ANNEX I
PERSONNEL SECURITY
I. INTRODUCTION
1.
This Annex sets out provisions for implementing Article 7. It lays down criteria for determining whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to have access to EUCI and the investigative and administrative procedures to be followed to that effect.
II. GRANTING ACCESS TO EUCI
2.
An individual shall only be granted access to classified information after:
(a)
his need-to-know has been determined;
(b)
he has been briefed on the security rules and procedures for protecting EUCI and has acknowledged his responsibilities with regard to protecting such information; and
(c)
in the case of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above:
—
he has been granted a PSC to the relevant level or is otherwise duly authorised by virtue of his functions in accordance with national laws and regulations, or
—
in the case of GSC officials, other servants or seconded national experts, he has been given authorisation for access to EUCI by the GSC Appointing Authority in accordance with paragraphs 16 to 25 up to a specified level and up to a specified date.
3.
Each Member State and the GSC shall identify the positions in their structures which require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above and therefore require security clearance to the relevant level.
III. PERSONNEL SECURITY CLEARANCE REQUIREMENTS
4.
After having received a duly authorised request, NSAs or other competent national authorities shall be responsible for ensuring that security investigations are carried out on their nationals who require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above. Standards of investigation shall be in accordance with national laws and regulations with a view to issuing a PSC or providing an assurance for the individual to be granted authorisation for access to EUCI, as appropriate.
5.
Should the individual concerned reside in the territory of another Member State or of a third State, the competent national authorities shall seek assistance from the competent authority of the State of residence in accordance with national laws and regulations. Member States shall assist one another in carrying out security investigations in accordance with national laws and regulations.
6.
Where permissible under national laws and regulations, NSAs or other competent national authorities may conduct investigations on non-nationals who require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above. Standards of investigation shall be in accordance with national laws and regulations.
Security investigation criteria
7.
The loyalty, trustworthiness and reliability of an individual for the purposes of being security cleared for access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be determined by means of a security investigation. The competent national authority shall make an overall assessment based on the findings of such a security investigation. The principal criteria used for that purpose include, to the extent possible under national laws and regulations, an examination of whether the individual:
(a)
has committed or attempted to commit, conspired with or aided and abetted another to commit any act of espionage, terrorism, sabotage, treason or sedition;
(b)
is, or has been, an associate of spies, terrorists, saboteurs, or of individuals reasonably suspected of being such or an associate of representatives of organisations or foreign states, including foreign intelligence services, which may threaten the security of the Union and/or Member States unless these associations were authorised in the course of official duty;
(c)
is, or has been, a member of any organisation which by violent, subversive or other unlawful means seeks, inter alia, to overthrow the government of a Member State, to change the constitutional order of a Member State or to change the form or the policies of its government;
(d)
is, or has been, a supporter of any organisation described in point (c), or who is, or who has been closely associated with members of such organisations;
(e)
has deliberately withheld, misrepresented or falsified information of significance, particularly of a security nature, or has deliberately lied in completing a personnel security questionnaire or during the course of a security interview;
(f)
has been convicted of a criminal offence or offences;
(g)
has a history of alcohol dependence, use of illegal drugs and/or misuse of legal drugs;
(h)
is or has been involved in conduct which may give rise to the risk of vulnerability to blackmail or pressure;
(i)
by act or through speech, has demonstrated dishonesty, disloyalty, unreliability or untrustworthiness;
(j)
has seriously or repeatedly infringed security regulations; or has attempted, or succeeded in, unauthorised activity in respect of communication and information systems; and
(k)
may be liable to pressure (e.g. through holding one or more non-EU nationalities or through relatives or close associates who could be vulnerable to foreign intelligence services, terrorist groups or other subversive organisations, or individuals whose aims may threaten the security interests of the Union and/or Member States).
8.
Where appropriate and in accordance with national laws and regulations, an individual’s financial and medical background may also be considered relevant during the security investigation.
9.
Where appropriate and in accordance with national laws and regulations, a spouse’s, cohabitant’s or close family member’s conduct and circumstances may also be considered relevant during the security investigation.
Investigative requirements for access to EUCI
Initial granting of a security clearance
10.
