|
OPCW |
Conference of the States Parties |
|
First Session |
C-I/DEC.13 |
|
Agenda item 39 |
16 May 1997 |
|
Original: ENGLISH |
DECISION
GUIDELINES FOR PROCEDURES ON THE RELEASE OF CLASSIFIED INFORMATION BY THE OPCW, IN ACCORDANCE WITH PARAGRAPH 2(C)(III) OF THE CONFIDENTIALITY ANNEX;
A CLASSIFICATION SYSTEM FOR LEVELS OF SENSITIVITY OF CONFIDENTIAL DATA AND DOCUMENTS, TAKING INTO ACCOUNT RELEVANT WORK UNDERTAKEN IN THE PREPARATION OF THE CONVENTION, IN ACCORDANCE WITH PARAGRAPH 2 (D) OF THE CONFIDENTIALITY ANNEX;
RECOMMENDATIONS FOR PROCEDURES TO BE FOLLOWED IN CASE OF BREACHES OR ALLEGED BREACHES OF CONFIDENTIALITY, IN ACCORDANCE WITH PARAGRAPH 18 OF THE CONFIDENTIALITY ANNEX.
(PARIS RESOLUTION, SUBPARAGRAPHS 12(U), (V) AND (W))
The Conference
Recalling that the Commission developed a Draft OPCW Policy on Confidentiality that includes the above mentioned issues as well as rules governing the composition and operating procedures of the Commission for the settlement of disputes related to confidentiality as required by the Confidentiality Annex, paragraph 23, in a combined manner,
Recalling that the Commission adopted the draft OPCW Policy on Confidentiality as annexed to PC-XI/B/WP.8 and as amended by Working Group B, and decided to apply the provisions of this draft OPCW Policy on Confidentiality, mutatis mutandis, to the work of the Preparatory Commission. (PC-XI/17, paragraph 7.7)
Recalling that the Commission decided to correct the clerical error in the last line of subparagraph 6.2 of Part VI of the Draft OPCW Policy on Confidentiality (PC-D-1) by replacing the word "should" with "shall". (PC-XII/17, paragraph 8.7)
Bearing in mind that the Commission recommended in paragraph 45.4 of its Final Report that the Conference adopt the above mentioned OPCW Policy on Confidentiality, as corrected.
Hereby:
1. Adopts adopt the above mentioned OPCW Policy on Confidentiality, as corrected, annexed hereto.
Annex
THE ORGANISATION
FOR THE PROHIBITION OF CHEMICAL WEAPONS
DRAFT
OPCW POLICY ON CONFIDENTIALITY
The Hague
May 1997(blank page)
Preface
The Draft OPCW Policy on Confidentiality was developed by the Expert Group on Confidentiality (Annex to PC-XI/B/WP.8) and was adopted as amended by the Preparatory Commission at its Eleventh Session (PC-XI/17, subparagraph 7.7 and PC-XI/B/12, subparagraph 7.2). The Draft OPCW Media and Public Affairs Policy was developed by the Formal Consultations on OPCW Media and Public Affairs Policy (Attachment toPC-X/A/WP.5) and was provisionally approved as amended by the Preparatory Commission at its Tenth Session (PC-X/23, subparagraph 6.11 and PC-X/A/3, subparagraph 6.4), pending the adoption of other relevant documents including the Draft OPCW Policy on Confidentiality.
The Preparatory Commission also decided that the Draft OPCW Policy on Confidentiality and the Draft OPCW Media and Public Affairs Policy would apply, mutatis mutandis, to the work of the Preparatory Commission (PC-XI/17, subparagraph 7.7 and PC-X/23, subparagraph 6.12 respectively).
Ian R. Kenyon
Executive Secretary
(blank page)
Contents
Preface
Draft OPCW Policy on Confidentiality
Part I:Introduction
Part II: General Policy
Part III:Information and Confidentiality
Part IV: Basic Responsibilities on Confidentiality
Part V:OPCW Classification System for Confidential Information
Part VI: General Principles for Handling and Protection of Confidential Information
Part VII:Procedures for the Release of Information by the OPCW
Part VIII Administration
Part IX: Breach Procedures
IX.1: Breach Investigation Procedures
IX.2: Rules Governing the Commission for the Settlement of Disputes Relating to Confidentiality ("the Confidentiality Commission").
IX.3: The Role of States Parties in Relation to Breach Procedures
Part X:Annual Report on the Implementation of the Regime Governing the Handling of Confidential Information by the Secretariat
Part XI: Amendment Procedure
Glossary
Draft OPCW Policy on Confidentiality
PART I
INTRODUCTION
1. This document sets out the basis of the Organisation's policy for protecting confidentiality throughout activities related to the implementation of the Convention, for classifying and handling confidential information, and for dealing with breaches of confidentiality.
2. A policy for confidential information is essential to the work of the Organisation because of the intrusive verification measures which are aimed at promoting confidence in compliance with the Convention while respecting States Parties' legitimate concerns about the possible disclosure of sensitive information. Credible verification entails receptiveness on the part of States Parties and a level of intrusiveness in verification activities. The need for disclosure of appropriate information to demonstrate compliance with the Convention should be matched by credible reassurances for States Parties that proper measures are taken to prevent disclosure of information not relevant to the Convention and that any confidential information, once disclosed, will be appropriately protected.
3. Consequently, in defining States Parties' rights and obligations, the Convention embodies a balance between that disclosure necessary to enhance confidence in compliance with the Convention, and the prevention of disclosure of information not relevant to the Convention, in order to protect national security and proprietary rights, taking into account constitutional obligations. These two objectives are not necessarily in conflict; on the contrary, a credible and effective process of verification can be achieved which actively and integrally protects confidentiality. The Convention text provides practical assurances that all confidential information will be appropriately protected; and that verification procedures will seek to prevent the disclosure of information not related to verification of compliance with the Convention.
(blank page)
PART II
GENERAL POLICY
1. Paragraph 5 of Article VIII of the Convention provides the basis of the obligations of the Organisation to respect confidentiality:
"The Organisation shall conduct its verification activities provided for under this Convention in the least intrusive manner possible consistent with the timely and efficient accomplishment of their objectives. It shall request only information and data necessary to fulfil its responsibilities under this Convention. It shall take every precaution to protect the confidentiality of information on civil and military activities and facilities coming to its knowledge in the implementation of this Convention and, in particular, shall abide by the provisions set forth in the Confidentiality Annex."
2. Paragraph 6 of Article VII of the Convention establishes the obligation on each State Party to:
"treat as confidential and afford special handling to information and data that it receives in confidence from the Organisation in connection with the implementation of this Convention. It shall treat such information and data exclusively in connection with its rights and obligations under this Convention and in accordance with the provisions set forth in the Confidentiality Annex."
3. These basic requirements are elaborated in a number of other provisions of the Convention, especially in the Confidentiality Annex and in the provisions detailing verification procedures (e.g. paragraph 10 of Article VI; paragraphs 56 and 62, Part II of the Verification Annex and paragraph 48, Part X of the Verification Annex). From this basis, the fundamental elements of the Organisation's Policy on Confidentiality are:
(a) only that information necessary for the timely and efficient carrying out of its responsibilities under the Convention shall be sought and required; and requirements for information to which the Organisation shall be given access by a State Party shall be specified as precisely as possible;
(b) verification activities shall be designed, planned and carried out so as to avoid unnecessary disclosure of confidential information and so as to seek to prevent disclosure of such information not related to compliance with the Convention, consistent with effective and timely discharge of verification obligations under the Convention;
(c) confidential information not relevant to the Convention shall not be sought, recorded or retained in the course of verification or other activities, without prejudice to an inspected State Party's right to request such a disclosure in accordance with the Convention. Once disclosed, it shall be protected, shall not be further disseminated, and shall be appropriately disposed of;
(d) systematic procedures for limiting the dissemination of and access to information after information is collected and classified as confidential shall be established, monitored, and adhered to;
(e) information obtained in connection with the implementation of the Convention shall not be published or otherwise released unless with explicit authority and in accordance with the release procedures outlined in Part VII of this policy; and
(f) staff selection and training, and staffing policy and regulations, shall take into account the need to ensure that all staff members of the Secretariat meet the highest standards of efficiency, competence and integrity.
PART III
INFORMATION AND CONFIDENTIALITY
1. This Part sets out guidelines for developing a practical understanding of the scope of the terms 'information', 'confidential information' and 'confidentiality'. The Convention sets out no definitive account of how these terms are to be applied, and it is clear that they are to be determined in an operational context consistent with the implementation of the Organisation's and States Parties' various responsibilities under the Convention.
2. The Organisation will carry out its responsibilities greatly depending on the information obtained through its verification activities and provided by States Parties. Thus, information will be coming into the Organisation's possession or to a staff member of the Organisation in a continuous input-output pattern of acquiring, processing and producing further necessary information.
3. In view of the integral role of confidentiality in all the Organisation's activities, information can generally be considered in operational terms, covering its characteristics, its means of acquisition and storage, and media for its processing and transmission.
Scope of 'information'
4. The term 'information' must be understood in a very broad sense. Information is recognised by its capacity or potential to provide, either directly or indirectly, data or any knowledge, regardless of its physical or intangible character or make-up.
5. It further applies to any means of acquiring, transmitting or retaining knowledge or data which may be perceived, acquired, derived or retained by any individual or by the Organisation including by its personnel or equipment in the implementation of the Convention.
6. The term 'data' appears in several contexts in the Convention. Generally, 'data' carries the implication of information in a particular structure or format, such as the information embodied in a national declaration. However, in construing the text from the point of view of confidentiality, there is no substantial distinction between 'information' and 'data.' Hence, for the purposes of this policy, the term 'information' will be considered to subsume any references to 'data.' 'Information' or 'data' may include information which is incorrect, false or inaccurate.
7. To illustrate the scope of its application, 'information' includes, but is not limited to:
- documents with graphic, schematic, numerical, symbolic, pictorial, digital, analogue, photographic or written information ;
- the products of photography, imagery, inspection, observation, data processing, sampling and analysis;
- data stored or displayed on electronic, magnetic or any other physical medium;
- information expressed in relative or absolute terms; and
- samples and other bodies of chemicals including chemicals carried by earth, dust, filters and sampling, and equipment including sampling, analysis and safety equipment. Samples contain information, and through sample analysis can provide further information.
