OPCW

1. Introduction

This report is submitted to the Conference of the States Parties (hereinafter "the Conference") in accordance with paragraph 3 of Part A of the Confidentiality Annex to the Convention. The report summarises the principal activities undertaken by the Technical Secretariat (hereinafter the "Secretariat") in relation to the implementation of the OPCW’s confidentiality regime during the year 1999.

2.1 On the basis of the experience gained since the entry into force (EIF) of the Convention with regard to the implementation of the confidentiality regime, the Director-General reviewed the confidentiality functions of the Secretariat and reorganised these functions as outlined in his Note on the management of confidentiality within the Secretariat (EC-XIV/DG.3, dated 13 January 1999). On 15 February 1999 the confidentiality unit in the former Declarations and Confidentiality Branch was renamed the Confidentiality Office (CDO), and was moved from the Verification Division and made directly responsible to the Director-General. Since then the Head of the Confidentiality Office has reported directly to the Director-General, and has operated under his direct control and guidance. The primary responsibility of the Confidentiality Office was to assist the Director-General to monitor the implementation of the confidentiality regime with regard to the handling and protection of confidential information throughout the Secretariat. The Confidentiality Office was also responsible for updating all confidentiality procedures, providing all confidentiality-related training, conducting initial inquiries into any breaches of confidentiality, and advising the Director-General on confidentiality issues in general.

2.2 Additionally, in order to provide for better protection of the confidential information held by the Secretariat in both hard copy and electronic form, the Director-General established a Confidentiality/Security Steering Group under his direction to ensure close coordination between the Confidentiality Office, the Information Security Officer, and the Chief of Security. The Confidentiality Auditor was enlisted as an ex officio member of the steering group.

2.3 In 1998 the Director-General constituted the Confidentiality Review Group (CRG) to review the Manual of Confidentiality Procedure (MCP) and, in the light of the experience gained since EIF, to suggest suitable amendments to streamline the confidentiality procedures used within the Secretariat, while at the same time maintaining the stringency of the overall confidentiality regime. The work of this group was almost completed during the period under review. The previous 25 chapters of the MCP were reorganised and renumbered, with a view to making them more transparent and user-friendly. As of 31 December 1999 the revised MCP contained 13 chapters, the first nine of which had already been substantively revised. The review of the remaining chapters was to be completed in the light of the implementation of the security-critical network-electronic document management system (SCN-EDMS) and of the recommendations of the experts engaged by the Secretariat to provide advice concerning the electronic processing of confidential information on that system. At the close of the period under review this task was expected to be completed by the end of March 2000. The following were among the main changes to current procedures to be introduced during 1999:

2.4 The Director-General issued an administrative directive containing a comprehensive list of statements of the scope of access to verification-related confidential information (SACI) for those posts within the Secretariat which were identified as requiring access to such information (OPCW-TS/AD/30, dated 22 April 1999). The SACI now forms part of the job description for these posts, in accordance with paragraph 6 of the Confidentiality Annex. The scope of access defined by the SACI is subject to the provisions of the OPCW Policy on Confidentiality and the requirements of the Manual of Confidentiality Procedure. A change in the SACI for a specific post is possible only on the written instruction of the Director-General.

2.5 With the creation of the SACI statements for the relevant Secretariat posts, it is no longer necessary to distinguish between regular and occasional access, as all access is simply categorised as access. However, in anticipation of possible situations in which a staff member for whom a notification has already been given in accordance with paragraph 11 of the Confidentiality Annex might need to be granted access to information which is not specified in his/her SACI statement, the Director-General or his designated nominee is able to grant such ad hoc access on a strictly case-by-case basis.

3. States Parties’ procedures for handling confidential information

The Executive Council regularly monitors the submission by States Parties of their confidentiality procedures for the handling of confidential information, as required in paragraph 4 of Part A of the Confidentiality Annex. During the period under review the Council regularly expressed its concern about the many States Parties which had not yet complied with this important aspect of the confidentiality regime. As of 31 December 1999 only 42 of the 128 States Parties were in compliance with this important provision of the Convention.

4. Auditing activities for the confidentiality regime

4.1 Within the Secretariat the directors of the divisions involved in the processing of confidential information conducted internal inspections and reviews during the period under review in accordance with the provisions of the OPCW Manual of Confidentiality Procedure. The Confidentiality Office monitored these internal inspections and rendered assistance when it was required. The Confidentiality Office, on its own initiative, also conducted surprise checks, in order to ensure that Secretariat staff members were correctly adhering to confidentiality procedures. As a result of these checks the following incidents came to light during the period under review.

