< Previous7-2 Safety Management Manual (SMM) can be confident that safety data and safety information will be used exclusively for maintaining and improving safety, unless one of the principles of exception applies. 7.2.4 Annex 19 does not provide protection to individuals or organizations mentioned in the report. However, States can extend the protection to individuals or organizations mentioned in the report. 7.2.5 It is important that both individuals and organizations are protected, as well as the safety data and safety information they report. Individuals and organizations are protected by: a) ensuring they are not punished on the basis of their report; and b) limiting the use of reported safety data and safety information to purposes aimed at maintaining or improving safety. These protections apply unless one of the principles of exception discussed below is applicable. 7.2.6 Annex 19 requires States to ensure that safety data and safety information are not used for the purposes other than those set out in the principles of protection unless a principle of exception applies. The principles of exception set out the circumstances in which a departure from those protective principles may be permissible. 7.2.7 Preventive, corrective or remedial action, based on reported safety data and safety information, may necessarily be taken by States and service providers for the purposes of maintaining or improving safety — that is, to allow States and service providers to take appropriate steps to: a) guard against the potential for immediate harm or injury as a result of a safety risk until that risk can be identified and mitigated; b) ensure that appropriate action is taken to minimize the likelihood that such a risk might occur again in the future; c) prevent exposure to an unmitigated safety risk; or d) ensure the integrity of the reporting system itself and the larger system of which the reporting system is a part. 7.2.8 Because such actions are fundamental to the objectives and efficacy of any safety management system, Annex 19 expressly provides that preventive, corrective or remedial action to maintain or improve aviation safety shall not be prevented. Such actions may be taken as a function of applicable safety management processes and are therefore not subject to the principles of exception set out in Annex 19. 7.2.9 Preventive, corrective or remedial action may entail restricting, limiting or preventing2 the exercise of certain privileges3, the performance of services or the operation of aircraft, until the safety risks identified have been effectively addressed. When taken for these purposes, under established protocols, protective or precautionary actions are not to be regarded as punitive or disciplinary. The purpose of such actions is to prevent or minimize the exposure to an unmitigated safety risk. 7.2.10 The principles related to the protection of safety data and safety information, and of their sources, contained in Annex 19 provide for more clarity and transparency, as well as a level playing field, with a view to facilitating the exchange of safety data and safety information between States as required by Annex 19. 2 Preventing the exercise of privileges may include the suspension or revocation of license privileges. 3 Privileges of an authorization holder are specified by the licence or certificate issued by State aviation regulatory authorities. Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-3 7.3 SCOPE OF PROTECTION 7.3.1 Scope of safety data and safety information covered by the principles of protection 7.3.1.1 Protection applies to safety data captured by, and safety information derived from, voluntary safety reporting systems and related sources. This may apply to mandatory safety reporting systems where it is applicable (refer to 7.4.3 below). Sources of safety data and safety information can be individuals or organizations. 7.3.1.2 In some States, safety reporting systems may include the reporting of data to safety investigations by State authorities or aviation service providers, data and information captured by self-disclosure reporting systems (including automatic data capture systems and manual data capture systems) or other relevant safety data and information. The principles of protection and exception therefore may be extended to safety data and safety information captured by those systems as well. 7.3.1.3 There are other cases when the principles of protection and exception will apply. For example, Annex 6 — Operation of Aircraft, Part I — International Commercial Air Transport – Aeroplanes provides that sources of flight data analysis (FDA) programmes should be protected in accordance with the principles contained in Annex 19. 7.3.1.4 The type of safety data and safety information that can be captured by, and the kinds of systems that can be part of, safety reporting systems may evolve over time along with the evolution of safety management systems themselves. Safety data, safety information and safety reporting systems that are not expressly identified in Annex 19 today may be governed by Annex 19 in the future. 7.3.2 Interaction with the principles of protection contained in other Annexes 7.3.2.1 Certain types of safety data and safety information that are protected under Annex 19 may, in certain circumstances, be subject to other protection requirements. 7.3.2.2 In particular, Annex 19 specifies that when an investigation under Annex 13 has been instituted, accident and incident investigation records listed in Annex 13 are subject to the protections accorded in Annex 13, not those in Annex 19. 