Protection of Information: International Best Practices: Ministry of State Security briefing

Ad Hoc Committee on Protection of State Information Bill (NA)

21 March 2011
Chairperson: Mr C Burgess (ANC)

Meeting Summary

The Ad hoc Committee had been re-constituted, by resolution of the National Assembly, until 24 June 2011, and Mr C Burgess (ANC) was appointed as the Chairperson.

The Ministry of State Security gave a briefing on international best practices around protection of information, which not only answered Members’ specific queries, but also addressed some of the issues raised during the public hearings. It was emphasised that protection of human rights in South Africa must be seen in a human rights context. It was noted that many countries had introduced their protection of information legislation prior to the 9/11 attacks, but now needed to amplify that, whilst many former Eastern Bloc and African countries were busy drafting new legislation. It was broadly accepted that some sets of information must be protected in the interests of the public, country and nation, to avoid threats or harm caused by unauthorised disclosure. Some countries adopted a narrow definition of national security, some had a broad definition, and others adopted a broad definition of national security, but limited the role of intelligence and security structures, and also involved “non-traditional” bodies, such as environmental authorities or financial intelligence centres, in protecting information. All, however, required that there be a legitimate public interest in providing higher levels of protection to sensitive information held by public bodies. Core elements used to justify limitation were always present, such as national security, defence, foreign relations, public safety, or public order, and other possibilities included protection of economic wellbeing, ability to make sovereign decisions, advancement of values, and personal safety. All countries sought to achieve a balance between competing instruments. Most countries were guided by international and regional instruments in addition to their domestic laws.

It was explained that classification was based on deciding what would be classified, who would classify it, when and where it would be classified, and in what manner. The main trends under each of these headings were described. International instruments dealing with information all required that any restrictions on the right of access to information must be prescribed by law, in a clear and precise manner, with legal certainty and foreseeability, and that any restriction must be genuinely directed to legitimate interests. Social need and proportionality of limitation were important. Two main tests were applied; the “harm test” investigated the gravity of and likelihood of harm through disclosure, and the “public interest test” would assess what was in the interest of the public, and would require a weighing up of competing interests. A number of international decisions relating to what could fall within “in the public interest” were outlined. The need for review systems, driven by four main drivers, and the outcomes of reviews, were set out. It was noted that most information would be protected for certain periods of time only, with shorter periods applying to information held by international bodies. It was also noted that those having access must continue to protect information, and this was linked to classifications, which were briefly explained.

The second part of the presentation presented case studies for specific countries. The presenter detailed the position in the United Kingdom and Croatia, but time did not permit any further examples, which were deferred to the next meeting. Members asked for clarity on concepts of traditional and non-traditional institutions, and links with human rights. Other questions on social need, public interest defences and time frames would be answered by the second part of the presentation. Members asked for confirmation whether “originator” referred to an individual or an office, and whether development and stability in countries could be linked to the existence of protection of information laws.


Meeting report

Committee status
Mr C Burgess (ANC) advised that the House had resolved on 17 March 2011 that the ad hoc Committee was now reconstituted, and may proceed with its work. It must report back to the National Assembly by no later than 24 June 2011.

Dr M Oriani Ambrosini (IFP) believed that a new Chairperson needed to be formally appointed. He nominated Mr C Burgess (ANC).

Ms M Smuts (DA) seconded that proposal.

Mr Burgess thanked Members and said that he had understood that his appointment had been confirmed.

International Best Practice on Protection of Information: Ministry of State Security (MSS) briefing
The Chairperson noted that the Minister of State Security, Hon Siyabonga Cwele, had given his full support to the presentation, but was unable to be present as he was at a Cabinet meeting.

Mr Dennis Dlomo, Advisory Services, Ministry of State Security, tabled the presentation, and noted that this was prepared as a follow up on the Minister’s offer to the ad hoc Committee, on 22 October 2011, that the Ministry present a study on international best practices. He said that this study also attempted to deal with some issues raised during public hearings, and had been adapted also to take account of Members’ queries, especially those around timelines relating to protection of information. He pointed out that many of the protection of information regimes that he would describe were brought into being prior to the 9/11 attacks,  and some countries had found it necessary to amend their laws to address them. He emphasised that protection of information in South Africa was firmly lodged within a human rights context.

