The classified information is any information worthy of protection due to the damage or risk that its disclosure or unauthorized access may cause to the interests of the State, reason for which it is assigned, with the legal requirements and guarantees, a security classification.

The Spanish Constitution is no stranger to the specific protection required by classified information. Article 105 (b) states that a law shall regulate the access of citizens to administrative records and records, "except as regards the security and defence of the State ...". Law 19/2013, of 9 December, of transparency, access to public information and good governance, responds to the constitutional mandate and points out in Article 14 (1), "Limits to the right of access", that the right of access may be limited when access to information is detrimental to national security, defence, external relations or public security.

The regime for the protection of classified information has been based on the national or international level of the information. This distinguishes two main types: (a) classified information at national level; (b) classified information at international level.

The Spanish legislation for the protection of classified information is contained in Law 9/1968 of 5 April on Official Secrets (hereinafter Law 9/1968 of 5 April), as amended by Law 48/1978 of 7 October, and Decree 242/1969, of 20 February, for which the provisions of Law 9/1968 are developed, of 5 April.

Decree 242/1969 of 20 February, in Article 9 thereof, provides for the existence of services for the protection of classified information in the ministerial departments, such as central units or dependencies affecting the ministers, and establishes their tasks.

In the field of classified information at international level, the Ministry of Industry, Energy and Tourism has been with the main NATO Subregister since 1991 to ensure that classified information from the International organizations are managed and managed safely in the Department.

Law 11/2002, of May 6, regulator of the National Intelligence Center, in its article 4, entrusts to this body the function of " Velar for the compliance of the regulations regarding the protection of the information ". The Secretary of State Director of that body is the National Authority for the Protection of Classified Information in Spain.

This work of protection is manifested, in particular, through the National Authority's Standards for the Protection of Classified Information approved by the Secretary of State Director of the National Intelligence Center. (last revision of 15 December 2012) which "constitute the basic rules for the protection of classified information, irrespective of their origin and classification ...". These rules should be observed by public administrations and public law entities linked to or dependent on the former.

The aforementioned National Authority rules incorporate and regulate, in addition to the secret and reserved degrees, two degrees of classification of information that did not contemplate Law 9/1968, of 5 April, or its Development Decree: the confidential degree and degree of limited dissemination, for matters, acts, documents, information, data and objects whose knowledge by unauthorised persons may affect the security of the State, threaten its interests or hinder the enforcement of their mission.

In the light of the above, this ministerial order is dictated, which aims to regulate the protection of classified information in the Ministry of Industry, Energy and Tourism, in particular its protection infrastructure, the (a) the conditions for the private security of classified information, and the authorities and procedures for the classification of national information in the confidential grades and limited dissemination in the framework of the competences of this ministry.

This ministerial order is structured in two clearly differentiated parts. A first part containing general provisions on classified information (Articles 1 to 13) and a second part regulating the authorities and procedures for the classification of information at national level (Articles 14 to 16).

In its virtue, with the prior approval of the Minister of Finance and Public Administrations, I have:

CHAPTER I

General provisions on classified information

Article 1. Object and scope of application.

The object of this ministerial order is to regulate the protection of classified information within the competence of the Ministry of Industry, Energy and Tourism, in particular, the protection infrastructure, the conditions of security, and the authorities and procedures for classification of information in the degrees of confidential and limited dissemination.

This ministerial order will be applied in the Ministry of Industry, Energy and Tourism and in the public bodies attached to it.

Article 2. Definitions.

For the purposes of this Ministerial Order and in accordance with the Rules of the National Authority for the Protection of Classified Information approved by the Secretary of State Director of the National Center for Intelligence (hereinafter the National Authority for the Protection of Classified Information), the definitions of the concepts used in this order are listed below in accordance with these rules:

a) Information Security (Safety Standard in NS/04 Information: Information Security is the condition that is reached when a set of measures and procedures are applied for the correct handling and control of the information, throughout its life cycle, as well as to prevent and detect possible compromises of the same, which may affect their confidentiality, integrity or availability.

b) Information (NS/04 Information Security Standard): information is all knowledge that can be communicated, presented or stored in any form.

