31999F0130(03)

COUNCIL ACT of 3 November 1998 adopting rules on the confidentiality of Europol information (1999/C 26/02)

THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Convention based on Article K.3 of the Treaty on European Union on the establishment of a European Police Office (Europol Convention) (1), and in particular Article 31(1) thereof,

Having regard to the draft rules submitted by the Management Board,

Whereas it is for the Council, acting unanimously, to adopt appropriate rules on the confidentiality of information which is obtained by or exchanged with Europol on the basis of the Europol Convention,

HAS ADOPTED THE FOLLOWING RULES:

CHAPTER I

DEFINITIONS AND SCOPE

Article 1 Definitions

For the purposes of these rules,

(a) 'processing of information` ('processing`) means any operation or set of operations which is performed on personal or non-personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

(b) 'third party` means a third State or body as referred to in Article 10(4) of the Convention;

(c) 'Europol Security Committee` means the Committee consisting of representatives of the Member States and Europol described in Article 3;

(d) 'Europol Security Coordinator` means the Deputy Director to whom the Director of Europol - in pursuance of Article 29(2) of the Europol Convention - assigns, alongside his other tasks, the function of coordination and control in matters of security;

(e) 'Europol Security Officer` means the Europol officer appointed by the Director of Europol and responsible for security issues in accordance with Article 5;

(f) 'Security Manual` means the manual implementing these rules, to be established in accordance with Article 6;

(g) 'security level` means a security marking of Europol 1, 2, 3 assigned to a document processed by or through Europol as mentioned in Article 8;

(h) 'security package` means a specified combination of security measures to be applied to information subject to a Europol security level as mentioned in Article 8;

(i) 'basic protection level` means the level of protection which will be applied to all information processed by or through Europol, except information which is expressly marked or is clearly recognisable as being public information, as mentioned in Article 8(1).

Article 2 Scope

1. These rules establish the security measures to be applied to all information which is processed by or through Europol within its organisation.

2. Member States undertake to ensure that such information shall, within their territory, receive a level of protection which is equivalent to the level of protection offered by these measures.

3. Electronic links between Europol and the national units of the Member States shall provide a level of protection which is equivalent to the level offered by these measures. A common standard for these electronic links shall be approved unanimously by the Security Committee after consulting the competent authorities of the Member States.

4. The Annex hereto shows an overview of the Europol security levels, as referred to in Article 8, and the equivalent markings currently applied by the Member States to information subject to those security levels. When a Member State informs the other Member States and Europol of any changes in the national provisions on security levels or in the equivalent markings, Europol will elaborate a revised version of the abovementioned overview. At least once a year the Europol Security Committee shall ascertain whether or not the overview is up-to-date.

CHAPTER II

SECURITY RESPONSIBILITIES

Article 3 Europol Security Committee

1. A Europol Security Committee shall be set up, consisting of representatives of the Member States and of Europol, which shall meet at least once a year.

2. The Europol Security Committee shall have as its task to advise the Management Board and Director of Europol on issues relating to security policy and including the application of the Security Manual.

3. The Europol Security Committee shall establish its rules of procedure. The meetings of the Europol Security Committee shall be chaired by the Security Coordinator.

Article 4 Security Coordinator

1. The Security Coordinator shall have general responsibility for all issues relating to security, including the security measures laid down in these rules and the Security Manual. He shall monitor the enforcement of security provisions and inform the Director of all breaches of security, who shall, in serious cases, inform the Management Board. If such a breach risks compromising the interests of a Member State, that Member State shall also be informed.

2. The Security Coordinator shall be directly answerable to the Director of Europol.

Article 5 Security Officer

1. The responsibility for the practical implementation of the security measures laid down in these rules and in the Security Manual shall lie with the Europol Security Officer, who shall be directly answerable to the Security Coordinator. The specific tasks of the Security Officer shall be:

(a) the management of the Security Unit of Europol;

(b) to instruct, assist and advise Europol staff and liaison officers as to their duties under these rules and the Security Manual;

(c) to enforce security provisions, investigate breaches of such provisions and report on them as soon as possible to the Security Coordinator;

(d) continuous review of the adequacy of security measures on the basis of threat assessments. To that end he shall report to the Security Coordinator as a rule at least once a month and - in exceptional cases - whenever it is deemed necessary and shall make observations and suggestions;

(e) tasks assigned to him under these rules or the Security Manual;

(f) other tasks assigned to him by the Security Coordinator.

