CHAPTER III

GENERAL PRINCIPLES

Article 10

Basic protection level, classification levels and security packages

1.   All information processed by or through Europol, with the exception of information which is expressly marked or is clearly recognisable as being public information, shall be subject to a basic protection level within Europol and in Member States.

2.   In accordance with Article 3, Member States shall ensure the application of the basic protection level referred to in paragraph 1, by a variety of measures in accordance with national legislation and regulations, including the obligation of discretion and confidentiality, limiting access to information to authorised personnel, data protection requirements as far as personal data are concerned and general technical and procedural measures to safeguard the security of the information, taking into account Article 41(2) of the Europol Decision.

3.   Information requiring additional security measures shall be subject to a Europol classification level, which shall be indicated by a specific marking. Information shall be subject to a security level only where strictly necessary and only for the time necessary.

4.   The following Europol classification levels shall be used:

(a)   ‘RESTREINT UE/EU RESTRICTED’: this classification shall be applied to information and material the unauthorised disclosure of which could be disadvantageous to the interests of Europol, the EU or one or more Member States;

(b)   ‘CONFIDENTIEL UE/EU CONFIDENTIAL’: this classification shall be applied to information and material the unauthorised disclosure of which could harm the essential interests of Europol, the EU or one or more Member States;

(c)   ‘SECRET UE/EU SECRET’: this classification shall be applied to information and material the unauthorised disclosure of which could seriously harm the essential interests of Europol, the EU or one or more Member States;

(d)   ‘TRÈS SECRET UE/EU TOP SECRET’: this classification shall be applied to information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of Europol, the EU or one or more Member States.

Such classified information and material shall bear an additional marking (‘EUROPOL’) under the classification marking to indicate that it originates in Europol.

Each Europol classification level shall relate to a specific security package, to be applied within Europol. The security packages shall offer different levels of protection, depending on the content of the information, and taking account of the detrimental effect which unauthorised access, dissemination or use of the information might have on the interests of Europol or the Member States.

When information classified at different levels is gathered, the classification level to be applied shall be at least as high as that applicable to the information protected at the highest level. In any event, a group of information may be given a higher protection level than that of each of its parts.

The translation of a classified document shall be given the same classification level, and shall be subject to the same protection, as the original document.

5.   A caveat marking may be used for specifying additional conditions such as distribution of the information is limited to specific information exchange channels, embargo and a particular distribution on a need-to-know basis. Such caveat markings shall be defined in the Security Manual.

6.   The security packages shall consist of various measures of a physical, technical, organisational or administrative nature, as laid down in the Security Manual.

Article 11

Choice of classification level

1.   The Member State supplying information to Europol shall be responsible for the choice of any appropriate classification level for such information in accordance with Article 10. Where applicable, when supplying information to Europol, the Member State shall mark it with a Europol classification level as referred to in Article 10(4).

2.   In choosing a classification level, Member States shall take account of the classification of the information under their national regulations, the need for the operational flexibility required for Europol to function adequately and the requirement that classification of law enforcement information should be the exception and that, if such information has to be classified, the lowest possible level should be assigned.

3.   If Europol, on the basis of information already in its possession, comes to the conclusion that the choice of a classification level needs changing (for instance removing or adding a classification level, or adding a classification level to a document previously subject to the basic protection level), it shall inform the Member State concerned and seek to agree on an appropriate classification level. Europol shall not specify, change, add or remove a classification level without such agreement.

4.   Where information generated by Europol is based upon, or contains, information supplied by a Member State, Europol shall determine, in agreement with the Member State concerned, whether the basic protection level is sufficient or whether the application of a Europol classification level is required.

5.   Where information is generated by Europol itself, and such information is not based upon, nor contains, information supplied by a Member State, Europol shall determine any appropriate classification level for such information, using criteria laid down by the Security Committee. Where necessary, Europol shall mark the information accordingly.

6.   Member States and Europol shall, where information also concerns the essential interests of another Member State, consult that Member State on whether any classification level should be applied to that information and, if so, which classification level should be applied.

Article 12

Changing the classification level

1.   A Member State which has supplied information to Europol may, at any time, require that the selected classification level be changed, including by removing or adding a classification level. Europol shall be obliged to remove, amend or add a classification level in accordance with the wishes of the Member State concerned.

2.   The Member State concerned shall, as soon as circumstances allow, request that the classification level in question be downgraded or removed altogether.

3.   A Member State supplying information to Europol may specify the time period for which the choice of classification level will apply, and any possible amendments to the classification level thereafter.

4.   Where the basic protection level or classification level has been determined by Europol in accordance with Article 11(4), Europol shall only change the basic protection or classification level in agreement with the Member States concerned.

5.   Where the classification level has been determined by Europol in accordance with Article 11(5), Europol may change or remove the classification level at any time it is deemed necessary.

6.   Where information, the classification level of which is changed in accordance with this Article, has already been supplied to other Member States, Europol shall inform the recipients of the change to the classification level.

Article 13

Processing, access and security clearance

1.   Access to, and possession of, information shall be restricted within the Europol organisation to those persons who, by reason of their duties or obligations, need to be acquainted with such information or need to handle it. Persons entrusted with the processing of information shall have obtained an appropriate security clearance and shall further receive special training.

2.   All persons who may have access to information subject to a classification level processed by Europol shall undergo security clearance in accordance with Article 40(2) of the Europol Decision and the Security Manual. The Security Coordinator shall, on the basis of the result of the security clearance procedure, subject to the provisions of the Security Manual, grant authorisation to those persons cleared at the appropriate national level, who by reason of their duties or obligations, need to be acquainted with information subject to a Europol classification level. The authorisation is subject to regular review by the Security Coordinator. Authorisation may be withdrawn immediately by the Security Coordinator on justifiable grounds. The Security Coordinator shall also be responsible for ensuring the implementation of paragraph 3.

3.   No person shall have access to information subject to a classification level without having been granted security clearance at the appropriate level. Exceptionally, however, the Security Coordinator may, after consultation of a Security Officer,

(a)

give a specific and limited authorisation to persons cleared at ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ level to have access to specific information classified up to ‘SECRET UE/EU SECRET’ level, if, by reason of their duties or obligations in a specific case, they need to be acquainted with information subject to a higher Europol classification level; or

(b)

grant temporary authorisation to access classified information for a period not exceeding six months, pending the outcome of the security clearance referred to in paragraph 2, if it is in the interest of Europol, and after giving the national competent authorities notification and provided there is no reaction from them within three months; the Security Coordinator shall inform the national competent authorities concerned of the granting of such temporary authorisation. The granting of this temporary authorisation shall not give access to information classified as ‘SECRET UE/EU SECRET’ and above.

4.   Such authorisation shall not be granted where a Member State, when supplying the information concerned, has specified that the discretion afforded to the Security Coordinator under paragraph 3 shall not be exercised in relation to that information.

Article 14

Third parties

When concluding confidentiality agreements with third parties, or when concluding agreements in accordance with Articles 22(4) and 23(7) of the Europol Decision, Europol shall take account of the principles laid down in these rules and in the Security Manual, which should be applied accordingly to information exchanged with such third parties.

CHAPTER IV

FINAL PROVISIONS

Article 15

Review of the rules

Any proposals for amendments to these rules shall be considered by the Management Board with a view to their adoption by the Council in accordance with the procedure provided for in Article 40(1) of the Europol Decision.

Article 16

Entry into force

These rules shall enter into force on 1 January 2010.

---

(1)  OJ L 121, 15.5.2009, p. 37.

---

---