4.2 During the period under review 19 incidents of the alleged violation of confidentiality procedures were reported to the Confidentiality Office. A formal investigation was ordered into three of these incidents, the basic facts of which are outlined below:

Sixteen incidents not requiring formal investigation

Incidents leading to formal investigations

4.3 A formal investigation was ordered on three occasions: two incidents related to missing documents, and a third incident related to the incorrect dissemination of a classified document. Details of these incidents are reported below:

4.4 In the first incident, at the conclusion of the changeover of Branch Heads in the Declarations Branch in March 1999, three documents could not be "accounted for" by the outgoing and incoming Branch Heads. After conducting extensive preliminary enquiries the Confidentiality Office reported to the Director-General that one of these three documents had not been lost, with the audit trail suggesting that the intended copy of the document had never been made. Regarding the second document, the substantive officer stated that the document had existed only in electronic form, and a hard copy printout had never been produced. Despite an exhaustive search lasting several weeks, no trace of the third document could be found. On the basis of the report by the Confidentiality Office, the Acting Director-General ordered an investigation into these two latter cases, which was conducted by a senior Secretariat staff member, as required by paragraph 3 of Part IX.1 of the OPCW Policy on Confidentiality. The State Party associated with the third missing document was informed of the incident, and the results of the investigation were as follows:

4.5 The Acting Director-General accepted the recommendations in relation to the cases described in subparagraphs 4.4(a) and (b) above, and cautioned the staff members in question to be more careful in their handling of classified materials in the future.

Second incident

4.6 In the second incident the Confidentiality Office found, in March 1999, that one staff member had left the Organisation without properly accounting for and handing over the classified documents in his possession. During preliminary inquiries the Confidentiality Office found that the confidential materials and the confidential material register (CMR) in the possession of the outgoing staff member had not been properly maintained. When all the records of this staff member had been verified, one OPCW Restricted document remained unaccounted for. On the basis of preliminary inquiries conducted by the Confidentiality Office, the Director-General ordered an investigation into this incident by a senior staff member of the Secretariat, as required by paragraph 3 of Part IX.1 of the OPCW Policy on Confidentiality. The State Party in question was apprised by the Director-General of these facts, and of the actions taken by him in relation to them.

4.7 In this case the investigation revealed that the supposedly missing document was in fact a draft document classified as "OPCW Restricted", which is not required to be registered in the CMR. A copy of this draft was sent to the State Party in question. In order to keep track of the transfer of this document to the State Party the staff member, without being required by the procedures to do so, had entered it in his CMR. This draft document was updated in consultation with the State Party, and was later declassified by it. As the established procedures do not require a destruction certificate in the event of the destruction of an unclassified document, no such certificate was prepared. In this case the State Party in question was fully apprised of these facts. In his report the investigation officer stated that, as this case had demonstrated, the staff member involved had not, in his handling of confidential documents, always strictly followed the procedures laid down in the Manual of Confidentiality Procedure. According to the investigating officer, however, these administrative lapses did not amount to any breach of confidentiality. Furthermore, the investigation officer also recognised that adequate administrative steps had been taken by the Secretariat after the incident to ensure the strict implementation of the confidentiality procedures, with a view to preventing any recurrence of such incidents. In view of these findings, the Director-General closed the investigation into this incident.

4.8 The third incident related to the inadvertent delivery, on 15 December 1999, of confidential documents belonging to a State Party to the representative of another State Party, because the cover memorandum for the documents was not addressed to the correct State Party. The State Party in question was informed of the lapse as soon as it was discovered, and an investigation into the incident was promptly initiated in accordance with the procedure laid down in the OPCW Policy on Confidentiality.

With the reorganisation of confidentiality functions within the Secretariat, the system of distributing documents for sessions and meetings of the policy-making organs and their subsidiary bodies was also streamlined. As mentioned in subparagraph 2.3(b) above, from 4 June 1999 onwards all classified documents which were to be considered at the sessions and meetings of the policy-making organs were processed and distributed by staff of the Conference Services Branch with an appropriate confidentiality clearance, who had already been performing these tasks in relation to unclassified documents. During 1999 the Confidentiality Office provided the training necessary for all staff members of the Conference Services Branch whose tasks involved the handling of classified documents.

6. Implementation activities

6.1 In December 1999 the Secretariat’s Security Office started the installation of the electronic security card reader system in all rooms in the security-critical area. This work, which was expected to be completed in early 2000, was aimed at improving security in general, and also at significantly enhancing the protection of the security-critical network. The Security Office also completed its work on a high-security room for securing confidential information by inspection team leaders during the pre- and post-inspection periods. This room is located in the security-critical area, and is monitored with electronic card reader systems and video surveillance. The Security Office also completed the security upgrade at the OPCW Laboratory and Equipment Store in Rijswijk. This upgrade included the installation of both an exterior closed circuit television video surveillance system and some interior cameras. Communications links were expected to be completed in early 2000, to allow for the monitoring of this system from the 24-hour security control centre located in the OPCW headquarters building. When completed, the system will enhance physical security for personnel, information, property, and OPCW Laboratory activities. The Security Office also installed a new internal closed circuit television video system in the security-critical area during 1999.

6.2 All new staff members employed by the Secretariat during the period under review concluded individual secrecy agreements when they took up their posts, in accordance with the Confidentiality Annex to the Convention.

