Biological and Toxin Weapons Convention (BTWC) Database
Rolling text - Annexes E and F
(pages 206 to 217)
Ad Hoc Group 11th Session
BWC/AD HOC/41
Annex I
pages 206 - 217
E. CONFIDENTIALITY PROVISIONS
I. GENERAL PRINCIPLES FOR THE HANDLING OF CONFIDENTIAL INFORMATION
[(A) GENERAL PRINCIPLE
1. Pursuant to the general obligations set forth in Article IV, [the Organization] shall require only the minimum amount of information and data necessary for the timely and efficient carrying out of its responsibilities under this Protocol and shall avoid any access to [confidential] information and data not related to the aims of this Protocol. [The Organization] shall develop agreements and regulations to implement the provisions of this Protocol and shall specify as precisely as possible the information to which [the Organization] shall be given access by a State Party. Confidential information shall only be disseminated in accordance with the provisions set forth in section V of this annex.]
[(A) THE NEED-TO-KNOW PRINCIPLE
1 bis Access to confidential information shall be regulated in accordance with its classification and shall be [strictly] on a need-to-know basis.] [Each access to confidential information shall be recorded on file when accessing and exiting. This record shall be retained for [(time period to be specified)].]
(B) THE CONFIDENTIALITY REGIME
2. [ In order to establish and maintain the regime governing the handling of confidential information pursuant to Article IV (hereinafter referred to as "the Confidentiality Regime"), an appropriate unit of [the Secretariat] [(hereinafter referred to as "the Confidentiality Unit")] under the direct responsibility of the Director-General shall be charged with overall supervision of the administration of confidentiality provisions.]
3. The Confidentiality Regime shall be considered and approved by [the Conference]. [The Organization] shall not process, handle or distribute information or data supplied to it in confidence by States Parties until the regime has been approved by [the Conference].122
4. Subsequently, the Director-General shall report [annually] to the [Conference] [Executive] [Consultative] [Council] on the implementation of the Confidentiality Regime by the [Secretariat].
5. To the greatest extent consistent with the effective implementation of the provisions under this Protocol, confidential information shall be handled and stored in a form that precludes direct identification of the facility to which it pertains, if handled outside the Confidentiality Unit.
[6. [If necessary to fulfil its obligations under this Protocol,] the [Secretariat] may grant access to information and data classified as confidential to entities or individuals not on the staff of the [Secretariat] only on specific approval by [the Director-General] [the head of the Confidentiality Unit] accompanied by consent of the State Party concerned. The [Secretariat] shall notify the State Party concerned of the proposed access and [unless the State Party concerned explicitly disclaims the proposed access within [30] days after the above notification, the proposal may be deemed to be consented to].]
(C) THE ESTABLISHMENT OF A CLASSIFICATION SYSTEM
7. A classification system shall be introduced, which shall provide for clear criteria ensuring the inclusion of information into appropriate categories of confidentiality and the justified durability of the confidential nature of information. While providing for the necessary flexibility in its implementation the classification system shall protect the right of States Parties providing confidential information. The classification system shall be considered and approved by the Conference pursuant to Article IX, paragraph 24 (h).
8. Each State Party from which information was received or to which information refers shall have the right, in due consultation with the [appropriate] [confidentiality] unit as the party may consider appropriate, to classify such information in accordance with the classification system. Any such classification shall be binding for the Organization.123
[9. All data and documents, excluding purely administrative documents, obtained or produced by [the Secretariat] [in implementation of its duties] shall be evaluated by the [appropriate] [confidentiality] unit in order to establish whether they contain confidential information. If confidential information is contained, the [appropriate] [confidentiality] unit shall classify this information according to the classification system in consultation with States Parties concerned and provided that the State Party of which the information was obtained has not already classified that information.]
(D) CRITERIA FOR [CONFIDENTIALITY] [CLASSIFICATION]
10. The essential factors to be considered in determining the level of classification of an item of information are as follows:
(a) The degree of potential damage which its disclosure could cause to a State Party, any other body of a State Party, including a commercial firm or to any national of a State Party, or to the Protocol or [the Organization]; and
(b) The degree of potential, particular or selective advantage, its disclosure could offer to an individual, a State, or any other body, including a commercial firm.