7.3.2.3 This principle applies from the time an accident or incident under Annex 13 occurs and remains applicable even after the publication of the Final Report. Guidance on protection of accident and incident investigation records is provided in the Manual on Protection of Safety Information (Doc 10053). 7.3.2.4 Similarly, while Annex 19 provides protection to recorded data when it is used for safety management purposes, Annex 6 affords protection to the flight recorder recordings in normal operations, outside of Annex 13 type investigations. 7.3.2.5 Annex 6 addresses the use of cockpit voice recorders (CVRs) and airborne image recorders (AIRs) which should be limited to safety-related purposes with appropriate safeguards for inspections of flight recorder systems, or when associated recordings or transcripts are sought for criminal proceedings. Such criminal proceedings are introduced into the amendment as an exception to the protections accorded to CVRs and AIRs in order to allow competent authorities to access and use this type of recordings and their transcripts without restriction in cases where criminal offences are committed and crew members involved may not have consented to such use (e.g. cases of hijacking). 7.3.2.6 Likewise, the use of flight data recorders (FDRs), aircraft data recording systems (ADRS) as well as Class B and C AIR and airborne image recording systems (AIRS) should be limited to airworthiness or maintenance purposes, including FDA programmes, with appropriate protections accorded by Annex 19. 7.3.2.7 The following flow chart provides general guidelines regarding the interaction between the protective frameworks in Annexes 6, 13 and 19 and is meant to be used in consultation with applicable provisions. 7-4 Safety Management Manual (SMM) 7.3.2.8 With respect to FDA programmes, the sources remain, in any situation, protected by the principles contained in Annex 19. 7.3.3 Application of Annex 19 principles to service providers 7.3.3.1 Annex 19 describes a reporting environment that fosters trust as an environment “where employees and operational personnel may trust that their actions or omissions that are commensurate with their training and experience will not be punished”. An action or omission is commensurate with a person’s training and experience where it is reasonable to anticipate that a person with the same level of experience and training might do or fail to do, the same thing. Such an environment is fundamental to effective and efficient safety reporting. 7.3.3.2 Encouraging people to report relevant safety data or safety information requires that the sources of those reports are protected from actions taken by a State in accordance with Annex 19, as well as from actions taken within their working environment. 7.3.3.3 The Annex provisions are designed to provide the minimum requirements to be met by all States, regardless of the size and complexity of their civil aviation activities. Individual States are responsible for developing requirements sufficient to ensure satisfactory compliance by the State and its service providers. 7.3.3.4 The principles of protection and exception applied to safety data, safety information and related sources under Annex 19 should be implemented by States and service providers alike. To ensure the achievement of this objective, States are expected to adopt relevant national laws, regulations and policies to ensure that their service providers implement the provisions contained in Annex 19. Figure 17. Guidelines on the interaction of protective provisions Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-5 7.4 LEVEL OF PROTECTION 7.4.1 Conditions to qualify for the protection under Annex 19 7.4.1.1 Annex 19 requires States to determine the conditions under which safety data and safety information qualify for protection. In doing so, States are expected to consider whether: a) safety data or safety information is covered under the scope of Annex 19; b) there are circumstances under which Annex 6 or Annex 13 would take precedence over Annex 19; and c) a principle of exception applies. 7.4.2 Actions necessary for maintaining or improving aviation safety 7.4.2.1 Annex 19 ensures that States and service providers are not prevented from using safety data or safety information to take any preventive, corrective, or remedial action that is necessary to maintain or improve aviation safety. Consistent with that objective, such action, when taken, should avoid wherever possible financial, reputational or other adverse impacts on the source of the safety data or safety information. 7.4.2.2 Preventive, corrective or remedial action aims to address circumstances or conditions that present unacceptable risks to aviation safety. 7.4.2.3 Preventive action may be understood to involve action taken to prevent the occurrence or recurrence of an event or a hazard that poses a risk to safety. 7.4.2.4 Corrective action may be understood to involve action taken to address particular safety related shortcomings or deficiencies, such as an authorization holder who is unable to demonstrate compliance with applicable safety or competency standards. Corrective action may be necessary to bring an authorization holder back into compliance. 7.4.2.5 Remedial action may be understood to involve action taken to address the underlying causes of particular safety-related shortcomings or deficiencies, such as training. Remedial action might also involve restricting, limiting, suspending or revoking the privileges of an authorization, certificate or license holder who fails to continue to meet the necessary qualifications to exercise those privileges. 