The initial security clearance for access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET shall be based on a security investigation covering at least the last 5 years, or from age 18 to the present, whichever is the shorter, which shall include the following:
(a)
the completion of a national personnel security questionnaire for the level of EUCI to which the individual may require access; once completed, this questionnaire shall be forwarded to the competent security authority;
(b)
identity check/citizenship/nationality status — the individual’s date and place of birth shall be verified and his identity checked. Citizenship status and/or nationality, past and present, of the individual shall be established; this shall include an assessment of any vulnerability to pressure from foreign sources, for example, due to former residence or past associations; and
(c)
national and local records check — a check shall be made of national security and central criminal records, where the latter exist, and/or other comparable governmental and police records. The records of law enforcement agencies with legal jurisdiction where the individual has resided or been employed shall be checked.
11.
The initial security clearance for access to information classified TRÈS SECRET UE/EU TOP SECRET shall be based on a security investigation covering at least the last 10 years, or from age 18 to the present, whichever is the shorter. If interviews are conducted as stated in point (e), investigations shall cover at least the last 7 years, or from age 18 to the present, whichever is the shorter. In addition to the criteria indicated in paragraph 7 above, the following elements shall be investigated, to the extent possible under national laws and regulations, before granting a TRÈS SECRET UE/EU TOP SECRET PSC; they may also be investigated before granting a CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET PSC, where required by national laws and regulations:
(a)
financial status — information shall be sought on the individual’s finances in order to assess any vulnerability to foreign or domestic pressure due to serious financial difficulties, or to discover any unexplained affluence;
(b)
education — information shall be sought to verify the individual’s educational background at schools, universities and other education establishments attended since his 18th birthday, or during a period judged appropriate by the investigating authority;
(c)
employment — information covering present and former employment shall be sought, reference being made to sources such as employment records, performance or efficiency reports and to employers or supervisors;
(d)
military service — where applicable, the service of the individual in the armed forces and type of discharge shall be verified; and
(e)
interviews — where provided for and admissible under national law, an interview or interviews shall be conducted with the individual. Interviews shall also be conducted with other individuals who are in a position to give an unbiased assessment of the individual’s background, activities, loyalty, trustworthiness and reliability. When it is national practice to ask the subject of the investigation for referrals, referees shall be interviewed unless there are good reasons for not doing so.
12.
Where necessary and in accordance with national laws and regulations, additional investigations may be conducted to develop all relevant information available on an individual and to substantiate or disprove adverse information.
Renewal of a security clearance
13.
After the initial granting of a security clearance and provided that the individual has had uninterrupted service with a national administration or the GSC and has a continuing need for access to EUCI, the security clearance shall be reviewed for renewal at intervals not exceeding 5 years for a TRÈS SECRET UE/EU TOP SECRET clearance and 10 years for SECRET UE/EU SECRET and CONFIDENTIEL UE/EU CONFIDENTIAL clearances, with effect from the date of notification of the outcome of the last security investigation on which they were based. All security investigations for renewing a security clearance shall cover the period since the previous such investigation.
14.
For renewing security clearances, the elements outlined in paragraphs 10 and 11 shall be investigated.
15.
Requests for renewal shall be made in a timely manner taking account of the time required for security investigations. Nevertheless, where the relevant NSA or other competent national authority has received the relevant request for renewal and the corresponding personnel security questionnaire before a security clearance expires, and the necessary security investigation has not been completed, the competent national authority may, where admissible under national laws and regulations, extend the validity of the existing security clearance for a period of up to 12 months. If, at the end of this 12-month period, the security investigation has still not been completed, the individual shall be assigned to duties which do not require a security clearance.
Authorisation procedures in the GSC
16.
For officials and other servants in the GSC, the GSC Security Authority shall forward the completed personnel security questionnaire to the NSA of the Member State of which the individual is a national requesting that a security investigation be undertaken for the level of EUCI to which the individual will require access.
17.
Where information relevant for a security investigation becomes known to the GSC concerning an individual who has applied for a security clearance for access to EUCI, the GSC, acting in accordance with the relevant rules and regulations, shall notify the relevant NSA thereof.
18.
Following completion of the security investigation, the relevant NSA shall notify the GSC Security Authority of the outcome of such an investigation, using the standard format for the correspondence prescribed by the Security Committee.