6.3 During the period under review the Director-General sent 16 notes verbales containing clearance notifications to all States Parties, in accordance with paragraph 11 of the Confidentiality Annex. These notifications concerned 15 new appointees, 42 staff members reassigned to new posts, one staff member assigned additional functions, and six staff members leaving the Secretariat. At the close of the period under review the total number of Secretariat staff members included in the confidential information clearance register was 180. In addition seven staff members of the Permanent Court of Arbitration who will act as a registry to the Confidentiality Commission, as well as 29 interpreters and 13 members of the security audit team, were notified to States Parties, on the basis of a mutatis mutandis application of paragraph 11 of the Confidentiality Annex.

6.4 The new performance management appraisal system which was due to be formally introduced in the Secretariat during 2000 specifically provides for the appraisal of staff members by their supervisory officers, inter alia with regard to their record in handling and protecting confidential information.

7. Classification of documents (by category) received from States Parties

7.1 The classified documents received from States Parties between EIF and 31 December 1999 were categorised as follows:

7.2 In the above table H specifies OPCW Highly Protected, P specifies OPCW Protected, R specifies OPCW Restricted, and U specifies Unclassified.

7.3 The above figures indicate that the Secretariat was consistently receiving a very high proportion (73%) of pages classified as H and P, as a result of which the documents derived from them are accordingly also classified as H and P. The handling and protection of documents in these categories involves the utilisation of considerable resources. The Director-General wishes to reiterate his request to States Parties to review the classification of the documents which they have already submitted and, if possible, to reduce their classification level to the OPCW Restricted level at the very least, if not to declassify them altogether. Similarly, the Director-General urges States Parties, when submitting information in the future, to classify their documents at the lowest possible level, in order to enhance the speed and efficiency of their processing.

8.1 In accordance with the Note by the Director-General regarding the introduction of the electronic document management system (EDMS) (S/94/99, dated 4 February 1999), the Verification Division loaded onto the SCN and its EDMS application the declarations of those States Parties which had given their consent to this, as well as inspection-related information such as inspection mandates, preliminary factual finding reports, final inspection reports and facility agreements. In order to meet the audit team’s requirement that it should audit an operational system, staff of the Verification Division used this data to test the SCN’s operating procedures, in order to ensure that they were functioning correctly.

8.2 The Secretariat notified all States Parties of the names of members of the external audit team nominated by those States Parties which had expressed an interest in providing qualified and experienced experts to conduct a final audit of the
SCN-EDMS system. Such a notification was deemed necessary because the audit team’s review of the operating system would involve the processing of confidential information which they might inadvertently see during the final audit. The clearance notifications for the members of the audit team were based on a mutatis mutandis application of paragraph 11 of the Confidentiality Annex. Only auditors from States Parties which had consented to the loading of their declaration data onto the SCN were able to take part in such security audits.

8.3 In addition, Secretariat staff began to make use of the mini-SCN for the completion of final inspection reports and for the translation of classified materials (see subparagraphs 6.2 and 8.3 of S/94/99). After these facilities began to be used, it proved possible to end the use of stand-alone computers for such activities. Furthermore, the use of the mini-SCN enabled the Secretariat to fully log, monitor and audit all activities related to the processing of translation materials and
inspection-related reports, something which had not previously been possible in an environment with stand-alone computers.

8.4 It is expected that, as more and more information becomes accessible in electronic form to authorised users of the SCN, there will be a significant reduction in the reproduction of classified information within the security-critical area.

8.5 In October 1999 the security audit team II (SAT II) met to conduct an operational control and security audit of the verification information system-electronic document management system (VIS-EDMS). The SAT II report identified a number of matters requiring attention in the areas of physical security, confidentiality and information systems security, and recommended that use of the VIS-EDMS should not be expanded at that time. By the close of the period under review the Secretariat had undertaken a number of measures designed to rectify the problems identified by SAT II, with a view to having the VIS-EDMS ready for audit by April 2000.

The recommendations of the Office of the Internal Oversight concerning the handling and protection of confidential materials, as contained in its annual report on the period from 1 July 1997 to 31 December 1998 (EC-XV/DG.10, dated 9 April 1999), were implemented.

The Confidentiality Office, with the assistance of the Training and Staff Development Branch, developed a programme during 1999 to provide regular confidentiality training for all staff members of the Secretariat. When joining the Secretariat all staff members attend an introductory course covering the basics of confidential information handling and protection. Specific and continuous training is provided to those staff members whose functions in the Organisation and access rights require such training. During 1999 a total of 498 persons received such customised training, in accordance with their specific requirements. The following table contains a breakdown of the confidentiality training courses which were conducted during the year under review.

10.2 Confidentiality training courses were also conducted for the members of the Confidentiality Commission and the Scientific Advisory Board, as well as for the six staff members of the Permanent Court of Arbitration in The Hague who will service the registry of the Confidentiality Commission

The Confidentiality Office provided confidentiality training for the above-mentioned six staff members of the Permanent Court of Arbitration who are designated to handle any information forwarded or addressed to the Confidentiality Commission. After this training had been completed the six staff members of the Permanent Court of Arbitration signed the OPCW secrecy agreement. They were notified to States Parties and cleared by the Director-General for access to confidential information in accordance with paragraph 11 of the Confidentiality Annex.