2. The Security Officer must have security clearance to the highest level under the regulations applicable in the Member State of which he is a national.

Article 6 Security Manual; procedure and contents

1. The Security Manual shall be adopted by the Management Board after consultation with the Security Committee.

2. The Security Manual shall contain:

(a) detailed rules on the security measures to be applied within the Europol organisation in order to provide for a basic protection level as mentioned in Article 8(1) of these rules, such measures being based on Articles 25 and 32(2) of the Europol Convention and taking Article 31(3) of that Convention into account;

(b) detailed rules on the security measures associated with the different Europol security levels and the corresponding security packages as mentioned in Article 8(2) and (3).

3. Amendments to the Security Manual shall be adopted in accordance with the procedure outlined in paragraph 1.

4. For the Europol Computer System and any other computer systems employed at Europol used to process protectively marked information, a 'System Specific Security Requirement` (SSSR) shall be adopted and amended in accordance with the procedure outlined in paragraph 1. This System Specific Security Requirement shall comply with relevant provisions of the Security Manual.

Article 7 Observance

The security measures laid down in these rules and in the Security Manual shall be observed by all Europol staff and liaison officers, as well as any other person under a particular obligation of discretion or confidentiality.

CHAPTER III

GENERAL PRINCIPLES

Article 8 Basic protection level, security levels and security packages

1. All information processed by or through Europol, except information which is expressly marked or is clearly recognisable as being public information, shall be subject to a basic protection level within the Europol organisation as well as in the Member States. Information which is subject only to the basic protection level shall not require a specific marking of a Europol security level, but shall be designated as Europol information.

2. In accordance with Article 2(2), Member States shall ensure the application of the basic protection level mentioned in paragraph 1, by a variety of measures in accordance with national legislation and regulations, including the obligation of discretion and confidentiality, limiting access to information to authorised personnel, data protection requirements as far as personal data are concerned and general technical and procedural measures to safeguard the security of the information, taking Article 25(2) of the Europol Convention into account.

3. Information requiring additional security measures shall be subject to a Europol security level, which shall be indicated by a specific marking. Information shall be assigned such a security level only where strictly necessary and for the time necessary.

4. The Europol security levels will be numbered 'Europol level 1 to 3`,

>TABLE>

Each Europol security level shall relate to a specific security package, to be applied within the Europol organisation. The security packages shall offer different levels of protection, depending on the content of the information, and taking account of the detrimental effect which unauthorised access, dissemination or use of the information might have on the interests of the Member States or Europol. Europol levels 1 to 3 shall - with respect to the security measures to be applied - correspond as far as possible to existing international standards.

When information protectively marked at different levels is gathered, the security level to be applied shall be at least as high as that applicable to the information protected at the highest level. At all events, a group of information may be given a higher protection level than that of each of its parts.

The translation of protectively marked documents shall be subject to the same protection as the originals.

5. The security packages shall consist of various measures of a technical, organisational or administrative nature, as laid down in the Security Manual. They shall include permitted usage of the data subject to Article 17 of the Europol Convention, from unrestricted use to no use without the originator's consent.

Article 9 Choice of security level

1. The Member State supplying information to Europol shall be responsible for the choice of any appropriate security level for such information in accordance with Article 8. The Member State shall, where necessary, mark the information with a Europol security level as referred to in Article 8(4), when supplying it to Europol.

2. In choosing any security level, Member States shall take account of the classification of the information under their national regulations, as well as of the need for the operational flexibility required for Europol to function adequately.

3. If Europol - on the basis of information already in its possession - comes to the conclusion that the choice of a security level needs amendment (e.g. a possible removal or addition of such a level, including the addition of a security level to a document previously subject to the basic protection level), it shall inform the Member State concerned and seek to agree on an appropriate security level. Europol shall not specify, change, add or remove a security level without such agreement.

