Procedure for Protection of State Secrets and Classified Information of Foreign States
Passed 20.12.2007 No. 262
RT I 2007, 73, 449
Entry into force 01.01.2008
Amended by the following legal instruments (show)
| Passed | Published | Entry into force |
|---|---|---|
| 11.12.2008 | RT I 2008, 55, 312 | 01.01.2009 |
| 17.12.2009 | RT I 2009, 65, 448 | 01.01.2010 |
| 06.01.2011 | RT I, 14.01.2011, 6 | 17.01.2011 |
| 15.03.2012 | RT I, 19.03.2012, 1 | 22.03.2012 |
| 14.08.2014 | RT I, 19.08.2014, 17 | 22.08.2014, The words 'defence forces' have been replaced by the words 'Defence Forces' in the corresponding case throughout the Act. |
| 23.09.2016 | RT I, 27.09.2016, 5 | 30.09.2016 |
| 20.10.2016 | RT I, 26.10.2016, 2 | 29.10.2016 |
| 17.11.2016 | RT I, 22.11.2016, 7 | 01.01.2017 |
| 25.05.2017 | RT I, 31.05.2017, 7 | 03.06.2017 |
| 22.06.2017 | RT I, 28.06.2017, 40 | 01.07.2017, The words 'The Information Board' have been replaced by the words 'The Estonian Foreign Intelligence Service' in the corresponding case throughout the text. |
| 21.06.2018 | RT I, 28.06.2018, 6 | 01.07.2018 |
| 02.08.2018 | RT I, 07.08.2018, 2 | 10.08.2018 |
| 28.02.2019 | RT I, 06.03.2019, 7 | 09.03.2019 |
| 04.10.2021 | RT I, 06.10.2021, 1 | 09.10.2021 |
| 23.12.2021 | RT I, 31.12.2021, 18 | 03.01.2022 |
This Regulation is established based on subsection 1 of § 11, subsection 5 of § 13, subsection 4 of § 14, subsections 4 and 5 of § 15, subsections 4 and 6 of § 20, subsection 13 of § 27, subsection 5 of § 31, subsection 3 of § 36, subsection 1 of § 39, subsection 6 of § 41, subsection 4 of § 42, subsection 4 of § 46 and subsection 6 of § 51 of the State Secrets and Protection of State Secrets and Classified Information of Foreign States Act.
Chapter 1 GENERAL PROVISIONS
§ 1. Scope of application of Regulation
This Regulation establishes the procedure for the protection of state secrets and classified information of foreign states, and the subcategories of information classified as a state secret, and the levels and terms of classification of subcategories of information.
§ 2. Definitions
In this Regulation, the following definitions are used:
1) classified information – state secrets or classified information of foreign states;
2) processing unit – an agency, constitutional institution or legal person which processes classified information or a natural person who processes classified information based on a Facility Security Clearance;
3) administrative area – an area with clear external borders used by a processing unit, in which all persons and vehicles which enter such area shall be identified and in which the processing of information classified at the “restricted” level is permitted;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
4) public area – an area which is not a security area nor an administrative area;
5) correction of classification data – declassification of information which has been processed as state secret without a legal basis; modification of the level, legal basis or term of state secret that has been classified at the incorrect level, on an incorrect legal basis or for an incorrect term;
6) open storage area – a security area where the use of safes or, lockable cabinets or drawers is not required;
7) courier – a person who forwards classified media.
§ 21. Estonian National Security Authority
The Estonian National Security Authority is a structural unit of the Estonian Foreign Intelligence Service.
[RT I, 22.11.2016, 7 – entry into force 01.01.2017]
§ 3. Authorisation of secretary general of a ministry
A minister may authorise the secretary general of the ministry to perform all acts and take all decisions which the minister, as the head of the authority, is authorised to perform and take.
Chapter 2 SUBCATEGORIES OF STATE SECRETS
§ 4. Subcategories of state secrets related to foreign relations
(1) With respect to information related to international relations created by bodies conducting foreign relations and information created by bodies conducting foreign relations, whose disclosure would significantly damage the foreign relations of the Republic of Estonia, the following shall be a state secret:
1) information received by an employee or representative of a body conducting foreign relations during an international meeting or information related to such meeting, the disclosure of which may significantly damage national security. Such information shall be classified as secret for 50 years;
2) information received by an employee or representative of a body conducting foreign relations during an international meeting or information related to such meeting, the disclosure of which may damage national security or significantly damage foreign relations. Such information shall be classified as restricted until the arrival of the date or event agreed upon by the parties participating in the meeting but not for longer than for 50 years;
3) information created by a body conducting foreign relations related to the preparation and conduct of international negotiations or meetings, whose disclosure before the holding of the negotiations or meetings may damage national security or significantly damage foreign relations. Such information shall be classified as restricted until the holding of the meeting or for 50 years if the disclosure of the information after the meeting or in the case of cancelling the meeting would damage national security or significantly damage foreign relations;
4) information concerning the preparation or conduct of international visits or ceremonies (hereinafter in this clause events) unless the disclosure of such information damages national security or significantly damages foreign relations. Such information shall be classified at the restricted’ level until the holding of the event or for 50 years if the disclosure of the information after the event or in the case of cancelling the event would damage national security or significantly damage foreign relations;
5) information received during an international meeting or information concerning such meeting created by a body conducting foreign relations which is subject to protection against disclosure according to international practices, or whose protection has been agreed upon by the participants in the meeting or other event. Such information shall be classified at the level and for the term determined on an agreement between the participants or pursuant to international practices, but not at a level of classification higher than secret and not for longer than for 50 years;
6) information created by a body conducting foreign relations which concerns international relations, a foreign state or international organisation or a representative thereof if disclosure of the contents of the information, the manner of forwarding or the source of the information would damage national security or significantly damage foreign relations. Such information shall be classified as restricted for 50 years.
(2) With respect to information collected and prepared by the Strategic Goods Commission operating at the Ministry of Foreign Affairs concerning the import, export and transit of strategic goods, export of services related to military goods and the end use of strategic goods, the following shall be a state secret:
1) information about the import, export and transit of strategic goods, the export of services related to military goods and end-use of strategic goods collected by the Strategic Goods Commission, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 30 years;
2) information about the import, export and transit of strategic goods, the export of services related to military goods and end-use of strategic goods collected by the Strategic Goods Commission, which analyses the dissemination of strategic goods and the related danger to security. Such information shall be classified as confidential for 30 years;
3) information concerning refusal by the Strategic Goods Commission to issue an import or export licence, transit permit or document on supervision of end-use of military goods, except materials, construction works and equipment related to weapons of mass destruction, forwarded to an international control system of strategic goods control – Wassenaar Arrangement Participating States – and the EU Working Group on Conventional Arms Export; as well as information concerning the contents of the meeting of the Strategic Goods Commission which discussed such refusal. Such information shall be classified as restricted for 10 years;
4) information concerning refusal to issue an import or export licence, transit permit or document on supervision of end-use of materials, construction works and equipment related to weapons of mass destruction prepared by the Strategic Goods Commission and forwarded to the international strategic goods control system – the Nuclear Suppliers' Group and the Australia Group; as well as information concerning the contents of the meeting of the Strategic Goods Commission which discussed such refusal. Such information shall be classified as confidential for 20 years.
§ 5. Subcategories of state secrets related to national defence
(1) With respect to information concerning the preparation, management and operations of national defence, the following shall be a state secret:
1) The wartime unit´s standard table of equipment specified in the statutes of the Defence Forces.
Such information shall be classified as restricted for 10 years. Classification of such information shall expire upon public use of such information after the declaration of mobilisation;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
11) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) [Repealed – RT I 2008, 55, 312 – entry into force 01.01.2009]
3) information reflecting the nationwide operational planning and operational control of the national military defence activities of the Defence Forces. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
31) information reflecting the operational planning and operational control of the national military defence activities of the Defence Forces based on territorial division. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
4) information reflecting the duties of an armed service, command, brigade of the Defence Forces and military intelligence collecting information in a manner specified in clauses 1, 2 and 5 of subsection 1 and subsection 2 of § 37 of the Defence Forces Organisation Act or information reflecting operational planning and operational control of a unit performing the duty to organise special operations. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
5) information concerning operational planning and operational control of the wartime unit of the Defence Forces, which is not classified on the basis of clauses 3–4. Such information shall be classified as restricted for 30 years;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
6) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
7) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
8) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
9) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
10) information reflecting the participation in a military operation of the Defence Forces the disclosure of which may endanger the organisation of the operation or damage the security of the participating unit. Such information shall be classified as confidential for 10 years as of the end of the military operation;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
11) The number and staffing of wartime posts of military rank in the wartime unit of the Defence Forces. Such information shall be classified as restricted for 10 years. The number of wartime posts of military rank in the standard composition of the military unit is not a state secret;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
12) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
13) information concerning wartime radio frequencies. Such information shall be classified as secret for 50 years;
14) the parameters and operational capacity of the data transmission equipment of the maritime surveillance systems of the Defence Forces. Such information shall be classified as confidential for 10 years;
15) the measurement results of the magnetic and acoustic fields of military vessels of the Defence Forces. Such information shall be classified as secret for 10 years;
16) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
17) the rules for the use of force by the Defence Forces, except information the disclosure of which would not damage the security of the Republic of Estonia. Such information shall be classified as confidential for 10 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
18) [RT I, 26.10.2016, 2 – entry into force 29.10.2016]
19) The composition and staffing of the permanent structural unit performing the duty to organise special operations of the Defence Forces as well as of the wartime unit, except the post of the head of the unit, and of their subunits, information concering functions and duties of the servants, breakdown of budgetary expenditure, budget execution reports, budget planning and investments, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
20) information concerning the methods and means used for execution of the duty of a structural unit organising special operations of the Defence Forces, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(2) Regarding information on the preparation and conduct of mobilisation, the state secret is:
1) the set of data entered in the state central registry of mobilisation. Such information shall be classified as secret for 30 years;
2) [Repealed – RT I, 28.06.2018, 6 – entry into force 01.07.2018]
3) [Repealed – RT I, 28.06.2018, 6 – entry into force 01.07.2018]
4) the set of data on the current equipment of the wartime units of the Defence Forces. Such information shall be classified as secret for 30 years.
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
5) the set of data on the current equipment of one wartime unit of the Defence Forces. Such information shall be classified as confidential for 20 years;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
6) the set of data reflecting combat readiness of the wartime units of the Defence Forces. Such information shall be classified as secret for 30 years.
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
7) the set of data reflecting combat readiness of one wartime unit of the Defence Forces. Such information shall be classified as confidential for 20 years;
[RT I, 28.06.2018, 6 – entry into force 01.07.2018]
8) [RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(3) With respect to information concerning the mobilisation stockpile, the information concerning the general quantities of the mobilisation stockpile and means shall be a state secret. Such information shall be classified as secret for 10 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(4) Regarding the information concerning the military weapons and munitions of war of the Defence Forces and the National Defence League, the following shall be a state secret:
1) information concerning the consolidated data and division of the military weapons and munitions of war of the Defence Forces and the National Defence League, except the information which is subject to disclosure based on an international agreement. Such information shall be classified as secret for 20 years;
2) [Repealed – RT I 2008, 55, 312 – entry into force 01.01.2009];
3) tactical data of the weapons systems of the Navy, except tactical data of coastal defence weapons systems. Such information shall be classified as confidential for 10 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(5) With respect to information collected by radars and surveillance systems, the following shall be a state secret:
1) [Repealed – RT I, 14.01.2011, 6 – entry into force 17.01.2011]
2) capacity parameters of air surveillance radars of the Air Force, whose disclosure may damage air surveillance. Such information shall be classified as restricted for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
3) the consolidated parameters of the air surveillance system of the Air Force and capacity parameters of radars, whose disclosure may damage air surveillance. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
4) technical specifications of electronic warfare measures and equipment of a radar. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
5) the results of the test on electronic warfare capability of a radar. Such information shall be classified as secret for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
6) the operating modes, filtered areas and target criteria of radars. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
7) the operational status and times for scheduled maintenance of a radars during the general defence readiness. Such information shall be classified as restricted for one year;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
8) operational status of a radar and times for scheduled maintenance of a radar during the increased defence readiness, state of war, state of emergency and mobilisation. Such information shall be classified as secret for one year;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
9) the planned location of a radar and air surveillance system for the period of increased defence readiness, state of war, state of emergency and mobilisation with the accuracy of more than one second. Such information shall be classified as confidential for 10 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
10) information concerning the code name of the air defence system. Such information shall be classified as restricted for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
11) results of the maintenance and analysis of a radar. Such information shall be classified as confidential for five years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
12) crypto devices and cryptokeys enabling establishment of identification criteria of a secondary radar. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
13) integrated radar data collected and processed by the air surveillance system. Such information shall be classified as confidential for five years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
14) information concerning the location of the air surveillance system with the accuracy of more than one second and concerning the responsibility and surveillance areas. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
15) information concerning the operational status of the air surveillance system during the general defence readiness. Such information shall be classified as restricted for one year;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
16) information concerning the operational status of the air surveillance system during the increased defence readiness, state of war, state of emergency and mobilisation. Such information shall be classified as secret for one year;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
17) information collected and analysed by means of marine surveillance equipment. Such information shall be classified as secret for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
18) information concerning the capacity of marine surveillance system to identify and analyse a maritime picture. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
19) information concerning the settings of marine surveillance systems installed on ships under specific operating conditions. Such information shall be classified as confidential for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(6) With respect to information concerning inventions and research related to national defence and the outcomes thereof, information concerning inventions and research related to national defence, except information whose disclosure would not damage the security of the Republic of Estonia, is deemed to be a state secret. Such information shall be classified as secret or at a lower level of classification for up to 30 years.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(7) With respect to information collected and synthesised by a structural unit of the Defence Forces which deals with military intelligence, the following shall be a state secret:
1) information collected by means of communications intelligence or information synthesised on the basis thereof which allows establishing the method of collection. Such information shall be classified as top secret for 50 years;
2) information collected by means of electronic intelligence or information synthesised on the basis thereof. Such information shall be classified as secret for 30 years;
3) information collected by covert surveillance or information synthesised on the basis thereof. Such information shall be classified as secret for 30 years;
31) information collected by human intelligence or information synthesised on the basis thereof, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
32) security intelligence or information synthesised on the basis thereof, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
4) information specified in clauses 3–32 if the disclosure thereof would endanger the life or health of a person. Such information shall be classified as top secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
5) information which reflects the sources of threat to national security. Such information shall be classified as confidential for 15 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
6) information concerning foreign states, international organisations, foreign military factors and activities. Such information shall be classified as restricted for 15 years;
7) information concerning the threat assessment prepared by a structural unit of the Defence Forces executing military intelligence. Such information shall be classified as secret for 50 years;
8) information collected in the course of intelligence and counterintelligence operations organised by security authorities or information synthesised on the basis thereof. Such information shall be classified as secret for 30 years;
9) information of a foreign state, international organisation, institution founded by an international agreement or a security authority, whose source data is classified at a higher level or for a longer period than provided in clauses 5–6. Such information shall be classified based on the state secret subcategory that prescribes the highest level and longest term of classification for the source data;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
10) information collected through photo intelligence or information synthesised on the basis thereof, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 15 years.
[RT I 2008, 55, 312 – entry into force 01.01.2009]
(8) With respect to information related to the composition, tasks and distribution of the budget of a structural unit of the Defence Forces, which collects information in a manner specified in clauses 1, 2 and 5 of subsection 1 and subsection 2 of § 37 of the Defence Forces Organisation Act, the following shall be a state secret:
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
1) the structure of a structural unit or subunits, information concerning the composition of staff and the breakdown and location of posts in a structural unit separately and as a set of data, except the posts of commanders of structural units and information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years.
2) the duties of a structural unit or subunit and of their servants and information concerning their duties, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years;
3) consolidated data concerning the servants in a structural unit or subunit, as well as the data with regard to the recruitment statistics and the staffing and occupancy of posts in the Defence Forces intelligence. Such information shall be classified as secret for 25 years.
4) the breakdown of budgetary expenditure of a structural unit or subunit, budget execution reports, budget planning and investments, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years.