Mr Dlomo reported that more than 86 countries already had “right to information” or “right of access to information” laws, which went hand-in-hand with protection of information. Most recently, former Eastern Bloc countries seeking to join the European Union (EU) and African countries had been putting them in place. Academic work was also being done, leading up to the adoption of the Johannesburg Principles, which essentially distilled court decisions and best practice worldwide, and conferences were also being held on these issues.

Mr Dlomo noted that his presentation would look at various aspects. The first related to what had to be protected. Various dispensations classified things associated with the generation, development, storage, transfer, copying, conveying, protecting, processing and using of information. There were three main approaches, informed by each government’s policy around national security. Some countries adopted a narrow definition of national security, some had a broad definition, and others adopted a broad definition of national security, but limited the role of intelligence and security structures in issues of national security, and brought non-traditional bodies into advancement and protection of national security. For example, prior to 9/11, institutions dealing in commerce and finance were not traditionally at the core of protection of information, but the need to address the financing of terrorism resulted in financial intelligence centres becoming more involved. Elsewhere, departments dealing with protection of the environment had to be included to address environmental disasters.

In every country, no matter what approach was adopted, there must be a legitimate public interest in providing a higher level of protection to sensitive information held by public bodies, which constituted a restriction on the right of access to information. Protection of this type of information was couched in the form of exceptions in freedom of information (FOI) regimes. Some core elements used to justify limitation of the right of access were always present, such as national security, defence, foreign relations, public safety, or public order. In the United Kingdom of England and Wales (UK), the “interests of the country” were defined by the economy, the country’s ability to make sovereign decisions and to be able to defend itself, and advancement of values. Other countries might focus on public interest, and view provision of security as a public interest, or focus on the right of access to information. Other countries emphasised a “vital interest”, which was the continued existence of State, its economic wellbeing, safety of people, or the ability to exercise foreign policy without undue pressure. Other countries referred to “permanent interest”, and this would usually apply in a bi-party system, where the two leading parties would define the interest, so that no matter which party was in power, those interests would be applied consistently. Other possibilities were to define “fundamental interests”, “interest of importance” or “essential interest”. In most countries, the key issue was to ensure that there was a balance. Mr Dlomo said that when he dealt with the individual case studies, he would indicate which definitions were used in the selected countries.

Most countries were guided by a number of international and regional instruments that provided for protection. National security protection emanated from the International Universal Declaration on Human Rights and African Charter for Human and People’s Rights, but other grounds were indicated (see attached presentation for details).

The essence of every secrecy law was that some sets of information had to be protected in the interests of the public, country and nation, to avoid threats or harm caused by disclosure to unauthorised persons.

The second question to be answered related to who classified the information. There were three main trends. The first was the “Prior Classification System”, under which the classifying authority would determine the categories or file series in advance, balancing harm and public interest. Once those were set, a manual would be compiled and its procedures must be followed. The second system was the “Originator Classification System”. Here the author of the document would do the classification. In some dispensations, this would need to be confirmed by a senior person. After this, anyone else using the information to compile a new product must derive the classification from the original classification which was found in source documents. The emphasis was on classifying the individual piece of information. The third system was the “Classifying Authority System”, where a certain person would be given the power to classify certain information, and the person could then either delegate to a limited extent, or create manuals with derivative authority to classify.

The third question to be answered related to when the information was classified. The Constitutions in most countries provided that any information held by the State would be classified until a request was made to de-classify it. This was a Classification by Default System. At the point when the request was made, a decision would be taken whether the information could be revealed. The Multiple Layer Dispensation provided for different categories of information, setting out what had to be disclosed, what may be disclosed and what had to remain fully protected. In all systems, including Classification by Default, the need for the information to be protected had to be proved. 

The fourth question related to where information was to be classified. In all systems, information would be classified at the venue of its creation. In the Classification by Default System, the decision would be taken as soon as the information was created, and this would apply, for instance, to cases involving field agents, defence intelligence agents on the battlefield and crime intelligence agents, to ensure that they could have access.

The fifth question was how information would be classified. Mr Dlomo reiterated that various instruments, international law and jurisprudence would provide guidelines for how information would be protected. This would further be set out in Constitutional provisions, national laws, subordinate legislation and supportive activities and documents, including training and advisory services, security audits and manuals. He emphasised that these systems could only apply properly if there was proper training, usually done by a State’s security body, who would establish manuals.

