Annex on the Protection of Confidential Information
A. General Principles for the Handling of Confidential Information
- The obligation to protect confidential information shall pertain to the verification of both civil and military activities and facilities. Pursuant to the general obligations set forth in Article VIII, the Organization shall:
  - Require only the minimum amount of information and data necessary for the timely and efficient carrying out of its responsibilities under this Convention;
  - Take the necessary measures to ensure that inspectors and other staff members of the Technical Secretariat meet the highest standards of efficiency, competence, and integrity;
  - Develop agreements and regulations to implement the provisions of this Convention and shall specify as precisely as possible the information to which the Organization shall be given access by a State Party.
- The Director-General shall have the primary responsibility for ensuring the protection of confidential information. The Director-General shall establish a stringent regime governing the handling of confidential information by the Technical Secretariat, and in doing so, shall observe the following guidelines:
  - Information shall be considered confidential if:
    - It is so designated by the State Party from which the information was obtained and to which the information refers; or
    - In the judgement of the Director-General, its unauthorized disclosure could reasonably be expected to cause damage to the State Party to which it refers or to the mechanisms for implementation of this Convention;
  - All data and documents obtained by the Technical Secretariat shall be evaluated by the appropriate unit of the Technical Secretariat in order to establish whether they contain confidential information. Data required by States Parties to be assured of the continued compliance with this Convention by other States Parties shall be routinely provided to them. Such data shall encompass:
    - The initial and annual reports and declarations provided by States Parties under Articles III, IV, V and VI, in accordance with the provisions set forth in the Verification Annex;
    - General reports on the results and effectiveness of verification activities; and
    - Information to be supplied to all States Parties in accordance with the provisions of this Convention;
  - No information obtained by the Organization in connection with the implementation of this Convention shall be published or otherwise released, except, as follows:
    - General information on the implementation of this Convention may be compiled and released publicly in accordance with the decisions of the Conference or the Executive Council;
    - Any information may be released with the express consent of the State Party to which the information refers;
    - Information classified as confidential shall be released by the Organization only through procedures which ensure that the release of information only occurs in strict conformity with the needs of this Convention. Such procedures shall be considered and approved by the Conference pursuant to Article VIII, paragraph 21 (i);
  - The level of sensitivity of confidential data or documents shall be established, based on criteria to be applied uniformly in order to ensure their appropriate handling and protection. For this purpose, a classification system shall be introduced, which by taking account of relevant work undertaken in the preparation of this Convention shall provide for clear criteria ensuring the inclusion of information into appropriate categories of confidentiality and the justified durability of the confidential nature of information. While providing for the necessary flexibility in its implementation the classification system shall protect the rights of States Parties providing confidential information. A classification system shall be considered and approved by the Conference pursuant to Article VIII, paragraph 21 (i);
  - Confidential information shall be stored securely at the premises of the Organization. Some data or documents may also be stored with the National Authority of a State Party. Sensitive information, including, inter alia, photographs, plans and other documents required only for the inspection of a specific facility may be kept under lock and key at this facility;
  - To the greatest extent consistent with the effective implementation of the verification provisions of this Convention, information shall be handled and stored by the Technical Secretariat in a form that precludes direct identification of the facility to which it pertains;
  - The amount of confidential information removed from a facility shall be kept to the minimum necessary for the timely and effective implementation of the verification provisions of this Convention; and
  - Access to confidential information shall be regulated in accordance with its classification. The dissemination of confidential information within the Organization shall be strictly on a need-to-know basis.
- The Director-General shall report annually to the Conference on the implementation of the regime governing the handling of confidential information by the Technical Secretariat.
- Each State Party shall treat information which it receives from the Organization in accordance with the level of confidentiality established for that information. Upon request, a State Party shall provide details on the handling of information provided to it by the Organization.
B. Employment and Conduct of Personnel in the Technical Secretariat
- Conditions of staff employment shall be such as to ensure that access to and handling of confidential information shall be in conformity with the procedures established by the Director-General in accordance with Section A.
- Each position in the Technical Secretariat shall be governed by a formal position description that specifies the scope of access to confidential information, if any, needed in that position.
