Council Decision 2009/968/JHA of 30 November 2009 adopting the rules on the confidentiality of Europol information was published yesterday on the website of the Official Journal of the European Union. As the title suggests, it has some relevance to data protection. Article 10 refers to ‘Basic protection level, classification levels and security packages’ and reads, in relevant part:
“1. All information processed by or through Europol, with the exception of information which is expressly marked or is clearly recognisable as being public information, shall be subject to a basic protection level within Europol and in Member States.
2. In accordance with Article 3 [which imposes on Member States the responsibility to make sure that Europol information is protected to the level specified in these rules], Member States shall ensure the application of the basic protection level referred to in paragraph 1, by a variety of measures in accordance with national legislation and regulations, including the obligation of
discretion and confidentiality, limiting access to information to authorised personnel, data protection requirements as far as personal data are concerned and general technical and procedural measures to safeguard the security of the information, taking into account Article 41(2) of the Europol Decision”.
So now you know. The best thing about this document is actually the table of terminologies that are used in Member States to describe the different levels of classification. In the UK the range of classification goes (in descending order) Top Secret, Secret, Confidential and Restricted. In Ireland, both Confidential and Restricted are termed Confidential, which might just cause confusion one day.