In Germany, regulations on classified information and its protection are laid down in particular in the Security Surveillance Act (SÜG) and the Federal Government's Classified Information Directive (VSA) issued on the basis of Section 35 of the SÜG, as well as corresponding laws and directives of the Länder.
Classification
Classified information is classified according to its need for protection by an official agency of the Federal Government or at its instigation into four classification levels (Section 4 (2) VSA). The grades are based on the possible consequences for the Federal Republic of Germany or one of its Länder of unauthorised persons gaining knowledge of the information (Section 2 (2) VSA).
| Classification | Abbreviation | Classification principle |
| VS-ONLY FOR OFFICIAL USE | VS-NfD | may be detrimental to the interests |
| VS-CONFIDENTIAL | VS-Vertr. | may be detrimental to interests |
| SECRET | Go. | may endanger safety or cause serious damage to interests |
| TOP SECRET | Str. Go. | can endanger the existence or vital interests |
The publisher of a classified document shall determine the level of classification. The publisher is the department that creates a classified document or arranges for it to be created. Classification shall be used only to the extent necessary (Article 15 VSA).
The classification period shall be based on the expected duration of the need for protection of the classified information resulting from the justification for classification. The classification of classified information classified for official use only shall be limited to 30 years. It may be shortened but not extended. For higher classification levels, higher time limits may be set for individual classified documents or as a lump sum for the classified documents generated in a given area. The classification ends at the end of the year in which the deadline falls (Section 16 f. VSA). If the need for protection of a classified document changes, the publisher must increase or decrease the classification of this classified document accordingly (Section 18 VSA). If the need for protection of a classified document ceases before the expiry of the classification period, the publisher shall cancel the classification (Section 19 VSA).
A non-classification does not mean that the object in question or its contents may be made accessible to the public. It is subject to general official secrecy. Only the special protection provisions for classified information do not apply to it. The classification of a classified matter remains in force even if it has become known unlawfully (Section 2(3) VSA).
In the case of classified information classified VS-VERTRAULICH or higher, the level of classification shall be indicated by the words 'officially classified' at the top of each page described (in the case of documents).
Protection
Authorities and other public bodies (e.g. constitutional bodies) are obliged to protect classified information by measures of material secrecy in such a way that breaches of their confidentiality are counteracted and to work towards ensuring that such attempts can be detected and cleared up. This also applies to the disclosure of classified information to non-public bodies (Section 4 (4) SÜG).
Any person who obtains access to classified information in an authorised manner is obliged to maintain secrecy about the information thus obtained and must ensure, by complying with the protective measures, that no unauthorised person obtains knowledge of the classified information (Section 4(3) SÜG). Before a person is given access to classified information classified VS-NUR FÜR DEN DIENSTGEUCH, he/she shall be bound by the "VS-NfD-Merkblatt". Before a person is given access to classified information classified VS-VERTRAULICH or higher, he shall be cleared by the Security Officer. At the same time, he/she must be instructed about the special provisions of confidentiality, committed to confidentiality to the necessary extent and informed about the recruitment methods of foreign intelligence services as well as the possibility of punishment under criminal and disciplinary law or measures under labour law in the event of violations of confidentiality regulations (Section 4 (2) VSA).
The Federal Office for Information Security and the intelligence services of the Federation and the Länder shall cooperate in the protection of classified information (Section 5 VSA).
When handling classified information, technical and organisational measures are taken which, in their interaction, are intended to reduce the risks of an attack and, in the event of a successful attack, to limit the negative consequences. The security measures take into account the aspects of prevention, detection and reaction (Section 6 VSA).
The head of the department is responsible for the implementation of these classified information instructions within his area of responsibility and must create the conditions to ensure the material protection of secrets. It may delegate its duties in whole or in part to employees of its department (Section 7 VSA). Departments that handle classified information classified as VS-VERTRAULICH or higher shall appoint security officers and persons authorised to represent them (Section 8 (1) VSA). They shall also appoint security registrars and persons authorised to represent them to ensure the proper management of such classified information (Section 10 VSA).
The subject of a classified document shall be worded in such a way that it is not in itself classified (Section 20(5) VSA). The reproduction of TOP SECRET classified information requires the consent of the publisher (Section 22(4) VSA). Permanent storage of classified information classified CONFIDENTIAL or higher shall take place in classified information registries. Storage outside the VS registry is permissible only for the period for which continued access to the classified information by the processor is necessary (Section 23 (1) VSA). Before disclosing classified information, each person must ensure that the intended recipient is authorised to receive or take cognisance of it (Section 24(2) VSA). When discussing classified information, the principle of "knowledge only when necessary" must be observed. Discussion in public is to be refrained from (§ 29 para. 1 VSA).