7.4.2.6 Although they may be specified as serving one or another purpose, such actions may serve more than one purpose. For example, action may be taken by a regulator or a service provider, requiring the holder of a licence or certificate to undertake additional training, and to refrain from exercising the privileges of that licence or certificate until such training is successfully completed. Action may also be taken by a regulator to revoke, remove or suspend certain privileges of an organization’s certificate. Such actions, while remedial because they address the underlying cause of a safety issue, may also be considered corrective because they address a particular deficiency. Regardless of the characterization of the action taken, there should be a clear and demonstrable link between the particular action taken and the maintenance or improvement of safety. 7.4.2.7 Safety data or safety information might reveal hazards or deficiencies that necessitate remedial or corrective action to maintain safety or identify areas where preventive action would enhance aviation safety by addressing potential or emerging risks. To substantiate the underlying condition or hazard warranting the preventive, corrective, or remedial action, States may need to use the safety data or safety information. For example, safety data and safety information may be necessary to establish the basis for an administrative license action or satisfy requisite burdens of proof. Or safety data and safety information may be necessary to establish the need for additional training of a licensee or changes to an operator’s systems. It may also be necessary to use safety data or safety information to ensure the integrity and proper operation of the reporting system, and the larger system of which the reporting system is a part. 7-6 Safety Management Manual (SMM) 7.4.2.8 Depending on the circumstances, preventive, corrective or remedial actions, while not intended to be, may be perceived as punitive by the individual or the service provider, subject to such action. Indeed, some may view any license actions taken to address competency deficiencies as punitive, rather than an action necessary to correct or remediate a risk to safety. 7.4.2.9 Despite these perceptions, Annex 19 does not prevent States from using safety data and safety information to support action necessary to maintain or improve aviation safety. Where actions are needed to maintain or improve the level of aviation safety or to prevent the safety of the aviation system from deteriorating in the short term or over a longer term, States may use safety data or safety information to support those actions, provided that they have a demonstrably preventive, corrective or remedial objective and effect. In such cases, States should consider taking the necessary measures to clearly communicate the rationale behind the action taken, in order to demonstrate the safety purpose and minimize any adverse impact on future reporting. On the other hand, the use of safety data and safety information to take actions that cannot be shown to serve one or more of these purposes, and which can be shown instead to have a purely punitive or disciplinary objective and effect, should be prohibited, unless one of the principles of exception applies. 7.4.3 Protection of mandatory reporting systems 7.4.3.1 Annex 19 specifies different requirements for the protection of safety data, safety information and related sources captured by voluntary and mandatory safety reporting systems. Protecting safety data and safety information captured by voluntary safety reporting systems is a Standard, to ensure the continued availability and greater uniformity among States, whereas for mandatory safety reporting systems the provision of such protection is a Recommended Practice. 7.4.3.2 In certain jurisdictions, safety data and safety information captured by mandatory and voluntary safety reporting systems are subject to different levels of protection, offering greater protection to safety data and safety information from voluntary systems compared to safety data and safety information from mandatory ones. This distinction can be justified by the need to incentivize the voluntary provision of safety data or safety information in ways that are not seen to be necessary in the case of a mandatory reporting system. 7.4.3.3 Other States offer the same high level of protection to safety data and safety information in both mandatory and voluntary safety reporting systems. This can be justified by the recognition that requiring reporting by law may not, in itself, be sufficient, to ensure that relevant safety data and safety information are reported and that the value of a trustworthy environment is fundamental to any kind of reporting. Extending protections to mandatory reporting systems may also encourage reporters to supply additional details that they may otherwise not provide if those protections were not available. 7.4.3.4 If a State extends the protection afforded to safety data and safety information captured by voluntary safety reporting systems to mandatory safety reporting systems, the principles of protection and exception contained in Annex 19 should apply to safety data and safety information captured by both of those systems as well as to their respective sources. 7.4.4 Protection of data and information that are in public domain 7.4.4.1 There may be cases in which safety data or safety information is available in the public domain. In some cases, it may be that such safety data or safety information is not sensitive and its further disclosure will not adversely impact the continued availability of safety data or safety information. Safety data and safety information related to weather may be an example of such non-sensitive data and information. 