Regulation on the Procedures and Principles to be Applied in Confidential Documents (“Regulation”) has been published in the Official Gazette dated April 26, 2022 and numbered 31821. The Regulation determines the procedures and principles to be applied for confidential documents according to their content or actuality and to ensure the unity of application in confidential documents and covers the public institutions and organizations.
Firstly, with the Regulation, the definition of confidentiality level was made, and it was specified that there were three national secrecy levels as Top-Secret, Confidential, and Service Specific. With this respect, it has been stated that the Top-Secret level is used for documents that, if disclosed or learned by unauthorized persons, could significantly harm Turkey’s foreign relations, national defense, national security, and activities with the allies. In addition, the Confidential level is used for documents that may harm the interests of Turkey, security, intelligence, and technology activities if disclosed without permission or learned by unauthorized persons. Finally, another level, Service Specific, is used for documents that, if disclosed or learned by unauthorized persons, may harm any administrative activity, natural or legal person, administrative investigation, judicial investigation, and prosecution.
Pursuant to Regulation, if necessary, a document is granted a level of confidentiality appropriate to its contents. A higher or lower confidentiality level is not assigned to the document than the quality of the information it contains to complete the transactions related to the document on time, to prevent the confidentiality levels from becoming ordinary, and to prevent the disclosure of confidential information. Furthermore, if the administration considers that the confidential document has a greater or lower level of confidentiality based on the nature of the information it contains, the administration should notify the document's owner.
What is more, while only the unit manager has the power to grant the Confidential level of confidentiality to a document, if the unit manager accepts its usage, authorization can be delegated to sub-unit managers. Although the papers that employ the Confidential level are stated, documents relating to intelligence activity can be used as examples. Besides that, the unit or sub-unit manager is authorized to assign the Service-Specific level of confidentiality to a document, and documents containing information that must be safeguarded by the appropriate laws are examples of documents in which the Service-Specific level is applied.
Within the scope of the Regulation, the confidentiality level should be marked in red in all capital letters in the center of the top and bottom margins of each page of the document. Graphics, maps, pictures, drawings, and other similar materials should be conspicuously labeled at the border or title block so that the level of confidentiality is obvious while open and folded. The electronic material in which a confidential document is kept is assigned a level of confidentiality based on the level of confidentiality of the document it contains. This level of confidentiality must be both physically and electronically accessible.
The general security measures for these documents have been specified in detail. Security measures for confidential documents address the physical and technological elements of restricting access to confidential documents based on the need-to-know principle, as well as discouraging, preventing, and detecting unwanted acts. Furthermore, physical and technical security measures adequate to the relevant confidentiality level should be implemented for the building, office, room, cabinet, safe, and other areas where confidential documents are created, studied, or kept, including areas containing communication and information systems. Measures that can be taken in devices used for Top-Secret and Confidential documents are also specified in this context, such as the lack of any hardware components that could permit wired or wireless network connection in the computer, printer, and copier.
As specified by the Regulation, the Ministry of Foreign Affairs, Turkish Armed Forces, the Presidency of National Intelligence Organization, General Directorate of Security, Gendarmerie General Command, and Coast Guard Command are authorized to make coded or encrypted communication within the electronic communication service, and public institutions and organizations that use coded or encrypted electronic communication systems belonging to these institutions can perform transactions regarding confidential documents on devices connected to a closed network, provided that necessary security measures are taken.
Furthermore, the Regulation establishes provisions for confidential document evaluation commissions. In this regard, the "Top-Secret Documents Evaluation Commission" decides to retain the Top-Secret document's confidentiality level the same, to decrease it, remove it, or destroy the Top-Secret document. These commissions are made up of three persons and are led by the administration's top manager or the manager authorized under the Top-Secret document. The Regulation also governs the commission's meeting times. Moreover, the "Confidential and Service-Specific Documents Evaluation Commission" also decides to keep or remove the confidentiality level of the Confidential or Service-Specific document. The commissions are made up of three people and are led by the director of the unit that holds the Confidential and Service Specific documents or the director to whom he or she delegated. The administration determines the timing and frequency of meetings of the "Confidential and Service-Specific Documents Evaluation Commission."
