Evaluation procedure VRD

1. Key data

Document date 23-10-2009
Publication date 27-10-2009
Reference 6661/1/09 REV 1 ADD 5 REV 1
From Presidency
To Ad Hoc Group on Information Exchange

2. Text

COUNCIL OF THE EUROPEAN UNION

Brussels, 23 October 2009

PUBLIC

6661/1/09 REV 1 ADD 5 REV 1

LIMITE

CRIMORG 25 ENFOPOL 39

ADDENDUM TO THE NOTE

From : Presidency

To : Ad Hoc Group on Information Exchange

Subject : Evaluation procedure VRD

1. Questionnaire

As soon as a Member State believes it fulfils the prerequisites for sharing Vehicle Registration Data (VRD), it shall answer the ‘Questionnaire on Exchange of Vehicle Registration Data pursuant to Article 12 of Council Decision 2008/615/JHA’ (doc. 6661/1/09 REV 1 ADD 4 REV 1 CRIMORG 25 ENFOPOL 39) and send it to the Council Secretariat (prum@consilium.europa.eu).

Upon receipt, the Council Secretariat will inform the Sub Group on VRD’s lead experts so that the VRD-evaluation procedure for the concerned Member State can start.

By filling out and presenting the questionnaire on exchange of VRD [1] (after the generic questionnaire on data protection [2]) to the Council Secretariat a Member State expresses its wish to be evaluated. From that point onwards, the Member State concerned and the lead experts on VRD shall have at least four weeks to deal with all practical arrangements for the evaluation visit to take place. Furthermore, the Sub Group on VRD will draft a tentative calendar of Member States’ target dates for implementation of the VRD-exchange system.

[1] Document 6661/1/09 REV 1 ADD 4 REV 1 CRIMORG 25 ENFOPOL 39

[2] Document 6661/1/09 REV 1 ADD 1 REV 1 CRIMORG 25 ENFOPOL 39

6661/1/09 REV 1 ADD 5 REV1 GB/hm 1

2. Pilot run

2.1. The acceptance procedure to be passed by the Member States to receive approval of the EUCARIS Nominated Party for Operation (NPO) will constitute the first step of the pilot run.

Since Member States are in this phase not yet allowed to use operational data, they need to perform tests inquiring so-called dummy-data (fabricated data) available in the permanent test environment of the Member State nominated for the task ‘Operation’ by EUCARIS. Currently, this task lies with the Netherlands. The Netherlands has accepted to function as permanent VRD/Test-Member State as long as RDW (i.e. the Dutch Vehicle Registration Authority) is the EUCARIS NPO.

From an operational perspective, this acceptance procedure is led by the NPO but takes place under the auspices of the VRD lead experts and follows a test plan delivered by the NPO. The test between the Member State concerned and the EUCARIS NPO consists, for each service, of

  • deliverance by the Member State of a help file to be included in the EUCARIS system containing detailed information on the provided information
  • inquiries made by the Member State in the test database of the EUCARIS NPO
  • inquiries made by the EUCARIS NPO in the test database of the Member State
  • a production test report by the NPO
  • the deliverance of a production certificate by the NPO

Upon receiving the approval by the NPO it is thereby established that:

  • the network connection functions well
  • the security functions well (server certificate, XML signing)
  • the interface between the EUCARIS application and the national application / database functions well
  • the national databases are "available" and provide correct data
  • the user interface is able to send correct requests to other Member States
  • in case a customized client application is used, this application is also able to send correct requests to other Member States.

2.2. The production test report will be submitted to the evaluation team at least two weeks ahead of the evaluation visit. Once the production certificate has been received the specific Member State can start with the implementation of its production environment.

When the production environment is in place the NPO will execute as the second step of the pilot run a brief preproduction test to assure that everything is in place for the evaluation visit. During this preproduction test only the NPO is authorised to access the production environment of the respective Member State. A few tests will be executed with production data of persons involved in the preproduction test.

3. Evaluation visit

The evaluation visit shall ideally take place as close as possible to the acceptance procedure by the EUCARIS NPO (cf. pilot run).

The evaluation team shall consist of 3 experts, ideally a member of the lead experts' MS and 2 experts of MS taking part in the VRD exchange. The experts shall have experience regarding the VRD exchange and shall have the appropriate national security clearance. The Commission shall be invited to the evaluation visit as an observer. The evaluation team and/or the concerned MS may invite/request a representative of EUCARIS to be present during the visit. All members of the evaluation team will respect the confidential nature of the information they acquire when carrying out their task. As regards the costs involved for the experts (travel expenses, hotel, …), the evaluated Member State shall come to an agreement with the members of the evaluation team.

The work of the evaluation team will be based on a ‘Checklist Exchange of Vehicle Registration Data’ (cf. Annex) which is common for all VRD-evaluation visits and focuses on functional and technical topics. Regardless of the generic questionnaire on data protection for all three fields (i.e. DNA, fingerprints and VRD), a special focus shall be reserved for the protection of personal data in the Member State concerned.

The evaluation team shall visit both the contact point for incoming requests and one or more organisations performing outgoing requests. During the evaluation, the following will be checked:

  • whether the correct matches can be found on known data (the appropriate legal and administrative regulations must be in place to allow such testing with real data);
  • whether the logging system provides information according to Article 30 of the Council Decision 2008/615/JHA;
  • the business processes.