7.4.4.2 In other cases, safety data and safety information normally subject to the principles of protection may find its way into the public domain, for instance, through a leak to the media. In such cases, States should refrain from further disclosure of the leaked data and information as the principles of protection will not be automatically waived. Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-7 7.5 PRINCIPLES OF PROTECTION 7.5.1 Application of the principles of protection 7.5.1.1 The protection of safety data, safety information and related sources should be the default position for a State. A State may provide effective protection by law, supported by comprehensive and clear procedures. 7.5.1.2 The basic purpose of providing protection is to ensure the continued availability of safety data and safety information by encouraging individuals and organizations to identify, report, analyse and correct deficiencies. This requires that all involved know the governing rules and processes for protection in advance. Such rules and processes should be formalized, and they should not be open to arbitrary application if they are to serve as the foundation of a system based on trust. 7.5.1.3 In protecting safety data or safety information, consideration should be given to the objective such protection is meant to achieve. The objective may be evident from the type of data and information to be protected. In many cases, protection aims to prevent safety data and safety information from being used against the individual or organization that reported the specific data or information. In other cases, it may be important to shield safety data or safety information from general publication or use in non-safety related contexts, such as local land use controversies concerning airport operations and noise abatement issues. 7.5.1.4 State action is central to creating protective provisions. In formal proceedings where there are rules governing what evidence is allowed to be presented, only State action can provide the necessary protection by the enactment of appropriate legislation or regulations that either prohibit or strictly limit admissibility of protected information. For example, in criminal proceedings against an individual, the use of a voluntary report filed by the accused person should be prohibited if it is not directly related to the alleged criminal act. 7.5.1.5 In civil proceedings against a service provider, a rule should, at a minimum, require a rebuttable presumption4 that protected information may not be used. In an action against an airline for damages sustained as a result of an occurrence, a plaintiff may seek general access to the operator’s SMS files to attempt to discover general information that might not be directly related to the incident, but which might tend to cast the operator in an unfavourable light. The established procedure for determining such questions should direct the competent authority (in this case most likely a court) that is tasked with applying the principles of exception, (discussed more fully in section 7.6) to require the plaintiff to show precisely what information is intended to be discovered and to demonstrate the relevance of the information to the action, as well as demonstrating the unavailability of alternative sources for the same or similar information. The competent authority might also ask a plaintiff to show how they are prejudiced by not having access to the information. Where the decision is to allow such access, formal safeguards should be imposed by the competent authority in accordance with applicable procedural requirements, such as a protective order to preclude publication generally and restricting access to the relevant portions of the proceedings. 7.5.1.6 In administrative proceedings where particular operational or technical qualifications, competencies and capabilities of an individual or an organization are in question, safety will almost invariably be at issue. Use of safety data or safety information may be required in such cases, but enforceable requirements should provide for the controlled and limited use of such data and information. Where safety data or safety information provide the basis for decision in such safety-related cases, extraordinary care should be required to prevent adverse or prejudicial consequences to the source of the information as a result of the use of said data and information. Generally, individuals and organizations who are encouraged to report under a protected reporting scheme will recognize that there are circumstances in which action in the interest of safety must be taken, based, in whole or in part, on a protected report. Enforceable requirements should ensure that such action complies with fundamental fairness in pursuit of the objective of maintaining or improving safety. 7.5.1.7 An example of such a situation might be a report by an air traffic controller who lost consciousness for a short period of time while working. No separation was lost and the only proof that the event occurred was the controller’s own report. For safety-related purposes, analysis of that report required further investigation, which in turn 4 Rebuttable presumption is an assumption that is held to be true unless refuted by evidence. 7-8 Safety Management Manual (SMM) required that the reporting individual be identifiable by some process. Immediate correction might involve removal of the controller from active duty (without financial or reputational disadvantage) while a comprehensive medical examination and review is conducted. Upon completion of the medical review, the result may entail medical clearance, medical treatment or medical retirement (again, without financial or reputational disadvantage). If the controller were simply discharged, it is highly unlikely that similar reports from others would be forthcoming in the future. 