Information can be acquired or transmitted through any medium of communications or human sense. Information can be obtained and transmitted due to the mere presence of persons on site or through access granted to them. Thus, equipment, objects, clothes and other personal belongings could become sources of information.
Operational definitions of some forms of information
8. The following operational definitions, which cover only some forms of information, apply for the purpose of guidelines for handling and protection of information under this Policy. It is to be understood that the following definitions are flexible enough to ensure that handling guidelines can be applied effectively and practically:
- 'Document' could extend to a variety of physical items displaying information or data;
- 'Computer material' includes any computer storage and processing medium, such as disks, tapes and diskettes. This term also covers portable computers, which may be used to record information during an on-site inspection;
- 'Audio-visual material' includes audio and video tapes, developed and undeveloped photographic films including the negatives of still photographs and the positives. (Positive prints of still photographs may be considered also as documents); and
- 'Sample' includes a sample's collection medium and any further information acquired or derived from analysis.
In the application of general operating guidelines to particular items of information falling under these definitions, there may be overlapping reference (for instance, a transparency for overhead projection may be handled as a document or as audio-visual material, and a computer printout may be handled as a document or as computer material).
Confidentiality of information under the Convention
9. A basic principle on confidentiality, set down in subparagraph 2(c) of the Confidentiality Annex, is that no information obtained by the Organisation in connection with the implementation of the Convention shall be published or otherwise released, except as specifically provided for.
10. Specific procedural guidelines in subparagraph 2(a) of the Confidentiality Annex provide that information shall be considered confidential if:
(a) it is so designated by the State Party from which the information was obtained and to which the information refers; or
(b) in the judgement of the Director-General, its unauthorised disclosure could reasonably be expected to cause damage to the State Party to which it refers or to the mechanisms for implementation of the Convention.
11. The following factors shall be weighed and carefully balanced by the Director-General or his[*] delegate in determining confidentiality of information:
- the potential of its disclosure causing damage to a State Party, any other body of a State Party, including a commercial firm, any national of a State Party, or to the Convention or the Organisation;
- the potential of its disclosure offering particular or selective advantage to an individual, a State, or any other body, including a commercial firm;
- the basic requirement for effective verification of compliance; and
- benefits stemming from the dissemination of general information regarding the implementation of the Convention, in order to promote its acceptance and credibility.
12. In determining whether the information it is providing to the Organisation contains confidential information, a State Party could also consider the above factors. The designation of information as confidential shall not undermine the obligation for a State Party to demonstrate compliance with the Convention and shall not be used by a State Party to conceal non-compliance. Furthermore, a State Party cannot prevent the dissemination of information which in accordance with the Convention shall be transmitted in a specified manner to States Parties upon request or routinely.
13. Once information has been determined to contain confidential information, it will be necessary to specify the level of sensitivity and scope of access to it. This will be normally done through a system of classification which is set out in Part V of this Policy.
Relationship of information to the Convention
14. The relationship of information to the purposes of the Convention can have implications for how confidentiality measures will apply to that information. Three significant distinctions can be discerned in the implementation of the Convention:
- information pertinent to the Organisation to fulfil its responsibilities under the Convention or provided by States Parties to fulfil their obligations under the Convention;
- information not related to the aims of the Convention, to which an inspected State Party grants access to demonstrate compliance with the Convention, or which it incidentally discloses in the course of verification activities; and
- information, including sensitive information, which is not related to the aims of the Convention, and to which an inspected State Party denies access consistent with its rights and obligations under the Convention.
15. Verification procedures and activities need to be guided by these distinctions. However, a judgement as to the relationship of information to the purposes of the Convention could be determined operationally, as the characterisation of information in this way is greatly dependant on individual contexts and circumstances. Obligations to protect confidentiality will be set in relation to information described under each of these distinctions.
PART IV
BASIC RESPONSIBILITIES ON CONFIDENTIALITY
1. Overall responsibilities of the Organisation
1.1 The OPCW will receive a great deal of confidential information from States Parties and may be exposed to or acquire more confidential information, often of a more sensitive nature, in the course of verification activities. The OPCW's internal processes will generate further confidential information. This Organisation including its constituent elements therefore must abide by certain obligations to respect confidentiality, in particular:
(a) not to publish or otherwise release information obtained in connection with the implementation of the Convention unless in accordance with the information release procedures as set out in Part VII of this Policy;
(b) to design, plan and carry out verification activities in the least intrusive manner possible, so as avoid disclosure of non-relevant information and to minimise disclosure of confidential information, where this is consistent with effective and timely verification;
(c) to seek and require only the disclosure of information necessary to serve the aims of the Convention, and to specify informational requirements as precisely as possible;
(d) to minimise accessibility of, to protect, and to prevent further dissemination of confidential information not relevant to the Convention which may be incidentally disclosed in the course of verification activities, consistent with effective and timely verification; and
(e) to establish, follow and monitor systematic procedures for limiting the dissemination of and access to information classified as confidential.
1.2 Responsibilities of the Director-General
1.2.1 The Director-General is specifically tasked with primary responsibility for the protection of confidential information. The Director-General must establish the regime for handling confidential information within the Secretariat in accordance with the guidelines laid down in the Convention including the Confidentiality Annex and this Policy.
1.2.2 The Director-General is responsible for supervising adherence to the confidentiality regime within the Secretariat, and must report annually on the implementation of the regime.
1.2.3 The Director-General has a central role in dealing with breaches and alleged breaches of confidentiality. This includes the establishment of procedures to be followed and the conduct of investigations in accordance with the Breach Procedures, and the imposition of punitive and disciplinary actions in accordance with the Staff Rules and Regulations. The procedures to be followed should be based on any determinations by the Conference on this subject.
1.2.4 The Director-General may initiate requests for States Parties to provide "details on the handling of information provided by the Organisation" (CA, (A)4), and consult with States Parties on the form and timing of such requests in accordance with any guidelines set by the Conference. The Director-General could, for instance, request regular reports from all States Parties on their handing of confidential OPCW information.
1.3 Responsibilities of the Secretariat
1.3.1 The basic responsibilities of the Secretariat concerning confidentiality derive essentially from the responsibilities of the Organisation and of the Director-General. However, in the practical implementation of the Convention, the definition, conduct and monitoring of the responsibilities of Secretariat staff to safeguard confidentiality are of crucial importance. Particular obligations apply to staff of the Secretariat through their involvement in verification activities and their consequent access to confidential information, both civil and military, which will include information disclosed by a State Party in pursuance of CWC obligations, as well as sensitive information not relevant to the aims of the Convention in the event that such sensitive information is disclosed.
1.3.2 In addition to the broader obligations already outlined, the Secretariat has the following specific responsibilities:
(a) through the appropriate unit, to evaluate all data and documents it obtains to determine whether confidential information is included;
(b) to establish within a formal position description a specification of the scope of access to confidential information needed for each staff position;
(c) to undertake secrecy agreements with each staff member and to undertake secrecy agreements with authorised bodies outside the Organisation, as necessary;
(d) to maintain a continuing programme of training and awareness for all staff on confidentiality issues, and to monitor each employee's record on protecting confidential information as an explicit element of performance evaluation;
(e) to advise a State Party of a proposed clearance of an employee for access to confidential information that refers to activities on the territory or in any other place under the jurisdiction and control of that State Party, not less than thirty days before access is granted; and
(f) to handle and store confidential information in a form that precludes direct identification with the facility it refers to, as far as this can be done consistent with effective verification.
1.3.3 The responsibilities of individual staff members are further defined by a secrecy agreement which must be executed by each employee.
1.4 Responsibilities of the inspection team
1.4.1 Particular responsibilities of members of an inspection team stem from the following:
(a) inspectors on site may have access to confidential information;
(b) the inspection team must negotiate with the inspected State Party on certain matters related to confidentiality that require agreement; and
(c) the inspection team is guided by its mandate, draws up an inspection plan, and must decide on specific measures to be employed during the inspection.
1.4.2 Inspection teams shall therefore:
(a) conduct inspections in the least intrusive manner possible consistent with the effective and timely accomplishment of their mission;
(b) plan the inspection and take into consideration proposals which may be made by the State Party receiving an inspection, at whatever stage of the inspection, to ensure that sensitive equipment or information, not related to chemical weapons, is protected;
(c) fully respect the procedures designed to protect sensitive installations and to prevent the unauthorised disclosure of confidential data;
(d) request only the information and data which are necessary to fulfil the inspection mandate;
(e) prepare an inspection report which only contains facts relevant to compliance with the Convention;
(f) protect and prevent further dissemination of confidential information not relevant to the Convention to which inspection teams have access in the course of on-site inspections; and
(g) respect an inspected State Party's denial of access to sensitive information consistent with the State Party's rights and obligations.
2.1 Responsibilities of the States Parties
2.1.1 States Parties must treat information received from the Organisation in accordance with its level of sensitivity as expressed in its classification category. The way this obligation is carried out will naturally differ between States Parties, but as a rule this information should be given at least the same level of protection as that afforded to information with comparable national classification or comparable confidentiality under national legal systems. States Parties shall establish or adapt suitable means of handling and protection of OPCW confidential information in a manner consistent with the principles set out in Part VI of this Policy.
2.1.2 Each State Party must provide on request details on the handling of information provided to it by the Organisation. This procedure is aimed at promoting general reassurance among States Parties that confidentiality is effectively safeguarded. The responses of States Parties to such requests should at least confirm that standards for handling information are in accordance with subparagraph 2.1.1 above.
2.1.3 In safeguarding confidentiality of information, States Parties must adhere to the essential obligation to demonstrate compliance with the Convention in accordance with its verification provisions.
2.1.4 Each State Party must cooperate with and support, to the extent possible, the Director-General in investigating breaches or alleged breaches of confidentiality, and in taking appropriate action in accordance with the elaborated breach procedures should an investigation determine that a breach has occurred. This obligation may include provision of details on the handling of information provided to the State Party by the Organisation and, if necessary, the State Party's participation as one of the disputing parties before the "Commission for the settlement of disputes related to confidentiality" in the event of the breach going before that body.