(a)
Where the security investigation results in an assurance that nothing adverse is known which would call into question the loyalty, trustworthiness and reliability of the individual, the GSC Appointing Authority may grant the individual concerned authorisation for access to EUCI up to the relevant level until a specified date.
(b)
Where the security investigation does not result in such an assurance, the GSC Appointing Authority shall notify the individual concerned, who may ask to be heard by the Appointing Authority. The Appointing Authority may ask the competent NSA for any further clarification it can provide according to its national laws and regulations. If the outcome is confirmed, authorisation shall not be granted for access to EUCI.
19.
The security investigation together with the results obtained shall be subject to the relevant laws and regulations in force in the Member State concerned, including those concerning appeals. Decisions by the GSC Appointing Authority shall be subject to appeals in accordance with the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 ( 1 ) (‘the Staff Regulations and Conditions of Employment’).
20.
National experts seconded to the GSC for a position requiring access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall present a valid Personnel Security Clearance Certificate (PSCC) for access to EUCI to the GSC Security Authority prior to taking up their assignment, on the basis of which the Appointing Authority shall issue an authorisation for access to EUCI.
21.
The GSC will accept the authorisation for access to EUCI granted by any other Union institution, body or agency, provided it remains valid. Authorisation will cover any assignment by the individual concerned within the GSC. The Union institution, body or agency in which the individual is taking up employment will notify the relevant NSA of the change of employer.
22.
If an individual’s period of service does not commence within 12 months of the notification of the outcome of the security investigation to the GSC Appointing Authority, or if there is a break of 12 months in an individual’s service, during which time he has not been employed in the GSC or in a position with a national administration of a Member State, this outcome shall be referred to the relevant NSA for confirmation that it remains valid and appropriate.
23.
Where information becomes known to the GSC concerning a security risk posed by an individual who has authorisation for access to EUCI, the GSC, acting in accordance with the relevant rules and regulations, shall notify the relevant NSA thereof and may suspend access to EUCI or withdraw authorisation for access to EUCI.
24.
Where an NSA notifies the GSC of withdrawal of an assurance given in accordance with paragraph 18(a) for an individual who has authorisation for access to EUCI, the GSC Appointing Authority may ask for any clarification the NSA can provide according to its national laws and regulations. If the adverse information is confirmed, authorisation shall be withdrawn and the individual shall be excluded from access to EUCI and from positions where such access is possible or where he might endanger security.
25.
Any decision to withdraw or suspend an authorisation from a GSC official or other servant for access to EUCI and, where appropriate, the reasons for doing so shall be notified to the individual concerned, who may ask to be heard by the Appointing Authority. Information provided by an NSA shall be subject to the relevant laws and regulations in force in the Member State concerned, including those concerning appeals. Decisions by the GSC Appointing Authority shall be subject to appeals in accordance with the Staff Regulations and Conditions of Employment.
Records of security clearances and authorisations
26.
Records of PSCs and authorisations granted for access to information classified as CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be maintained respectively by each Member State and by the GSC. These records shall contain as a minimum the level of EUCI to which the individual may be granted access, the date the security clearance was granted and its period of validity.
27.
The competent security authority may issue a PSCC showing the level of EUCI to which the individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant PSC for access to EUCI or authorisation for access to EUCI and the date of expiry of the certificate itself.
Exemptions from the PSC requirement
28.
Access to EUCI by individuals in Member States duly authorised by virtue of their functions shall be determined in accordance with national laws and regulations; such individuals shall be briefed on their security obligations in respect of protecting EUCI.
IV. SECURITY EDUCATION AND AWARENESS
29.
All individuals who have been granted a security clearance shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the Member State and by the GSC, as appropriate.
30.
All individuals who are authorised to have access to, or required to handle EUCI, shall initially be made aware, and periodically briefed on the threats to security and must report immediately to the appropriate security authorities any approach or activity that they consider suspicious or unusual.
31.
All individuals who cease to be employed in duties requiring access to EUCI shall be made aware of, and where appropriate acknowledge in writing, their obligations in respect of the continued protection of EUCI.
V. EXCEPTIONAL CIRCUMSTANCES
32.