7.5.1.8 Up to this point, the focus has been on direct State action to provide necessary and appropriate protection. In practice, much of the safety data and safety information for which protection is required is within the operational environment of a service provider and involves relations between employers and employees. Protection in these situations may not always be provided for in legislation or other forms of enforceable State requirements. Even in such cases, however, States may be in a position to require effective protection through their certification, approval and continuing surveillance processes. Annex 19 requires specified service providers to implement an effective SMS. Effective safety management is based on data collection, analysis and protection. Without data the system would lose effectiveness. The SSP should allow States to direct organizations to implement policies that provide protection to their employees as an element of their SMS. 7.5.1.9 One way of providing for such protection might involve de-identification of the reporter. While confidentiality of reports is a useful strategy, complete de-identification, where possible, removes the opportunity for follow-up during the analysis phase. Policies should focus on what use the competent authority may make of, and allow for, the safety data and safety information in question. The discussion above (refer to 7.5.1.6) in relation to administrative proceedings is equally applicable in the employer/employee context. Again, those from whom reports are necessary will be reluctant to provide such reports if those reports, or other data or data capture, is used to support a punitive or disciplinary suspension or discharge. 7.5.1.10 The capture of safety data and safety information by automatic means, such as FDRs, voice or video recorders or air traffic environment recorders, should be part of any protection policy or regulation. Use of these devices as a part of SMS data capture where allowed by regulation or policy must fully respect the principles of protection in the same way voluntarily submitted reports are respected. The trust of the reporting population is fundamental to effective safety management. 7.5.2 Proceedings 7.5.2.1 Annex 19 requires States to ensure that safety data and safety information are not used in disciplinary, civil, administrative and criminal proceedings against employees, operational personnel or organizations, unless a principle of exception applies. 7.5.2.2 The term “proceeding” may be more comprehensive and broader in scope than the term “action”. It may also refer rather more narrowly to the processes of a particular body to review or enforce “actions” that have been taken by another authority (or an agency within the same authority). In a general sense, the terms “proceeding” and “action” may be understood to encompass all the steps taken or measures adopted in order to initiate, give effect to, or review a decision of an authority affecting a person’s rights, privileges, legitimate interests or reasonable expectations (as these may be identified under applicable laws). In view of the different legal systems, the nature and scope of particular actions or proceedings may vary. For example, in some States: • Criminal and civil actions or proceedings usually involve judicial authorities. These proceedings may include the commencement of the action, the appearance of the defendant, all ancillary or provisional steps, the pleadings, the trial discovery processes and other formal inquiries. As a consequence of such actions or proceedings, a person may be subject to monetary damages, fines or in some cases incarceration. • Administrative actions or proceedings may involve an inquiry, investigation or hearing before a regulator or a tribunal that relates to action to vary, suspend, revoke or cancel an authorization (for demonstrably safety-related purposes in some cases, and for punitive purposes in others). Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-9 • Disciplinary actions or proceedings may refer to the process by which an employer responds to actual or apparent violations or breaches of rules and procedures by an employee. The result of such actions or proceedings may be to absolve an employee of the alleged misconduct, or to discipline or discharge an employee if the allegations are substantiated. Other authorities may be involved in the actions and proceedings mentioned above, such as administrative tribunals, professional, ethical bodies or other review bodies within an organization. 7.5.2.3 Other authorities may be involved in the actions and proceedings mentioned above, such as administrative tribunals, professional, ethical bodies or other review bodies within an organization. 7.5.2.4 It is important to remember that the principles of protection do not apply when States take a preventive, corrective or remedial action that is necessary to maintain or improve aviation safety (refer to 7.4.2 above). This also applies to any proceeding, action or measure associated with a preventive, corrective or remedial action taken for purposes of maintaining or improving safety. For example, the use of safety data or safety information to justify the adoption of a preventive, corrective or remedial action is allowed in proceedings initiated by an individual or an organization seeking to challenge the said action. 7.5.2.5 While there may be cases when safety data or safety information is used in litigation initiated by a third party against the source of the report, States are encouraged to take all necessary measures to ensure that safety data and safety information is not used for purposes other than maintaining or improving aviation safety (unless a principle of exception applies). 