ANNEX E
CONFIDENTIALITY PROVISIONS
I. GENERAL PRINCIPLES FOR THE HANDLING OF CONFIDENTIAL INFORMATION
(A) THE CONFIDENTIALITY REGIME
1. In order to establish and maintain the regime governing the handling of confidential information pursuant to Article IV (hereinafter referred to as "the Confidentiality Regime"), an appropriate unit of the Technical Secretariat (hereinafter referred to as "the Confidentiality Unit") under the direct responsibility of the Director-General shall be charged with overall supervision of the administration of confidentiality provisions.
2. The Confidentiality Regime shall be considered and approved by the Conference. The Organization shall not process, handle or distribute information or data supplied to it in confidence by States Parties until the regime has been approved by the Conference.
3. The Executive Council shall establish a sub-committee in accordance with its rules of procedure to monitor and make recommendations on the Confidentiality Regime being applied by the Technical Secretariat.
4. Subsequently, the Director-General shall report annually to the Conference on the implementation of the Confidentiality Regime by the Technical Secretariat.
(B) THE ESTABLISHMENT OF A CLASSIFICATION SYSTEM
5. A classification system shall be introduced, which shall provide for clear criteria ensuring the inclusion of information into appropriate categories of confidentiality and the justified durability of the confidential nature of information. While providing for the necessary flexibility in its implementation, the classification system shall protect the right of States Parties providing confidential information. The classification system shall be considered and approved by the Conference pursuant to Article IX, paragraph 22 (i).
6. Each State Party from which information was received or to which information refers shall have the right, in consultation with the Confidentiality Unit as the State Party may consider appropriate, to classify such information in accordance with the classification system. Any such classification shall be binding for the Organization.
(C) CRITERIA FOR CLASSIFICATION AS CONFIDENTIAL
7. The essential factors to be considered in determining the classification of an item of information are as follows:
(a) The degree of potential damage which its disclosure could cause to a State Party, a natural or legal person of a State Party, or to the Protocol or the Organization; and
(b) The degree of potential advantage its disclosure could offer to a State, or to a natural or legal person.
(D) ACCESS TO CONFIDENTIAL INFORMATION
8. Access to confidential information shall be regulated in accordance with its classification and shall be on a need-to-know basis.
9. Not less than 30 days before an employee is given clearance for access to confidential information that refers to activities on the territory or in any other place under the jurisdiction or control of a State Party, the State Party concerned shall be notified of the proposed clearance. The proposal shall be regarded as accepted unless the State Party declares within 30 days its non-acceptance in writing. Individuals on the list of designated personnel as provided for in Annex D, section I, paragraphs 1 to 16 after acceptance by States Parties, shall be deemed to have fulfilled this requirement.
10. [If necessary to fulfil its obligations under this Protocol, the Technical Secretariat may grant access to information and data classified as confidential to entities or individuals outside the Technical Secretariat. Such access] [The information and data classified as confidential shall not be made available outside the Organization. In case such access is requested, it] shall be strictly limited to the minimum necessary and shall be granted only on specific approval by the Director-General accompanied by explicit consent of the State Party concerned as well as on the basis of a specific secrecy agreement and in conformity with the procedures of the Confidentiality Regime.
11. Each access to confidential information at the Technical Secretariat shall be recorded on file when accessing and exiting. This record shall be retained for 10 years.
12. To the greatest extent consistent with the effective implementation of the provisions under this Protocol, confidential information shall be handled and stored by the Technical Secretariat in a form that precludes direct identification of the facility to which it pertains.
(E) OBLIGATIONS FOR INTENDED RELEASE OF CONFIDENTIAL INFORMATION
13. No confidential information obtained by the Technical Secretariat in connection with the implementation of this Protocol shall be published or otherwise released, except as follows:
(a) Any information may be released with the express consent of the State Party from which the information was received and the State Party to which the information refers;
(b) Information classified as confidential shall be released by the Organization only through procedures which ensure that the release of information only occurs in strict conformity with the needs of this Protocol. Such procedures shall be considered and approved by the Conference pursuant to Article IX, paragraph 22 (i).
II. CONDITIONS OF STAFF EMPLOYMENT RELATING TO THE PROTECTION OF CONFIDENTIAL INFORMATION
(A) GENERAL REQUIREMENTS
1. Conditions of staff employment shall be such as to ensure that access to and handling of confidential information shall be in conformity with the procedures established by the Director-General in accordance with this Protocol and its Annexes.
2. Each position in the Technical Secretariat shall be governed by a formal position description that specifies, inter alia, the scope of access to confidential information, if any, needed in that position.