Where permissible under national laws and regulations, security clearance granted by a competent national authority of a Member State for access to national classified information may, for a temporary period pending the granting of a PSC for access to EUCI, allow access by national officials to EUCI up to the equivalent level specified in the table of equivalence in Appendix B where such temporary access is required in the interests of the Union. NSAs shall inform the Security Committee where national laws and regulations do not permit such temporary access to EUCI.
33.
For reasons of urgency, where duly justified in the interests of the service and pending completion of a full security investigation, the GSC Appointing Authority may, after consulting the NSA of the Member State of whom the individual is a national and subject to the outcome of preliminary checks to verify that no adverse information is known, grant a temporary authorisation for GSC officials and other servants to access EUCI for a specific function. Such temporary authorisations shall be valid for a period not exceeding 6 months and shall not permit access to information classified TRÈS SECRET UE/EU TOP SECRET. All individuals who have been granted a temporary authorisation shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the GSC.
34.
When an individual is to be assigned to a position that requires a security clearance at one level higher than that currently possessed by the individual, the assignment may be made on a provisional basis, provided that:
(a)
the compelling need for access to EUCI at a higher level shall be justified, in writing, by the individual’s superior;
(b)
access shall be limited to specific items of EUCI in support of the assignment;
(c)
the individual holds a valid PSC or authorisation for access to EUCI;
(d)
action has been initiated to obtain authorisation for the level of access required for the position;
(e)
satisfactory checks have been made by the competent authority that the individual has not seriously or repeatedly infringed security regulations;
(f)
the assignment of the individual is approved by the competent authority; and
(g)
a record of the exception, including a description of the information to which access was approved, shall be kept by the registry or subordinate registry responsible.
35.
The above procedure shall be used for one-time access to EUCI at one level higher than that to which the individual has been security cleared. Recourse to this procedure shall not be made on a recurring basis.
36.
In very exceptional circumstances, such as missions in hostile environments or during periods of mounting international tension when emergency measures require it, in particular for the purposes of saving lives, Member States and the Secretary-General may grant, where possible in writing, access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET to individuals who do not possess the requisite security clearance, provided that such permission is absolutely necessary and there are no reasonable doubts as to the loyalty, trustworthiness and reliability of the individual concerned. A record shall be kept of this permission describing the information to which access was approved.
37.
In the case of information classified TRÈS SECRET UE/EU TOP SECRET, this emergency access shall be confined to Union nationals who have been authorised access to either the national equivalent of TRÈS SECRET UE/EU TOP SECRET or information classified SECRET UE/EU SECRET.
38.
The Security Committee shall be informed of cases when recourse is made to the procedure set out in paragraphs 36 and 37.
39.
Where national laws and regulations of a Member State stipulate more stringent rules with respect to temporary authorisations, provisional assignments, one-time access or emergency access by individuals to classified information, the procedures foreseen in this Section shall be implemented only within any limitations set forth in the relevant national laws and regulations.
40.
The Security Committee shall receive an annual report on recourse to the procedures set out in this Section.
VI. ATTENDANCE AT MEETINGS IN THE COUNCIL
41.
Subject to paragraph 28, individuals assigned to participate in meetings of the Council or of Council preparatory bodies at which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is discussed may only do so upon confirmation of the individual’s security clearance status. For delegates, a PSCC or other proof of security clearance shall be forwarded by the appropriate authorities to the GSC Security Office, or exceptionally be presented by the delegate concerned. Where applicable, a consolidated list of names may be used, giving the relevant proof of security clearance.
42.
Where a PSC for access to EUCI is withdrawn for security reasons from an individual whose duties require attendance at meetings of the Council or of Council preparatory bodies, the competent authority shall inform the GSC thereof.
VII. POTENTIAL ACCESS TO EUCI
43.
Couriers, guards and escorts shall be security cleared to the relevant level or otherwise appropriately investigated in accordance with national laws and regulations, be briefed on security procedures for protecting EUCI and be instructed on their duties for protecting such information entrusted to them.
( 1 ) Council Regulation (EEC, Euratom, ECSC) No 259/68 of 29 February 1968 laying down the Staff Regulations and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission ( OJ L 56, 4.3.1968, p. 1 .).