Technical means for the protection of classified information are, for example, security deposit boxes, security key containers, burglary and hold-up alarm systems, access control systems, security transport containers, security packaging, security doors and locks. This also includes means for the destruction of classified information. Classified storage facilities are specially secured rooms, cabinets or other containers for the storage of classified information. Each classified information registry shall have at least one classified information depository.
Departments must take precautions to ensure that their telecommunications and information technology cannot be misused to eavesdrop on room and telephone conversations. Rooms in which conversations with classified or higher content are frequently or regularly conducted must be bug-proof, in the case of TOP SECRET content, bug-proof (Section 41 VSA). They must be subjected to an anti-eavesdropping test prior to initial use and thereafter on a random basis (Section 48 VSA). Departments that are particularly targeted by attacks on the confidentiality, availability, integrity and authenticity of classified information may be designated as "departments with special security needs" (Section 43 VSA).
Security check
→ Main article: Security check
Anyone who has access to or is able to gain access to classified information which is classified at least as VS-VERTRAULICH or who works in an authority which has been declared a "security area" as a "national security authority" is engaged in a security-sensitive activity (Section 1 (2) SÜG). In accordance with the intended security-sensitive activity, either a "simple security clearance", an "extended security clearance" or an "extended security clearance with security investigations" is carried out. For this purpose, the persons must submit a security declaration (Section 13 SÜG). By evaluating the information in the security declaration in terms of security, taking into account further findings (e.g. by obtaining information, inquiries or security investigations), the constitutional protection authorities ("cooperating authorities"; BfV, LfV, MAD) determine whether there are security-relevant findings on a person, i.e. indications of a security risk. A security risk exists if there are actual indications of doubts about the reliability of the person concerned in the performance of a security-sensitive activity, a particular danger to the person concerned, in particular concerns about the possibility of blackmail, in the case of possible attempts to initiate or recruit by foreign intelligence services, criminal, terrorist or extremist associations or doubts about the commitment to the free democratic basic order (Section 5 SÜG).
Secure areas
Security areas shall be established in departments where the volume and importance of the classified information held there so require. These may be individual or several rooms as well as buildings or groups of buildings. They shall be protected against access by unauthorised persons by personnel, organisational and technical measures. Access to these areas may only be possible at points where there is a reliable check of access authorisation, e.g. on the basis of a service ID card. Visitors and external personnel must always be supervised during their stay in the security area after their identity has been established (Section 39 (3) f. VSA).
Warning and blocking notes
Warning and blocking notices limit the group of recipients of a classified document who are authorised to access it. In particular, the following warning notices may be used:
- "CRYPTOSECURITY" or "CRYPTO" or "CRYPTOSECURITY" or "CRYPTO"
- "Controlled COMSEC Item or CCI.
- "Atomic"
- "Evaluation matter (protection word)", "PROTECT", "PROTECT-VS" or "SW-VS".
In particular, the following can be used as blocking notes:
- "<some authority> internal"
- "For Secret Protection Officers"
- "Germans only to know" or "GE eyes only"
- "Passed on to <any name>"
- "FOR Crypto Custodian" or "for crypto custodian".
- "For your information only"
- "The making of copies of this VS is prohibited."
Bundestag and Bundesrat
The Rules on the Protection of Classified Information of the German Bundestag shall apply to classified information originating within the Bundestag or forwarded to the Bundestag, its committees or members of the Bundestag. As far as exclusively the area of the administration of the Bundestag is concerned, the regulations of the Classified Information Instruction for Federal Authorities apply. Classified information of the classification levels TOP SECRET or SECRET may only be inspected in the rooms of the secret registry.
Classified information originating within the Federal Council or forwarded to the Federal Council shall be governed by the Federal Council's Rules on the Protection of Classified Information. For the Secretariat of the Bundesrat, the regulations of the Classified Information Instruction for the Federal Authorities apply in principle.
Secret archive of the Federal Archives
As a matter of principle, federal agencies shall offer their classified information classified VS-VERTRAULICH or higher that is no longer required to the Federal Archives (Secret Archives) for archiving (Section 31 VSA). Classified information that the responsible archive does not take over must be destroyed in such a way that the content is neither recognisable nor can be made recognisable (§ 32 VSA). The Federal Archives shall apply the legal provisions of the Federation on secrecy as well as the Classified Information Instruction from the time of taking over (§ 6 para. 3 Federal Archives Act - BArchG).