3. In the discharge of their functions, staff members of the Technical Secretariat shall only request information and data which are necessary to carry out their duties and avoid to the extent possible any access to information and data unrelated to the discharge of their duties. They shall not make any records of such information collected incidentally and not related to the requirements of their duties.
(B) INDIVIDUAL SECRECY AGREEMENTS
4. The Director-General and the other members of the staff shall enter into individual secrecy agreements with the Technical Secretariat in which each staff member shall agree not to disclose during the period of employment and for an unlimited period after termination of the staff member's functions, to any unauthorized State, organization or person any confidential information coming to the staff member's knowledge in the performance of official duties, unless the information has been declassified or officially released by the Organization.
(C) CODE OF CONDUCT
5. No staff member shall, except with explicit approval of the Director-General:
(a) Issue statements to the press, radio or other media of public information;
(b) Accept or keep speaking engagements;
(c) Take part in film, theatre, radio or television productions or presentations;
(d) Submit articles, books or other material for publication;
related to the activities of the Organization.
6. In order to avoid unauthorized disclosures, staff members shall be appropriately advised and reminded about confidentiality considerations and of the possible penalties that they would incur in the event of improper disclosure.
7. In evaluating the performance of staff members of the Technical Secretariat, specific attention shall be given to the employee's record regarding protection of confidential information.
[(D) OBLIGATIONS OF OBSERVERS AND THE REQUESTING STATE PARTY SENDING AN OBSERVER
[8. The requesting State Party shall ensure that an observer sent in accordance with Annex D, section I, subsection D, complies with and is individually bound by all relevant provisions of this Protocol. If any confidential information is disclosed to or acquired by the observer, in addition to and without diminishing the observer's own individual responsibility, the requesting State Party shall also become responsible for the handling and protection of that information in accordance with this Protocol.]]
III. PROCEDURES IN CASE OF BREACHES OR ALLEGED BREACHES OF CONFIDENTIALITY
(A) OBLIGATION FOR INQUIRY
1. The Director-General shall establish procedures to be followed in case of breaches or alleged breaches of confidentiality, which shall be considered and approved by the Conference pursuant to Article IX, paragraph 22 (i). The Director-General shall also implement decisions of the Conference of States Parties amending the procedures related to the issue of breaches or alleged breaches of confidentiality.
2. The Director-General shall promptly initiate an inquiry when there is indication that obligations concerning the protection of confidential information have been violated. The Director-General shall also promptly initiate an inquiry if an allegation concerning a breach of confidentiality is made by a State Party.
3. In case of an allegation of a breach of confidentiality, States Parties and/or staff members which are named in the allegation or which might be involved in the alleged breach shall be informed of that allegation immediately. The Director-General shall hold consultations with the concerned States Parties in the course of the inquiry.
4. States Parties shall, to the extent possible, cooperate with and support the Director- General in conducting an inquiry of any breach or alleged breach of confidentiality and in taking appropriate action in accordance with applicable laws and regulations in case a breach has been established.
5. An inquiry shall result in a written report, which shall remain confidential and be subject to the application of the need-to-know principle. The Director-General shall, upon request, provide the report to the States Parties concerned. The results of the inquiry shall be reported to the Conference of the States Parties in a form from which specific confidential material has been removed to ensure that confidential information connected with a breach is not further disclosed beyond its authorized scope of access, and to respect those elements of the privacy of the individual staff members not relevant to the case.
(B) INTERIM MEASURES
6. The Director-General may take interim measures any time after the commencement of the inquiry in order to prevent further damage. These measures may include withdrawal of personnel concerned from specific functions, denial of access to certain information and, in serious cases, temporary suspension, pending completion of procedures contained in this section.
(C) MEASURES IN CASE OF BREACHES OR ALLEGED BREACHES
7. In case of a breach or an alleged breach of confidentiality by an agent or official of a State Party or by a staff member of the Technical Secretariat, consultations shall be held between the States Parties concerned or between the Organization and States Parties concerned to address the case. If such consultations are not concluded to the satisfaction of the parties involved within 60 days, each State Party shall have the right to initiate the proceedings of the Confidentiality Commission to consider the case. The Commission shall seek to settle the case through mediation, inquiry, conciliation, arbitration or other peaceful means. The Commission may request the Director-General to submit the result of the inquiry.
8. When the inquiry pursuant to paragraph 2 establishes that there has been a breach of confidentiality by a staff member of the Technical Secretariat, Article IV, paragraph 6, and section E of Article IX shall apply.