(c) Material (NS/04 Information Security Standard): the material concept encompasses any documentation, piece, equipment, substance, program, development, armament, system or similar, manufactured or in the process of manufacture, that may be a carrier of an information or constitute an information in itself.

d) Classified information (NS/04 Information Security Standard): classified information is any information or material in respect of which it is decided that it requires protection against its unauthorized disclosure or access, by the damage or risk that this would entail to the interests of the State, and to which it has been assigned, with the formalities and requirements laid down in the legislation, a security classification.

(e) Classified materials (NS/04 Information Security Standard): as defined in Law 9/1968 of 5 April on Official Secrets, as amended by Law 48/1978 of 7 October, such as matters, acts, documents, information, data and objects whose knowledge by unauthorised persons may damage or endanger the security and defence of the State, and which are classified in degrees of secrecy and reserved, in consideration of the degree of protection they require.

(f) Materials subject to internal reservation (NS/04 Information Security Standard): such matters, acts, documents, information, data and objects whose knowledge by unauthorised persons may affect the State security, threatening their interests or making it difficult to fulfill their mission. They are classified in the degree of confidentiality and limited dissemination, in attention to the degree of protection they require.

g) Handling of classified information (Security Standard in the NS/04 Information): for the handling of information the storage, custody, processing, processing, use, presentation, reproduction, access, transport, destruction or transmission of the same, whatever the method used.

h) National Authority for the Protection of Classified Information (National Infrastructure Standard for the Protection of Classified Information NS/01): the structure responsible for ensuring adequate protection of the the classified information that the international organizations of which Spain is a part entrust to our country. This function is attributed to the Secretary of State Director of the National Intelligence Center.

(i) National Security Office for the Protection of Classified Information (National Infrastructure Standard for the Protection of Classified Information NS/01): the National Security Office for the Protection of the Classified Information (hereinafter the National Security Office) is the body of the National Authority for the Protection of Classified Information and is responsible for the performance of its tasks and the execution of its tasks. decisions.

j) Service for the protection of classified information (National Infrastructure Standard for the Protection of Classified Information NS/01): a protection service is a structure constituted by a decision of the head of a a given body or entity of the highest level, in order to ensure adequate protection of the classified information that it has in charge throughout its organisation and of which it is responsible.

k) Principal Sub-register (National Infrastructure Standard for the Protection of Classified Information NS/01): within the corresponding service of protection of classified information of an organism or entity, the sub-registers They are responsible for executing and guaranteeing the protection of classified information from international organizations of which Spain is a party, in the Public Administrations, Armed Forces, public agencies linked or dependent, and in all other entities, public or private, in which they are established.

l) Restricted access zone (Physical Security Standard, NS/03): facilities where classified information is stored or handled, usually classified as confidential or equivalent or higher, so they must be adequate and adequate security measures and procedures to ensure the protection of classified information at all times.

(m) Classification (NS/04 Information Security Standard): classification is the formal act by which the competent authority assigns to an information a degree of classification in regard to the risk posed by its disclosure not authorised for the security and defence of the State or its interests, in order to protect it.

n) Reclassification (NS/04 Information Security Standard): reclassification is the formal act by which the classification authority modifies the classification of a classified information.

or) declassification (NS/04 Information Security Standard): declassification is the formal act by which the classification authority withdraws any classification grade assigned to an information.

p) Classification Proposal (NS/04 Information Security Standard): the classification proposal is the document for which the corresponding classification authority is submitted for approval, the allocation of a grade of classification to individual or grouped information in a set, as well as its validity.

q) Classification dialling (NS/04 Information Security Standard): classification diligence is the document certifying approval by the classification authority of a classification proposal and the conditions of application of the same are defined.

r) Classification Guide (NS/04 Information Security Standard): the classification guide is the document that lists and describes the classified elements of a subject, contract or classified program, with specification of the grades assigned to each of them. It collects the relevant information of the classified information (the classification grades assigned to it, the vigencies of the classifications, the empowered authorities that have classified it, etc.), and serves as a reference for the marking of the documents.

s) Classification Directive (NS/04 Information Security Standard): the classification directive is the document by which the classification authority assigns a degree of classification to the information which, by its nature, and in the judgment of that authority, does not require the preparation of the classification proposal, formally constituting the classification diligence of the same.

