Confidentiality and Other Distribution
Assessment of financial system vulnerabilities necessarily involves discussion with the authorities of sensitive information on prudential policies and financial soundness. To ensure that sensitive information that is provided by national authorities to FSAP teams is appropriately protected, the Fund and Bank have drawn up a confidentiality protocol (see 2000 FSAP review documents and Fund-Bank documents on records and information security). This protocol brings together the already-existing confidentiality policies in the two institutions in one document to facilitate understanding by national authorities, the Bank-Fund staff members, and the experts who may be FSAP team members from cooperating institutions. All such experts are required to certify that they are familiar with the policies set out in the protocol.
The protocol outlines the levels of classification for sensitive information—not for public use, confidential, and strictly confidential—and the procedures for handling each classification. The main elements of the protocol are summarized in the following discussion, and each FSAP document’s classification is presented in table A.2. FSAP team leaders are responsible for the confidentiality classification of FSAP information. The confidentiality classification is decided in consultation with the provider of the sensitive information.
Documents that contain sensitive information must be marked with the same security classification as the original information. The presumption is that FSAP documents are classified Confidential, although in some cases they may be classified Not for Public Use, which is the least strict of the three classifications available. However, certain elements of data and information (e.g., stress test results, information on specific institutions, and highly market-sensitive information) must be classified as Strictly Confidential. Strictly Confidential information is restricted solely to persons with a specific need to know and is not circulated for review, except as prescribed in the confidentiality protocol.
The basic principle followed in determining confidentiality classifications, as well as circulation of documents within the Bank and Fund, is that of “need to know.” Staff members who have a legitimate interest in specific FSAP documents or in groups of documents as part of their work responsibilities should be permitted access. For example, Bank and Fund staff members and experts working on the country should be permitted access, if they request it through proper channels, to all FSAP documents, the only exception being any highly sensitive information that they do not specifically need to know.
Similarly, a staff member undertaking research in connection with Bank and Fund operations, such as preparing a Board paper by reviewing detailed assessments of one or more financial sector standards, should be given access to the relevant documents. In general, it would be expected that individual countries’ experiences would not be identified by name in any such documents unless the authorities have agreed or the information is available in published documents. The staff members to whom documents are made available should be informed at the time as to the confidentiality classification of those documents and, further, that they should not provide the documents—or copies of them—to any other third parties in the Fund or outside without appropriate authorization. Guidance to the Bank-Fund staff on how to apply the confidentiality protocol and the related review and clearance procedures are contained in various internal memoranda (see FSAP intranet sites of the Bank and Fund).