[RT I 2008, 55, 312 – entry into force 01.01.2009]
(9) [Repealed – RT I 2008, 55, 312 – entry into force 01.01.2009]
(10) With respect to information reflecting the collection of information by a structural unit of the Defence Forces executing military intelligence, collecting information in a manner specified in clauses 1 and 2 of subsection 1 and subsection 2 of § 37 of the Defence Forces Organisation Act, including information concerning the methods and means used for collecting information and objects under surveillance the following shall be a state secret:
1) the methods, tactics and means used for covert collection of data by a structural unit and the information reflecting thereof. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) information concerning the capacity of the signals intelligence and other technical means of intelligence. Such information shall be classified as secret for 50 years;
3) systems or means ensuring the capacity of the signals intelligence or other technical means of intelligence. Such information shall be classified as confidential for 20 years;
4) information concerning the decisions made to commence and terminate collection of information. Such information shall be classified as secret for 50 years;
5) information with regard to a person involved in secret cooperation by the Defence Forces on the basis of the Defence Forces Organisation Act. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
6) information which indicates the connection with the Defence Forces of a legal person simulated by the Defence Forces, its structural unit, body, subsidiary of a company or undercover agent. Such information shall be classified as secret for 50 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(11) With respect to information concerning the international cooperation in the area of military intelligence, the following shall be a state secret:
1) information concerning international relations if it does not include information specified in clauses 2–4 of this subsection or does not damage national security. Such information shall be classified as restricted for 30 years;
2) information concerning cooperation with a foreign state and international organisation if it does not include information specified in clauses 3 and 4 of this subsection. Such information shall be classified as confidential for 50 years unless otherwise agreed upon. The information shall not be classified if it is publicised lawfully;
3) information covertly collected in the course of international cooperation and information reflecting the exchange of such information. Such information shall be classified as secret for 50 years unless otherwise agreed upon;
4) information in the area of intelligence and counterintelligence which was covertly collected together with the police and security authority of a foreign state and the information reflecting the collection thereof. Such information shall be classified as top secret for 50 years unless otherwise agreed upon.
[RT I 2008, 55, 312 – entry into force 01.01.2009]
(12) Regarding the information concerning military geography of the Defence Forces and the National Defence League, the following shall be a state secret:
1) the database containing spatial data (Feature Data Dictionary) of the defence forces (Feature Data Dictionary) in the scale of 1: 50 000, three-dimensional landscape models, processed remote surveillance data. Such information shall be classified as restricted for 10 years;
[RT I 2008, 55, 312 – entry into force 01.01.2009]
2) landscape analyses of the strategic and tactical level concerning the territory of Estonia, geo-coordinated plans of national defence objects and three-dimensional geographical models of national defence objects prepared by the Defence Forces. Such information shall be classified as confidential for 30 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
3) landscape analyses of the strategic and tactical level concerning the territory of a foreign state, geo-coordinated plans, processed remote surveillance data and three-dimensional landscape models of national defence objects, prepared by the Defence Forces. Such information shall be classified as secret for 30 years.
§ 6. Subcategories of state secret in area of maintenance of law and order
(1) With respect to information collected by surveillance agencies during surveillance, and information concerning the methods, tactics and means used for the collection of such information, the following shall be a state secret:
1) information collected in the course surveillance for the conduct of witness protection. Such information shall be classified as secret for 25 years;
2) information collected by surveillance agencies by way of surveillance. Such information shall be classified as restricted for 25 years. Classification of such information shall expire to the extent in which it is entered in the criminal file or is communicated to the person who was under surveillance, or to the person whose private or family life was violated by surveillance;
3) information received from a person recruited for secret cooperation in surveillance by a surveillance agency. Such information shall be classified as restricted for 50 years;
4) information collected in the course of surveillance which is reflected in the threat assessments and reviews concerning organised crime and other serious crime prepared by the Police and Border Guard Board. Such information shall be classified as restricted for 50 years;
[RT I 2009, 65, 448 – entry into force 01.01.2010]
5) information reflecting the methods, tactics and means used in surveillance, except information which can be derived from the information collected by surveillance which has been made public lawfully. Such information shall be classified as restricted for 25 years;
6) information concerning the remuneration paid to a person who has been recruited by a surveillance agency for secret co-operation in surveillance, compensation and taxes paid on such sums, and the documents reflecting them. Such information shall be classified as restricted for 25 years;
7) information concerning a person or body simulated by a surveillance agency, which may disclose the connection thereof to the surveillance agency. Such information shall be classified as restricted for 25 years.
(2) With respect to information concerning persons who have been recruited for secret cooperation by a surveillance agency and undercover agents, the information concerning the identity of the persons who have been recruited for secret co-operation by a surveillance agency and undercover agents shall be a state secret. Such information shall be classified as restricted for 75 years. Classification shall expire if twenty years have passed since the death of such person but not less than 50 years since classification of the information.
(3) Information concerning police agents of surveillance agencies is a state secret. Such information shall be classified as restricted for 75 years. The classification of such information shall expire to the extent that it is entered in a criminal file. Classification of information not entered in a criminal file shall expire if twenty years have passed since the death of a person specified in this clause but not less than 50 years since the classification of the information;
(4) Regarding information concerning the structure, staff and tasks of the structural unit of the Police and Border Guard Board dealing with witness protection, information reflecting the structure and staff of a structural unit of the Police and Border Guard Board dealing with witness protection, the persons occupying the posts in that unit, and their duties shall be a state secret to the extent determined by a directive of the head of the Police and Border Guard Board. Such information shall be classified as secret for 50 years.
[RT I 2009, 65, 448 – entry into force 01.01.2010]
(5) Regarding the property at the disposal of a structural unit of the Police and Border Guard Board dealing with witness protection and the distribution of the budget thereof, the following shall be a state secret:
1) information concerning the means of transport used by a structural unit of the Police and Border Guard Board dealing with witness protection if disclosure of such information would endanger the application of witness protection or the safety of the structural unit dealing with witness protection or of a person placed under protection. Such information shall be classified as confidential for 10 years;
2) information concerning the property used by a structural unit of the Police and Border Guard Board dealing with witness protection if disclosure of such information would endanger the application of witness protection or the safety of the structural unit dealing with witness protection or a person placed under protection. Such information shall be classified as secret for 25 years;
3) the classification of budget expenditure and reports on the implementation of the budget of a structural unit of the Police and Border Guard Board dealing with witness protection.
Such information shall be classified as secret for 25 years.
[RT I 2009, 65, 448 – entry into force 01.01.2010]
(6) Regarding the information concerning the protective measures related to witness protection the following shall be state secret:
1) information concerning the methods and tactics of application of protective measures related to witness protection. Such information shall be classified as secret for 50 years;
2) format of the protection agreement of witness protection established by a regulation on the basis of subsection 6 of § 14 and § 19 of the Witness Protection Act and the procedure for keeping and storing of the protection file. Such information shall be classified as restricted for 25 years.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(7) Regarding the information concerning the application of protective measures related to witness protection to a specific person, the following shall be a state secret:
1) information reflecting the application of protective measures related to witness protection to a specific person, except information which reflects only the fact of placing such person under witness protection. Such information shall be classified as top secret for 75 years. Classification shall expire when 20 years have passed since the death of the person placed under witness protection but not less than 50 years since the classification of information;
2) the breakdown of budgetary expenditure and reports on the implementation of the budget of a structural unit of the Police and Border Guard Board dealing with witness protection, if they reflect the protective measures applied with respect to a specific person. Such information shall be classified as top secret for 75 years. Classification shall expire when 20 years have passed since the death of the person placed under witness protection but not less than 50 years since the classification of the document.
[RT I 2009, 65, 448 – entry into force 01.01.2010]
(8) Regarding the information concerning operation during a state of emergency or state of war described in the national crisis management plan, the information concerning operation during a state of emergency and war-time described in the national crisis management plan, except information whose disclosure does not damage the security of the Republic of Estonia, shall be a state secret. Such information shall be classified as top secret for 50 years. Classification shall expire upon the public use of such information during a state of emergency or state of war.
(9) [Repealed – RT I, 27.09.2016, 5 – entry into force 30.09.2016]
(10) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 7. Subcategories of state secret regarding security authorities
(1) With respect to information related to the international cooperation of security authorities, the following shall be a state secret:
1) information concerning foreign relations in the area of security prepared by a security authority unless it contains information specified in clauses 2–4 of this subsection. Such information shall be classified as restricted for 30 years;
2) information concerning security cooperation between the security authority and a foreign state or international organisation unless it contains information specified in clauses 3 and 4 of this subsection. Such information shall be classified as confidential for 50 years unless otherwise agreed. Such information shall not be classified if it has been made public lawfully;
3) covertly collected information to be transmitted in the course of international cooperation of the security authority and information concerning the exchange of such information. Such information shall be classified as secret for 50 years unless otherwise agreed;
4) information collected covertly by the security authority together with a foreign police or security authority and information reflecting the collection of information or information exchanged in the course thereof. Such information shall be classified as top secret for 50 years unless otherwise agreed.
(2) Regarding the information reflecting the property used by a security authority and distribution of the budget of the security authority, the following shall be a state secret:
1) information concerning the property used by a security authority if disclosure of such information would endanger the performance of the function of the security authority or the security of the security authority. Such information shall be classified as confidential for up to 25 years or until the termination of the possession of the building or construction works;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
2) information concerning the technical means used for the covert collection of information if disclosure of such information would endanger the performance of the function of the security authority. Such information shall be classified as secret for 50 years;
3) the classification of budget expenditure and reports on the implementation of the budget of a security authority. Such information shall be classified as secret for 50 years.
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
(3) Regarding information reflecting the operation of a security authority in resolving an emergency the information reflecting the operation of the security authority upon resolving an emergency, including the methods and tactics used, and the code of conduct for officials participating in resolving the emergency shall be a state secret. Such information shall be classified as confidential for 20 years. Classification shall expire upon the public use of the information in an emergency.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(4) With respect to information covertly collected upon the performance of the tasks of a security authority and the information concerning the collection thereof, the following shall be a state secret:
1) information which has been and is being covertly collected based on the Security Authorities Act, and the work organisation for collection thereof. Such information shall be classified as secret for 50 years. Classification shall expires if, according to a decision of the director general of the security authority, the public use of such information is necessary for the performance of the functions of the security authority. This clause does not apply to the logs automatically saved in the equipment of an electronic communications undertaking or a processor of personal data;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
2) information specified in clause 1 if the disclosure thereof would pose a threat to the life or health of a person or to the protection of information classified as top secret. Such information shall be classified as top secret for 50 years;
3) methods and tactics of the collection of information specified in clause 1. Such information shall be classified as secret for 50 years;
4) information reflecting the methods and sources of signals intelligence. Such information shall be classified as top secret for 50 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
5) reports containing the lists of acts of covert collection of data based on the Security Authorities Act, which do not reflect information classified as top secret. Such information shall be classified as secret for 25 years;
6) tasks for the collection of information assigned by the Government of the Republic and the Security Committee of the Government of the Republic to a security authority. Such information shall be classified as secret for 25 years;
7) information which is received by the Estonian Internal Security Service in the course of covert collection of information based on the Security Authorities Act concerning committed or prepared crimes which does not fall within the investigative jurisdiction of the Estonian Internal Security Service, provided that such information does not reveal the sources of information, tactics of the collection of information or information specified in clauses 2–6 of this subsection. Such information shall be classified as restricted for 25 years.
(5) With respect to information analysed and synthesised in the course of performance of the functions of a security authority, the following shall be a state secret:
1) information analysed and synthesised in the course of performance of the functions of a security authority which concerns foreign states, foreign factors or activity. Such information shall be classified as restricted for 50 years;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
2) information analysed and synthesised in the course of performance of the functions of a security authority which reflects internal or foreign sources of danger. Such information shall be classified as confidential for 50 years;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
3) threat assessments prepared by a security authority, except threat assessments specified in clause 31 of this subsection. Such information shall be classified as secret for 50 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
31) -threat assessments prepared by a security authority concerning the crimes within the investigative jurisdiction of the security authority. Such information shall be classified as restricted for 25 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
4) threat assessment prepared by a security authority with the aim of provision of security protection to an event or a person. Such information shall be classified as restricted for 15 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
5) information analysed and synthesised by a security authority, whose source data is classified at a higher level or for a longer period than provided in clauses 1–4, shall be classified based on the state secret subcategory that prescribes for the highest level and longest term of classification for the source data;
6) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
7) proposal or task of a governmental authority to a security authority to analyse or synthesize information specified in clauses 1–3 or to prepare the threat assessment specified in clauses 31 and 4, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified based on the proposal or task at the level and for the term determined in clauses 1–4.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(51) On the basis of subsection 5 information which is prepared with the aim to prevent threat or damage to the interests of the state by means of informing the public of the activities of the security authority shall not be classified. Neither is classified part of the classified information which is entered in the criminal file.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(6) With respect to information concerning structural units and staff of security authorities, and their functions, the following shall be a state secret:
1) the structure of a security authority, with the exception of the structural units which are published in the statutes of the corresponding security authority. Such information shall be classified as secret for 50 years;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
2) the functions of structural units and employees of a security authority, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as secret for 50 years;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
3) the consolidated data concerning the staff of a security authority and the composition of staff performing duties related solely to the covert collection of data. Such information shall be classified as secret for 50 years;
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
4) [Repealed – RT I, 14.01.2011, 6 – entry into force 17.01.2011]
5) assessments given and analyses made in the course of the technical security check by the security authority. Such information shall be classified as restricted for 25 years.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(7) Information concerning a person recruited for secret co-operation by the security authority and an undercover staff official or employee of the security authority, except for information specified in subsection 2 of § 6, shall be a state secret. Such information shall be classified as top secret for seventy-five years. Classification shall expire if twenty years have passed since the death of such person but not earlier than fifty years since classification of the information.
[RT I, 28.06.2017, 40 – entry into force 01.07.2017]
(8) Information concerning a person who has submitted a personal confession concerning service in security or intelligence organisations or cooperation therewith to the Estonian Internal Security Service pursuant to the procedure provided in clause 1 of subsection 2 of § 5 of the Procedure for Registration and Disclosure of Persons who Have Served in or Cooperated with Intelligence or Counter-intelligence Organisations of Security Organisations or Military Forces of States which Have Occupied Estonia Act, unless the person who was in service in security or intelligence organisations or cooperated therewith, in relation to such service or cooperation, has committed an offence which, according to the law in force in the Republic of Estonia, is punishable as a criminal offence of the first degree or has committed crimes against humanity or war crimes and the committing of an offence or crime by the person has been proved by court with a judgment which has entered into force, or unless the person who was in service in the security or intelligence organisations or cooperated therewith was the President of the Republic, a member of the Riigikogu or the Government of the Republic, or a justice of the Supreme Court shall be a state secret. Such information shall be classified as secret for 50 years. Classification shall expire if 20 years have passed since the death of such person but not earlier than 50 years since classification of the information.
(9) With respect to information concerning the coordination of the activities of security authorities, their cooperation with the Defence Forces and the work of the Security Committee of the Government of the Republic, the following shall be a state secret:
1) information reflecting foreign relations in the area of security prepared by the officials of the Government Office conducting the coordination of work of the security authorities and the organisation of work of the Security Committee of the Government of the Republic or by the officials and employees related to organisation and coordination of work of the security authorities in the Ministry of the Interior and the Ministry of Defence unless it contains information specified in clause 2 of this subsection. Such information shall be classified as restricted for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) information reflecting cooperation with a foreign state or international organisation in the area of security of a structural unit of the Government Office conducting the coordination of work of the security authorities and the organisation of work of the Security Committee of the Government of the Republic or a structural unit in the Ministry of the Interior and the Ministry of Defence executing the organisation and coordination of work of the security authorities. Such information shall be classified as confidential for 50 years unless otherwise agreed. Such information shall not be classified if it has been made public lawfully;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
3) information concerning the topics discussed in the meetings of the Security Committee of the Government of the Republic and its sub-committees, except information which is not deemed as state secret by a decision of the Security Committee of the Government of the Republic or which is published with the aim to prevent threat or damage to the interests of the state. Such information shall be classified as restricted for 25 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
4) the tasks of a structural unit of the Government Office executing the coordination of work of the security authorities and the organisation of work of the Security Committee of the Government of the Republic and the public servants thereof or a structural unit in the Ministry of the Interior and the Ministry of Defence conducting the organisation and coordination of work of security authorities and servants thereof, except information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 25 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
5) threat assessments and the plan regarding the obtaining and analysis of state security information prepared by a structural unit of the Government Office conducting the coordination of work of security authorities and the organisation of work of the Security Committee of the Government of the Republic. Such information shall be classified as secret for 50 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
6) information analysed and prepared on the basis of security information by a structural unit of the Government Office conducting the coordination of work of the security authorities and the organisation of the work of the Security Committee of the Government of the Republic. Such information shall be classified as secret for 50 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
61) information reflecting the organisation and coordination of work of a security authority prepared by the Ministry of the Interior and the Ministry of Defence, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as secret for 25 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
62) information reflecting the supervisory control or audit of a security authority, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 25 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
7) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(91) Information whose source data have been classified at a higher level of classification or for the longer term than provided in clauses 3 and 6–62 of subsection 9 shall be classified based on the state secret subcategory that prescribes for the highest level and longest term of classification for the source data.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(10) With respect to information concerning the persons and bodies simulated and shadow information used by security authorities, the information which demonstrates the connection of the bodies simulated and shadow information used with the security authority shall be a state secret. Such information shall be classified as secret for 50 years.