2.2 Responsibility of observers
2.2.1 When, in the course of a challenge inspection, the inspected State Party agrees to grant access to an observer in accordance with paragraph 55 of Part X of the Verification Annex, the observer may have access to some confidential information and will accordingly incur particular responsibilities in relation to its handling and protection. Thus the handling and protection of confidential information by the observer must be fully consistent with all relevant provisions of the Convention, including the Confidentiality Annex, and with this Policy, particularly the detailed handling provisions of Part VI of this Policy. As Article IX, subparagraph 12(a) of the Convention indicates that the observer is a "representative" of the requesting State Party, such information is also subject to the provisions of Article VII, paragraph 6, in respect of both the requesting State Party and the observer as its representative in particular, and hence shall be treated as confidential and afforded special handling.
2.2.2 Hence the requesting State Party shall be fully responsible for and shall take all necessary measures to ensure that the observer complies with and is individually bound by all relevant provisions of this Policy, as well as to ensure that effective legal remedies and penalties are available in the event of the observer breaching confidentiality, comparable to the measures taken in the event of an official of that State Party breaching confidentiality. Once any confidential information is disclosed to or acquired by the observer, in addition to and without diminishing the observer's own individual responsibility, the requesting State Party also becomes responsible for the handling and protection of that information in accordance with the Convention and with this Policy. For his part, the observer is to adhere to and be bound by all provisions of this Policy relating to the protection of confidential information, and shall not take any unauthorised action in this regard.
PART V
OPCW CLASSIFICATION SYSTEM FOR CONFIDENTIAL INFORMATION
1. Categories of confidential information
1.1 All information acquired or produced by the Organisation and its constituent elements which is determined to be confidential must be given a classification, based on established categories which correspond to the level of sensitivity of confidential information. In its application, the classification system will not impair the requirement for effective verification of compliance with the Convention, and it should be capable of providing, as necessary, for the release of general information, in adequately desensitised form, regarding the implementation of the Convention, in order to promote its acceptance and credibility.
1.2 The essential factors to be considered in determining the level of sensitivity of an item of information are as follows:
(a) the degree of potential damage which its disclosure could cause to a State Party, any other body of a State Party, including a commercial firm, or to any national of a State Party, or to the Convention or the Organisation; and
(b) the degree of potential particular or selective advantage its disclosure could offer to an individual, a State, or any other body, including a commercial firm.
These factors correspond to the factors used in determining the confidentiality of information.
1.3 Based on these guiding factors, and the specific classification criteria set out below, confidential information shall be classified according to the following categories, in increasing order of sensitivity:
. OPCW RESTRICTED
. OPCW PROTECTED
. OPCW HIGHLY PROTECTED
The prefix 'OPCW' in the names of these categories is used purely to facilitate handling of classified material, in clearly identifying classifications as being those applied by the Organisation and in avoiding any conflict or misunderstanding with distinct national classification systems. The use of this prefix does not imply any particular scope of dissemination.
1.4 There is a distinction between a classification category (which is based on the sensitivity of information) and the scope of dissemination of information (which is based, for instance, on the subject matter, the need-to-know principle, and the particular purpose for which the information is to be used). Level of classification will not prevent the dissemination of information as specifically required by the Convention, including under subparagraph 2(b) of the Confidentiality Annex.
1.5 Information not falling into any of the above-mentioned categories shall be considered not classified and may be marked appropriately. Information which is not classified will be subject to appropriate protection from release by the Organisation and by States Parties, unless specifically cleared for release in accordance with the separately defined release procedures.
1.6 The level of protection afforded to confidential information shall be linked to the level of sensitivity as indicated by its classification category. Each State Party and the Organisation shall protect OPCW classified information originating both from within the Organisation and from States Parties in accordance with its level of sensitivity as expressed by its classification category.
Classification category: OPCW RESTRICTED
CRITERION:
1.7 This category comprises information of which the unauthorised disclosure would be prejudicial to the effectiveness or credibility of the Convention, or prejudicial to the interests of a State Party or of a commercial or governmental body or of a national of a State Party.
EXAMPLES:
1.8 Unless specified otherwise, due to the greater or lesser sensitivity of the data in question, the following forms of information might be classified OPCW RESTRICTED when they are acquired or generated by any means by the Organisation:
(a) the initial and annual reports and declarations provided by States Parties under Articles III, IV, V and VI and in accordance with the Verification Annex, where these documents are considered by originating States Parties as being of this level of sensitivity;
(b) general reports on the results and effectiveness of verification activities; and
(c) information to be supplied to all States Parties in accordance with other provisions of the Convention.
1.9 Other information to be classified and handled as OPCW RESTRICTED may include: routine confidential correspondence between States Parties and the Secretariat, and internal working documents of the Organisation which are not of particular sensitivity. This may also include information relating to the internal processes and decision-making of the Secretariat, and other managerial or administrative information, where open disclosure of the information might hamper the Organisation's effectiveness in implementing the Convention.
DISSEMINATION:
1.10 OPCW RESTRICTED information that must be routinely provided to States Parties in accordance with subparagraph 2(b) of the Confidentiality Annex shall be disseminated accordingly.
Classification category OPCW PROTECTED
CRITERION:
1.11 This category comprises information of which the unauthorised disclosure may cause substantial damage to the effectiveness or credibility of the Convention, or to the interests of a State Party or of a commercial or governmental body or of a national of a State Party.
EXAMPLES:
1.12 Unless specified otherwise in accordance with greater or lesser sensitivity, the following forms of information might be classified as OPCW PROTECTED when they are acquired or generated by any means by the Organisation:
(a) the initial and annual reports and declarations provided by States Parties under Articles III, IV, V and VI and in accordance with the Verification Annex, where these documents are considered by the originating States Parties as being of this level of sensitivity;
(b) unpublished technological information about production processes and facilities, and technical information about industrial products;
(c) less sensitive or more general information related to commercial transactions and the cost factors of industrial processes and production;
(d) detailed initial reporting on an inspection, including information on anomalies or incidents at facilities, and inspection reports;
(e) data and information regarding inspection planning of the Secretariat and the inspection goals for a specific facility;
(f) facility agreements and any attachments thereto; and
(g) information regarding the validation and evaluation of information contained in declarations, facility agreements and inspection reports.
Where such information is not considered relevant to verification of compliance, it will normally be treated initially as OPCW HIGHLY PROTECTED, even before any formal classification is determined, as specified in subparagraph 1.17 of this Part.
DISSEMINATION:
1.13 OPCW PROTECTED information that must be routinely provided to States Parties in accordance with subparagraph 2(b) of the Confidentiality Annex shall be disseminated accordingly.
Classification category OPCW HIGHLY PROTECTED
CRITERION:
1.14 This category comprises sensitive confidential information of which the unauthorised disclosure would cause serious damage to the effectiveness or credibility of the Convention, or its aims and purpose, or cause serious damage from the point of view of national security or commercial secrecy to the interests of a State Party or of a commercial or governmental body or national of a State Party.
EXAMPLES:
1.15 Unless specified otherwise in accordance with lesser sensitivity, the following forms of information might be classified as OPCW HIGHLY PROTECTED when they are acquired or generated by any means by the Organisation:
(a) the initial and annual reports and declarations provided by States Parties under Articles III, IV, V and VI and in accordance with the Verification Annex, where these documents are considered by originating States Parties as being of this level of sensitivity;
(b) samples taken from inspected sites and returned samples from designated laboratories, and results from analysis of samples;
(c) especially sensitive confidential information especially provided by a State Party; and
(d) confidential information for which access is normally only required, or voluntarily or incidentally provided, during the actual conduct of an on-site inspection, such as :
- process flow diagrams;
- photographs, plans and diagrams of the site;
- specific data related to technological processes and their parameters;
- analytical data of samples taken on site and analysed on site;
- commercially sensitive market information, such as a detailed list of customers, and individual quantities sold to them; and
- other detailed, highly specific technical, commercial or national security information.
Where such information is not considered relevant to the verification of compliance, it will normally be treated initially as OPCW HIGHLY PROTECTED, even before any formal classification is determined, as specified in subparagraph 1.17 below.
1.16 In most inspection scenarios, the highly sensitive information specified in subparagraph 1.15(d) above, that may or may not have a national confidential classification, may be kept at the inspected facility and shall only be made available for on-site use during the inspection. When such information is not taken off site and access to it is limited, there will accordingly be no application of the OPCW classification process within the Secretariat. Even so, during inspection activities the inspection team will give this information at least the level of protection afforded to information as OPCW HIGHLY PROTECTED. The classification category of such information should be specified to the extent possible in facility agreements.
1.17 Sensitive confidential information not related to the verification of compliance which is incidentally revealed or collected by any member of an inspection team shall not be recorded in any form, and shall not be further disseminated. When access is afforded to such sensitive information during inspection activities, any member of the inspection team must give it at least the level of protection afforded to information classified as OPCW HIGHLY PROTECTED, until or unless the inspected State Party specifies particular handling or level of sensitivity. In such a case the inspected State Party may designate (as provided in subparagraph 2.5 of this Part) an initial classification of such information during the inspection process or in a facility agreement. In the event that such sensitive information is taken to the Secretariat inadvertently or by agreement with the inspected State Party, it shall be classified as OPCW HIGHLY PROTECTED, and protected accordingly, unless the inspected State Party specifies otherwise.
DISSEMINATION:
1.18 OPCW HIGHLY PROTECTED information that must be routinely provided to States Parties in accordance with subparagraph 2(b) of the Confidentiality Annex shall be disseminated accordingly.
2. Classification authority
2.1 For information which has been determined to be classified and which is transmitted to or generated by the Secretariat, it is mandatory for a classification regime to be applied in accordance with the above categories and guidelines under the direct authority of the Director-General. This regime will include an internal procedure for maintaining consistency of classification for documents generated within the Secretariat, and for consulting on and, if necessary, authorising such classification.
2.2 The classification of such information is to be established by the following authorities:
(a) in the case of confidential information provided by a State Party, that State Party has the authority to designate its initial classification category;
- if a State Party provides information which appears to be confidential without indicating a level of sensitivity, the Director-General or his delegate will be responsible for applying a provisional classification category and treat the information accordingly. He will have the responsibility for consulting promptly with the originating State Party in order to confirm, amend or remove this provisional classification; and
(b) in the case of confidential information generated by the Secretariat, the originator of the information shall be responsible for assigning a provisional classification. The Director-General or his delegate has the authority and responsibility to apply a definitive classification to the information.