t) Need to know (Safety standard in the staff, NS/02): the "need to know" is defined as the positive determination by which it is confirmed that a possible recipient requires access to, knowledge of, or possession of information to carry out official services, tasks or tasks. In this way, no person may have access to information classified solely on account of their position or position, or to be in possession of a Personal Security Enablement, without the necessary need to know.

u) Enabling Security Personnel (HPS) (Staff Safety Standard, NS/02): is the positive determination by which the National Authority, on behalf of the Government of the Kingdom of Spain, formally recognises capacity and the suitability of a person to have access to classified information in the field, or areas, and maximum authorised degree, which are expressly indicated, having passed the appropriate security accreditation process and having been adequately (a) the commitment of the reserve to which it acquires and the responsibilities arising from its failure.

v) Figure Material (Glossary of Definitions of the National Authority's Standards for the Protection of Classified Information. Definition n. 36): is any device, key, or document related to the encryption of the documentation.

Article 3. Director of Classified Information Security of the Ministry of Industry, Energy and Tourism.

Is designated as Director of the Security of Classified Information in the Ministry of Industry, Energy and Tourism to the holder of the Secretariat and is entrusted with the functions of ensuring compliance with this order. ministerial, and define and create the infrastructure of protection of classified information in the Ministry of Industry, Energy and Tourism.

Article 4. Grades of classification.

1. In accordance with the provisions of Law 9/1968 of 5 April 1969, Decree 242/1969 of 20 February on the implementation of the provisions of Law 9/1968 of 5 April and of the NS/04 rule of the Rules of the National Authority for the Protection of Classified Information, as well as depending on the seriousness of the threat or the harm that may result from its unauthorised disclosure, the information may be classified according to the following grades:

a) secret.

b) reserved.

c) confidential.

d) limited broadcast.

2. The classification of secrecy shall apply to information that requires the highest degree of protection, as long as its unauthorised disclosure or improper use affects the national defence or security, and may cause a danger, threat, aggression or extremely serious injury to the state defense.

3. The classification of the reservation will apply to information that requires a high degree of protection, since its unauthorized disclosure or improper use can cause serious damage to the national defense.

4. The classification of confidentiality shall apply to information that requires protection and whose unauthorised disclosure or misuse may cause a threat or prejudice to the interests of the State or its General Administration, or can lead to the disclosure of classified information or classified information.

5. The limited dissemination classification shall apply to information whose unauthorised disclosure or misuse may adversely affect the interests of the State or its General Administration.

Article 5. Security principles on the staff.

1. The handling of classified information shall be based on the principle of "need to know", and access to such information shall be limited exclusively to persons whose work, tasks or destination so requires, which have been expressly authorised and instructed, and which are in possession of the relevant Personal Security Enablement (HPS), if required.

2. No person shall have access to information classified solely on account of his or her charge, or for being in possession of an HPS.

3. To have access to classified information of a confidential or higher degree must be in possession of a HPS of the same or higher degree.

4. To have access to classified information of limited diffusion degree will not be necessary HPS. However, persons in need of such information may access the information provided that they are expressly authorised, after having been instructed about their responsibilities in the protection of the information.

5. The HPS shall be granted by the Secretary of State Director of the National Intelligence Center as the National Authority for the Protection of Classified Information in Spain.

Article 6. Infrastructure for the protection of classified information of the Ministry of Industry, Energy and Tourism.

The infrastructure for the protection of classified information of the Ministry of Industry, Energy and Tourism encompasses all personnel, resources and procedures used in the protection of classified information in the Department. This infrastructure includes the Central Classified Information Protection Service, the OTAN/EU Principal Sub-Register, and the local classified information protection services and other control bodies that are in agreement with the Rules of the National Authority for the Protection of Classified Information.

Article 7. Services for the protection of classified information in the Ministry of Industry, Energy and Tourism.

1. On the basis of the OAN/EU Principal Subregister of the Ministry of Industry, Energy and Tourism, the Central Service for the Protection of Classified Information of the Department, attached to the Technical Cabinet of the Secretariat, is established.

2. Local protection services may be provided for the functionally dependent classified information of the Central Protection Service, where further subdivision into the distribution of the classified information is necessary.