(11) Information available in the document registry of the security authority is a state secret. Such information shall be classified as secret for 25 years or at a higher level of classification and for a longer term if the registry contains information with the appropriate classification level and term.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
§ 8. Subcategories of state secret regarding infrastructure and data protection
(1) With respect to information concerning the security, alarm, communication and information systems of the Office of the President of the Republic, the Government Office, a security authority, the Ministry of Defence, the Defence Forces, the Defence League, the Defence Resources Agency, the Information Systems Authority, Eesti Pank, the Ministry of the Interior, the Police and Border Guard Board and the Ministry of Foreign Affairs, including the foreign representations and missions, and the state agencies administered by such governmental authorities, the following shall be a state secret:
[RT I, 22.11.2016, 7 – entry into force 01.01.2017]
1) consolidated information concerning the electronic access or security system of a building or area in the possession of an authority specified in the introductory part of this subsection to the extent of one building or area or part thereof considered to be an integral whole, which contains data concerning the location, type, linkages between them and other technical indicators of the equipment which constitute a system, including the central processing equipment, or data concerning the security areas or zones or a general description of the system, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) analyses and assessments concerning the operation and efficiency of the electronic access or security /video surveillance system of a building or area/premises in the possession of an authority specified in the introductory part of this subsection, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
3) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
4) consolidated information concerning the electronic access control or security system of a building or area in the possession of an authority specified in the introductory part of this subsection to the extent of one building or area or part thereof considered to be an integral whole, which contains data concerning the location and type of the terminal equipment (sensors, cameras or other devices/) and concerning the setting of the security areas or zones or system created thereby, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
5) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
6) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
7) the set of information processed by the electronic access control or security system of a building or area in the possession of an authority specified in the introductory part of this subsection, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
8) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
9) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
10) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
11) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
12) consolidated information concerning the automatic fire alarm systems of a building or area/premises in the possession of an authority specified in the introductory part of this subsection to the extent of one building or area or part thereof considered to be an integral whole, which contains data concerning the location, type, the linkages between them and other technical indicators of the equipment which constitute a system, or a general description of the system, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
13) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
14) the analyses and assessments concerning the physical security measures of a building or area/premises in the possession of an authority specified in the introductory part of this subsection, which reflect the functioning and efficacy of the security measures, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
15) information concerning the radio frequencies permanently used for signals intelligence, air surveillance, marine surveillance, security and guarding of objects and military defence of the state and direction thereof in the Defence Forces. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
16) consolidated information concerning Communication and Information Systems (CIS) of the Ministry of Defence, the Defence Forces, the Defence League, the Defence Resources Agency and other possessors of information in the area of government of the Ministry of Defence, including the consolidated information of the structure of each CIS and the information concerning CIS security measures. Such information shall be classified as confidential for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
17) [Repealed – RT I, 19.08.2014, 17 – entry into force 22.08.2014]
18) information concerning the technical data and security measures of CIS used for processing data intended for internal use of the Ministry of Defence, the Defence Forces, the Defence League, the Defence Resources Agency and other possessors of information in the area of government of the Ministry of Defence, in which information reflecting classified data, technical data and security measures are not processed. Such information shall be classified as restricted until the use of the communications network or processing system or part thereof expires, but not for longer than 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
19) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
20) information concerning the description of the crypto device used in the communications system of the air surveillance system of the air forces. Such information shall be classified as confidential for 10 years;
21) information concerning the description of an unkeyed crypto device used in the communications system of the air surveillance system of the air forces. Such information shall be classified as confidential for 10 years;
22) information concerning the description of a keyed crypto device used in the communications system of the air surveillance system of the air forces. Such information shall be classified as secret for 10 years;
23) information concerning the schemes of the communications links used in the communications system of the air surveillance system of the air forces. Such information shall be classified as confidential for 10 years;
24) information concerning the parameters and operational capacity of the data transmission equipment of the air surveillance systems. Such information shall be classified as confidential for 10 years;
25) information of the authority specified in the introductory part of this subsection concerning the cabling of the networks to the extent of one building or area or part thereof considered to be an integral whole, except information whose disclosure does not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 30 years or until the network is transferred or its use is terminated;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016).
251) information of the authority specified in the introductory part of this subsection concerning the cabling of the CIS classified as confidential and higher level of classification to the extent of one building or area or part thereof considered to be an integral whole. Such information shall be classified as confidential for 30 years or until the network is transferred or its use is terminated;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
26) information concerning the methods and means used by the Estonian Foreign Intelligence Service for organising and control of special telecommunications. Such information shall be classified as confidential for 30 years.
27) technical information and working parameters of surveillance and security systems of the Police and Border Guard Board intended for surveillance of external borders, which are not available from public sources and whose disclosure would damage the safeguarding/ensuring internal security. Such information shall be classified as restricted for 10 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
28) consolidated information concerning the structure and technical parameters of surveillance and security systems of the Police and Border Guard Board intended for surveillance of external borders, which includes the general description of the systems or data concerning the precise technical indicators of the equipment included in the system. Such information shall be classified as confidential for 10 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
29) the results of the tests reflecting the coverage areas of the surveillance and security systems of the Police and Border Guard Board intended for surveillance of external borders. Such information shall be classified as restricted for 10 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
30) a set of data concerning the detailed technical structure or security methods of data communication intended for surveillance of external borders. Such information shall be classified as restricted for 10 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
31) a set of data concerning the detailed structure or security methods of the operational radio communication, except for the consolidated figures of the structure of the network. Such information shall be classified as restricted for 20 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
32) Cyber security risk assessments of the Information System Authority, surveillance information and items of information collected in the course of surveillance acts concerning the critical vulnerability of information systems insofar as they include technical information regarding the critical vulnerability of the information systems of constitutional institutions, governmental authorities, authorities under their administration, providers of a vital service and international organisations that are located in Estonia and whose security is guaranteed by Estonia, and the becoming known thereof to unauthorised persons shall create a risk of security incident in these areas, except information the disclosure of which would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 10 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
33) a set of data reflecting the structure of the control system of surveillance and security systems of the Police and Border Guard Board intended for surveillance of external borders. Such information shall be classified as restricted for 20 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
34) information contained in the database of the state information system on the use of shadow information and covert measures with regard to a person recruited for secret cooperation by the Defence Forces, a surveillance agency, a security authority or a witness protection authority, an undercover staff official or employee of a security authority, an undercover agent, a police agent, a person associated with the application of witness protection or a natural person associated with a simulated legal person, its structural unit, body or subsidiary of the company, except for information whose disclosure would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for up to 50 years.
[RT I, 31.12.2021, 18 – entry into force 03.01.2022]
(11) For the purposes of the National Defence Act with regard to information concerning the national defence objects, except information concerning the security and alarm systems and protective measures for national defence objects in the possession of authorities specified in subsection 1 of this section and for national defence objects essential for ensuring public order, the following shall be state secret:
1) consolidated data concerning the electronic access or security systems of a national defence object and minimum measures of physical protection and additional security measures of a national defence object in the risk assessment and security plan of a national defence object in the possession of a public authority or related to the provision of a vital service or ensuring internal security, except information the disclosure of which would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 10 years;
2) information concerning a national defence object, its exact location and links with other national defence objects, which would endanger the implementation of protective measures, except information the disclosure of which would not damage the security of the Republic of Estonia. Such information shall be classified as restricted for 20 years.
[RT I, 27.09.2016, 5 – entry into force 30.09.2016]
(2) With respect to information concerning the processing systems (CIS) processing state secrets and classified information of foreign states, the following shall be a state secret:
1) security requirements established by the minister in charge of the policy sector for the processing and protection cryptographic material. Such information shall be classified as restricted for 30 years;
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
2) requirements for ensuring emission security established by the minister in charge of the policy sector. Such information shall be classified as restricted for 30 years;
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
3) emission security measuring results of the equipment used in CIS unless such results have been disclosed by the manufacturer, and the emissioon security measurement results of the rooms zoning results) in the location of CIS. Such information shall be classified as confidential for 25 years;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
31) data concerning the registration of cryptographic material of the processing unit, including the entries in the document registry used for registration. Such information shall be classified as restricted for 30 years;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
4) a set of data in the Estonian Foreign Intelligence Service concerning the registration of cryptographic material. Such information shall be classified as confidential for 30 years;
5) the software source code specially created for the persons in possession of classified information for processing of classified information. Such information shall be classified as restricted for 30 years;
6) information concerning the technical data and security measures pertaining CIS processing information classified as restricted. Such information shall be classified as restricted for 30 years;
7) the conditions for processing information by CIS for information classified as confidential or a higher level of classification, and the division of tasks between the users upon processing of classified information. Such information shall be classified as restricted for 30 years;
8) information reflecting the technical data and security measures pertaining to CIS processing information classified as confidential. Such information shall be classified as confidential for 30 years;
9) information reflecting the technical data and security measures pertaining to CIS processing information classified as secret. Such information shall be classified as secret for 50 years;
10) information reflecting the technical data and security measures pertaining to CIS processing information classified as top secret. Such information shall be classified as top secret for 50 years.
(3) The information reflecting the technical data and security measures pertaining to CIS specified in clause 18 of subsection 1 and clauses 6 and 8–10 of subsection 2 shall mean information which sets out:
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
1) [Repealed – RT I, 14.01.2011, 6 – entry into force 17.01.2011]
2) the technical specification of the CIS;
21) analyses and assessments reflecting the operation and efficiency of the CIS;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
3) network scheme of the CIS;
4) technical information concerning interconnection of the CIS with another information processing system and information concerning security measures applied;
5) settings of the software for administration of the electronic encrypting keys within the CIS;
6) security measure to be applied in compensation of failure to comply with an electronic information security requirement provided by legislation;
7) results of the risk analysis of the CIS;
8) estimated residual risks of the CIS;
9) results of the vulnerability analysis of the CIS.
(4) With respect to information concerning the buildings and construction works in the use of a structural unit of the Defence Forces which executes military intelligence the information concerning buildings and premises adjusted for special needs of the structural unit, except for information whose disclosure would not damage the security of the Republic of Estonia, shall be state secret. Such information shall be classified as confidential for 50 years or until the possession of the building or construction works terminates.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(5) With respect to information concerning the storage facilities for weapons and munitions of war of the Defence Forces and the National Defence League, the following shall be a state secret:
1) information concerning special requirements for guaranteeing the safety of the storage facilities for weapons or munitions, except for the requirements established for security systems. Such information shall be classified as restricted for 10 years or until the termination of the possession of the storage facility for weapons or munitions;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) a set of data pertaining to the storage facilities for military weapons and munitions of the Defence Forces and the National Defence league. Such information shall be classified as restricted for 20 years.
(6) With respect to evacuation of classified media of possessors of information, the information regarding the evacuation of the media containing information classified as confidential or a higher level of classification shall be a state secret. Such information shall be classified as confidential for 20 years.
(7) With respect to information concerning the security and alarm/intrusion detection systems of the security area of the possessor of information, the following shall be state secret:
1) information which contains data concerning the location, type, connections between and other technical indicators of the equipment which constitute an electronic access or security system of the security area of a holder of classified information or data concerning security areas or zones or the general description of the system. Such information shall be classified as confidential until the termination of using the area as a security area but not for longer than 30 years;
2) analyses and assessments concerning the operation and efficiency of the electronic access or security system of the security area of the holder of classified information. Such information shall be classified as confidential until the termination of using the area as a security area but not for longer than 30 years;
3) the analyses and assessments of physical security measures of the security area of the holder of classified information, which reflect the functioning and efficiency of security measures. Such information shall be classified as confidential until the end of using the premises as a security area but not for longer than 30 years.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(71) If the electronic access or security system of the security area of the holder of information is a part of a larger system, only information reflecting the equipment located within the security area shall be classified.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(8) With regard to information concerning the cash transportation by Eesti Pank, the following shall be state secret:
1) information concerning the time of the cross border cash transportation by Eesti Pank and the amount of cash transported. Such information shall be classified as restricted until the end of transport.
2) information concerning the route and securing of cross-border cash transportation by Eesti Pank. Such information shall be classified as confidential for 10 years.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(9) With regard to information concerning organisation of uninterrupted communication, a set of information concerning the procedure for organisation of uninterrupted communication and the requirements for uninterrupted information and the list of objects supplied with uninterrupted communication and their communication means shall be state secret. Such information shall be classified as restricted for 25 years.
[RT I, 19.03.2012, 1 – entry into force 22.03.2012]
Chapter 3 Declassification, Change of Basis, Level and Term for Classification of State Secret
Subchapter 1 Premature Declassification of State Secret
§ 9. Submission of application for premature declassification
(1) An agency or constitutional institution that has no competence to declassify a state secret created thereby before the expiry of the term shall submit, in the case provided for in subsection 4 of § 13 of the State Secrets and Classified Information of Foreign States Act, an application for the premature declassification of the state secret to the Government of the Republic through the minister into whose area of government it belongs. If the agency or constitutional institution does not belong in the area of government of any ministry, it shall submit the application to the Government of the Republic through the Minister of the Interior.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(2) The application shall set forth the reasons for the need for premature classification, the agency or constitutional institution to whom such information has been forwarded, and specify whether, after declassification, such information will become information intended for internal use. Any objections submitted to the application shall be appended to the application. In the case of information specified in subsection 2 of § 13 of the State Secrets and Classified Information of Foreign States Act, the written consent of the person shall also be appended to the application.
(3) A minister has the right to send the application to the Security Committee of the Government of Republic to obtain its opinion.
§ 10. Submission of objections to application
(1) Before application for declassification, the agency or constitutional institution specified in subsection 1 of § 9 shall inform all the agencies and constitutional institutions to whom a medium containing the state secret has been forwarded of the intention to submit such application, and shall grant them a term of at least one month for submission of objections. The agencies and constitutional institutions whose functions such information may concern shall also be given notice as necessary.
(2) The notice on the intention to prematurely declassify information shall set forth the reasons for the need for premature declassification and specify whether, after declassification, such information will become information intended for internal use.
(3) An agency or constitutional institution which receives such notice shall submit its objections to the premature declassification of a state secret not later than within the term granted on the basis of subsection 1 of this section.
(4) Upon submission of the application to the Government of the Republic, the minister shall consider the objections submitted to the application.
§ 11. Notification of intention to declassify by agency competent to declassify
(1) An agency or constitutional institution who is competent to declassify a state secret created thereby before the expiry of the term shall inform all the agencies and constitutional institutions to whom a medium containing the state secret has been forwarded of the intention to submit such application, and shall grant them a term of at least one month for submission of objections. The agencies and constitutional institutions whose functions such information may concern shall also be given notice as necessary.
(2) A notice on the intention to declassify shall set forth the reasons for premature declassification, the planned date of declassification and an explanation whether, after declassification, such information will become information intended for internal use.
(3) An agency or constitutional institution which receives such notice shall submit its objections to the premature declassification within the term granted on the basis of subsection 1 of this section.
(4) Upon deciding on premature declassification, the head of the agency or constitutional institution specified in subsection 1 shall consider the objections by agencies and constitutional institutions.
§ 12. Notification of agencies and constitutional institutions specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act of premature declassification
If an agency or constitutional institution who has received a notice specified in §§ 10 and 11 has forwarded the said state secret to the agency or constitutional institution specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act, it shall notify such agency or constitutional institution of having received the notice on the intention to prematurely classify a state secret. An agency or constitutional institution notified in this manner has the right to submit its objections pursuant to the same procedure and during the term granted by the agency or constitutional institution intending to submit an application for the premature declassification or to prematurely declassify information.
