Directorate General of Administration

Directorate of Information Technology

CONFIDENTIALITY AGREEMENT TO BE SIGNED BY THIRD-PARTY CONTRACTORS WORKING IN THE COUNCIL OF EUROPE

I the undersigned, ______,

employed by the company ______,

exercising the functions of ______

Contract reference: ______

hereby declare that I have read Instruction no. 47 of 28 October 2003 on the use of the Council of Europe's Information System appended to the present agreement. I accept to be bound by the rules set out in that instruction and I am aware of the sanctions applicable in the event of my failure to comply with them.

In this connection, I undertake to observe the utmost discretion within the framework of the tasks assigned to me within the Council of Europe, particularly in respect of any departmental matters or data that are recorded or are to be recorded of which I might become aware.

Unless expressly authorised to do so by the Council of Europe Secretary General, I shall refrain, in all circumstances, from passing on any information which has not been made public and of which I become aware through my dealings with the Council of Europe to any physical individual or corporate entity, government or authority outside the Council of Europe. Furthermore, I may not seek to gain any private advantage from such information. Neither the expiry nor the termination by the Council of Europe of the contract binding the Company employing me to the Council of Europe shall make these obligations cease.

The IT media provided by the Council of Europe and all documents of whatever nature generated by my work shall remain the property of the Council of Europe.

The data contained in those media and documents are strictly governed by professional secrecy. I hereby undertake to take all necessary precautions to keep those data secure and, in particular, to prevent them being distorted, damaged or communicated to persons not authorised by the Council of Europe.

Accordingly, I undertake to comply absolutely with the following obligations:

i. not to take any copies of documents, software or data media entrusted to me by the Council of Europe and used by me, except for those necessary for the performance of the duties assigned to me by my Company;

ii. not to use the documents and information processed for purposes other than those specified in my remit;

iii. not to disclose those documents or information to other persons, whether private or public, physical individuals or corporate entities;

iv. to take all necessary steps to avoid any misuse or fraudulent use of IT files within the framework of my remit;

v. to take all necessary steps, including physical security measures, to ensure the preservation of the documents and information processed throughout my assignment within the Council of Europe;

and at the end of my assignment:

  • to destroy or have destroyed all physical or computerised data input files in my possession

and/or

  • to hand back all of the data media in question in accordance with the instructions given by the Council of Europe.

The present confidentiality agreement, applicable throughout my assignment at the Council of Europe, shall remain in effect indefinitely where the said agreement concerns the use and communication of personal data.

I am aware that, in the event of failure on my part to comply with the aforementioned provisions, the company employing me may be held liable and the Council of Europe may immediately terminate the contract signed by my employer, without paying compensation, for a violation of professional secrecy or failure to comply with the aforementioned provisions.

Done in ______ Date ______

Signature preceded by the handwritten words "Read, understood and approved"

March 2013 Version


Instruction No. 47 of 28 October 2003 on the use of the Council of Europe’s Information System

1. Purpose

2. General restrictions on the use of the Council of Europe Information System

3. Rights and obligations of Council of Europe Information System users

4. Monitoring

5. Consequences

The Secretary General of the Council of Europe,

CONSIDERING it necessary to establish guidelines for the use of the Council of Europe’s Information System,

HAVING CONSULTED the Staff Committee in accordance with Article 5 paragraph 3 of the Regulations on staff participation,

DECIDES AS FOLLOWS:

1. Purpose

1.1 This Instruction:

  • establishes the rules governing the use of the Council of Europe’s computer and telephone systems (hereafter the Information System) for users in all departments;
  • clarifies users’ responsibilities.

1.2 It replaces and rescinds the current text entitled “User Charter for the use of computer resources and Internet services”.

1.3 This Instruction applies to all Council of Europe Information System users, i.e. all Council of Europe staff members, whatever their category or grade, and any other person to whom access to the Council of Europe’s Information System has been granted by the Secretary General.

1.4 The Council of Europe Information System, and all associated facilities, may only be used in accordance with the rules laid down in this Instruction. Any exceptions to these rules must be authorised by the Secretary General or his/her representative and may only be granted if they are both necessary and urgent. If an exception is needed as a result of a general problem, the Department for Information Technology (hereafter the DIT) will take steps to amend this Instruction.

2. General restrictions on the use of the Council of Europe Information System

2.1 The Council of Europe’s Information System may only be used by authorised persons and such persons may not allow anyone else access to the system, even temporarily.