2.3 Any document being generated within the Organisation which contains confidential information should provisionally be classified by its originator. In establishing a classification category for a new document that is being generated within the Organisation, due regard should be paid by the originator to the level of sensitivity already established for documents and/or information held by the Organisation and which is pertinent to this new document.
2.4 States Parties, in designating a classification category for confidential information, should take into account its level of sensitivity and the corresponding criteria established for each category described in subparagraphs 1.7, 1.11 and 1.14 above. The illustrative indications, set out above, of the forms of information which may be classified under each category do not prejudice the primary authority of a State Party to establish the classification of confidential information it provides.
Classification authority in the course of inspections
2.5 During the course of an inspection, or in the formulation of a facility agreement, an inspected State Party may designate an initial classification for confidential information, taking into account the level of sensitivity and the corresponding classification criteria. This initial classification will have immediate effect during the conduct of an inspection and in the transmission of confidential information to the Secretariat on completion of the inspection. In cases when the inspected State Party discloses to any member of the inspection team sensitive confidential information without establishing a formal classification for it, or when such information is revealed to any member of the inspection team, this member will bear the responsibility of treating this information as OPCW HIGHLY PROTECTED, unless the inspected State Party specifies otherwise.
3. Duration of classification
3.1 As a rule, the classification determined for a particular item of information will continue to apply until it is specifically altered or removed in accordance with the guidelines established for reclassification and declassification. When providing confidential information, a State Party may indicate the duration of classification that is to apply to the information. If no indication is given, the duration will be assumed to be unlimited.
3.2 To maintain viable and effective protection of confidential information, to enhance effective verification of compliance and understanding of the whole verification system, and to reduce the archival holdings of formerly sensitive material, States Parties, the Director-General and other originators of such documents within the Organisation may need, inter alia, to keep under review the designation of confidentiality, and the continuing application of classification categories, with a view to either declassification, reduction of classification, or release.
3.3 Classification of information and its duration may be reviewed in particular in the context of a programme for the disposal of records of the Organisation. In carrying out such a programme, the Director-General may from time to time seek the written consent of the originating States Parties in the declassification of records in accordance with agreed procedures. For confidential information generated by the Secretariat, the Director-General shall from time to time review the assigned classifications for holdings of confidential information. If the information refers to any State Party, that State Party will need to provide its written consent before the termination of the duration of the classification. In this respect, an internal review procedure will be established.
4. Change of classification category
Reclassification of confidential information
4.1 The authority to change the classification of an item of confidential information will be the same as that specified in subparagraphs 2.2(a) and 2.2(b) of this Part for determination of the original classification of that information. In particular, an item of information supplied by a State Party shall not be reclassified without the written consent of that State Party. This rule will also apply to such items of information contained in documents which had originated within the Organisation.
4.2 States Parties which have originated or received an item of OPCW classified information, and senior Secretariat staff (Branch Heads and above) making use of an item of such information, may request a change in the classification category for that item. Such a request should be based on a clear operational need, and should be acted upon in accordance with the following provisions.
4.3 When the State Party which originated an item of OPCW classified information requests a change of classification, that request will be carried out. Before confirming the change, the Director-General may consult with that State Party on the consequences of the proposed change.
4.4 When there is a request, in accordance with subparagraph 4.2 above, for a change in the classification category of confidential information which was generated by the Secretariat, the Director-General or his delegate shall, in making a determination, abide by the criteria established for the application of classification categories with reference to the stated operational need.
4.5 Reclassification of Secretariat-generated information may be required when the information is amended, supplemented or revised so as to create a substantial difference in sensitivity. For instance, a draft report on compliance may have greater sensitivity than the final version, or sensitive material may be omitted in a revised version of an inspection report intended for wider distribution. The principles set out above will be applied in undertaking reclassification, unless the Convention specifies otherwise.
Declassification of confidential information
4.6 The provisions specified above for reclassification of confidential information shall also apply to its declassification. In particular, an item of information supplied by a State Party shall not be declassified without the written consent of that State Party. The following guidelines shall additionally be followed in deciding on the declassification of confidential information:
(a) if declassification is proposed for confidential information originating in the Secretariat and referring to a State Party in a way that influenced its original classification, the Director-General shall obtain the express written consent of the State Party for the declassification; and
(b) for confidential information generated by the Secretariat, the Director-General (or his delegate) shall consider at least the same aspects that he took into account when he designated the information as confidential.
4.7 The declassification of confidential information does not imply that it is, ipso facto, available for public release. Release beyond the Organisation of any information, including formerly confidential information which has been declassified, will require a separate process of consultation and approval in accordance with Part VII of this Policy. This will also apply to information provided to States Parties by the Organisation under an OPCW classification.
PART VI
GENERAL PRINCIPLES FOR HANDLING AND PROTECTION OF CONFIDENTIAL INFORMATION
1.1 This Part sets out the principles governing the Organisation's provision of access to and regular dissemination of information determined to be confidential, and governing the associated procedures for handling and protection of confidential information. This covers the transmission of confidential information within the Organisation (including its constituent elements), and the transmission of confidential information to authorised representatives of States Parties. Guidelines for public or other release of information beyond the Organisation and States Parties are set out in Part VII.
1.2 These principles are to be applied in the detailed elaboration of all procedures relating to the handling of confidential information, including in the OPCW Inspection Manual, the Declaration Handbook, and the Information Management System (IMS). Further practical procedures shall be set out on the basis of these principles in administrative directives issued by the Director-General. The principles contained in this Part shall apply to all operations of the Organisation, within the Secretariat and other organs of the Organisation, as well as in their dealings with States Parties. States Parties which receive confidential information from the Organisation are required to protect it in accordance with obligations under paragraph 6 of Article VII and paragraph 4 of the Confidentiality Annex. States Parties should therefore establish or adapt suitable means of handling and protection for OPCW confidential information in a manner consistent with these principles.
1.3 The Confidentiality Annex (CA) sets out the two principles governing access to and the dissemination of confidential information within the Organisation:
- access to confidential information shall be regulated in accordance with its classification; and
- the dissemination of confidential information within the Organisation shall be strictly on a need-to-know basis (CA, subparagraph 2(h)).
1.4 It follows from these fundamental principles firstly that the level of sensitivity of confidential information will govern the procedures by which it is made available to its recipients and the means employed to protect it; and secondly that the authorised recipients of confidential information will be determined in accordance with their demonstrated need, related to the purposes of the Convention. An important consideration in managing the dissemination of confidential information is the scope of access afforded to States Parties: in this context, a primary and unconditional need to know is established by the requirement for data to be provided to all States Parties for them to be assured of continued compliance with the Convention by other States Parties (CA, subparagraph 2(b)). Access to the relevant confidential information defined by this provision must therefore be provided to serve the vital aim of due transparency and enhanced mutual confidence between States Parties.
1.5 The actual scope of access associated with a certain item of confidential information shall be specifically determined, rather than implicitly assumed, and specific practical steps shall be undertaken in order to protect it against illegitimate or unauthorised access. The rigour of the determination of scope of authorised access and the required level and intensity of protection against unauthorised access shall be regulated in accordance with the classification of that confidential information. However, level of classification does not in itself determine the scope of access to classified information, but simply the manner in which it is to be handled and protected against unauthorised disclosure.
2.1 The scope of access to confidential information is the full set of possible recipients authorised to acquire or retain that information; dissemination is the process of actively passing that information to its authorised recipients. Accordingly, the notion of 'access' to information entails permitting an individual to acquire or retain that information. Dissemination of confidential information is made possible by the application of protection measures applied in accordance with the level of sensitivity of information, so that it is disseminated to the extent required for the implementation of the Convention without unnecessary or unauthorised disclosure. Accordingly, dissemination of confidential information to all authorised recipients within the Organisation must take place, irrespective of level of classification, with the appropriate protection measures being taken. In this connection, it is notable that States Parties have an obligation under Article VII, paragraph 6, to apply special handling to confidential information received in accordance with the Convention.
2.2 Detailed protection procedures and measures are therefore to be elaborated to permit access to confidential information by an individual Secretariat staff member or by a State Party in accordance with a functional need to know or a specific provision of the Convention, while impeding all other access with a rigour and level of effort linked to the sensitivity of the information as established by its classification. The provision of confidential information to the Conference and to the Executive Council shall be based on the general principles for the dissemination of confidential information.
2.3 The need-to-know principle is the governing principle for determination of the scope of access and the recipients of dissemination of information. There is no absolute right within the Organisation to receive confidential information: no individual staff member of the Secretariat and no member of any organ of the Organisation is entitled by virtue of status or level alone to have access to any items of OPCW confidential information.
2.4 Access to confidential information shall normally be granted both on a case-by-case basis and in accordance with the determination of the functional need to know. There is, however, an unconditional requirement for access to certain information by States Parties in accordance with subparagraph 2(b) of the Confidentiality Annex, and this and related provisions should be viewed as establishing an unquestionable need to know for each State Party, so as to be ensured of the continued compliance of other States Parties with the Convention.
2.5 Within the Secretariat, the specific function or tasks defined for a staff member shall, within practical bounds, be the principal determinant of that individual's need to know and of the consequent scope of authorised access to confidential information.
2.6 The Director-General has the primary responsibility for ensuring the protection of confidential information (CA, paragraph 2). Hence, subject to the provisions of the Convention, the Director-General shall be the final arbiter in the determination of the need to know in relation to any particular items of confidential information.
2.7 An appropriate unit of the Secretariat shall be charged with overall supervision of the administration of confidentiality provisions and the Director-General may specifically authorise the head of this unit to exercise certain delegations of the authority relating to confidentiality. The precise identity of this unit will be determined through general planning of the Secretariat, but for the purposes of this document it is referred to as the "designated confidentiality unit".
2.8 Once the scope of authorised access to confidential information has been determined on the basis of the need-to-know principle, access shall be granted by means of detailed handling procedures established for the Organisation, to ensure that the manner of access and the level of protection provided are linked to the classification which applies. Each access by a staff member of the Secretariat to a physical medium holding confidential information shall be controlled on a need-to-know basis and shall be recorded, and this record shall be retained. In the event that such access is through an electronic data system, a log-on and log-out procedure shall be established and followed by authorised staff members to ensure that no individual can gain access in the name of another staff member. The designated confidentiality unit will supervise the routine operation of these handling procedures.