Further, natural and legal persons who are likely to have access to confidential documents as part of their duties or responsibilities should adhere to the measures outlined in this Regulation, and necessary steps are being taken to initiate a judicial or administrative investigation against natural or legal persons who violate the confidentiality of the confidential document or disclose the document.
The Regulation requires the establishment of a bureau responsible for recording, sending, receiving, transferring, and preserving the Top-Secret document, as well as its follow-up and management. This bureau performs collaborative actions with the necessary units for the reproduction, translation, access, declassification, destruction, transfer to the archive, and quotation of the Top-Secret document, along with keeping records and keeping track of the records.
Even though the procedures of the bureau are detailed, the bureau to be closed under the Regulation should request information about the up-to-dateness of the documents from the administration or the unit that prepared the Top-Secret documents before the transfer process is carried out. As a consequence of the administrations' or units' evaluations, the bureau carries out the processes of decreasing the secrecy level of Top-Secret documents, removing them and destroying the records or transferring them to the archive.
The bureau in issue should be placed on campuses or in buildings that are only accessible through security control, and the locations of the bureau should be known only to those who need to know. Furthermore, the Regulation extensively governs the security measures to be used in the bureau. For instance, devices that can provide data and information transfer, such as mobile phones, cameras, copying devices, computers, tablets, and weapons that may cause security weaknesses, are not permitted at the bureau's entrance. While the precautions regarding the bureau personnel are also explained, most importantly, a Top-Secret Document Authorization Card should be issued to the bureau personnel.
The Top-Secret document is prepared by processing personnel from the appropriate unit on devices with security measures and in the bureau or a separate room under the supervision of the bureau, and when prepared in the bureau, the processing personnel are accompanied by bureau personnel. When the Top-Secret document is prepared in a separate room under the bureau's supervision, processing personnel may work alone. The Top-Secret document's initial and signing processes are carried out under the supervision of the processing personnel who prepared the document. Transaction personnel will take precautions to ensure that the Top-Secret document is not seen by anybody who is not participating in the initial and signing procedure. After the signing procedure is done, the transaction personnel submit this Top-Secret document, together with the distribution copies, to the bureau.
Further, with the Regulation, arrangements have been made for sending, receiving and transferring, storing and counting, duplicating, translating and quoting, degrading or removing, destroying and breaching the security or disclosure of the Top-Secret document.
Confidential and Service-Specific Documents
While security measures for Confidential and Service-Specific documents are defined, the Regulation requires that Confidential documents be maintained in secure rooms accessible to authorized personnel or in lockers to be retained. Mechanisms based on cutting-edge technology should be employed to ensure that only authorized individuals may access the safe rooms where the Confidential document is stored, and a video recording of the safe rooms' door from the outside should be retained. Furthermore, cabinets with locking mechanisms that can be accessed with a key, magnetic card, or password, that are not visible from the outside and cannot be readily moved, should be utilized to store the Confidential document.
In contrast, the Service-Specific document is kept in Electronic Document Management System (“EBYS”) as encrypted or password protected. Dissemination security measures are implemented in locations where the Service-Specific document is stored and processed. In unusual instances, the Service-Specific document generated in the physical environment should be retained in compliance with the above-mentioned requirements. It should be guaranteed that the data contained in EBYS is periodically backed up so that data loss does not occur.
According to the Regulation on the Procedures and Principles to be Applied in Official Correspondence, the Confidential document should be created in the physical environment, whereas the Service-Specific document should be prepared in the electronic environment. However, in the case of an emergency, a physical copy of the Service-Specific document could be made. In addition, according to the Regulation, during the initial and signature processes of Confidential and Service-Specific documents, it should be prevented from being seen by the person or persons who are not involved in the initialization and signature process of the prepared document.
Further, precise provisions were made with the Regulation for sending, receiving, and transferring confidential and service-specific documents, duplicating, and translating them, removing the confidentiality degree, and transferring them to the institution archive.
Finally, the Regulation requires that administrations complete the security measures to be implemented under the provisions in this Regulation about Top-Secret and Confidential documents, as well as the processes pertaining to the employees to be assigned, within six months.