§ 13. Notification of premature declassification
(1) If an agency or constitutional institution declassifies a state secret created thereby before the expiry of the term, it shall immediately give notice thereof to all units in possession of a medium containing such state secret.
(2) If the Government of the Republic declassifies a state secret before the expiry of the term based on an application submitted or forwarded by a minister, the minister shall immediately give notice of the declassification of the state secret to all agencies and constitutional institutions to whom a medium containing such state secret has been forwarded.
(3) An agency or constitutional institution who has forwarded a declassified medium to an agency or constitutional institution specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act, shall also immediately inform such agency or constitutional institution of the declassification.
Subchapter 2 Extension of Term of Classification of State Secret
§ 14. Application for extension of term of classification
(1) An agency or constitutional institution that has no competence to extend the term of classification of a state secret created thereby shall submit an application for the extension of the term of classification to the Government of the Republic through the minister into whose area of government it belongs. If the agency or constitutional institution does not belong to the area of government of any ministry, it shall submit the application to the Government of the Republic through the Minister of the Interior.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(2) An application for extension of the term of classification of information classified as state secret shall be submitted to the Government of the Republic, if possible, at least three months prior to the expiry of the term of classification.
(3) The application shall set forth the reasons for the need to extend the term of classification and specify the agencies and constitutional institutions to which such information has been forwarded. Any objections to the application shall be appended to the application.
(4) A minister has the right to send the application to the Security Committee of the Government of Republic to obtain its opinion.
§ 15. Submission of objections to extension of term of classification
(1) Before application for extension of the term for classification, the agency or constitutional institution specified in subsection 1 of § 14 shall inform all the agencies and constitutional institutions to whom media containing the state secret has been forwarded of the intention to submit such application, and shall grant them a term of at least one month for responding.
(2) A notice on intention to extend the term for classification shall set forth the reasons for extension of the term for classification.
(3) An agency or constitutional institution which receives such notice shall submit its objections to the extension of the term of classification within the term granted on the basis of subsection 1 of this section.
(4) Upon submission of the application to the Government of the Republic, the minister shall consider the objections submitted to the application.
§ 16. Notification of extension of term of classification
(1) If an agency or constitutional institution has extended the term of classification of a state secret created thereby, it shall immediately give notice thereof to all units in possession of a medium containing such state secret.
(2) If the Government of the Republic extends the term of classification of a state secret based on an application submitted or forwarded by a minister, the minister shall immediately give notice of the extension of the term of classification to all agencies and constitutional institutions to whom a medium containing such state secret has been forwarded.
(3) An agency or constitutional institution who has forwarded a classified medium whose term of classification has been extended to an agency or constitutional institution specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act, shall also immediately inform such agency or constitutional institution of the extension of classification.
Subchapter 3 Correction of Classification Data
§ 17. Submission of application for correction of classification data
(1) An agency or constitutional institution whose employee or public servant has no competence to correct classification data shall submit, in the case provided for in subsection 1 of § 15 of the State Secrets and Classified Information of Foreign States Act, an application for the correction of classification data correspondingly to the Government of the Republic or the Minister of the Interior through the minister into whose area of government it belongs. A person holding a Facility Security Clearance shall submit the application through the agency which supported the grant of Facility Security Clearance for the processing of state secrets to such person.
(2) The application shall set forth the reasons for correction of classification data and provide an explanation whether such data will thereafter become public information without any restrictions to access, internal information or classified information, specifying the basis and term for classification, and specify the agencies and constitutional institutions to which such data has been forwarded. Any objections to the application shall be appended to the application.
(3) A minister has the right to send the application to the Security Committee of the Government of Republic to hear its opinion.
§ 18. Notification of intention to submit application for correction of classification data
(1) Before submission of an application for the correction of classification data, notice shall be given to all agencies and constitutional institutions to whom media containing the corresponding state secret has been forwarded, and a term of one month shall be granted for responding to such agencies and institutions.
(2) A notice on correction of classification data shall set forth the reasons for correction of the classification data together with an explanation whether such data will thereafter become public information without any restrictions to access, or internal information or classified information, specifying the basis and term for classification.
(3) An agency or constitutional institution which receives such notice shall submit its objections to the correction of the data related to the classification of a state secret not later than within the term granted on the basis of subsection 1 of this section.
(4) Correction of classification data shall be decided based on the application and any objections submitted thereto.
§ 19. Notification of intention to correct classification data related to self-created state secrets
(1) Before correction of classification data related to a state secret created by a processing unit, the processing unit shall notify all the agencies and constitutional institutions to whom media containing the state secret has been forwarded of such intention, and shall grant them a term of at least one month for responding.
(2) The notice shall set forth the reasons for correction of the classification data together with an explanation whether such data will thereafter become public information without any restrictions to access, or internal information or classified information, specifying the basis and term for classification.
(3) An agency or constitutional institution which receives such notice shall submit its objections to the correction of the classification data within the term granted on the basis of subsection 1 of this section.
(4) Upon deciding on the correction of the classification data, the processing unit specified in subsection 1 shall consider any objections submitted by other agencies and constitutional institutions.
[RT I 2008, 55, 312 – entry into force 01.01.2009]
§ 20. Notification of agencies and constitutional institutions specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act of intention to correct classification data
If an agency or constitutional institution who has received the notice specified in §§ 10 and 11 has forwarded the state secret to the agency or institution specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act, is shall notify such agency or constitutional institution of having received the notice on the intention to correct the data related to the classification of a state secret. An agency or constitutional institution notified in this manner has the right to submit, during the term granted for submission of objections to the correction of classification data, its objections pursuant to the same procedure as the agencies and constitutional institutions who have received a notice on the intention to correct classification data.
§ 21. Notification of correction of classification data
(1) If a processing unit corrects classification data, it shall immediately give notice thereof to all the processing units to whom media containing the corresponding state secret has been forwarded.
(2) If correction of classification data has been decided by the Government of the Republic based on an application, the ministry who submitted the application shall inform all the processing units to whom media containing the corresponding state secret has been forwarded.
(3) If classification data is corrected by a resolution in a misdemeanour matter or a court judgment, the Estonian Internal Security Service shall inform all the processing units to whom media containing the corresponding state secret has been forwarded.
(4) A processing unit that has forwarded a classified medium whose classification data has been corrected to an agency or constitutional institution specified in subsection 3 of § 35 of the State Secrets and Classified Information of Foreign States Act, shall immediately inform such agency or constitutional institution, as well as the ministry that has forwarded a state secret classified as confidential or at a lower level of classification to its division, shall immediately notify such agency or constitutional institution of the amendment of classification data.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
Chapter 4 Requirements for Organisation of Protection of Classified Information
§ 22. Requirements for guidelines for protection of state secrets of agencies, constitutional institutions and legal persons in possession of state secrets
(1) The guidelines for the protection of state secrets of agencies, constitutional institutions and legal persons in possession of state secrets shall regulate the following issues, taking account of the specific character of the processing unit:
1) procedure for receipt and forwarding of classified media arriving from and to be sent outside;
2) procedure for registration of classified media;
3) procedure for storage of the key and access code to a safe;
4) procedure for handling Personnel Security Clearances and Personnel Security Clearance Certificates;
5) procedure for correction of classification data;
6) procedure for holding classified meetings;
7) location of the security area;
8) guarding of the security area, procedure for entry into, moving within and leaving the security area;
9) plan for protection of classified information in emergencies;
10) notifying of a person who has attempted, in any manner, to gain unlawful access to classified information, and notification of violation of the requirements of the State Secrets and Classified Information of Foreign States Act or legislation issued on the basis thereof;
11) list of all such procedures, guidelines and other rules regulating the processing of state secrets in force in the agency, constitutional institution or legal person;
12) method of and procedure for destruction of classified media;
13) extent of the administrative area;
14) procedure for bringing weapons, technical means or other objects that could be used as technical means for wiretapping or recording into the security area;
15) procedure for notification of the loss, doubt of loss or other loss of possession of entry permits or means granting entry;
16) appointment of a person with whom spare keys of the lock and lock codes for the safe used to store media classified as confidential or at a higher level of classification shall be deposited for safekeeping.
(2) In addition to the issues specified in subsection 1, the guidelines for the protection of state secrets may provide for, for example:
1) procedure for the receipt and forwarding of classified media within the processing unit (within the limits of the security area, through the administrative area);
2) a specific procedure for forwarding classified media;
3) procedure for reproduction of classified media;
4) procedure for inspection rounds by the local manned guard;
5) specifics of the entry permits of persons who have the right to independently enter the security area compared to the persons who work at the same processing unit;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
6) specifics of allowing visitors to enter the security area compared to the persons working at the same processing unit;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
7) establishment of Security Operating Procedures for the implementation of security requirements for a CIS processing state secrets.
(3) The part of the guidelines for the protection of state secrets which is required to be classified shall be established as an annex to the guidelines or as a separate document.
§ 23. Requirements for activity of person or structural unit organising protection of state secret in agency, constitutional institution and legal person in possession of state secrets
A person or structural unit organising the protection of state secrets in an agency, constitutional institution or legal persons in possession of state secrets shall:
1) organise the protection of state secrets and adherence to the requirements of the State Secrets and Classified Information of Foreign States Act and legislation issued on the basis thereof;
2) advise employees in the processing of classified information;
3) organise the training of persons with the right of access in issues of protection of classified information, including in the area of electronic information security;
4) organise the work of guards who are guarding security areas and supervise their activities unless such duty is assigned to another official;
5) verify compliance with formal requirements of applications for clearance, approvals, Personnel Security Clearance and Facility Security Clearance and for the extension of the period of their validity and of the forms to be filled out by an applicant for Personnel Security Clearance and Facility Security Clearance before forwarding such documents;
6) keep record of the Personnel Security Clearances and Personnel Security Clearance Certificates held by the employees;
7) maintain a record of classified media;
8) keep a list of persons who use safes;
9) communicate every 90 days information to the Estonian Internal Security Service, the Defence Forces or the Estonian Foreign Intelligence Service respectively concerning the appointment of persons who do not hold Personnel Security Clearance to posts where the right of access to state secrets classified as restricted is required, as well as information on the release from the post of a person in such post and on the decisions to approve the access to state secrets classified as restricted to persons outside the service;
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
10) organise fulfillment of the requirements of electronic information security and communicate corresponding information to the Estonian Foreign Intelligence Service at their request;
11) document information concerning CIS processing classified information and elements of the CIS pursuant to the system specific Security Operating Procedures;
12) develop the Security Operating Proceduresin cooperation with the system or network administrators and ensure the introduction and availability thereof;
13) determine the persons who have the right of access to the CIS or a part thereof, and the content and extent of the right of access unless it has been determined by the head of the processing unit;
14) issue passwords and other physical and electronic means which grant access to information and ensure the periodic changing and keeping records of such means;
15) monitor and document the maintenance and repair of processing systems and the modification of the configuration thereof;
16) maintain records of the parts of the CIS which contain classified information, including removable media and other storage media and the users thereof and periodically verify the actual existence, content, storage conditions and marking of the storage media;
[RT I 2008, 55, 312 – entry into force 01.01.2009]
17) ascertain the circumstances of non-occurrence of an event or process or the unauthorised use of the processing system;
18) immediately inform the Estonian Internal Security Service and correspondingly, the Defence Forces, the Estonian Foreign Intelligence Service or the National Security Authority of becoming aware of a violation of the requirements arising from the State Secrets and Classified Information of Foreign States Act or legislation issued on the basis thereof or of the disclosure of classified information to a person who has no right of access to information of the corresponding level of classification;
[RT I, 19.08.2014, 17 – entry into force 22.08.2014
181) notify immediately in writing the Estonian Internal Security Service and, in the case of communicating information of a foreign state, the National Security Authority of the use of exemption provided for in subsection 2 of § 103 of this regulation and of the person who has used it except in the cases provided for in subsection 3 of § 52 of the State Secrets and Classified Information of Foreign States Act;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
182) organise the storage and destruction of such information which is submitted concerning travelling to such countries which are subject to notification obligation;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
19) collect explanations from persons who have violated the requirements of the State Secrets and Classified Information of Foreign States Act or legislation issued on the basis thereof.
Chapter 5 Requirements for Processing Classified Information and Classified Media
Subchapter 1 Security Areas
Division 1 General Requirements for Security Areas
§ 24. General requirements for security areas
(1) A security area shall have a clearly defined and protected perimeter, and the possibility to monitor all entrances and exits, and a system for monitoring entry into and exit from the security area which guarantees that only persons with the requisite level of right of access can independently enter the security area.
(2) The use of the area as a security area shall be approved beforehand by the Estonian Internal Security Service, the Defence Forces or the Estonian Foreign Intelligence Service respectively.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(3) The Estonian Internal Security Service, the Defence Forces or the Estonian Foreign Intelligence Service may grant derogations from the requirements for security areas provided for in this Regulation with respect to a specific building or processing unit if the application of the requirements is not technically possible or is impossible due to reasons arising from law, or if the conformity of the security area may be guaranteed by other means.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(4) The general requirements for security areas shall apply to temporary and mobile security areas unless otherwise provided by this Regulation.
(5) Upon termination of the use of an area as a security area, the authority which granted its approval for such use shall be informed thereof within 30 days after the end of the use.
§ 25. Location of security area
(1) A security area shall be located in premises which are in the direct possession of the processing unit in possession of a state secret. Information may be processed outside of a security area in the direct possession of a processing unit only within the security area of a processing unit which has the need and right to access the specific information.
(2) Before starting to plan the establishment of a security area, the representatives of the authority competent to grant approval shall be consulted in order to determine the best possible location for a security area in the building,
(3) Where possible, a security area should not be established on the first or last floor of a building.
(4) Where possible, the location of a security area in a building shall be selected such that any windows would face a territory in the possession of the agency processing the state secrets.
(5) Persons and structural units which process state secrets or classified media should, if possible, be situated in a close proximity of each other, for example in one and the same room or one and the same wing of a building in the agency.
§ 26. Mobile and temporary security area
(1) As an exception, a security area may also be established on moving platforms (hereinafter mobile security area) or areas which are not usually used as security areas (hereinafter temporary security area). A vehicle, trailer, ship, bunker, container, site accommodation, tent, or other existing construction works suitable for such function may be used as mobile or temporary security areas. Permanent structures shall be used for a temporary security area, where possible.
[RT I 2008, 55, 312 – entry into force 01.01.2009]
(2) The introduction of such security area shall be approved beforehand by the Estonian Internal Security Service, the Defence Forces or the Estonian Foreign Intelligence Service respectively, and also by the National Security Authority if classified information of foreign states is processed in the security area. An agency seeking approval for a mobile or temporary security area shall submit, for obtaining such approval, a written application to the approving authority for at least 30 days before commencing the use of such security area.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(21) A security authority may take into use a mobile or temporary security area by the decision of the head of their authority or a person authorised thereby without the approval of the other security authority provided for in subsection 2. In such case also the taking into use of the mobile or temporary security area where classified information of foreign states is processed shall be approved by the National Security Authority. Upon taking into use of the mobile or temporary security area the security authority shall notify the other security authority in writing at the first opportunity.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(3) In case of emergency situation, the term specified in subsection 2 may be reduced with the consent of the approving authority.
(4) Where possible, all the requirements for security areas shall be applied to mobile and temporary security areas and, if this is not possible, the security of classified information shall be guaranteed by other means.
(5) During an emergency situation, a state of emergency, increased defence readiness, state of war, mobilisation and demobilisation the mobile and temporary security areas may be established based on an oral order of the head of the agency in possession of a state secret or classified information of a foreign state. An order given orally shall be recorded also in writing at the first opportunity. Agencies whose activities presume, under such circumstances, the establishment of a mobile or temporary security area shall provide information to this effect in the crisis management plans of the agencies themselves, as well as in the plans of other levels, such as counties and ministries, and inform the approving agency thereof.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(6) Only the classified media needed for the performance of a particular task shall be processed within a mobile or temporary security area. The classified media shall be moved to a permanent security area immediately after the need for processing has ended.
(7) In choosing a location for a mobile or temporary security area, the possibility to effectively and safely perform the task shall be the first priority.
(8) The head of an agency shall appoint a person who shall be responsible for the security measures to be applied for the protection of classified media within a mobile or temporary security area (hereinafter responsible person).