2.9 There are various circumstances when the Secretariat will need to determine authorised scope of access and consequently to disseminate confidential information to States Parties. In all cases, the governing principle is that established in subparagraph 2(b) of the Confidentiality Annex, and procedures shall be established to ensure that the requirements of this provision are met. Hence, data required by States Parties to be assured of the continued compliance with this Convention by other States Parties shall be routinely provided to them. In particular, information management and clearance procedures shall be followed to ensure that the information which must be provided to all States Parties, in accordance with subparagraph 2(b) of the Confidentiality Annex, is duly provided without further need for consultation and approval within the Secretariat.
2.10 In the case of the provision of certain confidential information to a State Party for a particular purpose, when it is not the application of a specific requirement under the Convention for dissemination, but is related to a more specific need to know (such as in the course of clarifications under Article IX, paragraphs 3 - 7, or in the settlement of disputes under Article XIV), the general rule is that the Director-General or a single senior official to whom this authority is specifically delegated under the primary responsibility of the Director-General shall be consulted and shall give specific clearance for the proposed access, after confirming the need to know, with the agreement of any State Party to which the information refers and/or which has provided the information. The Director-General shall at all times be kept informed of any exercise of such authority.
2.11 The method of provision of confidential information to a State Party by the Organisation shall be based on the need for continuity of protection, at a level linked to the sensitivity of the information. The receiving State Party is obliged in turn to afford such confidential information the special handling appropriate to its level of sensitivity, and shall provide, upon request, details on the handling of information provided to it by the Organisation.
Granting of access to other authorised recipients associated with the Organisation
2.12 It may be necessary to disseminate OPCW confidential information to certain authorised entities or individuals that are outside the Secretariat but are integral to the Organisation's implementation of particular functions specified in the Convention. The Director-General shall establish a stringent regime to govern such access and, in accordance with the Confidentiality Annex, paragraph 2, will retain primary responsibility for any access approved under this regime. Any such proposed access must be specifically authorised by the Director-General or the single senior official specifically delegated this authority under the regime and under the direct responsibility of the Director-General, and then only after a functional need to know has been clearly established for the proposed recipient. The Director-General shall at all times be kept informed of any exercise of such authority.
- The Secretariat shall notify a State Party of any such access of those authorised entities or individuals to confidential information in relation to the territory of the State Party or any other place under the jurisdiction or control of the State Party. A specific secrecy agreement providing for protection of confidentiality shall be required as a condition for such access, and this agreement shall be binding on each individual it designates as an authorised recipient. An assessment of the level of protection provided to confidential information by the proposed recipient may be undertaken as a preliminary measure.
- The above principle applies to the transfer of samples to designated laboratories under the regime established under paragraph 56 of Part II of the Verification Annex. It may also apply, inter alia, to any access to OPCW confidential information required by an authorised expert (such as may be appointed under subparagraph 4(e) of Article IX or paragraph 8 of Part XI of the Verification Annex) in order to discharge an official function.
- In case of access to confidential information by authorised entities and individuals outside the Secretariat, such access shall be strictly limited to the minimum necessary for carrying out functions integral to the Convention's implementation.
2.13 Each person who has been granted access to OPCW confidential information in accordance with this provision shall be responsible for ensuring that any individual beyond the Secretariat to whom he subsequently discloses such information has a functional need to know and also has written authorisation from the Director-General or the delegate (as specified in subparagraph 2.12 above) granting the necessary access.
2.14 Access to OPCW confidential information within the Secretariat shall be granted only to those for whom such access is necessary for the fulfilment of designated professional duties. In determining need to know within the Secretariat, close attention shall be paid to a staff member's formal position description and specified scope of access to confidential information. An explicit reference to a staff member's particular professional functions is required in permitting access to OPCW PROTECTED and OPCW HIGHLY PROTECTED information. The authorised scope of access to confidential information classified OPCW HIGHLY PROTECTED shall be expressed in writing on a case-by-case basis.
2.15 A register shall be kept of those staff members whose professional duties entail regular access to confidential information relating to each State Party. The Secretariat shall inform a State Party of proposals to accord to an individual staff member access to confidential information in relation to the territory of that State Party or any other place under its jurisdiction or control. The State Party concerned shall be informed not less than thirty days before access is confirmed. Any staffing appointments or changes in personnel structure or functions that will lead to access to confidential information relating to States Parties must be advised to the States Parties concerned not less than thirty days in advance.
2.16 Only certain senior executive staff members shall be authorised to grant access to confidential information to other staff members under their supervision. An administrative directive shall be established by the Director-General which determines the respective criteria according to strict need to know. The granting of access is in each case contingent on a determination that the subject matter is of direct relevance to the proposed recipient's specified duties, with such access always subject to review by the Director-General. In cases of uncertainty about the functional or task-specific need-to-know status of a proposed recipient, a senior staff member with a supervisory responsibility over the recipient must be consulted.
3.1 The dissemination of confidential information needs to be distinguished from the process of release of information by the Organisation. In general terms, the dissemination of confidential information refers to the authorised disclosure of such information within the Organisation including all its organs and to the governments of States Parties, including governmental organisations and authorised entities or individuals within States Parties concerned with the operation of the Convention, when this disclosure is essential for specific professional tasks or is in accord with the provisions of the Convention for the furnishing of information to States Parties. With regard to the "release" of information by the Organisation, this process, and its precise scope of application, are defined in Part VII of this Policy.
3.2 Specific handling and protective procedures shall be applied on a continuous basis from the first acquisition, collection or generation of confidential information by the Organisation, and to all subsequent activities during its dissemination. Information that may be confidential is acquired, collected and generated by the Organisation in several ways:
(a) information is provided to the Organisation by States Parties:
- in conformity with their declaration obligations and reporting requirements specified under the Convention;
- in the course of a formal procedure established under the Convention, such as those included in Article IX; and
- in passing on other information pertinent to implementation of the Convention;
(b) other information pertinent to implementation of the Convention in a State Party may be passed to the Secretariat by that State Party;
(c) information may be passed to the Secretariat or any other organ of the Organisation by a representative of a State Party in the course of a formal procedure established under the Convention, such as those included in Article IX;
(d) information is acquired or collected by an inspection team in the course of an on-site inspection;
(e) information is generated by Secretariat staff members through the synthesis or other processing of other information, for instance in the course of analysing samples or compiling inspection reports. Generated information may draw on or duplicate information initially provided by States Parties, or may only use information from within the Secretariat. The synthesis of information or the conduct of analysis may produce confidential information which is of a higher level of sensitivity than its original sources.
3.3 When information is received by the Organisation from any of these sources, specific obligations are incurred to protect and handle it appropriately. In particular, the initial recipient or the originator of the information is obliged to ensure that the confidentiality content is clearly determined, and that the correct classification has been applied, in consultation where necessary with the designated confidentiality unit. Confidential information which is compiled or synthesised by Secretariat staff members, and which draws on confidential information originating from States Parties shall, as a rule, bear at a minimum the classification designated by the State Party, unless the level of the sensitivity of the information has been reduced with the consent of the originating State Party, or the level of sensitivity is determined to be higher. Any deviation from this rule shall be confirmed by the Director-General's delegate in the designated confidentiality unit.
3.4 Information generated within the Secretariat (such as analytical or other reports, policy papers, profiles, letters, memoranda) which contains confidential information shall be initially classified and so labelled by its originator in accordance with its sensitivity, at a level at least as high as the most sensitive classification of the source material from which it was derived or which was used in the synthesis. Where the level of sensitivity has consequently increased above that of the original source material, a higher level of classification shall be applied.
3.5 Information, including that designated as confidential, which is passed to the Organisation by a State Party must be provided by an official representative of that State Party. The Secretariat will establish and follow a registry process to record the receipt and the official source of such material.
3.6 The classification of information provided by a State Party to the Secretariat would in most cases have already been specified by that State Party, in view of its primary authority for classification. In doing so, the State Party should take into account the level of sensitivity and the corresponding criteria established for each classification category in Part V of this Policy. If a State Party provides the Secretariat with information which appears to be confidential, but without indicating a level of sensitivity, a provisional classification category shall be implemented as provided under subparagraph 2.2 of Part V of this Policy.
3.7 The overall obligation to protect and appropriately handle information upon first disclosure to the Organisation is especially important when information is collected during the course of on-site inspections, such as the collection of site-specific observations or the taking of samples. Particular principles for the handling and protection of confidential information during inspections are accordingly set out in paragraph 6 of this Part.
3.8 Individuals shall not discuss or disclose confidential matters in any circumstances when they do not have control over the security of the information and its environment. The Director-General shall establish in an administrative directive specific procedures to prevent unauthorised access and disclosure in conversation or through telecommunication media, with the level of physical or other protective measures linked to the level of sensitivity of the information as expressed in its classification. Actual recourse to the approved use of telecommunications for transmission of confidential information shall be limited to cases of clear operational necessity.
3.9 Subject to the obligation to preclude unauthorised access, Secretariat staff members may disclose confidential information to, or discuss it with:
(a) authorised Secretariat staff members with an established need to know;
(b) persons, who are not permanent staff members, to whom access has been granted under the provisions of subparagraphs 2.12 and 2.13 of this Part, such as authorised experts or authorised personnel of a designated laboratory who are individually bound by secrecy agreements; in such a case the amount of information disclosed shall be kept to a minimum, yet should be sufficient to facilitate the task for which the access was granted; and
(c) authorised representatives of a State Party to which the information pertains, which has the clear entitlement to such disclosure as explicitly established by a provision of the Convention, or for which any other authorisation and need to know have been established.
3.10 The Director-General shall issue and the designated confidentiality unit shall supervise the implementation of administrative directives setting out detailed practical handling procedures for the following categories of physical media, to ensure the protection of confidential information each such medium carries during all handling and storage operations:
- documents, including papers and paper files;
- computer material;
- audio-visual material; and
- samples.
These administrative directives shall aim at establishing practical mechanisms for ensuring that all the principles established in this document are met.
3.11 For confidential information which relates specifically to inspected or declared facilities, a coding system and associated storage shall be applied to preclude direct identification of any facility to which it pertains, to the greatest extent consistent with effective verification.