II. CONDITIONS OF STAFF EMPLOYMENT RELATING TO THE
PROTECTION OF CONFIDENTIAL INFORMATION
(A) GENERAL REQUIREMENTS
1. Conditions of staff employment shall be such as to ensure that access to and handling of confidential information shall be in conformity with [the procedures established by the Director-General] in accordance with this Protocol and its Annexes.
2. Each position in the Technical [Secretariat] [Body] shall be governed by a formal position description that specifies, inter alia, the scope of access to confidential information, if any, needed in that position.
3. In the discharge of their functions employees of the Technical [Secretariat] [Body] shall only request the information and data which are necessary to carry out their duties [and avoid any access to information and data unrelated to the discharge of their duties]. They shall not make any records of information collected incidentally and not related to the requirements of their duties
(B) INDIVIDUAL SECRECY AGREEMENTS
4. [The Director-General and the other members of] the staff shall enter into individual secrecy agreements with the Technical [Secretariat] [Body] in which each staff member shall agree not to disclose during the period of employment and for a [unlimited] period of [5] [10] years after termination of the staff member´s functions, to any unauthorized State, organization or person any confidential information coming to the staff member´s knowledge in the performance of official duties.
(C) CODE OF CONDUCT
5. Each staff member shall be obliged to abstain from any kind of public pronouncement, which might adversely reflect on his or her status or on his or her integrity, independence or impartiality, [or from revealing any confidential information].124
6. No staff member shall, except with explicit approval of the Director-General:
(a) Issue statements to the press, radio or other media of public information;
(b) Accept or keep speaking engagements;
(c) Take part in film, theatre, radio or television productions or presentations;
(d) Submit articles, books or other material for publication;
related to the activities of [the Organization].125
7. In order to avoid unauthorized disclosures, members of investigation teams and all staff members shall be appropriately advised and reminded about security considerations and of the possible penalties that they would incur in the event of improper disclosure.
[8. In evaluating the performance of members of investigation teams and all employees of the Technical [Secretariat] [Body], specific attention shall be given to the employee's record regarding protection of confidential information.]
III. MEASURES TO PROTECT CONFIDENTIAL INFORMATION [OBTAINED] IN THE COURSE OR AS A RESULT OF ON-SITE ACTIVITIES126
(A) PRINCIPLE OF LEAST INTRUSIVE ACTION
1. Investigating or visiting teams shall be guided by the principle of conducting on-site activities and investigations in the least intrusive manner consistent with the timely and effective accomplishment of their mission. [In particular, the number, duration and intensity of on-site activities [visits] [and investigations] actually carried out shall be kept to the minimum necessary.] [Investigating or visiting teams shall [at any time] take into consideration proposals which may be made by the States Parties to keep the amount of confidential information coming to their knowledge to the minimum necessary.]
[2. Members of the investigating or visiting team shall strictly abide by the provisions set forth in Article IV and relevant Annexes governing the conduct of investigations. They shall respect the procedures designed to protect sensitive installations and to prevent the disclosure of confidential data.]
3. In conducting its activities, the Technical [Secretariat] [Body] shall avoid undue intrusion into the States Parties' activities not prohibited under the Convention.
[4. Confidential information including, inter alia, photographs, plans and other documents required only for the purpose of on-site activities of a specific facility or for which special investigation according to Annex E, section I, paragraph 13, was requested by a State Party shall, to the extent possible, be stored with [the National Authority] of the State Party or be kept under lock and key at the facility to which it pertains.]
(B) [ESCORT] [OBSERVATION OF ON-SITE ACTIVITIES]
5. Each investigated [/visited] State Party shall have the right to have investigators and [inspection assistants] accompanied during their inspections by representatives of that State Party, provided that investigators shall not thereby be delayed or otherwise impeded in the exercise of their functions.
6. The representative of the investigated [/visited] State Party shall have the right to observe all on-site activities carried out by the investigating or visiting team.