Mr Dlomo then discussed the provisions of international law, highlighting some of the international treaties, which included International Universal Declaration on Human Rights, the International Covenant on Civil and Political Rights (ICCPR), the African Charter for Human and People’s Rights, and other regional documents. Any restrictions on access to information must be prescribed by law, in a clear and precise manner. There must be legal certainty and foreseeability, and any restriction must also be genuinely directed to achieving a legitimate interest. Two main elements to be proven were social need, and proportionate limitation.

International best practices provided for tests to be applied to information needing to be classified or declassified. Not all dispensations applied both criteria. The first was the “Harm Test”. This had two main aspects: namely, gravity of harm, and the probability of harm resulting from unauthorised disclosure of information. There must always be justification of the reason for non-disclosure. In rare cases, the information was so sensitive that the information officer was permitted neither to confirm nor to deny the existence of the information. This had been criticised as a “double-bind” provision.

The second test was the “Public Interest Test”. Mr Dlomo stressed that this did not mean interest to the public, but in the interest of the public. This test would arise when access to information was required, and there was a need to weigh the factors in favour of or against disclosure. Once again, there must be justification for the decision. Mr Dlomo said that restrictions did not necessarily apply only to information held by a public body, but could also cover other matters, such as weapons. A number of Court decisions had established what could be included in the “public interest”. In the Spycatcher case (UK), the European Courts said that information about activities and possible wrong-doing of the security services was in the public interest. In the Sunday Times matter, the European Court of Human Rights concluded that matters pertaining to the settlement of negotiations, concerning the health risks of legal drugs and the locus of legal and moral responsibility for resulting injuries, were also in the “public interest” and therefore should be disclosed. Criticism of the police department (Mr Dlomo suggested also that this could be extended to security services) was dealt with in the Thorgeirson case. Published opinions alleging a court’s lack of impartiality were dealt with in the Barford case. The South African Constitution already covered some of these tests.

Mr Dlomo then examined elements of review systems. He noted four main drivers. Regular reviews would be set in the legislation. Random checks would be used to ensure that information was being kept properly. A Self-tasking Review would apply when there had been a failure of the system or some breach. Reviews on request would follow requests for access to information. Post-review obligations would apply to the originators of documents, who would have to inform relevant persons of any changes.

Mr Dlomo emphasised that classification was a restriction of the right to information. In order that the right to information should not be an empty right, there must be a certain period of time at which the information would become available. There were two main drivers for review – the first being the end of the period specified, and the second being a time when the probability and gravity of harm had reduced to such an extent that the information no longer needed to be protected, in which case the information would be downgraded or declassified. He provided some examples of varying time frames, from Lithuania, which held information for 95 years, to Mexico, which would hold it for 12 years. Shorter periods of time usually applied to information held by international organisations, because issues at that level tended to be resolved more quickly. For instance, the African Union had been preoccupied with issues in Mauritania, but once these problems had been addressed, the information previously classified as Top Secret was made available.

Mr Dlomo noted that some information was protected for ever, typically information about sources, methods and security services. Exceptions were found in the former Eastern Bloc countries, as during the German reunification process a number of former East German sources were exposed as the archives were opened up. Generally release of this kind of information would be linked to human rights violations that took place prior to the new systems. He mentioned that the recent dissolution of the State Security service in Egypt had doubtless sparked considerable on how to handle the archives and the challenge.

When information was classified, there was a requirement that those who had access would continue to protect the information. Access was generally linked either to election to a public office, or to security clearance. He noted that Members of the Joint Standing Committee on Intelligence in South Africa would have access to classified information. Those with Top Secret clearance had access to Top Secret and all other categories of information, provided that it was relevant to their work, and this would not extend to other unrelated areas. In South Africa, Partial Access (Secret / Confidential / Restricted) gave access to information below the Top Secret classification. Other systems could have more levels. Conditional Access would not necessarily be linked to security clearance, but information could be given if one person vouched for another, and this generally pertained to contractors brought on board for a project, or those holding public office.

Discussion
Professor L Ndabandaba (ANC) asked for more clarity on concepts of traditional and non-traditional protection, the interest of the country versus public interest, the rights of the country, and relationships with human rights in general.