4.1 In order to ensure the proper handling of OPCW confidential information, all documents and media for information storage shall be clearly marked in accordance with the marking instructions set out in an administrative directive issued by the Director-General and supervised by the designated confidentiality unit. The basis of the markings will be the three classification categories, one of which should be clearly applied to any medium carrying information determined to be confidential:
- OPCW RESTRICTED
- OPCW PROTECTED
- OPCW HIGHLY PROTECTED
4.2 Each individual document must be clearly marked according to the highest level of sensitivity of the material it contains. Where this may facilitate subsequent release or dissemination of less sensitive portions of a document, the principle of portion marking may be applied so that classification indications are given of the particular levels of sensitivity of sections within a document, the overall document being clearly marked as bearing the highest level of sensitivity.
4.3 The Confidentiality Annex stipulates that all data and documents obtained by the Secretariat shall first be evaluated for confidentiality content (subparagraph 2(b)) and that, if confidential, such data and documents shall then be classified (subparagraph 2(d)); this process shall accord with the right of any State Party to designate information it provides as confidential. The designated confidentiality unit will be the appropriate unit for this task, and will therefore implement procedures to ensure that all information with possible confidentiality content which has been acquired from outside the Secretariat is evaluated and any necessary classification is clearly marked. The determination of the classification to be applied and the authority to classify must be in accordance with the OPCW Classification System. In cases where information appears to be confidential but is initially not clearly marked by the originator, appropriate marking shall be carried out by the unit, with the determination of a provisional classification category if necessary. Any provisional classification so applied should be promptly confirmed, amended or removed following consultations with the originator of the information.
4.4 All confidential information generated in the Secretariat is required to be clearly marked by its originator in accordance with a provisional classification category relevant to its sensitivity. The level of this classification must be determined in accordance with the OPCW Classification System. Branch heads must supervise the proper marking of internally generated confidential material, under the overall coordination and authority of the designated confidentiality unit.
4.5 Information generated by inspectors on the basis of information provided by an inspected State Party, such as inspection reports or parts thereof, shall be marked with the classification which accords with the level of sensitivity indicated by the State Party. In cases where the level of sensitivity of such information is unclear, the information shall be treated as OPCW HIGHLY PROTECTED until the level of sensitivity has been clarified through consultations with the inspected State Party.
4.6 Filing and record-keeping procedures to ensure that the internal routing and filing of confidential information are registered shall be established by the Secretariat in accordance with an administrative directive issued by the Director-General and supervised by the designated confidentiality unit. These procedures shall record the provision of any such confidential information to any individual, agency or body within and beyond the Secretariat, including to representatives of States Parties.
4.7 All confidential information should be stored and internally distributed in a manner that records each staff member who has had access to it, and the date and time of access. The Secretariat shall also establish additional record-keeping procedures to ensure the continuous monitoring of OPCW HIGHLY PROTECTED information, and to determine who has had or currently has such information in his possession.
4.8 Copying information entails its replication in a way that generates potential or possible additional access to the information. When copying confidential information, the number of copies made should be kept to a minimum and shall be linked to the approved scope of access and consequent dissemination. The staff member responsible for copying the information must ensure that all copies of a copied document clearly have the appropriate markings.
4.9 OPCW HIGHLY PROTECTED information can be copied only after obtaining the registered consent of an authorised senior staff member other than the staff member who will be copying the information, or in terms of a specific standing order. Such consent may specify that the copying must be done under the supervision of another staff member. The number of copies taken must be recorded, and each copy numbered. Copies should be distributed to any approved recipients, with this transmission recorded. Any surplus copies, or copies no longer in use shall be returned to the filing clerk, who shall either file or destroy them, recording this action.
4.10 Information to be provided to States Parties in accordance with subparagraph 2(b) of the Confidentiality Annex, but which is confidential, shall be copied and disseminated routinely in accordance with the requests of States Parties and in accordance with an administrative directive issued by the Director-General. In the case of OPCW PROTECTED and OPCW HIGHLY PROTECTED information, a record should be kept of the number of copies taken and the recipient(s) of each of the copies.
4.11 An administrative directive issued by the Director-General shall establish handling procedures for the Secretariat to ensure the secure disposal and destruction of material containing confidential information. These procedures shall cover:
- technical methods of destruction or disposal for all categories of media;
- registration of destroyed or disposed material;
- witness procedures during destruction and disposal; and
- reporting requirements for highly classified material provided by States Parties.
4.12 Transmission of confidential information, in hard copy and electronic format, to and from the Secretariat shall occur in conformity with the level of sensitivity of the information and shall be bound by strict procedures set out in an administrative directive issued by the Director-General. These procedures shall include:
- guidelines for secure mailing or manual transmission, and the safe-hand carriage, of confidential information; and
- procedures for secure transmission by telephone, telefacsimile and other telecommunications systems.
4.13 These rules must ensure that for each item of confidential information disseminated:
- the item is received at its intended destination;
- only authorised users have access to any transmitted data; and
- the recipient of a message can verify that the sender is an authorised person.
4.14 An administrative directive issued by the Director-General will describe the standards set down for the secure communications system established for the IMS, and this will be applied in the inspection manual.
4.15 Staff members and other authorised personnel using confidential information or who are responsible for its safe-keeping must take every precaution to prevent deliberate or accidental access to such information by unauthorised persons. This involves at a minimum following all the procedures and meeting the standards established within the Organisation for handling and protecting confidential information, and ensuring the continuity of protection during dissemination.
4.16 Confidential information must not be used or placed so that it is exposed or made accessible to individuals not authorised to have access to such information. The designated confidentiality unit shall establish procedures to ensure that confidential information is properly handled by Secretariat staff members, and the Director-General shall ensure that these procedures are fully carried out, that any violations are detected and reported, and that appropriate disciplinary sanctions are imposed in accordance with Part IX of this Policy .
4.17 The Director-General shall set out, in an administrative directive, physical security measures for offices, laboratories, information storage areas, computer media and audio-visual material classified as confidential, as well as standards for physical storage facilities within the Secretariat, including locks and security of secure areas, filing cabinets and sealed containers. These measures shall include procedures for restricting access to OPCW buildings and other sites, and for registering the presence of visitors and staff members during and after working hours. The procedures shall include special access arrangements for especially sensitive areas within the OPCW building(s) and other sites, such as storage areas for confidential information, office areas working with the processing and validation of declarations and inspection reports, the operations centre, and the OPCW Laboratory.
4.18 Confidential information shall be stored securely at the premises of the Organisation. Some data or documents may also be stored with the National Authority of a State Party. Sensitive information, including, inter alia, photographs, plans and other documents required only for the inspection of a specific facility may be kept under lock and key at this facility (CA, subparagraph 2(e)).
4.19 To the extent practicable, storage of OPCW confidential information at the National Authority of a State Party or at an inspected facility should accord with the minimum standards applied by the Secretariat.
4.20 Handling procedures shall be established in an administrative directive issued by the Director-General to cover the carriage of confidential information from the premises of the Organisation, between inspected sites and the Organisation, and between the Organisation and representatives of States Parties. Any such removal shall occur only for purposes related to the implementation of the Convention, and only to the minimal extent necessary for the performance of authorised professional functions.
4.21 Procedures shall be set out in an administrative directive issued by the Director-General to cover the eventuality of a loss or suspected loss of OPCW confidential information, including loss by an inspector, by a staff member of the Secretariat or by a representative of a State Party, as well as loss in transit. Such procedures shall include requirements for reporting, investigations, and consulting with States Parties concerned. As the loss or suspected loss indicates a possible breach of confidentiality, the procedures for dealing with breaches or alleged breaches of confidentiality must be invoked.
5.1 The handling procedures for confidential information set out in paragraph 4 above apply to all confidential information, regardless of the medium on which it is stored; the following additional procedures relate to information carried on particular forms of media.
5.2 An administrative directive shall set out procedures for the handling of audio-visual material containing confidential information, specifying levels of protection in accordance with classification categories, and following closely the procedures specified for handling documents containing confidential information.
5.3 Access to all sites of the OPCW and key components of the IMS, such as the servers and mass storage devices, must be controlled. All hardware of the IMS and especially workstations, servers and user terminals shall be protected, not only from theft or criminal damage, but also from unauthorised physical access and tampering attempts. In addition, maintenance and repair activities on IMS hardware shall be supervised and recorded. Access to such hardware items as servers, printers, back-up devices, as well as other output devices, shall be limited to staff members with appropriate clearances.
5.4 Procedures for the protection of confidential data stored within the IMS and any other electronic data-processing system or storage device shall incorporate the following elements:
- access control measures against unauthorised users or any unauthorised external access;
- separation of the files and data of the various users; and
- audit on user activities including access to the databases and changes made to operating system parameters and system files. In particular, any access by individual staff to computer files containing confidential information shall be recorded and regular audits conducted of these records.
5.5 The data, document and information computer security procedures shall provide detailed guidelines for protecting confidentiality while creating, handling, marking, backing up and destroying all forms of computer files, computer documents and other documents relevant for tasks such as system administration and computer security management and operations.
5.6 Computer material (including portable storage media such as diskettes) and confidential information stored in the OPCW IMS must be handled and protected in accordance with handling and storage procedures supported by detailed technical specifications set out in an administrative directive by the Director-General.
Samples from on-site inspections
5.7 Paragraph 55 of Part II of the Verification Annex provides for the transfer of samples taken during inspections off-site for analysis at designated laboratories. The process of sampling is inherently relevant to the verification of compliance with the Convention, but such samples may also incidentally carry and potentially yield other information which is itself not directly relevant to verification. For this reason, the inspection manual shall include procedures for ensuring the protection of the confidentiality of samples transferred for off-site analysis at designated laboratories.
5.8 Development and implementation of the regime established under paragraph 56 of Part II of the Verification Annex for the collection, handling, transport and analysis of samples shall be founded on the requirement for the protection of confidentiality during the transfer to and storage by designated laboratories. This regime shall address the particular concern that further confidential information not related to compliance might be yielded during the process of compliance-related analysis. Further confidentiality concerns shall be addressed by the sample accounting procedures established under paragraph 57 of Part II of the Verification Annex, and associated procedures for informing the inspected State Party that designated laboratories have destroyed samples or have returned them to the Secretariat after the completion of analysis for appropriate final handling. Designated laboratories shall be required to enter specific secrecy agreements confirming obligations established under the regime governing the sampling and analysis process.