2.2 The Information System is the property of the Council of Europe and is intended for its staff members’ professional activities. Private use of the Information System is acceptable if it does not affect:

  • users’ professional activities
  • the Information System’s efficiency
  • the Council of Europe’s good name,

and provided that it does not cause the Council of Europe more than a marginal cost. Subject to these conditions, users may create their own “private” files. Such files will still be subject to checking, in accordance with the rules laid down in section 4 (“Monitoring”) of this Instruction.

2.3 Users should be aware that as a consequence of the DIT’s obligation to monitor the performance of the entire Information System, identifiable individual uses of the Information System could become known to the system administrators (see section 4, “Monitoring”).

2.4 Due care must be taken when making expensive telephone calls, such as international calls or calls from fixed phones to mobile phones. Where the facility is available, personal calls must be made using the staff member’s personal code (see the Telephone User Guide on the DIT site –

3. Rights and obligations of Council of Europe Information System users

3.1 All users are responsible for the use of computer equipment allocated to them. In particular, they must comply with the security rules and recommendations issued by the DIT. They must also keep abreast of any changes in this Instruction or developments in the Information System, whose smooth running requires their active participation by consulting the DIT site regularly, as well as of any specific instructions issued by individual bodies or departments, such as the European Court of Human Rights, the European Audiovisual Observatory or the European Directorate for the Quality of Medicines – EDQM.

3.2 Users also have the duty to contribute to the security of the Information System in the manner appropriate to their level. Should users identify any security problems, they must report them to the DIT.

3.3 Users must refrain from any activity that:

  • makes it unsafe to use the Information System;
  • endangers security of access;
  • generates costs caused by a misuse of the Information System;
  • harms the Council of Europe’s good name by a conduct that is unlawful or may cause material or non-material damage.

a. To avoid risks to the functioning of the Information System, users must not install any equipment or software without the formal approval of the DIT. Users will be held responsible for any damage to the Information System caused by unauthorised use of equipment or software. In particular:

  • the DIT is authorised to take action - without prior warning - to disconnect equipment or destroy software installed in breach of the above rules and that could pose a risk to the functioning of the Council of Europe’s Information System;
  • users undertake not to interfere deliberately with the Council of Europe’s Information System through either the mishandling of equipment or the introduction of viruses, Trojan horses, logic bombs and so on.

Although technical barriers have been erected against viruses, users must be particularly cautious about opening dubious e-mails or attachments. If they have any doubts or there is a clear risk of a virus, they must contact their Computer Correspondent, who will if necessary warn the DIT. Warnings to other users are exclusively the responsibility of the DIT.

b. Non-authorised persons are prohibited access to the Information System equipment and any information contained in the system.

  • Access to the Information System is controlled via the authorised use of a personal user name and password. For access to be properly controlled it is essential for users to keep their password secret. Passing on a user name and password to another person could make the owner of the user name and password liable for any action taken with their aid. If a user name and password are accidentally given to another person, the user must contact the DIT immediately so that it can freeze the account and supply the user with a new password. In the event of prolonged absence making it necessary for another person to manage the user’s mailbox or use other available technical resources such as the Out-of-Office Assistant or Auto forward, the user must implement the shared mailbox procedure, where this facility is available.
  • When using mobile equipment offering remote access to the Council of Europe’s Information System, users should install a password to avoid unauthorised access, particularly as a result of loss or theft. Users are also responsible for taking additional confidentiality measures, depending on the sensitivity of the data stored.
  • Users must not send confidential information by e-mail without using the coding facilities offered by the system and must also make sure that they do not use erroneous e-mail addresses or send material to inappropriate recipients.

c. Use of the Council of Europe’s Information System must not entail unnecessary costs:

  • The sending, downloading, printing or transferring to CD of very large files must be confined to cases of absolute necessity.
  • Downloading, printing or transferring to CD for private use is prohibited if this interferes with one’s professional activities (see section 2, "General restrictions").

d. Users must not process, send or search for illegal information (for example, child pornography, religious or xenophobic extremism, etc.)