(C) PROTECTION OF SENSITIVE INFORMATION AND EQUIPMENT
7. Pursuant to Article IV, paragraph 3, each State Party may, when receiving an investigation [or visit], indicate to the investigating [or visiting] team the equipment, documentation or areas that it considers sensitive and not related to the purpose of the investigation [or visit]. [The investigating [or visiting] team shall avoid any access to that equipment, documentation or areas, provided that it agrees that the access is not necessary to fulfil the obligations of the investigating [or visiting] team.] Likewise, the investigating [or visiting] team shall not make any records of information collected incidentally and not related to their mandate.
8. If removal of information or data from a facility is necessary to achieve timely and effective implementation under [this Protocol], the amount of information and data to be removed from a facility shall be kept to the minimum necessary.
[(D) PROTECTION OF SAMPLES
9. The Director-General shall have the primary responsibility for ensuring that the confidentiality of samples during the transfer to designated laboratories for analysis off-site is protected. The Director-General shall do so in accordance with procedures to be considered and approved by [the Conference] pursuant to ... of [this Protocol].
10. Designated laboratories shall enter into specific secrecy agreements confirming the obligations established within ... of [this Protocol] governing sampling procedures and process of analysis.]
[(E) REPORTS
11. The report to be prepared after each investigation shall contain only facts relevant to compliance with [this Protocol].
12. The report shall be handled in accordance with the regulations established by the Confidentiality Unit governing the handling of confidential information. If necessary, the information contained in the report shall be processed into less sensitive forms, before it is transmitted outside the Technical [Secretariat] [Body] or the inspected State Party, respectively.]
IV. PROCEDURES IN CASE OF BREACHES OR ALLEGED BREACHES
OF CONFIDENTIALITY
[(A) BREACH OF CONFIDENTIALITY
1. A breach of confidentiality shall include, inter alia, any unauthorized disclosure of confidential information held by [the Organization] to any State, organization or unauthorized person, [regardless of the intention or the consequences of the disclosure]. A breach of confidentiality shall also be associated with misuse of confidential information to gain a personal advantage or [to benefit] or damage the interests of a third party.]
(B) OBLIGATION FOR INQUIRY
2. The Director-General shall establish procedures to be followed in case of breaches or alleged breaches of confidentiality, which shall be considered and approved by [the Conference] pursuant to Article IX, paragraph 24 (h). The Director-General shall also implement decisions of the [Conference of] States Parties amending the procedures related to the issue of breaches or alleged breaches of confidentiality.
3. The Director-General shall promptly initiate an inquiry, following sufficient indication that there has been a violation of an obligation to protect confidential information on the part of:
(a) A staff member of the Technical [Secretariat] [Body]; or(b) An agent or official of a State Party.
[3 bis The Director-General shall promptly initiate an inquiry if, in his or her judgement, there is sufficient indication that obligations concerning the protection of confidential information have been violated. The Director-General shall also promptly initiate an inquiry if an allegation concerning a breach of confidentiality is made a State Party.]
4. In case of an allegation of a breach of confidentiality, States Parties and/or staff members which are named in the allegation or which might be involved in the alleged breach or violation shall be informed of that allegation immediately.
5. (a) When the inquiry pursuant to paragraph 3 establishes that there has been a breach of confidentiality, the Director-General shall, in case of (a) of paragraph 3, impose appropriate punitive and disciplinary measures on staff members who have violated their obligations to protect confidential information in accordance with the Staff Rules and Regulations.
(b) In case of a breach of confidentiality by a person referred to in (b) of paragraph 3, consultations shall be held between the Organization and States Parties concerned to address the case.
6. [In cases where a State Party considers that there has been a breach of confidentiality by a staff member of the Technical [Secretariat] [Body], consultations shall be held between the Director-General and the State Party, and the Director-General shall initiate promptly an inquiry. If such consultations are not concluded successfully [within 60 days], the State Party shall have the right to initiate the proceedings of the] [For breaches involving both a State Party and the [Organization], a ] Confidentiality Commission, set up in accordance with paragraph 7, Article IV and paragraph 24 (j), Article IX of this Protocol, [to] [shall] consider the case. The Commission shall seek to settle the case through mediation, enquiry, conciliation, arbitration or other peaceful means. The Commission may request the Director-General to submit the result of the inquiry to the extent possible.