6.1 The Confidentiality Annex and earlier sections of this Policy establish fundamental principles for the handling and protection of confidential information during inspections, both the information acquired or collected during the verification of compliance, and other information not relevant to the aims of the Convention which may be disclosed in the course of inspection activities. The OPCW inspection manual is to establish detailed procedures founded on these principles, including the necessary procedures for the use, protection and scope of access of data, documents and files during the conduct of inspections, consistent with the requirements of the Confidentiality Annex and the functional requirements for inspectors in the field. These must take into account functional requirements for the protection of data stored in portable devices, and the general procedures established for the carriage and storage of confidential information.
6.2 The key practical elements for the protection of confidential information in the course of inspections are the inspection procedures, the use of equipment, and the process of consultation within the inspection team and with representatives of the inspected State Party. Inspection procedures shall stipulate a clear hierarchical line of communication within the inspection team to allow consultations on issues that arise in relation to confidentiality, and the use to be made of confidential information. In accordance with this structure, there shall be consultations during facility agreement negotiations, pre-inspection briefings, and during the conduct of initial and subsequent inspections, between representatives of the inspected State Party, the inspected facility and the inspection team, to establish clearly the level of access to be granted to each inspection team member and the treatment to be afforded to confidential information disclosed or collected. In the case of a challenge inspection, an observer is obliged to respect fully the confidentiality of any information to which access is provided in accordance with the Convention's challenge inspection provisions, and shall treat such information accordingly.
6.3 The classification procedure set out in subparagraph 2.5 of Part V of this Policy shall be applied to information collected during the course of inspection. In accordance with this procedure, such information shall be promptly evaluated for confidentiality, and shall thereupon be given an initial classification and due protection in accordance with its sensitivity, with close reference to any facility agreement and in agreement with representatives of the inspected State Party. Where there is no relevant agreement in place prior to the inspection, the inspected State Party should be encouraged by the inspection team to nominate whenever possible the classification category of any confidential information disclosed during the course of inspection. In the event that sensitive confidential information is disclosed or revealed to any member of the inspection team without any indication of its classification category, the classification system requires that it be handled and protected as OPCW HIGHLY PROTECTED unless the inspected State Party provides otherwise. In general, where there is doubt or uncertainty, handling and protection afforded to confidential information should be at the most stringent level applicable, and consultations on further disclosure and dissemination even within the inspection team must fully heed the need-to-know principle for determining scope of access. If collected information includes confidential information not relevant to the Convention, it will require particular handling as discussed in the relevant paragraph below.
6.4 This Policy sets out clear principles governing the protection of confidential information not relevant to compliance with the Convention, and the particular responsibilities in this regard. Hence verification activities must be designed, planned and carried out so as to avoid unnecessary disclosure of confidential information and so as to seek to prevent disclosure of such information not related to compliance with the Convention in the terms of any inspection mandate, consistent with effective and timely discharge of verification obligations. These principles also require that confidential information not relevant to compliance with the Convention shall not be sought, recorded or retained: in the course of any inspection, it is a basic responsibility of each member of the inspection team, and especially of its leader, to ensure that this does not occur. However, it is recognised that in the course of inspection activities, it might occur that other confidential information which is itself not relevant to the purpose of the inspection is collected or recorded in various forms (as are set out in the definition of "information" in Part III of this Policy), by means of items such as approved inspection equipment, inspectors' clothing, and personal articles. In the event that such information is disclosed in the course of inspection activities, it shall not be further disseminated in any form, even within the inspection team, and shall be returned to the inspected State Party or destroyed under its supervision.
6.5 In the course of inspection activities, the Confidentiality Annex specifies that States Parties "may take such measures as they deem necessary to protect confidentiality, provided that they fulfil their obligations to demonstrate compliance in accordance with the relevant Articles and the Verification Annex". Inspection teams are obliged, among other things, "to take into consideration proposals which may be made by the State Party receiving the inspection, at whatever stage of the inspection, to ensure that sensitive equipment or information, not related to chemical weapons, is protected". "Inspection teams shall strictly abide by the provisions set forth in the relevant Articles and Annexes governing the conduct of inspections. They shall fully respect the procedures designed to protect sensitive installations and to prevent the disclosure of confidential data."
6.6 Subject to a full consultation process with the inspected State Party both during and after an inspection (such as is established for challenge inspections in subparagraph 61 of Part X of the Verification Annex), the Organisation is responsible for confirming to the inspected State Party that information gathered in accordance with the provisions of the Convention in the course of inspection activities is relevant to compliance with the Convention in the terms of the inspection mandate. The inspection team must protect any information gathered during the inspection in accordance with the classification level which the inspected State Party prescribes for it. The inspected State Party may not, within the framework of existing obligations in relation to demonstration of compliance with the Convention, object to inclusion of information in the preliminary inspection findings, if following full consultations the inspection team maintains that it is relevant to compliance with the Convention in the terms of the inspection mandate.
6.7 Any information gathered in the course of inspection but not included in the listed and copied material provided to the inspected State Party is presumed not to be relevant to the inspection mandate, and must be treated as specified in subparagraph 6.4 above. The principle is recognised that limitations on access and dissemination, such as those agreed as part of managed access in the case of a challenge inspection, shall be complied with by inspection team members and that no information a State Party views as confidential but of which it has not received a copy will leave the inspection site without its consent. Without prejudice to the obligation for a State Party to demonstrate compliance, procedures to implement the above principles include, inter alia:
- additional cleaning of inspection equipment;
- changing of clothes before or after a particular inspection activity;
- leaving personal articles behind before entrance to a particular area;
- the transfer of affected equipment under joint seal to the Secretariat for decontamination under the supervision, if requested, of a representative of the inspected State Party;
- the retention on site of detachable parts carrying confidential information unrelated to the Convention; or
- after exploring all other possibilities, including the above, the retention of equipment on site.
These procedures shall not be abused and shall be implemented, where relevant, in accordance with a legal framework respecting the immunity established under subparagraph 11(d) of Part II of the Verification Annex.
6.8 None of the procedures followed in accordance with these principles shall impede or delay verification activities conducted under the inspection mandate and in accordance with the provisions of the Convention.
PART VII
PROCEDURES FOR THE RELEASE
OF INFORMATION BY THE OPCW
1. General
1.1 This Part of this Policy sets out the principles governing the procedures which the Organisation is to follow concerning the release of any information which it holds in connection with the implementation of the Convention. 'Release' of information by the Organisation refers to the approved disclosure of information beyond the Organisation itself (including all its constituent elements) and beyond the governments of States Parties (specifically, beyond governmental organisations and authorised entities or individuals within States Parties concerned with the operation of the Convention). Accordingly, these principles govern the release of OPCW information to any other international organisation, to the government of a State not party to the Convention, to private or governmental organisations unrelated to the implementation of the Convention, or to any individual who is neither employed or contracted by the Organisation nor authorised by a State Party in relation to implementation of the Convention.
1.2 In the course of the implementation of the Convention, there will be cases in which the Organisation needs to release information in order to comply with its obligations. The release may be fully public, or may be limited in scope according to particular circumstances. The need to release information may arise for both unclassified and classified information. No information obtained or generated by the Organisation in connection with the implementation of the Convention shall be published or otherwise released, except in accordance with the following guidelines.
2. Public release of information
2.1 The Director-General may publicly release information that is not designated as confidential (including formerly confidential information which has been declassified in accordance with subparagraphs 4.6 and 4.7 of Part V of this Policy) and that falls into one of the following categories:
(a) general information on the course of the implementation of the Convention which does not contain material relating specifically to any State Party. This excludes specific information about inspection activities being conducted in or planned for a State Party. The types of information which may be released publicly under this provision will be set out in a list approved by the Conference; this list could include details of declaration requirements and forms, generic or model documentation, summary information about the overall verification programme, and verification technology and methodology applied in on-site inspections;
(b) factual organisational information about the Organisation, except for information that relates to the security of the Organisation, or to personnel matters and the privacy of staff of the Secretariat; or
(c) information referring to a State Party, which is unclassified and which that State Party has specifically requested or consented to be publicly released.
2.2 The Director-General shall consider and decide upon individual requests for the public release of information, provided that it falls within the terms of the preceding paragraph. Requests going beyond these parameters shall be referred to the Executive Council or the Conference for decision.
2.3 All contacts between Secretariat staff members and the media shall be subject to this Policy, in particular, Part VII of this Policy (including these procedures established for the public release of information) and the OPCW Media and Public Affairs Policy. The Director-General shall issue an administrative directive governing media policy, in accordance with these public release policy guidelines.
3. Limited or non-public release of information
3.1 There may be cases where it is necessary[12] to release information beyond the Organisation in a manner that is short of full public release. This may include release to an international organisation or governmental organisation for official use only, and subject to certain conditions. Such non-public release may apply to confidential information bearing an OPCW classification, or to declassified as well as to unclassified information. Confidential information bearing an OPCW classification shall be released only if the Director-General confirms that adequate protection and control can be maintained in the recipient organisation. The Director-General shall conclude an agreement or agreed arrangements with potential recipient organisations on the handling and protection of classified information.
3.2 Limited or non-public release of information might take place:
(a) when the Executive Council decides to bring an issue or matter directly to the attention of the United Nations General Assembly and the United Nations Security Council in accordance with paragraph 36 of Article VIII;
(b) when the Conference decides to bring an issue to the attention of the United Nations General Assembly and the United Nations Security Council in accordance with paragraph 4 of Article XII; or
(c) when the Conference or the Executive Council decides to request the opinion of the International Court of Justice with the authorisation of the General Assembly of the United Nations in accordance with paragraph 5 of Article XIV.
3.3 The limited or non-public release of information which does not bear an OPCW classification can be authorised by the Director-General provided that the information falls within the categories set out in subparagraph 2.1 of this Part. Requests for the release of information not bearing an OPCW classification but going beyond these parameters shall be referred to the Executive Council or the Conference for decision.
3.4 When limited or non-public release is proposed for confidential information, the scope and conditions for such release shall be in strict conformity with the needs of the implementation of the Convention. The need-to-know principle governing dissemination of information must still apply.