7.5.3 Authoritative safeguards 7.5.3.1 Certain factors may mitigate the negative consequences associated with the disclosure or use of safety data or safety information for purposes other than maintaining or improving aviation safety. It might be possible to limit any potential damage from the proposed disclosure or use by putting in place safeguards to further limit the disclosure or use of safety data and safety information. A State may include in its legislation or regulations, pursuant to which the application of the principles of exception is considered, the power for the competent authority to impose requirements for the safety data or safety information to be kept confidential following a decision to allow access. 7.5.3.2 De-identification of the source of the safety data and safety information is another safeguard that may be used before release for purposes other than maintaining or improving aviation safety is granted by a competent authority. De-identification may however be difficult where the sources providing the safety data or safety information may be readily ascertainable from the substance of the data or information reported. For example, the report of an occurrence involving a type of aircraft that is used only by a single operator within a particular jurisdiction may immediately point to that operator (or even to an individual employee) simply by identifying the type of aircraft involved. In such cases, how and where the safety data or safety information is proposed to be disclosed or used, and the nature of the information involved, would be of especial significance. 7.5.3.3 If the safety data or safety information is proposed to be used in a forum where knowledge of the persons or organizations connected to the data or information is limited, then the competent authority might be confident that de-identification would provide a sufficient safeguard for the sources. Similarly, if the nature of the information is primarily technical, then there may not be much identifying information in the safety data or safety information that needs to be removed or redacted, making the protective task more easily achievable. The competent authority should also consider whether the forum of the proposed disclosure or use of the data or information and the nature of the information, will affect the degree to which the sources can be identified, and whether removing identifying information would be enough. If the proposed disclosure or use may adversely affect a company or organization, such as an aircraft operator, then the competent authority should decide whether de-identification of the data or information would provide reasonable protection similar to that which the company or operator would have obtained if the disclosure or use had not been allowed. 7.5.3.4 If the competent authority considers that the de-identification of the safety data and safety information may prevent the intended or otherwise permissible use of safety data or safety information, de-identification will not be appropriate. Therefore, States may opt to implement different kinds of safeguards (or 7-10 Safety Management Manual (SMM) combinations of safeguards) to allow limited disclosure for a specific purpose while preventing wider use or public disclosure of the safety data or safety information. Protective orders, closed proceedings, in camera review and summaries are examples of such safeguards. 7.5.3.5 States and organizations may also adopt best practices such as ensuring that the environment in which information is collected, stored, processed and transmitted is sufficiently secure, and that controls over access and authorization are sufficient to protect the safety data and safety information. 7.6 PRINCIPLES OF EXCEPTION 7.6.1 The principles of protection apply to safety data, safety information and related sources, unless a competent authority determines that one of three principles of exception applies. The custodian of SDCPS should be aware of the protections applied to safety data, safety information and related sources and ensure that they are released and used in accordance with the Annex 19 provisions. 7.6.2 Designation of a competent authority 7.6.2.1 As the principles of exception will be administered for a range of different purposes, the competent authority will be different depending on the nature of the data or information in question and the type of use that is being sought. In each particular case, the task of the competent authority will be to decide whether a particular principle of exception applies. The competent authority will need to be capable of balancing competing interests, such as right-to-know laws, regulations unrelated to aviation safety, litigation disclosure rules and others in order for the public to have confidence in its decision-making capabilities. Competent authorities could include judicial authorities, regulatory authorities or those otherwise entrusted with aviation responsibilities designated in accordance with national laws and other enforceable requirements. 