(9) If discrepancies from the data submitted for approval become evident upon use of a security area, the responsible person shall notify the approving authority thereof in writing no later than within thirty days after such change took place.
§ 27. Walls, ceiling and floor of security area
(1) The walls, ceiling and floor of a security area shall be made of concrete, steel or stone such that the details of which the walls, ceiling or floor consists could not be easily removed from outside.
(2) A wall between two security areas or an internal wall within a security area may be a lighter structure. The outer walls, ceiling or floor of a security area may be a lighter structure if a permanent manned guard is present in the building or if they have been strengthened by adding physical barriers or technical security equipment.
(3) A security area must be sound-proofed to the extent where sounds originating from such area would not be heard in the neighbouring premises.
§ 28. Door of security area
(1) The door at the perimeter of a security area (hereinafter door to security area) must be, in the opinion of the approving authority, be sufficiently secure to allow the security guards to react to attempted intrusion before the intruder has crossed the physical barriers.
(2) The door to a security area, at the side of the hinges shall be fitted with security tenons which withdraw inside the doorjamb when the door closes. The door of a security area shall have an automatic latch which makes the door close automatically after a certain period of time and a sensor which gives a signal if the door has been open for longer than assigned.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(3) If a conforming door to the security area cannot be installed, the door of the security area shall be guarded by additional security and intrusion detection system equipment.
(4) The door of a security area shall be fitted with at least two locks one of which must lock automatically, and with at least one mechanical security lock. The tumbler of the security lock must be protected.
(5) It must not be possible to open the mechanical locks of the security area with a key with which other locks in the building can be opened. If this requirement cannot be fulfilled, the keys must be stored under the same conditions with the keys to a safe.
§ 29. Window of security area
(1) A security area window located at an easily accessible place like a roof, terrace or extension shall be fitted with anti-burglar security elements. Other physical barriers or security and intrusion detection system equipment shall be used to increase the safety of a window, where necessary.
(2) The windows of a security area shall be covered with a curtain or opaque film in order to render the inside of the security area invisible.
§ 30. Other openings of security area
Other openings located in a security area shall be protected by physical barriers or security and intrusion detection system equipment to prevent the unlawful installation of technical equipment in the security area or other danger to the information contained in the classified media stored within the security area.
§ 31. Open storage area
The outer walls, ceiling or floor of an open storage area must not be a light structure.
§ 32. Structural protection of mobile and temporary security areas
(1) A mobile or temporary security area shall have a perimeter clearly defined and protected by a physical barrier which allows control over all entries and exits. At the demand of the approving authority, the location of the security area shall be changed, the structure of the security area shall be strengthened and additional barriers shall be used.
(2) The structure of a mobile or temporary security area shall guarantee that access or danger to classified information from outside of the security area is precluded.
§ 33. Evacuation plan
(1) A plan for evacuation of classified media in the case of emergency situation shall be prepared with respect to a security area.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) The evacuation plan shall set out all possible emergencies in the case of which classified media must be evacuated or destroyed.
(3) For every emergency defined based on subsection 2, the course of evacuation or destruction, the persons who have the right to give the corresponding order, the persons to carry out such order, the means for carrying out such order and the place where the classified media shall be evacuated shall be specified.
Division 2 Requirements for Guarding Security Areas
§ 34. General requirements for guarding security areas
(1) A security area shall be equipped with an intrusion detection system (hereinafter detection system) and have a manned guard on site.
(2) The requirement for the presence of a manned guard on site does not apply if the electronic security equipment and measures for physical protection allow the manned guard to react to attempted intrusion before the intruder has crossed the physical barriers.
(3) At times when a security area or a part thereof is empty of persons, it must be placed under surveillance.
§ 35. Requirements for electronic security systems
(1) An electronic security system shall:
1) give an alarm signal in the case of an intrusion or attempted intrusion;
2) allow the manned guard to react before the intruder has crossed the physical barriers;
3) allow the surveillance of the security area to be switched on and off separately and later to electronically establish the time of switching on and off, and the time of when the alarm signal was given. Data reflecting such acts shall be preserved for at least one year;
4) identify the failures in the system automatically.
(2) In the case of a failure of the electronic security system, the system shall immediately send an alarm signal to the manned guard.
(3) The alternate power supply of an electronic security system used for the protection of state secrets shall guarantee the functioning of the system in case of the failure of the main power supply system until the time the security area is placed under manned guard.
§ 36. Manned guard of mobile and temporary security areas
(1) A mobile or temporary security area shall be protected by mobile or stationary armed guards who shall monitor the whole protected area. Exceptions to such requirement may be made only with the permission of the approving authority based on the risk assessment of the location of the security area. Security guards as well as instructed persons who work within the security area on a twenty-four hour basis may be used for guarding a security area.
(2) If it is not possible to ensure continuous manning of a mobile or temporary security area, it shall be equipped with an intrusion detection system to send an alarm signal to instructed persons, that is, to the security guards or employers of the security area who must be able to reach the security area within the prescribed reaction time approved by the approving agency. The reaction time shall not be longer than the time during which an intruder is able to cross the physical barriers.
§ 37. Patrolling of on-site manned guards
(1) On-site security guards shall patrol outside working hours, on days off and on public holidays at different intervals. The interval between patrols shall not exceed two hours unless security cameras are used.
(2) On-site manned guards shall check all the persons working within the security area and their workplaces. During each subsequent patrol, the rooms where persons were working during the previous patrol shall be checked.
(3) During subsequent patrols, on-site manned guards shall check all rooms over the course of three patrols and the rooms to be checked during each patrol shall be chosen at random. The patrols shall also make sure that there are no signs of intruders in the security area being patrolled and that all doors, windows and other means of entry to the security area on the route of the patrol are closed and intact.
(4) Based on the right for access and the need to know, the head of a processing unit may restrict the access of manned guards to the security area or a part thereof.
§ 38. Right of on-site manned guards to access state secrets
On-site manned guards patrolling a security area shall have permission to access state secrets at least of the level of classification of the state secrets which are processed within the security area.
Division 3 Presence and Working of Persons in Security Areas
§ 39. Presence of persons in security area
The procedure for presence of persons in a security area shall take account of the right of access and need to know of persons, and shall specify the entry to and exit from the security area by persons.
§ 40. Access of persons with independent right of access to security area
(1) A person who has an independent right of access to a security area shall be issued an entry permit which shall set out the number of the permit. An entry permit need not be issued if the security area consists of only one or two rooms.
(2) A processing unit shall keep record of the entry rights, means of entry and entry permits of persons with the right to access the security area.
(3) A person who works at a security area shall carry an entry permit in a visible manner in order to enable him or her to be identified. The requirement to carry an entry permit in a visible manner does not apply to security authorities. An entry permit shall not be carried in a visible manner outside a security area or administrative area.
(4) The procedure for entry to and exit from a security area shall ensure the identification of persons with an independent right of access upon entry and exit.
(5) In the case of loss, suspected loss or loss of other possession of an entry permit or an object ensuring entry, notice thereof shall be immediately given to the duly appointed person of the processing unit who shall take measures for preventing the use of the entry permit or object ensuring entry.
§ 41. Presence of visitors in security area
(1) A visitor may be permitted to a security area pursuant to the procedure provided by the guidelines for the protection of state secrets of the processing unit.
(2) A visitor is issued a numbered visitor's permit which shall bear the word KÜLALINE [visitor] and enables the identification of the person who received the permit. A visitor shall carry the visitor's permit in a visible manner.
(3) A visitor's permit need not be issued if the security area consists of only one or two rooms.
(4) The issue and return of a visitor’s permit, the time the visitor arrived and left, the visitor's given name and surname shall be registered. Identification of a visitor shall take place on the basis of valid identity document.
(5) A visitor may move within a security area only together with the person who receives the visitor or with the person assigned to escort the visitor. It is prohibited to leave a visitor alone in a security area unless he or she has right of access to the corresponding classification of state secrets which are processed in the security area, considering the principle of need to know.
§ 42. Requirements for working in mobile and temporary security areas
(1) In the case of removals, the person responsible for a temporary security area shall review the abandoned security area and make sure that no classified media remain in the area.
(2) After work is finished in a temporary security area, classified media shall be transferred to the permanent security area of the agency for comparison of data and destruction of the materials which have fulfilled their purpose.
(3) Measures of physical security existing within a temporary security area shall be strengthened as necessary also after the use of the security area has been approved.
Division 4 Requirements for Conduct of Meetings on Classified Information
§ 43. General requirements for conduct of meetings
In order to organise a discussion, meeting, conference, etc. (hereinafter meeting), the following requirements shall be fulfilled:
1) the person organising a meeting dealing with classified information shall guarantee that only persons who have the right of access to the information to be discussed at the meeting and a need to know such information can access the meeting;
2) what takes place within the meeting room cannot be heard or seen from outside.
§ 44. Holding of meetings within security areas and administrative areas
(1) The premises used for holding meetings shall be located within a security area or administrative area.
(2) Rooms which are used for the conduct of a meeting on state secrets classified as restricted may also be located in an administrative area and the requirements provided in this Subchapter need not apply to the rooms.
§ 45. Periodic checking of meeting rooms
Meeting rooms shall be periodically checked in order to prevent prohibited audio or video recording. No technical equipment or object which has not undergone prior checks or which could be used for wiretapping or prohibited recording shall not be present in a meeting room during a meeting.
§ 46. Registration of notes made at meeting
The organiser of a meeting shall review all notes and summaries made by the participants at a meeting and other such material, and shall return or forward them to the participants only after the notes containing a state secret have been correspondingly marked and registered.
Subchapter 2 Registration of Classified Media
§ 47. General requirements for registration of classified media
Classified media shall be registered based on the Public Information Act and on the legislation issued on the basis of Public Information Act and Archives Act with the exceptions provided in this Regulation.
[ RT I, 31.05.2017, 7 – entry into force 03.06.2017]
§ 48. Original documents
In the case a classified document created in several copies, the first original copy is deemed to be the original document. The other documents are deemed to be copies and shall be processed as such.
§ 49. Registry of classified media
(1) All agencies, constitutional institutions and persons in possession of state secrets shall establish registries of classified media (hereinafter registries) for the registration of classified media.
(2) Depending on the volume of classified media, separate registries may be established for the registration of media classified as top secret, secret, confidential and restricted.
(3) Media classified as restricted may, with the permission of the head of the processing unit, also be registered in the general document registry provided that this does not result in the classified information becoming known to unauthorised persons.
(4) A sub-registry of classified media may be established in each structural unit of an agency by the decision of the head of the processing unit.
§ 50. Requirements for registry
(1) A registry of classified media may be maintained on computer or on paper.
(2) Where possible, a registry entry itself should not contain classified information.
(3) A processing unit shall ensure the permanent preservation of registry data.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 51. Data subject to entry in registry
(1) The following shall be entered in the registry of classified media:
1) data necessary for the identification of a medium: registration number, date of registration, date of preparation, the name of the agency that sent the media, the registration number of the forwarding agency, and for a document also its title and the name of the originator of the document and the signatory. Each copy need not be given a new registration number if the consecutive number of the copy is specified;
2) the type of a medium;
3) the basis for classification of a media, level of and term for classification, any amendments thereto and the basis for the amendments;
4) the number of and consecutive numbers of the copies; the number of copies need not be entered in the registry for media classified as restricted or confidential;
5) the number of the parts of a medium, and number of pages of the document. If a document has been prepared on both sides of a page, the number of pages of such document shall be registered in the registry of classified media, with a note that the document has been prepared on both sides of a page;
6) the number of copies; the number of copies need not be entered in the registry for media classified as confidential or at a lower level of classification;
7) the name of the processing unit to whom the classified medium or a copy thereof has been forwarded and the time of forwarding; the signature of the recipient or number of the instrument of delivery and receipt;
8) a corresponding notice if the other processing unit has been given permission to forward the classified information contained in the classified medium to a third processing unit;
9) a notice concerning destruction.
10) the name of the person to whom the medium classified as secret or at a higher level of classification was forwarded or to whom it was introduced and the time of forwarding or introducing thereof.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) The following shall be entered in a registry of classified media concerning removable electronic storage media:
1) the type of storage medium – for example a hard drive, memory stick;
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
2) the registration number;
3) the registration date;
4) the highest level of classification of the information contained in the storage medium;
5) the processing unit to which the storage medium was forwarded and the time of forwarding.
§ 52. Registration of classified media
(1) A classified medium shall be registered on the day of its preparation or arrival.
(2) Generally, a classified medium shall be entered in the registry once. A classified medium registered in the central registry need not be registered in the sub-registry of the same processing unit.
(3) If a set of classified media also contains unclassified media, the unclassified media belonging to the set may be registered in the registry of classified media. If a set consists of classified documents which are used separately, then each document which constitutes a part of the set may be registered separately.
(4) If the medium contains both the state secret and classified information of a foreign state, the medium shall be registered in the registry of state secret of the corresponding level.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
§ 53. Registrar
The person who makes entries in the register (hereinafter registrar) shall have right of access which corresponds to the highest classification of the media to be registered. The registrar or registrars and, where necessary, their substitutes shall be appointed by the head of the processing unit.
§ 54. Confirmation of access to classified medium
(1) A respective notice shall be made with regard to examination of information contained in a medium classified as secret or at a higher level of classification. The person examining the media shall give his or her signature concerning the examination of paper medium on the registration sheet or on the medium itself. Examination of electronic medium is enabled if the establishment of the identity of the person examining and the time of examination is ensured electronically.
(2) Data concerning examination of a medium shall be preserved for the same period as the registry data. Registration sheets and other data concerning the examination of a medium shall be preserved for the same period of time as the registry data.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
Subchapter 3 Marking of Classified Media
Division 1 General Requirements for Marking
§ 55. Marking of classified media containing state secret
(1) In cases where marking does not endanger the classification of a state secret, the classified medium shall be marked with a clearly visible classification marking "top secret", "secret", "confidential" or "restricted":
1) printed in double-spaced bold capital letters of at least size 16, or
2) by a clip-mark, sticker or in other such manner, printed in red colour, the same size and same form.
(2) If a medium cannot be marked due to its size, the marking may be made on a label attached to the medium. In small media and justified cases, the marking may be made smaller than provided in clause 1 of subsection 1 provided that the marking is clearly visible and legible.
(3) The basis for classification of information shall be entered on a classified medium containing a state secret in the following form: "State secret pursuant to...". A reference to this Regulation, the corresponding section, subsection and clause shall be entered in the gap. If a classified medium has been classified on several bases, all such bases shall be entered in the medium.
(4) The date, number and term of classification of the medium shall also be entered on a classified medium.
(5) The general classification of medium shall correspond to the highest classification of any of its separate parts.
(6) If a medium containing a state secret is to be forwarded to a foreign state or an international organisation, classification markings corresponding to the requirements of the international agreement shall be made on the medium and a notation in English shall be made on the front page stating that the information contained in the medium belongs to the Republic of Estonia.
§ 56. Marking of media containing classified information of foreign states
(1) Media containing classified information of foreign states shall be marked with the level of classification of the originator of the classified information of foreign states provided that this is prescribed by an international agreement, and the marking indicating the corresponding level of state secret.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) The upper right corner of the front page of the media shall be additionally marked with the words " SALASTATUD VÄLISTEAVE " [classified information of foreign states] in capital letters together with the name of the originator of the classified information of foreign states, the level of classification and the term for classification if the term for classification has been given by the originator of the foreign information.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(3) If the medium contains classified information of several originators, the marking specified in subsection 2 shall be made for each originator of information separately.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(4) Information of different originators may be marked by text paragraphs and illustrations, placing the notation concerning the level of classification of the originator at the beginning of the first row and at the end of the last row or before and after the illustration. The marking of the originator and level of classification shall be written in capital bold letters in square or curved brackets.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(5) By the written approval of the National Security Authority electronic information may be left unmarked according to the requirements provided for in subsections 1–3 if the information has been marked pursuant to the procedure provided for in subsection 1 of § 70.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 57. Marking of copies of and extracts from classified media
(1) A copy shall be marked with the word " KOOPIA " [copy]. If the notations entered on a document are not automatically transferred to a copy upon reproduction, the copy shall be marked in the same manner as the original document.
(2) An extract shall be marked with the word " VÄLJAVÕTE " [extract], together with the name of original document of which the extract was made and the classification markings of the original document.
