Working Paper by Friend of the Chair on Confidentiality :
E. Confidentiality Provisions (WP.265)
Click here to view the Disclaimer.
Click here to return to the list of Working Papers.
AD HOC GROUP OF THE STATES PARTIES
TO THE CONVENTION ON THE PROHIBITION
OF THE DEVELOPMENT, PRODUCTION AND
STOCKPILING OF BACTERIOLOGICAL
(BIOLOGICAL) AND TOXIN WEAPONS
AND ON THEIR DESTRUCTION
BWC/AD HOC GROUP/WP.265
23 January 1998
Original: ENGLISH
Ninth session
Geneva, 5-23 January 1998
Working paper submitted by the Friend of the Chair on Confidentiality
E. CONFIDENTIALITY PROVISIONS
I. GENERAL PRINCIPLES FOR THE HANDLING OF
CONFIDENTIAL INFORMATION
(A) THE NEED-TO-KNOW PRINCIPLE
1. [The obligation to protect confidential information shall pertain to the verification of both civil and military activities and facilities. Pursuant to the general obligations set forth in Article IV, the Organization shall] [The Organization] shall require only the minimum amount of information and data necessary for the timely and efficient carrying out of its responsibilities under [this Protocol] and shall avoid any access to [confidential] information and data not related to the aims of this Protocol. [The Organization] shall develop agreements and regulations to implement the provisions of this Protocol and shall specify as precisely as possible the information to which [the Organization] shall be given access by a State Party. Confidential information shall only be disseminated within the Organization in accordance with paragraph 5.
(B) THE CONFIDENTIALITY REGIME
2. [The Director-General shall have the primary responsibility for ensuring the protection of confidential information and shall establish and maintain a stringent regime governing the handling of confidential information pursuant to paragraph 4 (a), Article IV of this Protocol (hereinafter referred to as the Confidentiality Regime). In order to establish the Confidentiality Regime, an appropriate unit of [the Secretariat] (hereinafter referred to as the Confidentiality Unit) [shall] [may] be charged with overall supervision of the administration of confidentiality provisions.] In order to establish the regime governing the handling of confidential information pursuant to Article IV (hereinafter referred to as the Confidentiality Regime), an appropriate unit of [the Secretariat] (hereinafter referred to as the Confidentiality Unit) [shall][may] be charged with overall supervision of the administration of confidentiality provisions.
GE.98-60316
BWC/AD HOC GROUP/WP.265
page 2
3. [As the objective of the Confidentiality Regime is the protection of the rights of the States Parties providing the information,] the regime shall be considered and approved by [the Conference of the States Parties]. The approval of the Confidentiality Regime by [the Conference] shall be mandatory prior to initial processing, further handling and authorized distribution of the information and data the States Parties have passed on to [the Organization] in confidence. 1 2
4. Subsequently, the [Director-General] shall report [annually] to [the Conference] [the Executive Council] on the implementation of the Confidentiality Regime by [the Secretariat].
(C) THE ESTABLISHMENT OF A CLASSIFICATION SYSTEM
[4 bis. Each State Party from which the information was received or to which the information refers shall have the right [, in due consultation with the Confidentiality Unit as the Party may consider appropriate,] to classify any information that it provides under this Protocol in accordance with the classification system.]
5. The [Director-General] [head of the Confidentiality Unit] or persons to whom such authority was delegated shall have the authority to classify information and data [submitted by States Parties] [information generated by the Organization in the implementation of its duties] according to a classification system [evaluated by States Parties] [which is to be introduced by the [head of the Confidentiality Unit]] [unless such information and data have been already classified by the States Parties]. The classification system shall provide for clear criteria ensuring the inclusion of information into appropriate categories of confidentiality and shall be considered and approved by [the Conference].
6. [All data and documents obtained [produced] by [the Secretariat] [in implementation of its duties] shall be evaluated by the Confidentiality Unit in order to establish whether they contain confidential information. If confidential information is contained, the Confidentiality Unit shall classify this information according to the classification system [in consultation with States Parties concerned.] [provided that the State Party of which the information was obtained has not already classified that information].]
BWC/AD HOC GROUP/WP.265
page 3
[(D) CRITERIA FOR CONFIDENTIALITY
7. Information shall be considered confidential if:
(i) It is designated to be confidential by the State Party from which the information was [received] [, and to which the information refers]; or
(ii) In the judgement of [the Director-General or] [the head of the Confidentiality Unit], its [unauthorized] disclosure could reasonably be expected to cause damage [either] [to the State Party to which it refers or] to the implementation mechanisms of this Protocol.]
[7 bis. A classification system shall be introduced, which shall provide for clear criteria ensuring the inclusion of information into appropriate categories of confidentiality and the justified durability of the confidential nature of information. While providing for the necessary flexibility in its implementation the classification system shall protect the right of States Parties providing confidential information. A classification system shall be considered and approved by the Conference pursuant to Article IX, paragraph 21 (h).
(a) The essential factors to be considered in determining the level of sensitivity of an item of information are as follows:
(i) The degree of potential damage which its disclosure could cause to a State Party, any other body of a State Party, including a commercial firm or to any national of a State Party, or to the Protocol or [the Organization] ; and
(ii) The degree of potential, particular or selective advantage, its disclosure could offer to an individual, a State, or any other body, including a commercial firm.
