Classified and Non-Public Information in National and Federal Council

Federal Law Gazette (BGBl.) II No. 58/2015 as amended by BGBl. II No. 248/2017

Be it decreed, in conjunction with the chairperson of the Federal Council, on the basis of Art. 30 (6) Federal Constitutional Law (B-VG), Federal Law Gazette No. 1/1930 as last amended by Federal Law Gazette I No. 102/2014, and of § 26 Information Rules Act, Federal Law Gazette I No. 102/2014, that

§ 1. Scope of Application

(1) This decree shall apply to the spheres of the National and Federal Councils.

(2) Whenever this decree refers to provisions of federal laws, they shall be applied as amended.

§ 2. Security Briefing

(1) Any person who under the Information Rules Act is granted access to classified information shall be briefed on the handling of such information, and their awareness of threats to the security of classified information shall be raised as appropriate to the respective classification level. The security briefing is to ensure that security standards are complied with to prevent classified information being disclosed to persons not authorised under §§ 13, 14 and 16 Information Rules Act.

(2) Persons granted access to EU Classified Information shall also be briefed on compliance with EU requirements.

(3) The security briefing shall be communicated in writing before access to classified information is granted and shall in any case be repeated at the beginning of each legislative period of the National Council and whenever the respective rules and obligations are amended or complemented. Evidence of the security briefing having been given shall be laid down in writing.

(4) The security briefing shall also pertain to the sanctions for violation of secrecy provisions.

§ 3. List of Authorised Persons

Each of the Registries under § 21 Information Rules Act shall keep a permanent list of persons who under the Information Rules Act are granted access to classified or non-public information.

§ 4. Marking

(1) Classified information shall be marked clearly and visibly with the classification levels defined in § 4 Information Rules Act.

(2) The following information shall be marked “non-public” if it is unsuitable for publication (§ 3 para 2 Information Rules Act):

1. Bills, Documents, Reports, Items of Information and Communications on projects within the framework of the European Union or within the framework of the European Stability Mechanism insofar as they have not already been appropriately marked;

2. Requests and notifications in connection with the public prosecution of Members under § 10 paras 2, 3 and 5 Rules of Procedure Act 1975, Federal Law Gazette No. 410/1975, requests of authorities under Art. 63 para 2 B-VG as well as requests for the authority to prosecute persons for insulting the National Council under § 117 para 1 Criminal Code, Federal Law Gazette No. 60/1974;

3. Information provided under the Incompatibility and Transparency Act, Federal Law Gazette No. 330/1983, on which the Incompatibility Committee of the National or Federal Council has to decide, without prejudice to the provisions of § 9 of the Federal Constitutional Act on the Limitation of Emoluments of Holders of Public Offices, Federal Law Gazette I No. 64/1997;

4. Information whose inspection and distribution has been restricted by committee decision under § 14 Information Rules Act, in which case the marking shall include the committee name.

 
(3) Information classified at level 2 or higher shall bear the date, a reference number and the name of the originator and, on each page, the name of the recipient, the classification level, consecutive page number and, if appropriate, the serial number of the copy. If, in individual cases, such marking is impossible, other suitable methods of marking shall be used as determined by the person in charge of the Registry.

(4) § 21 para 5 of Annex 1 to the Rules of Procedure Act 1975 notwithstanding, further details, e.g. pertaining to the recipient, may be indicated if so provided by service regulations issued under § 13 [3].

§ 5. Secured Areas

(1) Office areas in the Parliament buildings, committee rooms and areas specifically designated for handling and storage of classified information, as well as the areas immediately surrounding such areas, may be established as administrative areas in terms of § 20 [1] Information Rules Act.

(2) Areas within administrative areas may be established as specially secured areas in terms of § 20 [2] and [3] Information Rules Act if they are fitted with appropriate devices, in particular a locking system or electronic access control system, ensuring that unescorted access is granted only to persons who are specifically authorised.

§ 6. Storage and Handling

(1) Classified information shall be stored in locked containers in accordance with its respective classification level. Accordingly, storage shall be effected as follows:

1. classified information of level 1 in the administrative area in suitable, locked items of office furniture or in the specially secured area,

2. classified information of level 2 or 3 in the specially secured area in a security container or strong room

3. classified information of level 4 in the specially secured area in

a) a security container with continuous protection or verification or an approved IDS in combination with response security personnel or

b) an IDS-equipped strong room in combination with response security personnel.

 
(2) Information classified at level 1 may temporarily be stored outside the secured areas if it is carried in a cover that prevents observation of its contents and the holder of that information has been duly briefed under § 2 and can warrant a security standard equal to that of the secured areas.

(3) Classified information shall in principle be handled in secured areas, the handling of

1. classified information up to level 2 being permitted in the administrative area on condition that it is secured from access by unauthorised persons, while

2. classified information of levels 3 and 4 shall be handled exclusively in the specially secured areas.

 
(4) Classified information up to level 2 may be handled outside the secured areas if

1. it is carried in a cover that prevents observation of its contents and the holder of that information has been duly briefed under § 2 and can warrant a security standard equal to that of the secured areas and

2. in the case of classified information of level 2 the information is at all times under the holder’s personal control.

(5) Classified information should not be read or discussed in public places.

§ 7. Distribution and Carriage

(1) Distribution of EUCI of level 1 shall be effected through the databases under § 2 paras 2 and 3 EU Information Act, Federal Law Gazette I No. 113/2011.

