Protective security agreements – are you keeping an eye on your classified information?

Today, security issues are more topical than ever. We frequently hear and read media reports about hacking, and providers must keep in mind information security in their day-to-day work to an ever greater extent.

In 2019, new protective security legislation entered into force which, to the highest degree, has an impact on the work of many of the country’s providers to the public sector. The primary tool for protective security procurement is the security agreement which is entered into between the provider and the procuring authority.

We asked members of the Swedish Bar Association Christoffer Stavenow and Max Thimmig at Stavenow law firm to explain the most basic aspects of a protective security agreement and what should be kept in mind when entering into one. They have also recently come out with a book, “Säkerhetsskyddad upphandling – juridik och praktik” [Protective Security Procurement – Law and Practice], and, in the autumn, they will provide a unique training opportunity for SBSC’s customers.

What is a protective security agreement?

A protective security agreement is entered into in parallel with the general commercial agreement which is executed in conjunction with the relevant procurement and governs the framework of the protective security routines applicable to the provider in a situation involving security-sensitive information.

The purpose of a protective security agreement is to address the interests covered by the protective security legislation with the same level of protective security irrespective of where, when and how the activity is conducted. Accordingly, it is vital that the provisions of the agreement are correct from the outset.

What information must be included in the protective security agreement?

If it has not already done so, the procuring authority must analyse the information in its activities which should be classified for protective security, the level at which the information is to be classified, and why a protective security agreement might be needed before a provider receives the information.

For example, information may be involved which relates to airports, drinking water supplies, or ports. The procuring authority is to also map out socially important operations which need security protection.

Which situations require a protective security agreement?

This is a highly relevant question. A protective security agreement must be prepared for all procurements or similar involving security-sensitive information in the “restricted” and higher security classes or for security-sensitive activities of comparable significance to Sweden’s security.

According to law, the authority’s information security officer or person responsible for security must be involved in the negotiations. In the event the tender documentation contains classified information, a protective security agreement must be entered into before the documentation is released to the bidder. Where, on the other hand, the tender documentation does not contain classified information, the protective security agreement must be concluded before the commercial agreement has been entered into. This is to ensure that sound protective security is in place before the company acquires classified information.

Furthermore, the procuring authority must verify that the provider complies with the protective security agreement. The procuring authority – and not the Swedish Security Service or any other supervisory authority as one might expect – is also responsible for the negotiations with providers regarding the protective security agreement.

Are there any special requirements regarding how the protective security agreement is written?

There are certain formal requirements that must be fulfilled by a protective security agreement including the requirement that the agreement must be in writing. In addition, the agreement should contain provisions concerning the manner in which the protective security organisation, protective security instructions, information security, authorisation, restrictions on access, supervision, training and verification, duty of confidentiality and security clearances are applied during the term of the agreement. The protective security agreement constitutes the basis for assigning the engagement to a security class and decisions regarding background checks.

Forms for the format of the protective security agreement may be obtained from the Swedish Security Service. There are three variations, one for each protective security agreement level, and they must always be adapted to the relevant engagement and the protective security measures which are considered necessary. The three levels of protective security agreement are to be used in various situations depending on where the engagement involving security-sensitive information is to be performed and the types of information covered by protective security involved. Is it classified “secret” or “confidential”? Is the engagement to be performed at the provider or at the procuring authority? These are important details which must be established in order to be able to use the right level of protective security agreement.

Who is covered by the agreement?

The protective security agreement covers the main provider and any sub-contractors who receive classified information in the course of the engagement. Anyone who is involved in the relevant engagement and who may be expected to acquire classified information is to be subjected to background checks. The individuals who will receive classified information or who participate in the activities shall also be notified of the duty of confidentiality applicable to the engagement in question.

In certain cases, a protective security agreement will be drawn up as a result of different types of consultations with the supervisory authority relevant to the respective authority. For example, governmental authorities who will carry out a security-sensitive procurement with a level 1 protective security agreement must consult with the Swedish Security Service and prepare a special security analysis before procurement is initiated. Other procuring authorities are obliged to notify the supervisory authority when the protective security agreement has been entered into or terminates.

In addition to the protective security agreement, what else can be done to increase protective security?

The protective security agreement establishes a framework for the way in which the collaboration regarding protective security between the provider and procuring authority will be arranged. In order to achieve complete protective security and avoid undesired consequences such as those experienced by the Swedish Transport Agency, it is important to keep in mind the protective security risks and protective security rules and regulations when you are engaged in the procurement process. This is best done by means of training and collaboration with supervisory authorities and providers.

What more can we learn by buying your book?

Buyers of our book will learn more about the practicalities and underlying legal considerations in security-sensitive procurement processes. The book takes the reader through a step-by-step, pedagogical approach to a security-sensitive procurement process so that a provider has a full view of what will be requested by the procuring authority in a procurement involving security-sensitive information. The book goes through the entire process from preparatory work carried out before the procurement is announced to what happens upon conclusion of the engagement. The goal of the book, among other things, is to create added value for both parties in a public transaction involving security-sensitive information by means of increased awareness.
