Project Acts

Home

  

 

Motives
To the draft Law on the Protection of Classified Information

The development of a legal and institutional basis relative to classified information in the Republic of Bulgaria is a strategic priority of the Government in the process of integration with NATO and a key element of the Action Plan for NATO Membership.

The objective is to redefine the priorities and the fundamental concepts, to identify the competent authorities and regulate their powers, to set out in detail the procedures and principles of protection of classified information, while bringing all these elements into line with NATO policy and standards and ensuring the implementation of the Security Agreements between the Republic of Bulgaria and NATO or other Member States and partners.

Accordingly, a new objective of partnership has been identified, namely PGG 0360 I.

The Republic of Bulgaria announced its orientation towards NATO in the Declaration of the National Assembly of 21 December 1993. However, domestic political conditions in that respect only became present in the beginning of 1997. Thus, an appropriate new legal and organisational framework for the country's security standards had to be put in place within the shortest possible period.

Right after Decision of the Council of Ministers No. 192 of 17 February 1997 on Full Membership of NATO, a National Programme for Preparation and Accession to the Alliance was adopted ("National Programme"), and an Interagency Committee for Integration with NATO ("Interagency Committee") was set up. Subsequently, a National Security Concept Paper and a Military Doctrine of the Republic of Bulgaria were approved and legislative amendments were initiated, so as to ensure the harmonisation of Bulgarian law with NATO policy and standards. Steps were also undertaken to improve the organisation of the national system of protection of State secrets. The Law on the Ministry of Interior passed at the end of 1997 entrusted the National Security Service with the administration and control of the national system of protection of facts, data and items constituting a State secret.

By virtue of a decision of the Interagency Committee dated 13 January 1998, the National Security Service also became a National Security Authority for the provision and exchange of classified information to and with NATO and WEU.

These were the first steps during the pre-accession period.

In 1999, preparation was launched for a radical change in the security system. These efforts developed along several parallel lines:
- screening the entire existing legislation of the Republic of Bulgaria in this area;
- analysing the legislation and the organisation of information security systems existing in NATO Member States, in particular the Czech Republic, Hungary and Poland, which had been admitted to NATO at the summit in Washington;
- comparing those national approaches, regulations and practices with the supranational requirements contained in the document C-M (55)15 (FINAL).

The analysis revealed that the existing domestic legislation concerning information security equally impedes the day-to-day practice in the country and the provision and exchange of information with NATO. The current legal framework in the Republic of Bulgaria fails to provide comprehensive and detailed rules on the protection of information classified as a State or official secret. There are no accurate criteria for the classification of information. The starting point in assessing the need for protection is the List of Facts, Data and Items Constituting State Secret adopted by a Decision of the National Assembly in 1990. The levels of information classification are now governed by the Rules Implementing the Law on the Ministry of Interior but they are inconsistent with the classification used in NATO and its Member States. As there is no modern and democratic regulatory framework aligned with NATO policy and standards in this area, the practice of the country is still based on in-house regulations issued during the eighties.

Besides, the conclusion was made that the rules on the protection of information constituting an official secret are far from comprehensive. The legislation gives discretion to organisations, agencies and legal persons to compile in-house lists of facts and secrets constituting a State or official secret but no clear criteria and requirements exist on the affixing of security marks in line with the levels of classification. Similarly, no rules exist on the control and protection of information constituting an official secret. In reality, the legislative rules in force concern solely the criminal liability for disclosure of official secrets.

The major finding of the analysis was that a Law on the Protection of Classified Information should be drafted and adopted, so as to cover comprehensively the social relations relative to the production, registration, storage, use, provision, transformation, declassification and destruction of information classified as a State or official secret.

In view of those considerations, by a decision of the Interagency Committee dated 20 September 2000, an Interagency Task Force was set up to draft the bill referred to above.

The present Draft Law on the Protection of Classified Information (hereinafter referred to as "the draft" or "draft law") puts in place a new regulatory framework conforming to NATO policy and standards and to the principles on which any modern democratic State should rely in this area. Throughout the drafting process, the legislative experience of a number of European countries has been used, with particular reference to the newly-adopted members of NATO - the Czech Republic, the Republic of Poland and the Republic of Hungary.

The draft law is based on the following major principles:
a) the rules are intended to cover all aspects of the protection of classified information;
b) all persons who have access to classified information in the course of fulfilling their official duties are placed under an obligation to protect it;
c) access to classified information should only be given to persons who are both reliable and trained, and then only in the amount and to the degree necessary to fulfil official duties linked to their position or a specific task assigned (the need-to-know principle);
d) ensuring concordance with NATO policy and standards for the protection of classified information as defined in C-M (55)15 (FINAL) and other directives or as required by ratified international agreements;
e) making the same system of principles and measures applicable to the protection of national and foreign classified information;
f) delineating the territorial scope of application of the rules: the law shall apply in the territory of the Republic of Bulgaria and in all cases of producing or storing information classified as a State or official secret.