§ 58. Additional marking concerning security measures and persons with right of access
(1) If a medium is marked with an additional mark concerning additional security measures or a group of persons with the right to access the medium, a corresponding notation shall be made next to the notation concerning the basis for classification.
(2) Classified crypto materials shall be additionally marked by the word " KRÜPTO " [crypto].
§ 59. Additional classification marking for packaged media
(1) If a classified medium or set of data is stored in package, is rolled up, placed in a container or box, or is stored in any other manner where the packaging covers the classification marking, then additional classification markings shall be made on the medium or the packaging such that the fact that this is a medium containing a state secret can be established regardless of whether the medium is packed up or unpacked, and also upon processing the medium.
(2) The provisions of Subchapter 7 of this Chapter apply to packing data media for the purpose of forwarding them.
§ 60. Deletion and amendment of marking
(1) Classification markings shall be crossed out after expiry of classification upon expiry of the term of classification.
(2) In the case of premature declassification, the classification marking shall be crossed out and the words " Salastatus kustutatud...alusel " [Declassified based on...] shall be added next to the notation concerning the basis for classification, also indicating the body which made the decision, the requisite data of the decision and the time of entry into force of the decision.
(3) In the case of extension of the term of classification, the words " Salastamistähtaeg pikendatud...alusel " [Term of classification extended based on...] shall be entered next to the notation concerning the basis for classification, also indicating the body which made the extension decision, the requisite data of the decision and the new term of classification.
(4) In the case of correction of classification data, the incorrect marking shall be crossed out and below that, the words " Salastatus parandatud... " [Classification corrected...] shall be entered based on the decision to correct the classification data. The name of the body which made the decision and the requisite information concerning the decision or the title, name and signature of the official who made the decision shall be added to such information.
(41) If the classification marking is amended on the basis of subsection 4 of § 56 of the State Secrets and Classified Information of Foreign States Act, the making of classification marking shall be based on subsections 2–4 of this section but reference shall be made to subsection 4 of § 56 of the State Secrets and Classified Information of Foreign States Act instead of the decision.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(5) New markings to the data specified in subsections 2–4 shall be made pursuant to the general procedure.
Division 2 Marking of Documents
§ 61. Application of general requirements for formalising documents
Classified documents shall be prepared and formalised in based on the general requirements for the preparation of documents with the specifications arising from this Regulation.
§ 62. Numbering of pages
The pages of a classified document shall be numbered starting from the first page and the total number of pages shall be marked on each page. If a document has been formalised on both sides of a sheet, the pages shall be correspondingly numbered and marked.
§ 63. Marking of document
(1) A notation concerning the level and basis of classification, the date of registration of the medium, the number and term of classification shall be made in the upper right corner of the front page of a classified document. All the pages of a document shall be marked, in the centre of the upper and lower margin of the page, with a classification marking corresponding to the highest level of classification of the information contained in that page.
(2) A classified document has, as a whole, the highest level of classification of state secrets of any of its separate parts, concerning which a classification marking shall be made on the first page of the document, as well as the title page, and front and back covers if they exist.
§ 64. Marking of annex to document
If it is possible to use an annex to a written document without the source document, the annex shall be marked and formalised as a separate document.
§ 65. Marking by text paragraph and illustration
If a medium is additionally marked by text paragraph or illustration, the classification marking shall be made at the beginning of the first row and the end of the last row of the classified paragraph, and before and after the classified illustration. The marking indicating the level of classification of information shall be made in bold capital letters in brackets or parentheses. The marking indicating the level of classification can be abbreviated by writing the first letter of the classification level.
§ 66. Marking upon expiry of classification of information contained in document and correction of classification data
(1) A notation concerning the expiry of classification, declassification before the prescribed term or extension of the term of classification of a document, or amendment of the basis or term for classification shall be made on the first page of the document in the upper right corner on a separate line next to the marking concerning the basis for classification of the media.
(2) On other pages, the classification marking shall be crossed out in the upper and lower margin of the page in the case of expiry of classification and declassification.
§ 67. Marking of sets of documents
(1) Sets composed of classified documents shall be marked with the marking indicating the highest classification level of state secret.
(2) If a set of documents has been joined together in a file or is stored between covers in another manner, the classification marking shall be made on the upper and lower margins of the front and back cover of the file.
(3) In other cases, the classification marking shall be made in the upper and lower margins of the first page of the first document in the set.
(4) If the front page of a set does not contain a state secret, an additional notation " Märgistatud riigisaladusena kui kogumi esileht " [Marked as a state secret as the front page of a set] shall be made in the upper right corner of the document.
Division 3 Marking of Other Media
§ 68. Marking of classified photos, transparencies and slides
In the case of classified photos, transparencies and slides, a classification marking shall be made on every photo, transparency and slide.
§ 69. Marking of audio, film and video recording
In the case of audio, film and video recordings, the marking shall be made on the packaging as well as the medium itself, and shall be made clear by the content of the medium upon use thereof.
Division 4 Marking of Electronic Data
§ 70. Marking of files
(1) The classification level of a file containing classified information shall be marked in capital letters at the beginning of the file name and if possible, also in the metadata of the file.
(2) If a file contains a document, then in addition to the file, also the document contained in the file shall be marked in conformity to the requirements for marking documents. In marking documents contained in files, it shall be ensured in the best possible manner, that the classification marking would be permanently visible upon display, projection or other manners of emission for reception of the set of data containing the stat secret.
§ 71. Marking of electronic messages
(1) In the case of electronic messages, the classification marking shall be made in capital letters at the beginning and end of the heading and message body in conformity to the requirements for marking documents.
(2) The heading of a message need not bear a classification marking if the classified medium annexed to the message is encrypted and the uncrypted part of the message does not contain a state secret.
Subchapter 4 Storing of Classified Media
Division 1 Requirements for Storage Conditions and Means of Storage
§ 72. Safe
(1) Media which are classified at confidential or a higher level shall be stored in a safe with a code lock with a burglar resistance of at least corresponding to at least the requirements of class 1 of the standard EVS-EN 1143-1.
(2) Media classified as restricted shall be stored in a locked container, cabinet or drawer which is protected from access by unauthorised persons.
(3) A safe where media classified as confidential or at a higher level is stored shall be located within a security area.
(4) If several persons use one and the same safe, the safe shall be physically divided into parts, based on the need to know. In such case, the safe shall contain separate lockable parts.
(5) With the permission of the approving agency, classified media may be stored within a public storage area. The approving agency shall prescribe the highest permissible level of classification at which information may be processed within such area.
§ 73. Storage of classified media during use
(1) Following removal from a safe or other place of storage, classified media shall be under continuous supervision. If the classified documents are not being used at any given moment, they shall be kept so that an empty page is the uppermost or be covered up.
(2) Upon leaving a room, the classified media shall be locked away in a safe, cabinet or drawer in correspondence to their level of classification.
§ 74. Exceptions to general storage conditions
(1) If it is not possible to meet the requirements for the storage of classified media in a processing unit, the classified media shall be transferred for temporary storage to a state agency where such requirements are met.
(2) An approving agency may allow the use of safes with a lower class of burglar resistance than provided in subsection 1 of § 72 in mobile and temporary security areas.
(3) In exceptional cases, an approving agency may permit the use of other possibilities for storing classified media, such as storage in a packaged state within the security area of the receiving base or headquarters, in a locked metal box, leather pouch or other such place.
(4) In exceptional cases, media classified as secret or confidential may, with the permission of the head of the agency, be stored in a metal filing cabinet or in a drawer for a short time, for example, until a safe of appropriate measurements is found, provided that the place of storage is situated in a security area and is equipped with at least one security device or a three-number combination lock.
Division 2 Protection of Keys and Lock Codes
§ 75. Lock codes of safes
(1) The user of a safe shall be the only person who knows the lock code of the corresponding safe.
(2) A lock code shall not consist of a row of numbers or letters which can easily be guessed, such as dates of important personal days, telephone numbers, arithmetical sequences.
(3) A lock code shall be changed:
1) following a change of user;
2) following opening in the absence of the user;
3) if there is reason to believe that the code has become known to an unauthorised person;
4) twelve months after the previous change.
§ 76. Keys and locks of safes
(1) During work-time, the user of a safe shall keep the keys of the safe.
(2) Upon leaving the workplace, the key shall be locked away in the key cabinet.
(3) The lock of a safe shall be changed if there is reason to believe that an unauthorised person may have gained possession of the key of the safe.
§ 77. Key cabinet
(1) A key cabinet shall be made of metal, be lockable and be under continuous surveillance.
(2) If a key cabinet is used by several persons, it shall be guaranteed that each user gets only the key that he or she needs.
§ 78. Storage of spare keys and lock codes
(1) The spare keys and safe codes of a safe shall be given to the person appointed by the guidelines for protection of state secrets and the person shall keep them in a separate safe.
(2) The spare keys and safe codes of a safe may be kept in a safe deposit box at a bank.
(3) It is prohibited to make other notes of the codes to locks of safes.
§ 79. Keys to cabinets or drawers used for storage of media classified as restricted
The keys to a cabinet or drawer used for the storage of media classified as restricted shall be kept in a manner that prevents access thereto by unauthorised persons.
Subchapter 5 Reproduction of and Making of Extracts from Classified Media
§ 80. Principles of reproduction
(1) Processing units shall prevent the unmonitored reproduction of and making of extracts from classified media.
(2) It is prohibited to reproduce or make extracts from media classified as top secret or secret without the written permission of the processing unit which prepared the media. Classified information may be reproduced without specific consent for the purposes of using it in the processing system of the processing unit.
(21) The prohibition provided for in the first sentence of subsection 2 shall not be applied upon reproduction of the medium or making an extract thereof if it contains:
1) state secret classified as secret communicated to a foreign state, international organisation or an institution established on the basis of an international agreement;
2) information of a foreign state classified as secret unless provided otherwise by international agreement.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(3) Only the registrar may reproduce and make excerpts of media classified as secret or top secret.
(4) Information recorded in the means of reproduction in the course of reproduction shall be protected against unlawful access.
§ 81. Reproduction equipment
(1) Reproduction equipment used for the reproduction of media classified as confidential, secret or top secret shall be situated in a security area and the processing unit shall ensure that unauthorised persons do not have access to such reproduction equipment. Only reproduction equipment prescribed for the reproduction of and making excerpts from classified media shall be used for the reproduction of and making excerpts from classified media.
(2) Reproduction of and making excerpts from media classified as restricted is permitted only by using reproduction equipment used for such purposes which is situated in a security area.
Subchapter 6 Destruction of Classified Media
§ 82. Principles for destruction of classified media
(1) Equipment for the destruction of media classified as confidential or at a higher level of classification shall be located within a security area. With the approval of the coordinating authority of the security area the equipment for destruction of classified media may be located within the administrative area.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) Classified media which has become unusable shall be destroyed at the earliest possible opportunity unless it is necessary to preserve it for a specific purpose.
§ 83. Destruction of classified media
(1) A paper shredder used for the destruction of paper media classified as confidential or at a higher level of classification shall shred the paper into pieces not larger than 2 x 15 mm.
(2) A paper shredder used for the destruction of paper media classified as restricted or shall shred the paper into pieces not larger than 4 x 40 mm.
(3) The equipment to be used for the destruction of removable storage media shall be approved by the Estonian Foreign Intelligence Service.
(4) Equipment not specified in subsections 1–3 may be used for the destruction of classified media with the consent of the Estonian Internal Security Service, the Defence Forces or the Estonian Foreign Intelligence Service respectively.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
§ 84. Destruction of classified media by legal persons
(1) Legal persons governed by private law possessing classified information shall forward, for destruction, media classified as confidential or at a higher level of classification, including originals, copies and extracts, to the agency which prepared the classified media or the authority which supported the application for the Facility Security Clearance for processing state secret by the legal person.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) A legal person may also independently destroy the classified media specified in subsection 1 in conformity to the requirements established by this Regulation.
§ 85. Natural persons destroying classified media
(1) At least two persons shall participate in the destruction of media classified as confidential or at a higher level of classification, who shall sign the statement concerning the destruction of the classified media.
(2) The persons who participate in the destruction shall have the right of access to state secrets of the corresponding classification level.
§ 86. Statement concerning destruction of classified media
(1) Upon destruction of a classified medium, a statement concerning the destruction of the classified medium shall be compiled.
(2) The following shall be included in the statement concerning the destruction of a classified medium:
1) data which identify the classified medium;
2) the data on the persons who destroyed the medium;
3) the method of destruction.
(3) Statements concerning the destruction of classified media shall be preserved in the security area for at least five years.
(4) Unregistered copies of media classified as confidential or at a lower level of classification may be destroyed without preparing a statement concerning the destruction of classified media.
Subchapter 7 Forwarding of Classified Media
Division 1 General Principles of Forwarding Classified Media
§ 87. Right of recipient to access classified information of relevant level of classification
A possessor of a state secret shall ascertain before forwarding the classified medium that the recipient of the classified medium has the right to access classified information of relevant level of classification.
§ 88. Packaging for forwarding classified media
(1) For forwarding a classified medium, such medium shall be contained in non-transparent packaging.
(2) The classified medium shall be packed in a safe manner which enables the fact of the packaging being opened to be subsequently ascertained. Additional measures shall be taken to protect the contents of the package against access by unauthorised persons, where necessary,
(3) The outer package shall set out the name of the processing unit, the registration numbers of the media contained in the package and where necessary, an address.
(4) The inner packaging shall set out, as the addressee, the registry for classified media of the receiving processing unit, the level of classification of the medium in the package, the registration number and number of units.
§ 89. Organisation of forwarding
(1) Upon forwarding a classified medium, the unit forwarding the medium and the unit receiving the medium shall agree on the forwarding in conformity to the requirements provided for by this Regulation.
(2) If the processing unit cannot comply with the requirements established for the forwarding classified media, it shall address the Estonian Internal Security Service or the Defence Forces for the organisation of the forwarding of the classified medium.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
§ 90. Manner of forwarding
(1) Classified media shall be forwarded in a manner which takes account of the principle of need-to-know.
(2) Classified media shall be forwarded without delay. Classified media shall be forwarded using the shortest possible journey and safest manner.
(3) A courier shall keep a classified medium in his or her own direct possession at all times until the classified medium has been handed over.
(4) If it is not possible to immediately forward a medium classified as confidential or at a higher level of classification, the medium shall be returned to the registrar or the person organising the protection of state secrets.
(5) Media classified as restricted may also be sent by post as registered items with advice of delivery. The delivery notice shall be stored at the registry.
§ 91. Right of courier to access classified information
A courier shall have the right of access to information of the relevant level of classification in order to forward media classified as confidential or at a higher level of classification.
§ 92. Taking classified media out of security area
Media classified as confidential or at a higher level of classification may be taken out of a security area only at the permission of the head of the processing unit, registrar or other person appointed by the guidelines for the protection of state secrets of a processing unit in a lockable bag or box intended for transportation or in a sealed bag for diplomatic mail.
§ 93. Statement of delivery and receipt of classified media
(1) The person forwarding a classified medium shall prepare a statement of delivery and receipt concerning the forwarding. Such statement need not be prepared concerning the forwarding of a medium classified as restricted.
(2) The following shall set be out in a statement of delivery and receipt:
1) the date of preparation of the medium, registration number, highest level of classification and number of forwarded units. The title of the classified medium contained in the packaging shall not be indicated in the statement of delivery and receipt, nor shall any other reference to the content of the medium be made;
2) the name and address of the processing unit that is the addressee;
3) the name and signature of the recipient;
4) the name and signature of the deliverer.
(3) The recipient shall sign the statement of delivery and receipt after comparing the entries on the forwarded package and in the statement.
(4) Instrument of delivery and receipt shall be preserved with the registry in a security area for at least five years.
(5) One and the same statement of delivery and receipt may set forth the forwarding of several classified media.
§ 94. Obligations of recipient of classified media
(1) Upon receipt of a classified medium it shall be verified whether the consignment is whole, unopened and without traces of tampering.
(2) The registrar or other person provided in the guidelines for the protection of state secrets shall be immediately informed if a consignment has been opened, there are traces of tampering or there is any doubt in this respect.
(3) After opening the outer packaging, the inner package shall be forwarded for registration to the registrar who shall send it forward pursuant to the procedure provided by the guidelines for the protection of state secrets.
(4) The registrar shall verify whether the media and the contents thereof correspond to the number of units set out.