(b) Based on guiding factors in subparagraph (a) and the specific classification criteria set out below, confidential information shall be classified into the following categories, given in increasing order of sensitivity :
(i) Restricted :
This category comprises information of which unauthorized disclosure would be prejudicial to the effectiveness or credibility of the Protocol, or prejudicial to the interests of a State Party or of a commercial or governmental body or of a national of a State Party;
BWC/AD HOC GROUP/WP.265
page 4
(ii) Protected :
This category comprises information of which unauthorized disclosure may cause substantial damage to the effectiveness or credibility of the Protocol, or to the interest of a State Party or of a commercial or governmental body or of a national of a State Party;
(iii) Highly protected :
This category comprises sensitive information of which unauthorized disclosure would cause serious damage to the effectiveness or credibility of the Protocol, or its aims and purpose, or cause serious damage from the point of view of national security or commercial secrecy to the interest of a State Party or of a commercial or governmental body or national of a State Party.]
(E) OBLIGATIONS FOR HANDLING OF CONFIDENTIAL INFORMATION
[7 ter. To the greatest extent consistent with the effective implementation of the verification provisions of this Protocol, information shall be handled and stored by the [Technical] Secretariat in a form that precludes direct identification of the facility to which it pertains.]
8. Each access by a staff member of [the Secretariat] to confidential information shall be regulated in accordance with its classification and shall be [strictly] on a need-to-know basis. [Each access to confidential information shall be recorded on file when accessing and exiting. This record shall be retained for [an unlimited period] [(time period to be specified)]].
[8 bis. [If necessary to fulfil its obligations under this Protocol,] [the Secretariat] may grant access to information and data classified as confidential to entities or individuals not on the staff of [the Secretariat] only on specific approval by [the DirectorGeneral] [the head of the Confidentiality Unit] accompanied by consent of the State Party concerned. [The Secretariat] shall notify the State Party concerned of the proposed access and [unless the State Party concerned explicitly disclaims the proposed access within [30] days after the above notification, the proposal may be deemed to be consented to].]
9. [Wherever possible] [the Secretariat] shall avoid the transmission of [(level) to be specified] confidential information in telephone conversations, by electronic means or fax/telex to or from locations outside of [the Secretariat] [unless it is enciphered (coded) (scrambled)].
(F) HANDLING OF SENSITIVE INFORMATION ON THE PREMISES OF STATES PARTIES
[10. Data required by the States Parties to be assured of the continued compliance with the Convention and this Protocol by other States Parties shall be [routinely] [, upon request,] provided to them. Such data shall encompass:
BWC/AD HOC GROUP/WP.265
page 5
(a) The initial and annual declarations provided by States Parties under Article III and relevant Annexes and Appendices;
(b) General reports on the results and effectiveness of verification activities; and
(c) Information to be supplied to all States Parties in accordance with the provisions of this Protocol.]
11. Each State Party shall protect information which it receives from [the Organization] at the same level of confidentiality established for that information. Upon request, a State Party shall provide details on the [manner in which] information provided to it by [the Organization] [is to be handled].
12. [The Secretariat] shall [upon] the request of the States Parties [be prepared to] examine information and data which the States Parties regard as being of particular sensitivity in a special manner. Such information and data would not [in any case] have to be physically transmitted to [the Secretariat], provided that it remained available for ready further examination by [the Secretariat] on premises of the States Parties.
(G) OBLIGATIONS FOR INTENDED RELEASE OF CONFIDENTIAL INFORMATION
13. No confidential information obtained by [the Secretariat] in connection with the implementation of this Convention shall be published or otherwise released, except [as follows:]
(i) The information is summarized in a way that the resulting information is no longer of a confidential nature [with the consent of the State Party concerned];
(ii) All States Parties directly concerned explicitly agree to the publication/release;
[(iii) The information is - in accordance with the provisions set forth in [this Protocol] - required by the States Parties to be assured of the continued compliance with this Convention by other States Parties [. This information shall include declarations made under Article ... of this Protocol.];]
[(iv) [After carefully weighing up,] [in the judgement of the Director-General] the release is necessary to fulfil [the Organization's] obligations under this Protocol.]
[13 bis. No information obtained by [the Secretariat] in connection with the implementation of this Protocol shall be published or otherwise released, except as follows ;
BWC/AD HOC GROUP/WP.265
page 6
(a) General information on the implementation of this Protocol may be compiled and released publicly in accordance with the decisions of the Conference or the Executive Council;
(b) Any information may be released with the express consent of the State Party to which the information refers ;
(c) Information classified as confidential shall be released by the Organization only through procedures which ensure that the release of information only occurs in strict conformity with the needs of this Protocol. Such procedures shall be considered and approved by the Conference pursuant to Article IX, paragraph 21 (h).]
[14. [If necessary to fulfil its obligations under this Protocol,] [the Secretariat] may grant access to information and data classified as confidential to entities or individuals not staff of [the Secretariat] only on specific approval by [the Director-General] [the head of the Confidentiality Unit]. [The Secretariat] shall notify a State Party [at least 30 days] before any such access is intended.]
Notes
1. This provision is without prejudice to further discussion on the availability to States Parties of initial and annual declarations made under Article III.
2. "[The Organization] shall not process, handle or distribute information or data supplied to it in confidence by States Parties until the regime has been approved by [the Conference]" is a possible alternative formulation for the sentence.
---------