7.6.2.2 States and organizations will need to identify competent authorities appropriate to the task of applying the principles of exception for different purposes. Table 9 below provides examples of possible competent authorities and situation examples. Example Situation Possible Competent Authority Where disclosure or use of safety data or safety information is sought by a member of the public pursuant to right-to-know laws5. Government department or administrative body If the question of the disclosure or use of the data or information in itself becomes the subject of litigation brought under the same right-to-know laws, or if the safety data or safety information is sought for use in judicial proceedings. Court or administrative tribunal Where action is to be taken by a regulatory authority to maintain or improve safety. CAA In the case of disclosure or use of safety data or safety information in the custody of an organization. Person in the organization who is responsible for aviation safety, such as a manager or a panel comprised of management, an employee representative and, in some States, a representative of the regulator Table 9. Example situations and possible competent authorities 5 For further information regarding right-to-know laws refer to Section 1.7 of this Chapter. Chapter 7. Protection of Safety Data, Safety Information and Related Sources 7-11 7.6.2.3 Where an organization identifies its competent authority, the responsible exercise of discretion of the competent authority on the application of the principles of exception and the principles of protection may well provide sufficient self-policing within the organization. The final determination of the competent authority for each specific purpose remains a matter for each State and organization, depending on the applicable laws and policies. 7.6.2.4 Permanent designation of the office and jurisdiction of the competent authority (e.g., judicial authorities for matters involving litigation, the CAA for matters involving regulatory actions) may be considered to allow for expeditious decision-making. A permanent designation will also provide certainty in the competent authority’s standing and experience in dealing with these matters. Furthermore, it is critical that the competent authority has in place rules and procedures governing the decision-making process. These rules and procedures should flow from applicable national laws. This can only be achieved if the designation of the competent authority in a particular area remains constant. 7.6.3 Application of the principles of exception 7.6.3.1 The first case in which a competent authority may determine that an exception to the protection applies is where there are “facts and circumstances reasonably indicating that the occurrence may have been caused by an act or omission considered, in accordance with national laws, to be conduct constituting gross negligence, wilful misconduct or criminal activity”. The appropriate competent authority for undertaking such a determination will, in most cases, be a judicial, administrative or prosecutorial authority. 7.6.3.2 Because an assessment of the substance of the safety data or safety information in question will often determine whether the conduct involved satisfies one or another of the conditions for exceptional use, it is not, therefore, necessary that facts and circumstances of the case make it unequivocally clear that such exceptional conduct has occurred. Rather, it is only necessary that those facts and circumstances provide a reasonable basis on which it could be found that the occurrence may have been caused by such conduct. Where the competent authority determines that, on the basis of the facts and circumstances of a case, an occurrence may have been the result of either gross negligence, wilful misconduct or criminal activity — as these terms are understood under national law — a principle of exception applies and the safety data, safety information or related sources may be released. 7.6.3.3 Different legal systems may have different understandings under national law as to what is meant by these terms. In general, gross negligence refers to an act or omission undertaken with a serious disregard or indifference to an obvious risk, regardless of whether the risk was fully appreciated by the actor. This is sometimes described as reckless conduct. Wilful misconduct is a wrongful act or omission which the actor either knows to be wrongful, or is consciously indifferent to the question of whether it is wrongful or not. Knowledge and intent in such cases may also sometimes have regard to the consequences of the conduct, as opposed to its formal depiction as unlawful. In any case, the evidentiary tests and measures applicable in making a determination as to the nature of the conduct involved should be consistent with the laws of the relevant jurisdiction. Also, because the exception principle differentiates between conduct constituting “gross negligence” or “wilful misconduct”, on the one hand, and “criminal activity” on the other, it is clear that conduct that might constitute either “gross negligence” or “wilful misconduct” (however such conduct may be described under the applicable national law) is meant to be assessed on the basis of a civil, as opposed to a criminal, standard. 7.6.3.4 The second case in which a competent authority may determine that an exception to the protection rule applies is where, having reviewed the safety data or safety information in question, the competent authority determines that release of such data or information is “necessary for the proper administration of justice” and “the benefits of its release outweighs the adverse domestic and international impact such release is likely to have on the future collection and availability of safety data and safety information”. 7.6.3.5 This involves a two-step assessment process, in which the competent authority must consider first, whether the data or information is “necessary for the proper administration of justice”, which may not be the case if alternative sources for the same information are available; and second, if it finds that the release is necessary for the proper administration of justice, whether, on balance, the value of such data or information outweighs the prejudice its release is likely to have on the future collection and availability of safety data and safety information for the purposes of maintaining or improving safety. Next >