Division 2 Forwarding of Classified Media from One Security Area to Another through Administrative Area
§ 95. Persons forwarding classified media through administrative area
(1) Classified media may be forwarded through an administrative area in person or through a registrar or courier.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(2) [Repealed – RT I, 14.01.2011, 6 – entry into force 17.01.2011]
§ 96. Preclusion of general requirements for forwarding classified media through administrative area
§§ 88 and 92 do not apply to forwarding of classified media from one security area to another.
Division 3 Forwarding of Classified Media through Public Space
§ 97. Forwarding of classified media by two natural persons
Media classified as secret or at a higher level of classification shall be forwarded by two natural persons. With the permission of the Estonian Internal Security Service, the Defence Forces, the National Security Authority and the Estonian Foreign Intelligence Service, such media may be forwarded by one person.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
§ 98. Use of vehicles in forwarding classified media through public space
(1) As a general rule, media classified as secret or at a higher level of classification shall be forwarded using a motor vehicle.
(2) The windows of the vehicle shall be kept shut and the doors locked and the driver must be in an employment or service relationship with the processing unit.
(3) The persons specified in § 99 shall not drive a vehicle while forwarding the medium.
§ 99. Carrying weapons upon forwarding classified media through public space
A courier forwarding media classified as top secret shall carry a service weapon or a person carrying a service weapon shall accompany the courier.
[RT I, 07.08.2018, 2 – entry into force 10.08.2018]
Division 4 Forwarding of Classified Media to, in and from Foreign States
§ 100. Forwarding of classified media to, in and from foreign states by courier
(1) Media classified as confidential or at a higher level of classification shall be forwarded to, in and from foreign states by diplomatic or military courier who has access to classified information of the relevant level.
(2) The Estonian Internal Security Service, the Defence Forces, the National Security Authority or the Estonian Foreign Intelligence Service correspondingly may give a written permission for forwarding the media specified in subsection 1 without a diplomatic or military courier if using the courier would result in undesirable delay or if the need to use a different manner of forwarding is dictated by the concrete situation.
[RT I, 19.08.2014, 17 – entry into force 22.08.2014]
(21) If a security authority wishes to forward a medium containing classified state secret without a diplomatic or military courier, the written permission shall be given by the head of the security authority forwarding the media or a person authorised thereby.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(3) The permission specified in subsection 2 shall include the requirements which must be observed upon forwarding the consignment, above all concerning the journey and the means of transport to be used for forwarding the consignment.
§ 101. Courier for forwarding classified information to, in and from foreign states
(1) A courier who forwards classified information to, in and from foreign states must have a certificate of diplomatic courier issued by the Ministry of Foreign Affairs, or diplomatic immunity.
(2) For forwarding classified media in areas of military missions, a courier shall have the certificate of a military courier issued by the Ministry of Defence.
Subchapter 8 Electronic processing of classified media
[RT I, 26.10.2016, 2 - entry into force 29.10.2016]
§ 102. Electronic processing
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
Processing of classified information is permitted by using the Communication and Information system (CIS) complying with the requirements for electronic information security, which has a certificate of conformity or a temporary use permit for processing classified information at the relevant level of classification issued by the Estonian Foreign Intelligence Service (hereinafter accredited system) and during the processing they are staying within the administrative or security area dependent on the communicated information, except in the cases provided for in § 103.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 103. Exception of electronic processing
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(1) Information classified as restricted may be processed in public space:
1) In the case of unavoidable necessity for operational communication or reception of the information if CISaccredited for processing information in public space is used.
2) in the case of other necessities for communication or reception of the information only if a mobile phone being a part of the CIS accredited for processing information in public space is used.
[RT I, 06.10.2021, 1 – entry into force 09.10.2021]
(2) If the forwarding of the state secret classified as confidential or a higher level of classification or information of foreign states classified as confidential or a higher level of classification is necessary for the prevention or combating of the immediate threat to the national security, constitutional order or to life, health or property of persons, it may be forwarded and received provided that the CIS is used which is accredited for processing information classified at least as restricted. Each time the person forwarding information and the person receiving information are required to immediately notify the person organising the protection of state secret of the processing unit.
(3) If the person forwarding information or the person receiving information is staying in the public space in the case provided in subsection 1 or 2, he or she is required to:
1) notify the other party of staying in the public space before communicating the information orally;
2) apply all required measures to protect the forwarded information from disclosure and access of persons without the right of access or need to know.
(4) If a failure to operatively forward the state secret specified in clauses 2–5 of subsection 1 and subsection 3 of § 6 or the classified information of foreign states corresponding to its contents would bring about a failure of the surveillance activities or put the participating persons at risk, the forwarding and receiving thereof may take place in a public space and the unaccredited system may be used for forwarding and receiving information.
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
Subchapter 9 Electronic information security
§ 104. Definitions
In this Division, the following definitions are used:
1) "electronic information security" means ensuring availability, confidentiality and integrity of information in the CIS processing classified information;
2) "accreditation of CIS" means the assessment of the conformity of processing systems to CIS security requirements;
3) “availability” means the possibility to use and access information at the request of authorised persons;
4) “confidentiality” means the unavailability or incomprehensibility of information to unauthorised persons;
5) “integrity” means the fact of it being impossible for information to be altered, supplemented or destroyed by unauthorised persons;
6) "threat" means the potential damaging of the availability, confidentiality and integrity of information;
7) “security incident” means a situation where information or system operations and devices which support the protection of information have lost or could have lost their confidentiality, integrity or availability (including loss of information, communication of information to unauthorised persons, amendment or destruction of information by unauthorised persons or attack against the system) due to theft, sabotage, acts of terrorism, other prohibited activities or vulnerabilities;
8) “security risk” means the probability of occurrence of breaches of security;
9) “risk management” means the assessment of assets, information, threats, breaches of security and security risk on the basis of which the security measures for information and system operations and devices which support the protection of information are determined. Risk management includes the planning, organisation, use and monitoring of the security measures of a system in order to prevent security risks exceeding from the acceptable boundaries, and breaches of security;
10) “vulnerability assessment” means the detailed monitoring of the system in order to identify the vulnerabilities of the system, threats to the confidentiality, integrity and availability of information processed in the system and the vulnerability of the system to any attack or threat;
11) "System Specific Security Requirement Statement" means a list of security requirements mandatory for the CIS which provides for how to achieve sufficient security of the system and how to ensure and monitor the security of information in the system;
12) “Security Operating Procedures” means a document which provides a detailed description of the procedure for compliance with the security requirements prescribed in the System Specific Security Requirement Statement and the duties of each specific employee or other person upon ensuring the security of information;
13) "Global Security Environment" means the environment surrounding the location of the system, including the building or area, in which the occurring events may affect the safety of the system;
14) "Local Security Environment" means the premises or area/space bordering on the Global Security Environment where the components of a system are located or used;
15) "Electronic Security Environment" is restricted to the components of the system which are used for the electronic processing of information and in protection of which the personnel operating the system applies electronic security measures.
§ 105. Electronic information security principles
(1) This Subchapter provides electronic information security principles for the protection of electronically proccessed classified information.
(2) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(3) Electronic processing of classified information is permitted only by means of computers and local area networks situated within the Local Security Environment, except under the conditions and pursuant to the procedure provided for in Subchapter 8.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(31) Permission for electronic processing of information classified as restricted in public space shall be granted by the Estonian Foreign Intelligence Service in the course of CIS accreditation.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(4) The processing unit used for processing information classified not higher than at the restricted level of classification shall not subject to Subchapter 7 of Chapter 5 and it may be taken out of the Local Security Environment if:
[RT I, 06.10.2021, 1 – entry into force 09.10.2021]
1) the classified information has been encrypted by the conforming means of encryption or protected from unauthorised access by another method permitted by the Estonian Foreign Intelligence Service;
[RT I, 06.10.2021, 1 – entry into force 09.10.2021]
2) the processing unit bears no marking which would refer to the level of classification of the information processed therein.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(5) Upon ensuring electronic information security for the protection of classified information of foreign states, the requirements prescribed by the originator of the classified information of foreign states shall be taken into account additionally.
(6) Ensuring electronic information security shall, above all, adhere to the following security principles:
1) only the functions, protocols or services which are necessary for the processing of information or ensuring its security shall be used – the Principle of Minimality;
2) managing security risks of the system, including prevention, reduction, diversion and permitted accepting of such risks – the Principle of Continuous Security Risk Management – and regular checking of system security shall be carried out on an ongoing basis;
3) the users and administrators of the system shall have only user privileges needed for the performance of their tasks – the Principle of Least Privilege;
4) all other CIS connected to the system shall be presumed to be unreliable and sufficient security measures shall be applied when exchanging information with them – the Principle of Self-protecting Nodes;
5) if one of the used security measures fails, the entire system must not lose its security -the Principle of Defence-in-Depth.
§ 106. Security requirements for CIS
(1) Systems for processing classified information shall ensure the availability, confidentiality and integrity of information.
(2) A classified CIS shall allow:
1) identification and registration of persons who had or may have had access to system operations and devices which support the protection of classified secrets;
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
2) identification of the users of the system based on their right of access to classified information;
3) access to information and system operations and devices which support the protection of information only upon the existence of the right of access and a justified need to know;
4) verification of the confidentiality, integrity, availability and the origin, reliability and connections of information or system operations and devices which support the protection of information;
5) achievement of a situation where the CIS security mechanisms function in compliance with the requirements during the whole period of use of the system;
6) prevention and elimination of security incident and prevention or reduction of damage caused thereby;
7) handling of security incidents in the course of which threats to the system or parts thereof, and damage caused thereby to information and measures taken for the elimination of the damage are determined and registered.
(3) Information concerning a system shall be documented in the System Specific Security Requirement Statement and the Security Operating Procedures.
(4) Processing units perform continuous risk management of the systems.
§ 107. System Specific Security Requirement Statement
(1) System Specific Security Requirement Statements shall set out:
1) the technical specification of the system;
2) an overview of the results of the risk assessment of the system;
3) the description of the security requirements for the system;
4) a list of security measures applied in the system;
5) the description of organisation of system security.
(2) The System Specific Security Requirement Statements shall be prepared by processing units. Before construction or commencement of use of a new system intended for the processing of classified information, the processing unit shall obtain the approval of the Estonian Foreign Intelligence Service for the Statement.
(3) The System Specific Security Requirement Statement shall be specified in the course of building and use of the system if changes occur, for example, the purpose or structure of the system changes, new significant threats appear or the level of classification of the information processed in the system changes. The processing unit shall obtain the approval of the Estonian Foreign Intelligence Service for the amendments to the System Specific Security Requirement Statement.
§ 108. Security Operating Procedures
(1) The Security Operating Procedures shall set out:
1) the tasks, rights and obligations of the persons responsible for the security of the system;
2) the users of the systems and their tasks, rights and obligations;
3) the description of the configuration administration of the hardware and software of the system;
4) guidelines for the electronic processing of classified information;
5) the description of the processing of the data media used within the system;
6) the description of the review of the log files and incident administration of the system.
(2) A processing unit shall prepare the Security Operating Procedures based on the System Specific Security Requirement Statement and coordinate them with the Estonian Foreign Intelligence Service before the processing of classified information is commenced in the system.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(3) The Security Operating Procedures shall be specified in the course of use of the system if changes occur, for example, the purpose or structure of the system changes, new significant threats appear or the level of classification of the information processed in the system changes. All amendments to the Security Operating Procedures shall be approved by the Estonian Foreign Intelligence Service.
§ 109. Accreditation of CIS
(1) The purpose of accreditation of a system is to demonstrate that the system complies with the requirements established for ensuring information security.
(2) The Estonian Foreign Intelligence Service shall base the CIS accreditation on the following:
1) the physical security measures of the system;
2) security risks related to the system;
3) the System Specific Security Requirement Statement;
4) the Security Operating Procedures;
5) the emmission security zoning measurement results in the location of the system;
6) information on the conformity of the CIS security requirements by the processing unit.
(3) The Estonian Foreign Intelligence Service shall initiate CIS accreditation at the initiative of the processing unit or at its own initiative. The processing unit shall annex the System Specific Security Requirement Statement and Security Operating Procedures to the application for accreditation of the system. The processing unit shall submit the rest of the information specified in subsection 2 at the request of the Estonian Foreign Intelligence Service.
(4) As a result of accreditation, the processing unit is issued a certificate of conformity by a directive of the director general of the Estonian Foreign Intelligence Service.
(5) As a result of accreditation, a temporary permit for use is issued to a system by a directive of the director general of the Estonian Foreign Intelligence Service.
(6) If a system does not conform to the CIS security requirements, the Estonian Foreign Intelligence Service shall refuse to issue a certificate of conformity or temporary permit for use to a system or shall prohibit its use for processing classified information. A corresponding decision is made by a directive of the director general of the Estonian Foreign Intelligence Service.
§ 110. Obligation to provide information
A processing unit is required to immediately provide information, including in written form, at the request of the Estonian Foreign Intelligence Service concerning the system in its possession and the circumstances relating to information security, and to ensure the Estonian Foreign Intelligence Service with access to the parts of the system regardless of their location which, during office hours, must be granted on a continuous basis and during rest days and national holidays shall be agreed upon in advance.
§ 111. Procedure for extension of certificate of conformity and temporary permit for use
(1) A processing unit wishing to extend a certificate of conformity shall submit the Estonian Foreign Intelligence Service a corresponding application at least two months prior to the expiry of the certificate of conformity.
(2) The Estonian Foreign Intelligence Service may extend the term of a temporary permit for use at its own initiative or based on a corresponding application of the processing unit.
(3) The provisions concerning accreditation apply to the extension of certificates of conformity and temporary permits for use.
§ 112. Revocation of certificates of conformity and temporary permits for use
(1) The Estonian Foreign Intelligence Service shall revoke a certificate of conformity or temporary permit for use:
1) based on an application by the processing unit;
2) if the processing unit has failed to comply with a precept issued by the Estonian Foreign Intelligence Service for elimination of a violation of an electronic information security requirement or a danger of such violation;
3) if circumstances which are the basis for refusal to issue a certificate of conformity or temporary permit for use become evident.
(2) A certificate of conformity or temporary permit for use shall be revoked by a directive of the director general of the Estonian Foreign Intelligence Service.
(3) A processing unit shall be notified of the revocation of the certificate of conformity or temporary permit for use in writing.
§ 113. Notification of National Security Authority
If a classified information of foreign states is processed in a system, the Estonian Foreign Intelligence Service shall notify the National Security Authority of the issue of a certificate of conformity or temporary permit for use, and of the extension or revocation of a certificate of conformity.
Subchapter 10 Protection of Classified Information of Foreign States
Division 1 Processing of Classified Information of Foreign States
§ 114. Principles of processing of classified information of foreign states
Classified information of foreign states shall be processed on the same bases and pursuant to the same procedure as the processing of state secrets, taking account of the difference arising from international agreements. The requirements for processing provided in this Subchapter do not apply to crypto materials registered by the Estonian Foreign Intelligence Service and the information specified in subsection 3 of § 52 of the State Secrets and Classified Information of Foreign States Act.
§ 115. Keeping records of media containing classified information of foreign states
Record of media containing classified information of foreign states shall be kept separately from the records concerning state secrets such that restriction of access to registry data and data media based on the need to know and right of access can be guaranteed. Separate record shall be kept in the registry concerning each originator of classified information of foreign states.
§ 116. Central registry of classified information of foreign states maintained by National Security Authority
(1) The National Security Authority shall keep the central registry of classified information of foreign states which registers all the data media containing information of foreign states classified as secret or at a higher level of classification which have been forwarded to the state or have been created in the state, and collects data concerning media containing information of foreign states classified as confidential which have been forwarded to the state or have been created in the state.
(2) The processing units that are the users of the central registry of the National Security Authority are required to perform the requirements provided for in § 51.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 117. Registry of classified information of foreign states maintained by processing units
(1) A unit processing classified information of foreign states shall establish a registry of classified information of foreign states and inform beforehand the National Security Authority in writing.
(2) In order to process information of foreign states classified as top secret and classified information of foreign states bearing a special category marking and to maintain a corresponding registry and its sub-registries the processing unit shall obtain written permission to such effect from the National Security Authority. The National Security Authority shall grant the permission after conducting an inspection in the course of which it shall be established whether the requirements for processing have been met.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
§ 118. Registration of media containing classified information of foreign states
(1) In addition to the registry kept by a processing unit, the processing unit in possession of classified information of foreign states is required to register media containing information of foreign states classified as secret or at a higher level of classification or bearing special category markings in its possession in the central registry maintained by the National Security Authority at the first opportunity but not later than seven days after the creation of a classified medium or arrival of such medium at the processing unit.