(2) Except for the cases of § 6 paras 2 and 4, distribution and carriage of classified information shall be strictly reserved to the Registries under § 21 Information Rules Act.

(3) Delivery of classified information of level 2 or higher shall be acknowledged by a certificate of receipt. Carriage of such information shall be reserved to persons who are security cleared to the respective classification level.

(4) For carriage within and between Parliament buildings, classified information of levels 1, 2 and 3 shall be covered in such manner as to prevent observation of its contents. Classified information of level 4 shall be carried in a secured envelope.

§ 8. Oral Communication

(1) Classified information of levels 2 and 3 may be orally communicated only in secured areas and only in the presence of persons who are security cleared to the respective classification level.

(2) Such information may only in extraordinary and urgent cases be the subject of telephone conversations without anti-tapping protection. Such conversations shall be conducted with such discretion as to ensure that no third person can understand the facts.

(3) Oral communication of classified information of level 4 shall require additional measures protecting against eaves-dropping.

§ 9. Electronic Processing

(1) When electronically processing classified Information, compliance with the security standards specified in the Information Rules Act and in the description of measures under para 2 below should be ensured in order to prevent classified information being disclosed to persons not authorised under §§ 12 to 16 Information Rules Act. For this purpose, the authorised persons shall be given an appropriate briefing. Classified information of level 2 or higher may not be processed electronically, except for the purpose of preparing verbatim and summary records and of having copies made by the registry.

 
(2) Security measures shall depend on the degree of interconnectivity, the storage capacity and the local conditions. Their final design and update shall be based on a description of measures, jointly prepared by the Parliamentary Administration and the parliamentary groups, which shall in any case provide that:

1. Appropriate provisions shall be made to ensure the detection of damaging software. Each ICT system must provide for adequate protection against other, potentially unsafe networks or connected computers.

2. Communication of classified information of level 1 (electronic transmission or transport on external storage devices outside secured areas) shall be effected by means of cryptographic products and processes. Unencrypted file names, headings, markings etc. must not betray the classified contents.

3. For transmission within secured areas, encryption may be dispensed with.

4. For transmission outside secured areas, a cryptographically secured transmission path or end-to-end-encryption shall be provided. When printing classified documents, it shall be ensured that access to the printout shall be restricted to authorised persons and that the printout is marked in accordance with § 4.

 
(3) It shall be ensured that access to non-public or classified information in ICT systems shall only be granted subject to the provisions of §§ 12 to 16 Information Rules Act. Each ICT system processing non-public or classified information shall be provided with appropriate access protection. Each user must be uniquely identified.

§ 10. Registration

(1) Classified information of levels 2, 3 and 4 shall be registered. Registration shall take the form of recording the classified information in dedicated journals for each of the classification levels. Each of the Registries under § 21 Information Rules Act shall keep its own journals which shall be exclusively used for the sphere of the respective Registry.

(2) The journals under para 1 shall themselves be assigned a classification level. Journals for the registration of information of classification level 2 or 3 shall at least be classified at level 1. Journals for the registration of information of classification level 4 shall be classified at level 3.

(3) Registration shall evidence the creation or receipt of registrable classified information, its reproduction (copying), translation, distribution, return, re-classification, declassification and destruction.

 
(4) Each registrable classified information shall be marked with a reference number and shall indicate the date of creation or receipt, its originator, the subject matter, classification level, the serial number of the copy in question, the name of the recipient and the dates of communication, return, re-classification, declassification and destruction.

(5) If information is re-classified, it shall be recorded in the journal dedicated to the former classification level as well as in that dedicated to the new one. Recipients of registered classified information shall be informed of the re-classification or declassification.

(6) Whenever EUCI of classification level "Très Secret UE/EU Top Secret" is communicated by an agency other than the Central Registry in the Federal Ministry of European and International Affairs the latter shall demonstrably be informed of said communication without delay.

§ 11. Copies and Translations

(1) Copies and translations of classified information of level 2 or higher shall only be produced by the responsible Registry in specially secured areas. Each copy shall be designated as such and individualised by serial numbers.

(2) Copies and translations of classified information of level 4 shall only be made with the approval in writing on the part of the originator.

(3) Except for the cases of § 21 para 1 (2) of Annex 1 to the Rules of Procedure Act 1975, it shall not be permitted to make hand-written copies of classified information of level 2 or higher or to take notes of the content which was the cause of the document being classified.

(4) All provisions pertaining to the original of classified information shall likewise apply to all copies, notes and translations.

§ 12. Destruction

(1) Classified information shall be destroyed by appropriate processes. Registrable classified information shall be destroyed exclusively by the responsible Registry.

(2) Destruction of registrable classified information shall be evidenced in a destruction record that is to be kept on file in lieu of the classified information destroyed. Destruction records in respect of classified information of levels 2 and 3 shall be retained for at least five years, those of classified information of level 4 for a minimum of ten years.

§ 13. Service Regulations

Service regulations shall in particular define

1. Administrative areas and specially secured areas and, in coordination with the persons having authority over the respective rooms, the management of the respective keys and codes,

2. Samples of forms for evidencing security briefing, registration information, confirmation of receipt and the destruction record,

3. Further details pertaining to the recipient, such as in particular the name of the National Council group, Federal Council group or Parliamentary Administration, for individual marking of copies in accordance with § 4.