Access, Dissemination and Data Protection Policy
The sole objective of EASA in processing occurrence reporting data is to use the information to improve the level of civil aviation safety.
As with any comparable safety reporting system, the success of the IORS and the Agency’s safety oversight activities largely depends on the reliability and completeness of occurrence information reported to EASA. This, in turn, requires the continuous development and maintenance of a trust-based “reporting culture” in which all reporting entities can be assured that the provided occurrence data is processed strictly according to the legal framework and is not used in any arbitrary or abusive way by those entrusted to hold, process, access and use the data. (*)
For safeguarding the trust in the aviation safety system, without prejudice to the applicable rules of law, EASA will ensure that the reported occurrence data will not be held against the reporting parties and will be used for the interest of aviation safety.
For its own part EASA confirms that confidentiality of the occurrence information and the protection of personal data in the system are ensured in accordance with the legal framework and assures that those aspects will be taken into account to the fullest possible extent in the set-up and operation of the IORS. EASA also expects that others who hold, process, access and use such data declare their intentions to respect the principles described above.
The implementation of the IORS does not affect any existing legal provisions and obligations, including those on confidentiality and personal data protection, and it does not create new ones. Consequently, it must be acknowledged that the establishment of the IORS does not fundamentally change the existing levels of confidentiality and data protection pertaining to occurrence data.
In the existing legal framework, EASA is bound in all its activities by Regulation (EC) No 1049/2001 on public access to documents and by Regulation (EC) No 45/2001 on protection of personal data. Furthermore, in the framework of occurrence reporting, there are explicit provisions applying specifically to EASA and to its stakeholders, which impose an obligation of information sharing and, at the same time, of confidentiality amongst the involved parties.
These are included in particular in:
- Article 15(1) and (3) and in Article 16 of Regulation (EC) No 216/2008;
- Articles 7 and 8 of Directive 2003/42/EC on occurrence reporting in civil aviation;
Moreover, the Staff Regulations (in particular Articles 16 and 19), imposes on EASA staff members an obligation of confidentiality in the performance of their duties.
Legal provisions on confidentiality binding the EU NAAs are present in the framework service contracts concerning the provision of services to the European Aviation safety Agency by the NAAs, in particular Article II.9 thereof. These provisions will be applicable in case of access to IORS data by NAAs, when providing services to EASA.
Finally, reports received by the Agency become integral part of the Agency’s archive, which is protected by the Protocol on the Privileges and Immunities of the European Communities.
*Access rights to the system are strictly reserved for those EASA employees who are directly involved in working with occurrences. EASA Staff Members are subject to the EU Staff Regulations as well as the Agency’s Code of Conduct, both of which impose obligations regarding confidentiality and/or protection of personal data. External PCMs, experts or Team Leaders working on behalf of EASA have access rights, but strictly limited to occurrences related to their products or organisations only. They are subject to the confidentiality provisions as described in the applicable framework contracts.’