(2) A processing unit in possession of media containing information of foreign states classified as confidential shall forward information concerning such data media to the National Security Authority within one month after the creation of a classified medium or arrival of such medium at the processing unit.
(3) The media forwarded to a processing unit by the National Security Authority need not be registered by the processing unit in the central registry maintained by the National Security Authority.
(4) A processing unit in possession of classified information of foreign states is required to enter the registration number issued by the National Security Authority on every data medium which contains information of foreign states classified as secret or at a higher level of classification or bearing special category markings.
§ 119. Forwarding of media containing classified information of foreign states
(1) Media containing information of foreign states classified as top secret or bearing special category markings shall be received and forwarded to other processing units only through the National Security Authority except in cases where the National Security Authority has issued written consent to the processing unit maintaining a registry for that purpose.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(2) [Repealed – RT I, 14.01.2011, 6 – entry into force 17.01.2011]
(3) Media containing classified information of foreign states shall be forwarded only to processing units that have established a registry for classified information of foreign states beforehand.
§ 120. Reproduction and destruction of media containing information of foreign states classified as top secret and classified information of foreign states bearing special categorymarking
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(1) Media containing information of foreign states classified as top secret and classified information of foreign states bearing a special category marking shall be reproduced and destroyed only by the National Security Authority.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(2) The National Security Authority may give a state agency written permission for the reproduction or destruction of the data media specified in subsection 1.
§ 121. Return of media containing information of foreign states classified as top secret and classified information of foreign states bearing special category marking
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(1) A processing unit maintaining the registry of media containing information of foreign states classified as top secret and classified information of foreign states bearing a special category marking shall return the media containing such information to the National Security Authority immediately after the need for its use is over.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(2) If it is necessary to use the data medium longer than for one year after receipt of the medium, the keeping of the medium for such extended period shall be registered in the central registry maintained by the National Security Authority.
§ 122. Inspection by National Security Authority
The National Security Authority shall conduct, at least on one occasion over a two year period, an inspection of the security measures applied for the protection of classified information of foreign states and the right of access of the persons processing such information in the processing units possessing classified information of foreign states. The National Security Authority shall conduct such inspection in agencies in possession of information of foreign states classified as top secret or bearing special category markings for at least every 18 months.
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
Division 2 Procedure for Issue, Refusal to Issue, Extension and Revocation of Personnel and Facility Security Clearance Certificates for Access to Classified Information of Foreign States, and Grant, Refusal to Grant and Extension of Right of Access to Classified Information of Foreign States
§ 123. Access to classified information of foreign states
(1) A certificate for access to classified information of foreign states (hereinafter Personnel Security Clearance Certificate or Facility Security Clearance Certificate) shall be issued for accessing classified information of foreign states if an international agreement prescribes the issue of a certificate for access to classified information of foreign states of the corresponding level of classification.
(2) In cases prescribed by international agreements, the National Security Authority shall also issue a confirmation of the right of access to classified information of foreign states (hereinafter confirmation).
(3) The right for persons specified in subsections 1 and 2 of § 27 of the State Secrets and Classified Information of Foreign States Act to access information of the European Union and the North Atlantic Treaty Organisation classified as restricted arises after the persons have been communicated the information specified in § 130, signed the obligation and the notice specified in § 131 has been issued.
(4) The right for natural persons and legal persons in private law to access or process classified information of foreign states arises only based on a Personnel Security Clearance Certificate or a Facility Security Clearance Certificate.
§ 124. Compliance of level of Personnel Security Clearance Certificate and Facility Security Clearance Certificate with level of permit for access to state secret
Personnel Security Clearance Certificate and the Facility Security Clearance Certificate shall not be issued at a higher level of classification than the level of the permit to access (hereafter a Personnel Security Clearance) or process state secrets (hereafter Facility Security Clearance) held by the natural person or processing unit to whom the Personnel Security Clearance Certificate or the Facility Security Clearance Certificate is applied.
§ 125. Term of Personnel Security Clearance Certificates and the Facility Security Clearance Certificates
(1) The National Security Authority shall decide on the term of an access certificate based on the desired term of validity indicated in the application, the term of the right of access to state secrets and the justification of the need to know. A Personnel Security Clearance Certificate or a Facility Security Clearance Certificate shall not have a longer term than the right of the person or the processing unit to access state secrets.
(2) If a person's or processing unit´s right to access state secrets expires before the end of the term of validity specified in the Personnel Security Clearance Certificate or in the Facility Security Clearance Certificate, the Personnel Security Clearance Certificate or the Facility Security Clearance Certificate shall expire.
(3) If a Personnel Security Clearance Certificate or a Facility Security Clearance Certificate becomes invalid on an earlier date than the date of expiry set forth in the certificate, the Personnel Security Clearance Certificate or the Facility Security Clearance Certificate shall be returned to the National Security Authority.
§ 126. Application for Personnel Security Clearance Certificates for natural persons
A processing unit wishing to apply for a Personnel Security Clearance Certificate for a natural person shall submit the following documents to the National Security Authority:
1) a written application which shall set out the originator of the classified information of the foreign state, the level of classification of information for which access is applied for, the requested term of validity of the Personnel Security Clearance Certificate, and the name and personal identification code or, in the absence thereof, date of birth of the person, exact birthplace, citizenship and contact details;
2) a copy of the Personnel Security Clearance or other document in proof of the right of access to state secrets;
3) a copy of both sides of the identity document of the person or from the page of the passport which contains personal data.
§ 127. Application for right of access to information of foreign states classified as restricted
(1) An agency or constitutional institution wishing to apply for the right to access to information of foreign states classified as restricted for a person specified in subsection 3 of § 123 shall submit a written application to the National Security Authority which shall set out the name, personal identification code and position of the person and to which a copy of the document shall be annexed by which the person is granted access to state secrets classified as restricted.
(2) Where necessary, the National Security Authority shall also issue confirmation in proof of the person's right of access to information of foreign states classified as restricted.
§ 128. Application for Facility Security Clearance Certificates for persons or units processing classified information based on Facility Security Clearance
In order to apply for a Facility Security Clearance Certificate for a person or a unit processing classified information based on a Facility Security Clearance, the agency applying for grant of access shall submit the following documents to the National Security Authority:
1) a written application by the processing unit which sets out the level of classification of information for which access is applied for and justifies the need of the person to access classified information of foreign states;
2) a written application by the supporting authority which specifies the originator of the classified information of foreign states and the level of classification for which access is applied for and justifies the need of the person to access classified information of foreign states, unless the supporting authority is the National Security Authority;
3) a copy of the Facility Security Clearance;
4) a copy of the guidelines for protection of state secrets;
5) a copy of the document for appointment of the person organising the protection of state secrets in the legal person, his or her name, and a list of persons who will process classified information of foreign states and, where necessary, the documents needed for application of Personnel Security Clearance Certificates for natural persons to such persons.
§ 129. Deciding on grant of Personnel Security Clearance Certificates and Facility Security Clearance Certificates based on applications
(1) If an application for a Personnel Security Clearance Certificate or a Facility Security Clearance or the documents appended thereto do not confirm to requirements, the National Security Authority shall inform the processing unit who applied for a Personnel Security Clearance Certificate for a natural person or the supporting authority which applied for a Facility Security Clearance Certificate for a processing unit of the deficiencies within ten working days and give them a term for elimination thereof.
(2) The National Security Authority shall decide on the grant of or refusal to grant a Personnel Security Clearance Certificate or a Facility Security Clearance Certificate within one month after the receipt of the conforming application. The term may be extended with good reason by notifying the applying or supporting agency or constitutional institution thereof.
§ 130. Communication of requirements for protection of classified information of foreign states
(1) Before a natural person is granted the right to access information of foreign states classified as restricted or issued an Personnel Security Clearance Certificate for the first time, the National Security Authority or an agency authorised by National Security Authority thereby shall brief the person on his or her responsibilities and bases for protection of classified information of foreign states. Where necessary, the National Security Authority shall also brief the person in the case of renewal of a Personnel Security Clearance Certificate or right of access, or in the case of issue of an confirmation.
(2) If the right to access information of foreign states classified as restricted or a Facility Security Clearance Certificate is granted to a processing unit, the person organising the protection of state secrets in such unit is introduced the bases for protection of classified information of foreign states.
(3) Before handing over a Personnel Security Clearance Certificate or a Facility Security Clearance Certificate or a notice, the National Security Authority shall obtain the signature of the natural person receiving the right of access or Personnel Security Clearance Certificate or in case of a processing unit the signature of the person organising the protection of state secrets, concerning obligation to maintain the confidentiality of the classified information of foreign states which becomes known by virtue of employment or service.
§ 131. Forwarding of Personnel Security Clearance Certificates and Facility Security Clearance Certificates and notices
The National Security Authority shall forward a Personnel Security Clearance Certificate or a Facility Security Clearance Certificate or notice within five days after the creation of the right to access information of foreign states classified as restricted to the processing unit who applied for access or to the authority who supported the access of a legal person. The processing unit whose application for access was supported shall be forwarded a copy of the Facility Security Clearance Certificate.
§ 132. Formalisation of Personnel Security Clearance Certificates and Facility Security Clearance Certificates
(1) A Personnel Security Clearance Certificate and a Facility Security Clearance Certificate shall set out at least the following information:
[RT I, 22.11.2016, 7 – entry into force 01.01.2017]
1) date of issue and number;
2) the given name, surname, date of birth and place of birth of the natural person who obtains the Personnel Security Clearance Certificate or the name, address and registry code of the legal person who obtains the Facility Security Clearance Certificate;
3) the highest level of classification of information of foreign states and special categories of information which the person is permitted to access;
4) the term of validity of Personnel Security Clearance Certificate or Facility Security Clearance Certificate;
5) where necessary, the name, time and place of the event for participation in which access was applied for.
(2) A Personnel Security Clearance Certificate and a Facility Security Clearance Certificate shall be prepared in Estonian and English.
§ 133. Application for and formalisation of confirmation
(1) A processing unit wishing to receive confirmation shall submit an application to this effect and append documents thereto concerning the event for participation in which the confirmation is requested and, at the demand of the National Security Authority, also additional documents if this arises from a foreign agreement.
(2) The requirements specified in subsection 1 of § 132 shall be followed upon formalisation of the confirmation.
[RT I, 22.11.2016, 7 – entry into force 01.01.2017]
§ 134. Revocation of Personnel Security Clearance Certificates and Facility Security Clearance Certificates
A Personnel Security Clearance Certificate or a Facility Security Clearance Certificate shall be revoked if:
1) the person's need to know expires;
2) a new Personnel Security Clearance Certificate or Facility Security Clearance Certificate is issued before the previous Personnel Security Clearance Certificate or Facility Security Clearance Certificate expires;
3) personal information entered in the Personnel Security Clearance Certificate change;
4) a fact precluding the issue of the Personnel Security Clearance Certificate or the Facility Security Clearance Certificate becomes known during the period of validity of the issued Personnel Security Clearance Certificate or Facility Security Clearance Certificate.
§ 135. Notification of expiry of Personnel Security Clearance Certificate, Facility Security Clearance Certificate, right of access or need to access
The processing unit who applied for the grant of the right of access to classified information of foreign states to a natural person or an authority or constitutional institution who supported the application of a processing unit shall immediately inform the National Security Authority of the expiry of the need to access classified information of foreign states, or the expiry of the right of access or the Personnel Security Clearance or the Facility Security Clearance of the person or unit who was granted the right of access.
§ 136. Notification of authority competent to carry out security checks
The National Security Authority shall immediately inform the authority competent to carry out security check with respect to a person or unit of the grant of the right of access to classified information of foreign states or issue of an Personnel Security Clearance Certificate or a Facility Security Clearance Certificate to a natural or legal person, and of the revocation or establishment of the nullity of such right.
Chapter 6 Establishment of Forms for Consent, Confirmation, Applications for Personnel Security Clearance, Facility Security Clearance and Application for Extension thereof, and Forms Completed by Applicants for Personnel Security Clearance and Facility Security Clearance and Applicants for Extension thereof
§ 137. Forms related to Personnel Security Clearance for accessing state secrets
(1) A natural person shall submit an application for a permit to access state secrets (hereinafter Personnel Security Clearance) using the form specified in Annex 1.
(2) A natural person shall submit an application for the extension of a Personnel Security Clearance using the form specified in Annex 2.
(3) Upon application for a Personnel Security Clearance or upon application for the extension of the period of validity thereof, a natural person shall fill out the form completed by applicants for Personnel Security Clearance and for the extension thereof (Annex 3).
[RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(4) [Repealed – RT I, 26.10.2016, 2 – entry into force 29.10.2016]
(5) Upon application for a Personnel Security Clearance or extension of a Personnel Security Clearance, a natural person shall fill out the consent form (Annex 5) annexed to the application form.
(6) Upon application for a Personnel Security Clearance or extension thereof, a natural person shall confirm that he or she is aware of the requirements for the protection of state secrets, the liability for violation of such requirements and the obligation to maintain the state secrets made known to him or her (Annex 6).
(7) A person who is applying for or holding the right of access to state secrets classified as restricted shall fill out the form of consent specified in subsection 5 and give the confirmation specified in subsection 6.
[RT I, 14.01.2011, 6 – entry into force 17.01.2011]
§ 138. Forms related to Facility Security Clearance for processing state secrets
(1) A legal person shall submit an application for a permit to process state secrets (hereinafter Facility Security Clearance) using the form specified in Annex 7.
(2) A legal person shall submit an application for the extension of a Facility Security Clearance using the standard format specified in Annex 8.
(3) Upon application for a Facility Security Clearance or upon application for the extension of the period of validity of thereof, a legal person shall submit the form of the applicant for Facility Security Clearance and for the extension of the period of validity thereof (Annex 9).
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
(4) [Repealed – RT I, 06.03.2019, 7 – entry into force 09.03.2019]
(5) Upon application for a Facility Security Clearance or extension of a Facility Security Clearance, a legal person shall fill out the consent form (Annex 11) annexed to the application form.
(6) Upon application for a Facility Security Clearance or extension thereof, a legal person shall confirm awareness of the requirements for the protection of state secrets, liability for violation of such requirements and obligation to maintain the state secrets made known thereto (Annex 12).
(7) Subsections 1–3, 5 and 6 also apply to self-employed persons.
[RT I, 06.03.2019, 7 – entry into force 09.03.2019]
Chapter 7 Implementation of Regulation
§ 139. Entry into force of Regulation
(1) This Regulation shall enter into force on 1st January 2008.
(2) Clauses 4, 5, 7, 8 and 11 of subsection 1 of § 8 enter into force on 1 January 2009, except regarding information which was a state secret before 1 January 2008.
(3) Subsection 1 of § 70 enters into force on 1 January 2009.
Annex 1 Application for Personnel Security Clearance
Annex 2 Application for extension of Personnel Security Clearance
Annex 3 Form completed by natural person applying for Personnel Security Clearance to state secret classified as top secret, secret or confidential and for extension of Personnel Security Clearance
[RT I, 26.10.2016, 2 - entry into force 29.10.2016]
Annex 4 Form completed by natural person applying for extension of Personnel Security Clearance to state secret classified as top secret, secret or confidential
[Repealed – RT I, 26.10.2016, 2 - entry into force 29.10.2016]
Annex 5 Written consent by natural person for execution of security check
[RT I, 26.10.2016, 2 - entry into force 29.10.2016]
Annex 6 Confirmation by natural person to maintain state secrets made known to him or her
Annex 7 Application for Facility Security Clearance
Annex 8 Application for extension of Facility Security Clearance
Annex 9 Form completed by applicant for Facility Security Clearance and for the extension of the period of validity of Facility Security Clearance
[RT I, 06.03.2019, 7 - entry into force 09.03.2019]
Annex 10 Form completed by applicant for extension of Facility Security Clearance
[Repealed – RT I, 06.03.2019, 7 - entry into force 09.03.2019]
Annex 11 Written consent by applicant for issue or extension of Facility Security Clearance of legal person
[RT I, 06.03.2019, 7 - entry into force 09.03.2019]
Annex 12 Confirmation by legal person to maintain state secrets made becomes thereto
Facebook
Twitter