Mr Dlomo said that the traditional or narrow definition of security would pertain to military defence of a country. However, a wider approach would include environmental security, food security, human security and similar concepts. This wider approach was adopted by a panel chaired by former UN Secretary-General Kofi Annan. “National security” had traditionally been utilised in repressive societies to deny rights to individuals, and the mere description of something as “national security” meant that no further information would be given. The Universal Declaration on Human Rights did provide for limitation of rights, but initially there had been no clear guidance on this. Documents such as the Johannesburg Principles had later attempted to set clearer parameters, correlating international jurisprudence, and the issue of “public interest” was then brought to the fore. Mr Dlomo reminded Members that national security was part of the public interest. However, there was a need to weigh and balance all rights, so that information would find its way into the public domain if the benefit of doing so outweighed the need to keep it secret. Chapter 11 of the South African Constitution obliged the Security Services to do their work in the context of international and South African law, and expressly provided that no illegal instructions could be accepted. If something did not comply with human rights perspectives, it would be contrary to the Bill of Rights and would not be permitted. That was the reason for the emphasis on the human rights context.

Ms M Smuts (DA) referred to slides on page 4, and asked about the reference to “demonstrable social need” and “good morals”, and why it was necessary to include these. ICCPR and other instruments noted that right of access to information should only be limited when this was necessary for national security.

Mr Dlomo responded that the issue of “social need” flowed from the original provision in the Universal Declaration on Human Rights, which provided for restrictions on “moral grounds”. Some countries took the approach that security was a service provided to society. Social Contract theorists would argue that the whole basis for the existence of the State was to provide security, and were therefore opposed to privatisation of security, which they believed gave rise to unequal treatment and denied people their right to life.

Ms Smuts noted a reference on page 5 to the public interest test that must be applied at the point when access to information was requested. She asked whether any other jurisdiction had encountered anything over and above the public interest defence that could be used in Court.

Mr Dlomo said that this would be dealt with later in the presentation, when he presented the case study on Canada. The United Kingdom (UK) was the first country to have the public interest defence, but it had later been amended. Canada applied it only in a limited way, to information under permanent secrecy provisions. He had been advised that Germany might have similar provisions, but had not yet found any in his research to date, but would be continuing to search German search engines as well.

Ms Smuts referred to the slide listing the time frames, and asked whether the last four time frames mentioned (of five down to two years) applied to any countries in particular.

Mr Dlomo said that he would also deal with this later in the presentation.

Ms M Mentor (ANC) asked for confirmation that the “originator” was not an individual, but an office or the title, so as to avoid any problems when it came to declassification.

Mr Dlomo confirmed that it generally referred to the originating office. However, as long as the incumbent with the power to classify still held the post, and was not disabled, the responsibility would stay with that one individual, to avoid the situation where conflicting decisions might come from more than one individual. Once that individual no longer held the office, the responsibility would be transferred to the successor. He noted, however, that in some dispensations the authority would continue only if other preconditions – notably training or renewal – were also present. In America (USA), a person who did not have at least two years’ training would lose the right to classify, and Top Secret classification depended on attendance of annual training.

Ms Mentor thought that it was useful to have international benchmarks, but asked whether comment could be made on the proposed definition of “national security” in South Africa.

Ms Mentor noted the differing lengths of classification in various countries, but felt it would be useful also to know whether longer time frames might lead to hampering of human rights. For instance, she wondered if development and stability in Sweden were in any way linked to classification of information.

Ms Smuts raised a point of order. She had thought that the purpose of this presentation was to present international best practices. Mr Dlomo had not been asked to comment on, and she therefore did not believe that it was appropriate for him to deal with, any of the Bill’s content or definitions. She was also not sure whether he would be able to answer the questions on links between time frames and stability.

The Chairperson believed that the question on time frames was useful, although he would not have limited the answer to the example given. However, Mr Dlomo would not be required to answer any question calling for his personal opinions.

Mr Dlomo said that there had been some studies on the links between national security laws and stability. Researchers had indicated that there had never been any famine in open, democratic societies where information was freely available. That, from a food and human security perspective, was quite telling. In addition, before the government of India had adopted a right to information law, there were numerous problems in indigent people getting access to basic rights and services, but once the right to information laws came into effect, marked improvements were noted, particularly at local government level, in access to services and the ability of non government organisations to get people registered for social security. There was therefore demonstrable evidence to support a balance between protection of national security and access to information. He added that further research on intelligence oversight had noted that if democratic Parliamentary oversight structures did not have adequate access to information, they were not able to carry out their work effectively. For instance, despite the existence of oversight committees in both houses of Parliament in Iran, the Iran Contra scandal resulted from the outdated notion that covert actions could be undertaken without approval by Parliament. This resulted in adoption of the principle that the President could authorise covert operations, provided that both houses were informed of this, within a stated period. There was some debate whether this applied to the current situation in Libya. He added that developments in China were also noteworthy, since that country had come up with Right to Information legislation that included detailed and ground-breaking guidelines. This was an indication that the “Twitter, Facebook and SMS Revolutions” were beginning to influence thinking across the globe. It also indicated a need to look not only to traditionally democratic countries, but to the wider world, to examine developments.