3.5 If confidential information refers to a particular State Party, and that State Party expressly requests or consents to its release, then the release may proceed without further consultation. In all other cases, a decision of the Conference or the Executive Council is required for the release of confidential information beyond the Organisation. While a request for a decision on such a release can be put to either organ, such a request will normally be part of a general policy decision by the Conference or Executive Council to refer a related issue to an external body in accordance with the Convention, and so the decision on release would be taken by the same organ considering the general policy question.
3.6 A decision to approve such a release should be based upon:
(a) an explicit determination that the intended recipient has a clear need to know in accordance with the recipient's role in the implementation of the Convention; and
(b) a determination that the intended release conforms with the needs of the Convention.
3.7 When an apparent need arises for release of confidential information, the Director-General shall prepare a draft proposal for release for consultation and review by the parties concerned. The factors for determining confidentiality and the classification of the information are required to be fully addressed in the formulation of the proposed release. When applicable, the information proposed for release shall be processed into less sensitive forms so that disclosure of confidential information not relevant to the purpose of the release is avoided. In this case the processes for declassification or reclassification should be applied. If the confidential information was obtained from or refers to a State Party, the Director-General or a delegate authorised for this function is required to obtain the written consent of that State Party for the proposed release. The withholding of such consent shall not be used to avoid a State Party's obligations under the Convention.
3.8 In preparing a release proposal, the Director-General may propose specific conditions or limitations on the scope to be associated with the release, with the aim of ensuring that the release is focused on its particular purpose connected with the implementation of the Convention. Some of the limitations of scope or conditions that may apply are:
(a) access to the confidential information only on a temporary basis, such as for the duration of a meeting or for the duration of a consultancy;
(b) specification that the information is for official use only;
(c) request for particular handling, such as a request to destroy or return the information after a specified period;
(d) specific controls on some sensitive parts of the confidential information; and
(e) visual display of the confidential information, such as projection during the course of a meeting.
3.9 After consultation with the parties concerned, the proposal for release will then be put to the Executive Council or the Conference for decision.
PART VIII
ADMINISTRATION
The Director-General
1. The Director-General shall establish and supervise the implementation and auditing of the regime for the protection and handling of confidential information within the Organisation in accordance with the principles set out in the Confidentiality Annex and this Policy. To this end, the Director-General shall issue and supervise the implementation of administrative directives required by this Policy.
2. The Director-General shall have the primary responsibility for the enforcement of this regime and will charge appropriate units in the Secretariat with particular tasks for the implementation of the regime in accordance with this Policy. In exceptional cases, the Director-General may delegate specific authority in relation to implementation of the confidentiality regime to a limited number of senior Secretariat staff members, subject to specific limitations set out in this Policy[13]. The Director-General shall also personally supervise the conduct of those units and shall remain personally responsible for actions taken by his delegates in exercising his authority.
Administration of the confidentiality regime in the Secretariat
3. The confidentiality regime shall apply to the operations of all elements of the Secretariat. An appropriate unit of the Secretariat shall be designated for the task of evaluating all data and documents obtained by the Secretariat, to establish whether they contain confidential information, applying the guidelines set out in subparagraph 2(a) of the Confidentiality Annex and paragraph 11 of Part III of this Policy. Auditing of the operation of the confidentiality regime shall be conducted internally by the Secretariat and shall be kept functionally distinct from any unit tasked with its implementation.
4. Under the Director-General's supervision, the Secretariat shall ensure that its staff members are properly advised and reminded about their obligation to protect confidential information and to abide by the confidentiality regime, as well as about the principles of this Policy and the procedures required to implement it, the principles and procedures relating to security, and the possible penalties that they would incur in the event of unauthorised disclosure of confidential information.
PART IX
BREACH PROCEDURES
IX.1: BREACH INVESTIGATION PROCEDURES
1. Investigations into breaches and alleged breaches of confidentiality and violations of confidentiality obligations
On the basis of the provisions of the Confidentiality Annex (paragraph 19), this Part of the Policy outlines the procedure for investigations by the Director-General in relation to breaches and alleged breaches of confidentiality and violations of related obligations to protect confidential information.
Step 1: Investigation by the Director-General
Step 2: Interim action
Step 3: Report of investigations
Step 4: Action in response to an investigation report
4a: Disciplinary sanctions against serving Secretariat staff
4b: Sanctions against former Secretariat staff
4c: Action taken in relation to waiver of immunity
4d: Other legal action within national jurisdiction
4e: Action taken when a State Party appears responsible
4f: Action to reform or enhance the confidentiality regime
2. Definitions
A breach of the obligation to protect confidentiality ('a breach of confidentiality') includes any unauthorised disclosure of OPCW information to any individual, or government or private entity, regardless of the intention or the consequences of the disclosure. A breach of confidentiality can also be associated with misuse of information to gain a personal advantage or to benefit or damage the interests of a third party. A violation of obligations concerning the protection of confidential information is deemed to have taken place if there has been non-compliance with the specified procedures for the handling, protection, release and dissemination of confidential information so as to create a clear risk of unauthorised disclosure, with or without such disclosure actually occurring. In practical terms, there is considerable overlap between a breach of confidentiality and a violation of obligations to protect confidential information.
3. Step 1: Investigation by the Director-General
3.1 As required in the terms of the Confidentiality Annex, the Director-General shall promptly initiate an investigation:
(a) following 'sufficient indication' that there has been a violation of an obligation to protect confidential information on the part of a staff member of the Secretariat, another authorised individual or entity beyond the Secretariat , or an agent or official of a State Party; or
(b) when a State Party has lodged an allegation concerning a breach of confidentiality.
3.2 In particular, the Director-General shall initiate an investigation if he becomes aware that there is a reasonable possibility, or clear risk, of unauthorised disclosure of confidential information occurring, inter alia, in a manner:
(a) which violates the policy or guidelines of the Organisation established for the handling, protection, release and dissemination of confidential information; or
(b) which could adversely affect the object and purpose of the Convention or the interests of the Organisation, a State Party, or a commercial or governmental body or a national of a State Party, or could offer particular or selective advantage to an individual, a State, or any other body, including a commercial firm.
3.3 The Director-General is obliged to investigate any allegation by a State Party that a breach of confidentiality has occurred. Such an allegation should be made in writing to the Director-General, and should to the extent possible provide supporting information. An allegation should, if possible, state the nature of the information involved, the time and location at which the breach is alleged to have occurred, and the actual or possible future damage believed to affect relevant interests.
3.4 When a decision has been taken to proceed with an investigation, the decision should be made known immediately to any States Parties and any Secretariat staff member involved in the alleged breach or suspected violation.
3.5 The aim of the investigation is to establish whether there has been a breach of confidentiality or a violation of the handling, protection, dissemination or release procedures for confidential information, and the severity of any breach including the degree and nature of any damage caused. The investigation should also consider ways of enhancing the confidentiality regime so as to prevent any recurrence of a breach or violation of procedures.
3.6 The Director-General shall be directly responsible for the investigation, and will direct it personally, but may appoint a designated senior staff member to conduct investigatory work. The investigation should commence with a preliminary review of the circumstances surrounding the allegation or indication of a violation, and a consideration of any evidence or supporting information. The Director-General at this stage may find that a prima facie case does not exist; if so, he may, at his discretion, either consult with a State Party that has made an allegation, or he may conclude the investigation and report a finding that no prima facie case was established. Following the establishment of a prima facie case of a breach affecting the interests of a State Party, the Director-General shall notify the Executive Council that an investigation into a breach is in progressand, with the consent of that State Party, may present specific information about the investigation, if requested.
3.7 The investigation procedure following the establishment of a prima facie case may include the following activities:
(a) the collection and examination of evidence within the OPCW or its constituent organs;
(b) the examination of further material supplied by States Parties as evidence;
(c) confidential interviews with staff members of the Secretariat;
(d) consultations with States Parties concerned, including with representatives of industry or private entities concerned nominated by States Parties; and/or
(e) a request for a State Party to provide details on the handling of information provided to it by the Organisation.
3.8 The proceedings of the investigation will remain confidential, and will be subject to the strict application of the need-to-know principle. Particular care should be given to the possible damaging effects of disclosures about such an investigation to Secretariat staff members as well as to the interests of States Parties. The investigation should be conducted on the basis of objectivity and due process, and there should be no use of coercion to elicit information from any individual concerned. Every effort should be made to conclude the investigation and take appropriate action in response to its findings as quickly as is possible and consistent with proper procedure.
3.9 All States Parties concerned and all staff members of the Secretariat involved shall cooperate with and support the investigation to the extent possible. For States Parties, this may entail providing details of internal investigations conducted, furnishing evidence, advising on national judicial proceedings in relation to the same matter, and advising on the degree and nature of damage caused by a breach. Staff members are required to provide any factual information relating to the aims of the investigation and their professional responsibilities.
4. Step 2: Interim action
4.1 If a prima facie case is established which apparently implicates a currently serving member of the Secretariat:
(a) procedures will be initiated in accordance with the Staff Regulations and Rules to impose interim restrictive measures for the duration of the investigation, such as withdrawal from certain functions or denial of access to certain information, or, if the case appears serious, temporary suspension in accordance with the OPCW Staff Regulations and Rules;
(b) the Director-General shall consider and may propose immediate action, if necessary in consultation with the Executive Council, to protect all legitimate interests which could be prejudiced by the breach or alleged breach of confidentiality, including the interests of a State Party or of the Organisation; and
(c) if the investigation is at the request of a State Party, then the Director-General shall inform this State Party of any such interim action taken.
4.2 An employee suspected of involvement in a breach should be informed by registered letter of the decision to take such interim action, stating the basis of this action and advising of any recourse available.
4.3 If the preliminary stage of the investigation discloses prima facie indications that a State Party may have been responsible for a breach, or may have otherwise been involved, the Director-General shall consider and may propose immediate action for decision of the Executive Council, to protect all legitimate interests which could be prejudiced by the breach of confidentiality, including the interests of any other State Party or of the Organisation. The Director-General may request that State Party to provide details on the handling of information provided to it by the Organisation.
4.4 If the preliminary stage of the investigation discloses prima facie indications that a natural or legal person in a State Party's jurisdiction may have been responsible for a breach, or may have otherwise been involved, the Director-General may consult with and request support from that State Party, if necessary following Executive Council approval, on possible action to protect all legitimate interests which could be prejudiced by the breach of confidentiality.
5. Step 3: Report of investigations
5.1 The Directo