As regards its structure, the draft contains eight chapters and covers the following areas:
- sphere of regulation, definitions and major principles;
- authorities in charge of the protection of classified information;
- classification of information;
- procedure and conditions to receive access to classified information, including foreign classified information, and security clearance procedure;
- production, registration, storage, use, provision, transformation, declassification and destruction of classified information;
- types of protection of classified information;
- provision and exchange of classified information between the Republic of Bulgaria and other States or international organisations;
- the organisation of control relative to the protection of classified information.

The draft Law on the Protection of Classified Information introduces new concepts and categories, e.g. "classified information", "physical protection", "personal security", information security", etc. These are defined in the Additional Provisions of the draft and fully conform to NATO standards.

As the subject matter tackled is of fundamental importance, the Transitional and Final Provisions purport to amend a number of existing legislative instruments. Likewise, a mechanism is suggested for transition from the present system of protecting information classified as a State secret to the system introduced by the law.

A List of Categories of Classified Information Constituting State Secret, and a Questionnaire to be filled out during the clearance procedure form integral parts of the draft. It is suggested that the questionnaire to be used in the context of industrial security certificates for access to classified information could also become an integral part of this draft.
Chapter One lays down the basic general provisions of the law and, in particular, defines its subject matter, scope and principles.

Chapter Two institutionalises the authorities in charge of the protection of classified information. The divisions of that chapter list in detail the tasks and activities of the various bodies.

According to Division I of Chapter One, a National Information Security Authority (NISA) shall be set up as a body having a nation-wide competence to carry on the activities relative to the protection of classified information. The Authority shall have a status under the Law on Administration. It shall be a legal person with the Council of Ministers funded through the State budget and shall have its seat in Sofia.

NISA is entrusted with functions relative to the organisation, implementation, co-ordination and control of the protection of classified information. It should also ensure uniform protection of classified information and interact with the bodies of the Ministry of Defence, the Ministry of Interior, the Ministry for Foreign Affairs, and the security services.

Division II lists the functions of the security services in a number of aspects: security clearance procedure, authorising their own servants and job applicants to have access to classified information, clearance of natural and legal persons - traders, applying to enter into or performing contracts that involve access to classified information, and grant of certificates. The security services are under an obligation to assist NISA with the fulfilment of its tasks.

Division III lists the functions entrusted to public order services.

Division VI introduces a new element in the institutional system for the protection of classified information - authorised information security officers - while also defining their tasks and activities under the law. The authorised security officers should be servants of the respective organisational entity and should, under the methodological guidance of NISA, carry on the activities relative to the protection of classified information.

Specific provisions laid down in Division VII make it possible for the authorised officer to be assisted by an administrative unit in charge of information security.

Chapter Three of the draft covers the types of classified information and the levels of information security classification.
Division I of that chapter provides a legal definition of the concept and lists the types of "classified information". Subject to a clear criterion, classified information is divided into State secret and official secret. The distinction between the two types is based on the significance of the interest protected and the degree of risk or harm that unauthorised access might entail.
Division II introduces the following levels of security classification: "TOP SECRET", "SECRET", "CONFIDENTIAL", and "OFFICIAL USE ONLY".

It is suggested that the security marks "TOP SECRET" and "SECRET" be affixed to designate classified information constituting a State secret, whereas the marks "CONFIDENTIAL" and "OFFICIAL USE ONLY" should be used to designate classified information constituting an official secret.

The abstract criterion used to distinguish between the types of classified information is complemented by a Schedule to the draft, viz. a List of Categories of Classified Information Constituting State Secret.

For the first time now, a law would regulate the equalisation of the levels of security classification of foreign classified information received and/or classified information provided by the Republic of Bulgaria to another State or international organisation in implementation of an international agreement that has come into effect for both the Republic of Bulgaria and the corresponding foreign State or international organisation. Such equalisation shall take place subject to the provisions of the agreement in question.

Chapter Four governs the classification of information constituting a State or official secret. The fundamental principles of classifying information introduced here are identical to those in Directive C-M (55)15 (FINAL). The intention is to set out the procedure for affixing security marks while bringing it into line with the need for protection of the specific type of classified information. The principle enshrined in the draft law is that the level of classification should be determined by the person entitled to sign the document that contains classified information.