3. Each central or local service for the protection of classified information shall be the responsibility of a Head of Security, who shall be directly responsible for the enforcement of the legislation for the protection of classified information in its scope of action.

4. The security chiefs of the classified information protection services shall have preferential dedication to that service in accordance with the National Authority's Standards for the Protection of Classified Information (Infrastructure Standard). National of the Protection of Classified Information NS/01). The protection services shall be provided by an alternate who shall address the alternate in the absence of the holder.

5. The Deputy Secretary shall appoint the Head of Security of the Central Protection Service and his/her deputy, once the National Authority for the Protection of Classified Information has approved the candidate proposed by the latter.

6. The Principal Subregister OAN/EU of the Ministry of Industry, Energy and Tourism will guarantee the protection of classified information from those two international organizations of which Spain is a part or of others that is necessary include after the approval of this ministerial order.

Article 8. Functions of the services of protection of classified information.

Classified information protection services have the following functions:

a) Ensure appropriate treatment of classified information in its field of competence.

(b) To provide adequate guidance to staff who have access to classified information in respect of the standards of protection of such information.

c) Advising in the drafting of the classification guidelines proposals.

d) Arrange for personal security clearance requests from staff assigned to the Department and keep updated records of staff enabled.

e) Credit the restricted access zones (hereinafter ZAR) in the organizations of their field of competence.

f) To process requests for visits by dependent personnel when they involve access to classified information in other agencies.

g) Arrange for the appointments of those responsible for the Services for the Protection of Classified Information in their field of competence.

h) Ensure the recording, handling, distribution, control and archiving of classified information in the field of their competence.

i) Ensure the maintenance of the established physical security means to protect classified information under the conditions outlined in this order, including the protection of the material.

j) Manage the investigation of security incidents that occur in your field of competence.

k) Monitor in the field of their competence the execution of security measures and procedures of information and communications systems that handle classified information.

l) Develop training programmes, which are mandatory for staff with access to classified information covering all areas for the protection of classified information.

Article 9. Security in the information and communications systems.

1. The Central Classified Information Protection Service shall be responsible for monitoring the correct application of the rules for the protection of classified information in the information and communications systems, and in particular of the regulations for the protection of figure material.

2. In each body that needs to handle figure material, there will be a specific security structure, responsible for the control and management of the figure material.

3. The Head of Security of the Central Protection Service shall coordinate the actions with the General Subdirectorate of Information and Communications Technologies of the Ministry in the process of processing the accreditation of the information and communications to handle classified information in accordance with the National Authority's Standards for the Protection of Classified Information.

Article 10. Handling of classified information.

1. The classified information shall be handled with the protective measures corresponding to its classification level. Additional or more restrictive measures may be established in certain areas or circumstances.

2. In order to avoid access by unauthorised persons, the following criteria are set out in general:

(a) Secret classified information may only be handled in the restricted access zones (ZARs) duly accredited to that degree.

(b) The classified information reserved must be handled in the ZARs duly accredited to that degree or higher. In exceptional circumstances, and with the express permission of the security chief of the appropriate protection service, access may be permitted, but not storage, outside these areas.

(c) Classified information of confidentiality shall be handled in restricted access zones (ZARs) duly accredited to that degree or higher. The security chief of the protection service of the relevant classified information may authorise, on the express request of the person concerned, that classified information classified as confidential is held by a user outside the ZAR, provided that the security conditions have been assessed, conclude that the risk assumed is minimal and acceptable, informing the user of the custody obligations that he/she assumes.

d) classified information of limited dissemination shall be managed, at least, in administrative areas of protection.

3. The organisation of activities in which classified information of a confidential or higher degree is handled requires that the participants in the activities are in possession of the corresponding HPS.

Article 11. Record of the Classified Information.

1. Classified information protection services shall keep the record of all classified information that is in charge of the information.

2. Classified information will circulate through the protection services of classified information. Limited-spread classified information may circulate among previously instructed users in their management.

Article 12. Restricted access zones (ZARs).