Specific Case Studies: Part II of presentation
Mr Dlomo’s first case study related to the UK. This country was guided by international instruments and its own domestic laws, which included the Official Secrets Act, the Data Protection Act, and the Freedom of Information Act. He added that there were also a Whistleblowers Act, and environmental information legislation. All this was incorporated into the operational document entitled “HMG Security Policy Framework” (SPF), which was the equivalent of South Africa’s Minimum Information Security Standards (MISS). The SPF provided guidance on creation, storage, transmission and destruction of documents. The Prime Minister and Government had overall security responsibility. Some elements were delegated to Heads of Departments. However the SPF also emphasised that security was the responsibility of everyone, and that “government assets” must be protected, including buildings, employees, leaders in government, information driving government work, and weapons systems.

There were four tiers of the SPF. Firstly, security was now looked at as a business enabler. Mr Dlomo noted that during the early days of democracy in South Africa, many of the Presidential projects had failed because community projects were not adequately secured against theft and destruction. He emphasised that everyone was responsible for security in its broadest sense. Secondly, certain core security principles were advocated, including accountability at senior levels, collective responsibility of staff and contracts, and the need to employ trustworthy people. Thirdly, a document guided all other departments on the minimum standards (which included spot checks on the effectiveness of systems). In addition, every organ of State must look at its own specific risks that might require additional protection measures. There were seven sub-policies, covering governance, risk management and compliance, protective marking and asset control, personnel security (vetting), information security and assurance, physical security (provision of safes, perimeter fencing and security guards), counter-terrorism measures (manuals to guide procedures) and business continuity. All of these protected information against loss. Other countries could adopt additional measures – for instance, in the USA a person creating a document was never able to delete it, to ensure business continuity.

The second case study examined Croatia. This country classified information that pertained to the national security and vital interests of Croatia. It included protection of the structure of the State as laid down in the Constitution (as opposed to information about it). Croatia required protection of its independence, integrity and security, its international relations, defence capability and its security intelligence systems, as well as public security, and the basis of the economic and financial system of the country. Scientific discoveries, inventions and technologies of significance to national security were also protected. The scope of protected documents included those pertaining to defence, security intelligence systems, foreign affairs, public security, criminal processes, science and technology, public finance and economics impacting on security interest. Croatia used the Originator System. The originator would determine the lowest degree of secrecy that would secure the interest.

Mr Dlomo stressed that it was common practice to look at the minimum security required. This would enable a balance between what needed to be in the public domain and what needed to be protected.

In Croatia, Top Secret and Secret classification may be done by the President of the Country, President of Parliament, or President of the Government of Croatia, as well as by the Chief State Attorney, the Head of General Staff of the Armed Forces, and Heads of certain authorities. Heads of other State Authorities could classify Confidential and Restricted information. No State or public entity associated with a department had any power to classify, because the classification must be determined only by the Head of the organ and above, so these entities had only derivative classification authority, not authority in their own right. This differed from the position in South Africa where the Security Services, as defined in Chapter 11 of the South African Constitution, had the right to determine Top Secret and Secret information, whilst all other organs of State could only deal with Confidential and Restricted matters.

In Croatia, the information was classified at the point of creation by the originator. Croatia, as a Member of the UN, also received information from that source and was expected to follow the classifications applied by those supplying that information, then domesticate them. Information would be classified if it affected the national security and vital interests of the Republic of Croatia. Details of threats against national security were listed as information needing to be protected. Croatia followed the “harm test” – applying the lowest degree of secrecy needed to protect the interest. The “need to know” principle was also applied, so that people had access to classified information where it was relevant to their jobs. Personnel security clearance was a prerequisite. Oversight and appeals were done by the Office of the National Security Council.

At this point the Chairperson interjected and noted that the House would be sitting shortly, and several Members needed to make statements. He therefore asked that the presentation stop at this point, and resume at the next meeting, in the following week, probably on Friday, to cater for Members’ attendance at other meetings.

The meeting was adjourned.