Divisions II and III of Chapter Four lay down the procedure and time limits for the storage and protection of classified information. Information classified as a State secret should be protected for a period of 50 years as from the date on which it is produced. Official secrets shall be protected for either 5 or 2 years, depending on the level of classification ("confidential" or "official use only"). The person affixing the security mark must review the time limits of protection of any material or document at least once in every 2 years in order to identify any need to change the level of classification and verify the continuing existence of legal grounds for affixing the security mark in question.

Chapter Five governs the conditions and procedure for receiving access to classified information.

The Council of Ministers should, on a proposal from the heads of State authorities and of authorities of local self-government, approve a list of positions and tasks that require access to a given level of classified information constituting a State secret.
The heads of organisational entities are equally obliged to determine the positions and the tasks that require access to a given level of classified information. The same power is vested in the Minister of Defence, with respect to the structures of the Ministry of Defence and the Bulgarian Army, and in the heads of security or public order services, with respect to those services.

The principle is introduced that the grant of access to classified information should be mandatorily preceded by a security clearance of any candidate. In line with the recommendations of the Progress Report on Bulgaria's participation in the Membership Action Plan, 2000 (PO 2000 72), the draft sharply reduces the number of positions which entail access to classified information by operation of law, that is without prior security clearance. Exceptions in this regard are only provided for the Speaker of the National Assembly, the President of the Republic of Bulgaria and the Prime Minister. This is just one option to regulate the matter. The studies of the national systems in all Member States have made it clear that various approaches exist to the officials entitled to have access to classified information solely by virtue of their position.

Division I of that Chapter sets detailed requirements to be satisfied by persons seeking authorisation to work with classified information.

Where an international agreement exists to which the Republic of Bulgaria is a party, and on the basis of reciprocity arrangements, the security requirements shall not apply to nationals of other States who fulfil in the Republic of Bulgaria tasks assigned by the corresponding State or international organisation, provided that the person in question holds an authorisation issued by the competent security information authority of that State or international organisation.

The "need-to-know" principle is introduced for the first time. It mirrors the equivalent "need-to-know" principle existing in NATO which confines access only to specific classified information and only to persons whose official duties or specific tasks assigned require such access.

The division lays down clear criteria to assess the reliability of persons in terms of security and their capability of keeping a secret.

Security clearance is governed by Division II. For the first time, the prior written consent of the person is required to launch the procedure and such consent may be withdrawn at any stage. If consent is withdrawn, the procedure is immediately discontinued, any material and documents submitted for the purposes of the clearance are returned to the person, and the data gathered by the State authority in the context of the procedure must be destroyed forthwith.

Division III of that Chapter regulates the three types of clearance applicable to persons. The criteria to distinguish among them is the level of classification to which access is sought. The following types of clearance are provided for:
a) standard clearance: for access to information constituting an official secret. Such clearance is carried out by the authorised information security officer following a written order from the head of the organisational entity;
b) extended clearance: for access to information classified as "SECRET". Extended clearance is then carried out by the security services and the public order services, within the ambit of their powers under the law;
c) special clearance: for access to information classified as "TOP SECRET". Special clearance is entrusted to the security services and the public order services, within the ambit of their powers under the law.

Any clearance procedure shall include, inter alia, the filling out of a questionnaire in a form set in Schedule 2 to the draft law.
The clearing authority shall open, store, maintain, update, card-index and close the security clearance files.

Division IV sets time limits for carrying out the clearance and for the grant or refusal of authorisation.

Division V governs the procedures for the grant, withdrawal, termination and refusal of authorisations for access to classified information.

The authorisations for access to classified information shall be granted, withdrawn, terminated or refused by the National Information Security Authority or, respectively, by the security services or the public order services in accordance with their powers. Authorisations granted shall always have a limited period of validity.

An act whereby authorisation is refused, withdrawn or terminated shall not be reasoned but should only refer to the legal ground. The suggestion of the draft is that acts whereby authorisations are withdrawn or refused should only be subject to appeal before an administrative body. This is in harmony with the relevant legal rules in NATO Member States.

Division VI governs the storage, maintenance, updating, card-indexing and closure of files which contain security clearance material.

Chapter Six of the draft lists the types of protection of classified information, i.e. physical protection, documentary protection, personal security, cryptographic protection, industrial security and protection of automated information systems or networks.
According to Division I, physical protection is a system of measures barring unauthorised access to material, documents, equipment and facilities constituting a State or official secret in order to prevent espionage, loss, theft, damage or destruction.

Physical protection means, which should be certified for each level of security classification, must be determined in a list approved by NISA.

Division II, Documentary Protection, governs the measures, means and devices to protect classified information during the production, processing and storage of documents, as well as the organisation and operation of classified information registries.