1. In accordance with the principle of need to know, the ZARs will be organized according to one of the following job configurations:

a) CLASS I AREA: Zone in which classified information is handled in such a way that entry into it assumes, for all intents and purposes, access to such information, so that only duly trained personnel can be allowed to enter enabled and authorized.

b) CLASS II AREA: Zone in which classified information is handled such that entry into it does not imply access to such information, so access to duly controlled visitor personnel may be admitted.

2. In accordance with the classification level of the maximum information authorised to be handled in the restricted access area, they shall be accredited to the extent of:

a) secret.

b) reserved.

c) confidential.

3. A restricted access zone will always be under control of a classified information protection service.

Article 13. Classified contracts.

1. Where any of the bodies to which this order applies to them requires the promotion of a classified contract, it shall ensure that the contractors who bid for the contract are granted the security clearance of the undertaking and, in their case, the security clearance of establishment of the appropriate degree to the classification of the contract. The certification that a contractor has such ratings will always be done by the National Security Office of the National Intelligence Center.

2. The delivery to the contractor of classified information shall be carried out by the classified information protection services of the contracting entity after the approval of the classification guide.

CHAPTER II

Classification authorities and procedures

Article 14. Classification authorities.

1. In accordance with article 3.1.3. of the Rules of the National Authority for the Protection of Classified Information, the Minister, the Secretaries of State and the Undersecretary and other senior positions with that rank in the Ministry of Industry, Energy and Tourism will have the power to classify information in the degrees of confidentiality and limited dissemination within the framework of their competencies.

2. In the framework of this power, the classification authorities shall carry out the following tasks:

a) Approve or reject the classification proposals.

b) Issue classification diligence.

c) Modify the degree of classification of the information or its term of validity.

d) Approve the classification directives.

e) Delegate the classification faculty.

3. If information is needed to be classified in the degree of secrecy and reserved the proposal for classification to the Council of Ministers will be carried out through the Minister, with the technical support of the Central Service for the Protection of the Classified Information.

Article 15. Classification procedure.

1. Any information deemed to be classified must be subject to a classification procedure by means of the corresponding classification proposal. Guidelines for the classification of information are included in the Annex to this ministerial order.

2. The classification proposal will be accompanied by a supporting document with an in-depth presentation of the threats or damages to the interests of Spain that are intended to be conjure with the classification of the information. The proposal shall include the degree of classification and, where possible, a period of duration of the classification, with a reference to whether it could be suppressed or downgraded.

3. The classification proposal shall be approved by the classification authority by issuing the relevant classification diligence.

4. The classification proposal shall require the prior report of the security chief of the relevant protection service.

5. Classification authorities may approve classification directives, which are documents by which certain matters, matters or elements are classified in a generic manner, due to their particular nature, in such a way as to information including or dealing with such matters, subjects or items may be classified individually to the extent indicated.

6. The adoption of a classification directive will require the prior report of the security chief of the relevant protection service.

7. All decisions taken in respect of the classification of documents shall be communicated within 15 days to the head of security of the protection service concerned, who shall record the information in an information register. classified.

8. Once the degree of classification is assigned to a given information, it shall be marked with such a degree in an appropriate and clearly visible manner.

9. The security chief of the relevant protection service is responsible for verifying that the classified information corresponds to some of the criteria or elements contained in a classification directive or a classification. If this is not the case, a classification proposal must be made and raised to the appropriate classification authority.

Article 16. Declassification of information.

1. The classification authority may point out in the classification diligence or directive the length of time of the degree of classification it has given to the information, or the circumstances that condition it.

2. The classification authority may also maintain or, at any time, amend the classification of the information or declassify the information.

Single additional disposition. Duty of collaboration of the organs and units of the Department.

All units and organs of the Department will lend their collaboration to the Department's Classified Information Protection Service.

Final disposition first. Rules for extra-age.

The provisions of the sectoral regulations and the rules of the National Authority for the Protection of Classified Information shall not be included in this rule.

Final disposition second. Development and execution.

The holder of the Secretariat of Industry, Energy and Tourism, as the Director of the Security of Classified Information in the Ministry, is empowered to establish the measures and to approve as many resolutions as possible. necessary for the development and execution of the provisions of this Order.

Final disposition third. Amendment of Order IET/1934/2014 of 14 October establishing the information security policy in the field of electronic administration of the Ministry of Industry, Energy and Tourism.