7. States Parties shall, to the extent possible, cooperate with and support the Director-General in conducting an inquiry of any breach or alleged breach of confidentiality and in taking appropriate action in accordance with applicable laws and regulations in case a breach has been established.
8. An inquiry shall result in a written report, which shall, if necessary, remain confidential and be subject to the strict application of the need-to-know principle. If necessary, the results of the inquiry shall be reported to the Conference of the States Parties.
(C) INTERIM MEASURES
9. The Director-General may take interim measures any time after the commencement of the inquiry in order to prevent further damage. These measures may include withdrawal of personnel concerned from specific functions, denial of access to certain information and, in serious cases, temporary suspension, pending completion of procedures contained in this Section.
[(D) OBLIGATIONS OF OBSERVERS AND OTHER AUTHORIZED INDIVIDUALS OR ENTITY BEYOND THE TECHNICAL [SECRETARIAT] [BODY]
[10. The requesting State Party shall ensure that an observer according to Annex D, section I, subsection (E) complies with and is individually bound by all relevant provisions of this Protocol. Once any confidential information is disclosed to or acquired by the observer, in addition to and without diminishing the observer's own individual responsibility, the requesting State Party shall also become responsible for the handling and protection of that information in accordance with this Protocol.
11. Paragraphs [...] shall apply, mutatis mutandis, to observers and other authorized individuals or entity beyond the Technical [Secretariat] [Body].]]
V. PROCEDURES TO PROTECT CONFIDENTIAL INFORMATION
(A) HANDLING OF CONFIDENTIAL INFORMATION
[1. Not less than 30 days before an employee is given clearance for access to confidential information that refers to activities on the territory or in any other place under the jurisdiction or control of a State Party, the State Party concerned shall be notified of the proposed clearance. For members of the investigation team the notification of a proposed designation in accordance with ... to individual States Parties shall fulfil this requirement.]
(B) HANDLING OF SENSITIVE INFORMATION ON THE PREMISES OF STATES PARTIES
2. Each State Party shall protect information which it receives from [the Organization] according to the level of confidentiality established for that information. Upon request, a State Party shall provide details on the manner in which information provided to it by [the Organization] is handled.
[3. [The Secretariat] shall upon the request of a State Party [be prepared to] examine in an appropriate manner information and data which the State Party regards as being of particular sensitivity. Such information and data would not necessarily have to be physically transmitted to [the Secretariat], provided that it remained available for ready further examination by [the Secretariat] on premises of the State Party.]127
(C) OBLIGATIONS FOR INTENDED RELEASE OF CONFIDENTIAL INFORMATION
4. No confidential information obtained by [the Secretariat] in connection with the implementation of this Protocol shall be published or otherwise released, except as follows:
[(a) General information on the implementation of this Protocol may be compiled and released publicly in accordance with the decisions of the Conference or the [Executive] [Consultative] [Council];]
(b) Any information may be released with the express consent of the State Party to which the information refers;
(c) Information classified as confidential shall be released by [the Organization] only through procedures which ensure that the release of information only occurs in strict conformity with the needs of this Protocol. Such procedures shall be considered and approved by the Conference pursuant to Article IX, paragraph 24 (h).
VI. PROCEDURES FOR ARCHIVING OF CONFIDENTIAL INFORMATION
F. SCIENTIFIC AND TECHNOLOGICAL EXCHANGE FOR PEACEFUL
PURPOSES AND TECHNICAL COOPERATION
Notes
122. This provision is made without prejudice to further discussion on the availability to States Parties of initial and annual declarations made under Article III.
123. There is a need to reconsider this in light of whether the declarations will contain confidential information.
124. A view was expressed that paragraphs 5 and 6 are too detailed and should be left to internal rules (Confidentiality Policy) of the future Organization.
125. Ibid.
126. A view was expressed that it may be more appropriate to address these issues in section F of Article III and the corresponding sections of the Annex.
127. A view was expressed that this is already dealt with under the managed access provisions.
File updated 24 May 1999.