Personal security, as defined in Division III, is a system of principles and measures implemented by the competent authorities vis-a-vis persons, under the established procedure, in order to guarantee their reliability in terms of protecting classified information. Personal security comprises the "need-to-know" principle, the security clearance procedure, the grant of authorisations for access, the training of persons and control for the enforcement of the law and its implementing instruments.

Division IV of that Chapter prescribes a system of methods and means for the cryptographic protection of classified information against unauthorised access during its production, processing, transmission and storage.

Division V requires that a system of measures be put in place to protect classified information produced, processed, stored and transmitted in automated information systems (AIS) or networks. The draft provides that the compulsory general conditions for the security of AIS or networks are to be laid down in an instrument of secondary legislation. By contrast, the specific security requirements at each organisational entity should be defined by the head of that entity and approved by NISA. The specific requirements would depend on the need to protect classified information within a given organisational entity.

Industrial security is governed by Division VI. It is a system of principles and measures applicable to Bulgarian and/or foreign natural persons - traders, and to Bulgarian and/or foreign legal persons applying to enter into or performing contracts that involve access to classified information. Here again, the leading principle is that the general industrial security requirements should be laid down in the draft law and in an instrument of secondary legislation, while specific requirements should be formulated in the contracts. Entry into such contracts should be preceded by a security clearance of the applicant legal person and of the individuals working for that legal person.

Chapter Seven governs the provision or exchange of classified information between the Republic of Bulgaria and another State or international organisation on grounds of an international agreement on the protection of classified information that has come into effect. Classified information should be provided following a decision of NISA to that effect. According to the draft, NISA and the competent authority or body of the foreign State or of the international organisation must satisfy themselves, in advance and on the basis of reciprocity, that the information provided or exchanged would be reliably protected. According to the draft, when classified information is provided or exchanged by an international organisation of which Bulgaria is a member, the principles, rules and procedures for the protection of such information existing within that organisation should apply, subject to the proviso that membership of the Republic of Bulgaria in that organisation entails such a commitment.

Chapter Eight contains the so-called "Administrative Liability Provisions". It prescribes fines and penalty payments for failure of natural and legal persons to comply with the rules of primary and secondary legislation relative to the protection of classified information.

The Transitional and Final Provisions provide for amendments to a series of existing pieces of legislation. For that purpose, a thorough review has been made of current national rules on the protection of State and official secrets. After the law has come into effect, a number of organisational and fiscal measures should be taken. In order to make operational the institutional arrangements for the protection of classified information, a number of instruments of secondary legislation should be issued as well.

The modification of the regulatory framework of the protection of classified information clearly requires amendments to the Criminal Code as well. The idea is to extend the scope of criminal liability, on the one hand, and to make criminal liability adequate to the new rules in the draft Law on the Protection of Classified Information, on the other hand. In fact, the draft Law on the Protection of Classified Information and the amendments to the Criminal Code form a coherent package.
In addition, it is noteworthy that the draft is in full conformity with the principles and standards of protection of classified information within the European Union. The common rules of the acquis in this area could be found in relatively few EU instruments, i.e.:

- Decision of the Secretary-General of the Council/High Representative for the Common Foreign and Security Policy of 27 July 2000 on measures for the protection of classified information applicable to the General Secretariat of the Council;
- Council Decision of 20 December 1993 on public access to Council documents (93/731/EC), as amended by Decision 00/527/EC of 14 August 2000;
- Council Decision of 6 December 1999 on the improvement of information on the Council's legislative activities and the public register of Council documents (2000/23/EC), as amended by Decision 00/527/EC of 14 August 2000;
- Council Decision of 27 April 1998 relating to the procedures whereby officials and employees of the General Secretariat of the Council may be allowed access to classified information held by the Council (98/319/EC);
- Proposal of 21 February 2000 for a Regulation of the European Parliament and of the Council regarding public access to European Parliament, Council and Commission Decisions (COM(2000) 30 final/2);
- Commission Decision of 25 February 1999 relating to the procedures whereby officials and employees of the European Commission may be allowed access to classified information held by the Commission.

In the context of the Individual Security Partnership Programme, this draft should also be provided to the Security Service of NATO, so that specific recommendations could be invited.

Finally, it should be pointed out that the drafting and adoption of a Law on the Protection of Classified Information to implement the main principles, standards and measures for such protection in NATO and EU Member States is a decisive step toward and an essential guarantee for full membership of the Republic of Bulgaria in these international organisations.

 

HOME | ABOUT US | APIA | LEGISLATIVE BASE | LEGAL HELP | TRAININGS | PUBLICATIONS | FAQ | FOIA net | SEARCH | MAP
English Version • Last Update: 05.01.2002 • © 1999 Copyright by Interia & AIP