- The Director-General, the inspectors and the other members of the staff shall not disclose even after termination of their functions to any unauthorized persons any confidential information coming to their knowledge in the performance of their official duties. They shall not communicate to any State, organization or person outside the Technical Secretariat any information to which they have access in connection with their activities in relation to any State Party.
- In the discharge of their functions inspectors shall only request the information and data which are necessary to fulfil their mandate. They shall not make any records of information collected incidentally and not related to verification of compliance with this Convention.
- The staff shall enter into individual secrecy agreements with the Technical Secretariat covering their period of employment and a period of five years after it is terminated.
- In order to avoid improper disclosures, inspectors and staff members shall be appropriately advised and reminded about security considerations and of the possible penalties that they would incur in the event of improper disclosure.
- Not less than 30 days before an employee is given clearance for access to confidential information that refers to activities on the territory or in any other place under the jurisdiction or control of a State Party, the State Party concerned shall be notified of the proposed clearance. For inspectors the notification of a proposed designation shall fulfil this requirement.
- In evaluating the performance of inspectors and any other employees of the Technical Secretariat, specific attention shall be given to the employee’s record regarding protection of confidential information.
C. Measures to Protect Sensitive Installations and Prevent Disclosure of Confidential Data in the Course of On-Site Verification Activities
- States Parties may take such measures as they deem necessary to protect confidentiality, provided that they fulfil their obligations to demonstrate compliance in accordance with the relevant Articles and the Verification Annex. When receiving an inspection, the State Party may indicate to the inspection team the equipment, documentation or areas that it considers sensitive and not related to the purpose of the inspection.
- Inspection teams shall be guided by the principle of conducting on-site inspections in the least intrusive manner possible consistent with the effective and timely accomplishment of their mission. They shall take into consideration proposals which may be made by the State Party receiving the inspection, at whatever stage of the inspection, to ensure that sensitive equipment or information, not related to chemical weapons, is protected.
- Inspection teams shall strictly abide by the provisions set forth in the relevant Articles and Annexes governing the conduct of inspections. They shall fully respect the procedures designed to protect sensitive installations and to prevent the disclosure of confidential data.
- In the elaboration of arrangements and facility agreements, due regard shall be paid to the requirement of protecting confidential information. Agreements on inspection procedures for individual facilities shall also include specific and detailed arrangements with regard to the determination of those areas of the facility to which inspectors are granted access, the storage of confidential information on-site, the scope of the inspection effort in agreed areas, the taking of samples and their analysis, the access to records and the use of instruments and continuous monitoring equipment.
- The report to be prepared after each inspection shall only contain facts relevant to compliance with this Convention. The report shall be handled in accordance with the regulations established by the Organization governing the handling of confidential information. If necessary, the information contained in the report shall be processed into less sensitive forms before it is transmitted outside the Technical Secretariat and the inspected State Party.
D. Procedures in Case of Breaches or Alleged Breaches of Confidentiality
- The Director-General shall establish necessary procedures to be followed in case of breaches or alleged breaches of confidentiality, taking into account recommendations to be considered and approved by the Conference pursuant to Article VIII, paragraph 21 (i).
- The Director-General shall oversee the implementation of individual secrecy agreements. The Director-General shall promptly initiate an investigation if, in his judgement, there is sufficient indication that obligations concerning the protection of confidential information have been violated. The Director-General shall also promptly initiate an investigation if an allegation concerning a breach of confidentiality is made by a State Party.
- The Director-General shall impose appropriate punitive and disciplinary measures on staff members who have violated their obligations to protect confidential information. In cases of serious breaches, the immunity from jurisdiction may be waived by the Director-General.
- States Parties shall, to the extent possible, cooperate and support the Director-General in investigating any breach or alleged breach of confidentiality and in taking appropriate action in case a breach has been established.
- The Organization shall not be held liable for any breach of confidentiality committed by members of the Technical Secretariat.
- For breaches involving both a State Party and the Organization, a “Commission for the settlement of disputes related to confidentiality”, set up as a subsidiary organ of the Conference, shall consider the case. This Commission shall be appointed by the Conference. Rules governing its composition and operating procedures shall be adopted by the Conference at its first session.