4. Where information generated by Europol is based upon or contains information supplied by a Member State, Europol shall determine in agreement with the Member State concerned whether the basic protection level is sufficient or whether the application of a Europol security level is required.

5. Where information is generated by Europol itself, and such information is not based upon nor contains information supplied by a Member State, Europol shall determine any appropriate security level for such information, using criteria laid down by the Security Committee. Where necessary, Europol shall mark the information accordingly.

6. Member States and Europol shall, where information also concerns the essential interests of another Member State, consult that Member State on whether any security level should be applied to that information and if so which security level should be applied.

Article 10 Amendment of security levels

1. A Member State which has supplied information to Europol may at any time require an amendment of any chosen security level, including a possible removal or addition of such a level. Europol shall be obliged to remove, amend or add a security level in accordance with the wishes of the Member State concerned.

2. The Member State concerned shall, as soon as circumstances allow, request that the security level in question be downgraded or removed altogether.

3. A Member State supplying information to Europol may specify the time period for which the choice of any security level will apply, and any possible amendments to the security level after such period.

4. Where the choice of the basic protection level or security level has been determined by Europol in accordance with Article 9(4), an amendment of the basic protection or security level shall only be effected by Europol in agreement with the Member States concerned.

5. Where the choice of the security level has been determined by Europol in accordance with Article 9(5), Europol may amend or remove the security level at any time where this is deemed necessary.

6. Where information whose security level is amended in accordance with this Article has already been supplied to other Member States, Europol shall be obliged to inform the recipients of the change of security level.

Article 11 Processing, access and security clearance

1. Access to and possession of information shall be restricted within the Europol organisation to those persons who, by reason of their duties or obligations, need to be acquainted with such information or to handle it. Persons entrusted with the processing of information shall have undergone any necessary security clearance and shall further receive special training.

2. All persons that may have access to information subject to a security level processed by Europol shall undergo security clearance in accordance with Article 31(2) of the Europol Convention and the Security Manual. The Security Coordinator shall, acting on a proposal from the Security Officer, subject to the provisions of the Security Manual, grant authorisation to those persons cleared at the appropriate national level, who by reason of their duties or obligations, need to be acquainted with information subject to a Europol security level. He shall also be responsible for ensuring the implementation of paragraph 3.

3. No person shall have access to information subject to a security level without having been granted security clearance at the appropriate level. Exceptionally however, the Security Coordinator may, after consultation of the Security Officer, give a specific and limited authorisation to persons cleared at level 1 or 2 to have access to specific information at a higher level, if, by reason of their duties or obligations, in a specific case, they need to be acquainted with information subject to a higher Europol security level.

4. Such authorisation shall not be granted where a Member State, when supplying the information concerned, has specified that the discretion afforded to the Security Coordinator by paragraph 3, shall not be exercised in relation to that information.

Article 12 Third parties

When concluding agreements on confidentiality with third parties in accordance with Article 18(6) of the Europol Convention, or agreements in accordance with Article 42 thereof, Europol shall take account of the principles laid down in these rules and the Security Manual, which should be applied accordingly to information exchanged with such third parties.

CHAPTER IV

FINAL PROVISIONS

Article 13 Entry into force

These rules shall enter into force on 1 January 1999.

Article 14 Review of the rules

Any proposals for amendments to these rules shall be considered by the Management Board with a view to their adoption by the Council in accordance with the procedure provided for in Article 31(1) of the Europol Convention.

Done at Brussels, 3 November 1998.

For the Council

The President

B. PRAMMER

(1) OJ C 316, 27.11.1995, p. 1.

ANNEX

Table of equivalence between national classifications and corresponding Europol classifications

The following table is illustrative: the obligation on Member States is to provide an equivalent level of protection to that afforded by Europol rather than to attach a particular label.

>TABLE>

NOTE

As mentioned in Article 2(4) Europol shall elaborate a revised version of this overview if notified of any changes of national provisions. At least once a year the Europol Security Committee shall examine whether the overview is up-to-date. Any difficulties in applying the concept of equivalence in levels of protection shall be discussed between Member States and Europol or collectively by the Security Committee. Similarly, the Security Committee shall consider the implications for the table of any adjustment to Europol's Security packages, as set out in the Security Manual.