Article 1 of Order IET/1934/2014 is amended from 14 October, and is worded as follows:

" Article 1. Object and scope of application.

1. The purpose of this order is the adoption of the Information Security Policy (hereinafter 'PSI') in the field of electronic administration of the Ministry of Industry, Energy and Tourism, as well as the establishment of the organizational and technological of the same.

2. The PSI which is approved by this order shall be applied by all the central and territorial organs and units of the Ministry of Industry, Energy and Tourism, as well as by the autonomous bodies which are dependent on them (Office Spain of Patents and Brands, Institute for the Restructuring of Coal Mining and Alternative Development of the Mining Comarcas, Spanish Centre of Metrology and Institute of Tourism of Spain), being of application to all its systems of information and must be observed by all personnel assigned to such organs and units, as for people who, although not intended for them, have access to their information systems.

3. The PSI will affect the information processed by electronic means and the information on paper that the Ministry manages in the field of its competences. The taxonomy of the information is defined according to the following rules:

(a) Information containing personal data shall be affected by the Organic Law 15/1999 of 13 December on the Protection of Personal Data and its implementing rules.

b) The information contained in the information systems in the field of electronic administration is regulated by Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of electronic administration. the Electronic Administration.

c) The information produced, preserved or collected, whatever its support, which may be part of the documentary heritage will be affected by the Royal Decree 1164/2002 of 8 November, which regulates the conservation of the documentary heritage with historical value, the control of the elimination of other documents of the General Administration of the State and its public bodies and the preservation of administrative documents in support other than the original.

d) Internal management information is the one that does not occur as a result of the administrative function, although it is necessary to have it for the correct development of the Ministry's competences, such as copies or duplicate original documents that are located and in good conservation status, drafts or first versions of documents, official publications, copies of editions, catalogues and commercial publications, as well as the rest of Support information to be managed by the Department. For the purposes of security, confidentiality and the duty of professional secrecy, internal management information may be classified as protected.

4. The Ministry will apply the security measures on the information, both in electronic and paper support, depending on what is established in its regulatory regulations, and a specific information can be affected by more than one rule ".

Final disposition fourth. No increase in expenditure.

The implementation of this ministerial order will not entail an increase in public spending, and the functioning of the protection infrastructure provided for in this order will be met with the personal, technical and budgetary resources. assigned to the Technical Cabinet of the Secretariat.

Final disposition fifth. Entry into force.

This order will take effect the day following your publication in the "Official State Bulletin".

Madrid, November 5, 2015. -Minister of Industry, Energy and Tourism, José Manuel Soria López.

ANNEX

Guidance for classification of information

Secret

These matters may be considered:

(a) Which may directly threaten the sovereignty or territorial integrity of Spain;

b) That they may seriously impair constitutional order or national security;

c) That they may seriously affect public order, and may cause a wide loss of human life;

d) That may seriously affect the combat capacity or security of the Spanish Armed Forces or their allies;

e) That they may seriously undermine the effectiveness or security of the missions or intelligence operations of the State or its allies.

(f) That may seriously impair the diplomatic relations of the State or situations of crisis or international conflict, or

g) any other whose safeguarding requires the highest protection.

Reserved

These matters may be considered:

a) That they may alter constitutional order or national security;

b) That may cause serious disturbances of public order or of the security or freedom of the citizens;

c) That may alter the combat capacity or security of the Armed Forces of the State or its allies;

d) That may result in a detriment to the effectiveness or security of the missions or intelligence operations or information services of the State or its allies;

e) That may alter the diplomatic relations of the State or situations of crisis or international conflict.

(f) That may seriously impair the economic or industrial interests of a strategic character, or

g) any other whose safeguarding requires a high degree of protection.

Confidential

These matters may be considered:

a) The effective development of State policies or the functioning of the public sector;

b) State trade or political negotiations vis-à-vis other third countries;

c) The economic or industrial interests of the State;

d) The operation of public services;

e) Investigation of crimes, being able to hinder the investigation or facilitating its commission of crimes, or

f) any other whose safeguarding requires protection.

Limited Broadcast

It will apply to information whose unauthorised disclosure or improper use may adversely affect the interests of the State in any of the areas listed in the previous paragraph.