  • Accessing and downloading files whose content users know to be illegal or capable of causing material or non-material damage to the Council of Europe or to a third party is strictly prohibited. If, in exceptional cases, access to illegal contents is necessary for professional reasons, users may request a derogation from the Directorate of Human Resources (hereafter the HRD). If such a derogation is granted, the DIT will arrange the necessary access.
  • In accordance with this principle, the Council of Europe bars access to sites suspected of illegality or of containing compromising material. Attempts to access such sites are blocked by the DIT and a warning message is displayed in the user’s Internet navigator. The user’s identity will not be retained or communicated to any authority within the Council of Europe.
  • Users must observe copyright. It is forbidden to copy software installed by the DIT for the Council of Europe’s Information System. It is also forbidden to copy Internet files protected by copyright without prior authorisation.
  • Users must not record or disclose data on identified or identifiable persons (personal data) without obtaining the prior agreement of their superior and must comply with data protection law and Council of Europe internal regulations. More restrictive measures may be imposed in specific areas of the Council of Europe’s work that deal with particularly sensitive data.

3.4 Users must not voluntarily break the authorisation limits for access to personal data files in the Council of Europe’s Information System. If they access such files accidentally they must not use them and should contact the DIT. The DIT will then take steps to ensure that such incidents do not recur.

4. Monitoring

4.1 The technical maintenance and management of the Information System require the DIT to undertake regular analysis of the use made of available equipment and software and of the flow of information circulating on the network.

4.2 General matters

  • As far as possible, monitoring will be anonymous and automatic. However, users must bear in mind that in monitoring overall system performance System Administrators may become aware of an individual user’s personal use of the Information System. This possibility extends to explicitly or recognisably private files or communications.
  • The System Administrators will not carry out personalized checks on communications or data storage, particularly in the case of explicitly or recognisably private data, unless such checks are necessary for the smooth running of the Information System or are requested by a competent authority of the Council of Europe responsible for the relevant staff member’s work performance or for managing expenditure, maintaining the Council of Europe’s good name or ensuring the lawfulness of its activities.
  • System Administrators may only disclose personal information in the event of serious threats to the Council of Europe’s interests, such as suspicion of illegal conduct that requires the Secretary General to be immediately informed. Whenever the DIT becomes aware of irregularities in the use of the Information System it will ask the individual concerned to provide an explanation. If the DIT is not satisfied with the explanation or the irregularities continue, the DIT will inform the individual’s immediate superior or, in the case of users who are not Council of Europe staff members, the Secretary General, who will take the necessary steps in accordance with the applicable rules to ensure compliance with this Instruction.

4.3 Sending and receiving e-mails

  • It is clear from the above that checks cannot be made on the contents of users’ mailboxes unless they are suspected of breaches of the rule prohibiting them from sending out or seeking illegal information (for example, child pornography, religious or xenophobic extremism, etc.)
  • The DIT will only check the contents of mailbox messages at the request of a competent Council of Europe authority. If it is necessary to check data files, the individual concerned and staff representatives will be given prior warning unless measures need to be taken immediately to protect the Council of Europe from serious risks or the individual concerned cannot be identified or contacted despite repeated efforts. In this case, he or she will be informed as soon as possible. If necessary, the DIT may take appropriate measures, such as freezing the relevant account, to maintain the integrity of the data to be checked or of the system itself.

4.4 Telephone

The DIT may carry out checks on telephone numbers called where the cost of calls is abnormally high.

5. Consequences

5.1 All Council of Europe Information System users accept that in the event of a serious infringement of the rules in this Instruction, their access to the Information System may be frozen pursuant to the joint decision of the DIT and the HRD, and any decision to reopen this access will be taken jointly by the two departments.

The following are regarded as serious infringements:

  • deliberately disclosing a user name or password;
  • illegally disclosing confidential information or accessing by unauthorised way confidential or private information;
  • attempting, without authorisation, to access or download from sites whose content is illegal (for example, child pornography, xenophobic or religious extremism, etc) or capable of causing material or non-material damage;
  • sending messages that are illegal or capable of causing material or non-material damage to the Council of Europe or to a third party.

5.2 Where appropriate, disciplinary measures will be taken in accordance with the Staff Regulations.

5.3 Any disputes between the Secretary General and users regarding protection of personal data may be submitted to the Data Protection Commissioner, pursuant to Article 6 paragraph (a) of the appendix to the Regulation of 17 April 1989 outlining a data protection system for personal data files in the Council of Europe.

Done at Strasbourg, 28 October 2003

Secretary General

Walter SCHWIMMER