The evaluation team will produce a report within one month of the visit and the report will be forwarded to the concerned Member State for its comments. If appropriate, the evaluation team will revise the report on the basis of the Member State's comments and then submit it to the Lead Experts.

4. Report to the Council

The evaluation team, with the support of the Council Secretariat, will prepare the report to the Council, which will consist of:

  • a cover note containing a management summary and the recommendation to the Council
  • the report of the evaluation team
  • the report of the Member State on the pilot run
  • the Letter of Intent [3]

The general report shall be submitted to the Ad Hoc Group on Information Exchange with a view to preparing the relevant Council Decision. Where necessary or appropriate, the subgroup of VRD experts may be consulted on the report.

[3] Letter of Intent: document that reflects the commitment of the MS as regards the availability of the national systems (see annex).

ANNEX

Checklist Exchange of Vehicle Registration Data

Preliminary remark

The main goal of this VRD-evaluation checklist consists of providing the Council with sufficient information on the implementation of the EUCARIS/Prüm system (EUCARIS2) at Member States’ level in order for the Council to be able to grant Member States concerned authorization to start with the actual VRD-exchange in conformity with Council Decisions 2008/615/JHA and 2008/616/JHA (Prüm Decisions). More specifically, this checklist intends to:

• give a general introduction to the set-up of the EUCARIS/Prüm system (EUCARIS2) at Member States’ level (competent authorities, accesses, ...)
• reflect in detail the data security and related technical measures the evaluated MS has put in place.

Contacts

MEMBER STATE SUBJECT TO EVALUATION: ……………………………………………...

Organisations/agencies/… visited in the evaluated Member State | Role in the EUCARIS/Prüm information flow | Name and surname of the contact person | Email address

1. Generic functionalities

1.1 Describe the use purposes of the EUCARIS/Prüm-system in [the evaluated MS] in view of Art. 12 of Council Decision 2008/615/JHA.

1.2 Is access to the EUCARIS/Prüm system (EUCARIS2) only being given to law enforcement personnel at a central level or has access been decentralized to, for instance, local police units as well?

1.3 Describe the designation and role of the ‘specially authorised officers’ mentioned in Art. 30(2)(a) of Council Decision 2008/615/JHA.

1.4 List of [the evaluated MS] national authorities competent to use the EUCARIS/Prüm system (EUCARIS2) at national level for outgoing requests:

• ...
• ...
• ...

1.5 Does the EUCARIS/Prüm system (EUCARIS2) allow the competent authorities at national level to exchange request and response messages in an interactive way (i.e. real time)?

1.5 What type of statistics of use does [the evaluated MS] provide?

1.6 Describe in the box below the functional and technical architecture of the EUCARIS/Prüm-system in [the evaluated MS]. Please include visualization as well in order for the evaluation committee to get a firm idea of your national set-up.

2. Evaluation data security measures

2.1 Describe the measures [the evaluated MS] took to ensure that personal data is effectively protected against accidental or unauthorised destruction, accidental loss, unauthorised access, unauthorised or accidental alteration and unauthorised disclosure (Art. 29(1) of Council Decision 2008/615/JHA).

2.2 Does access to the EUCARIS/Prüm-functionalities provide for sufficient user authentication (at least two-factor authentication by username and password) in [the evaluated MS]?

2.3 Describe the logging facilities (including the back-up system, if any, for the log files) that have been put in place in [the evaluated MS], both for outgoing and incoming requests. This description should also address the system that allows for linking outgoing requests to individual files and/or end-users.

3. Evaluation questionnaire on the exchange of vehicle registration data

YES / NO / N/A

1. ORGANISATIONAL

1.1 Is the National Contact Point (NCP) for incoming requests in place?

1.2 Is the National Contact Point (NCP) for outgoing requests (i.e. the organization that is in charge of the log files of outgoing requests) in place?

2. FUNCTIONAL

2.1 In case [the evaluated MS] opted for an entirely automated requesting procedure, has a specially authorised officer at the NCP for outgoing requests been designated?

2.2 In case [the evaluated MS] (1) also is a EUCARIS-MS and (2) uses a customized client application, does the customized client-application connected to the EUCARIS/Prüm-system allow distinguishing between EUCARIS- and Prüm-searches when using the system?

3. TECHNICAL

Network

3.1 Can the NCP for incoming requests connect to the TESTA-network?

• Via direct access
• Via a local secure link

3.2 Can the NCP for outgoing requests connect to the TESTA-network?

• Via direct access
• Via a local secure link

Availability - Letter of Intent

3.3 Can the EUCARIS/Prüm system be consulted by other MS 24/7, apart from scheduled maintenance?

3.4 Can the EUCARIS Prüm system guarantee a sufficient level of availability:

• with a maximum recovery time of less than one day?
• with a response time by the system of maximum 5 seconds for a single request?

Other

3.5 Has the standard EUCARIS/Prüm (EUCARIS2) web client been chosen or has a customised web client been developed at national level or both?

3.6 (a) Has the EUCARIS/Prüm (EUCARIS2)-core been connected to the back-end legacy, i.e. the (mandatory) data as listed in the data set in Chapter 3.1 of the Annex to Council Decision 2008/616/JHA? (b) Has this connection been tested? (c) If so, were the tests satisfactory?

3.7 Has [the evaluated Member State] obtained the production certificate from the EUCARIS NPO?

3.8 In case [the evaluated Member State] indicated problems with the security features in its questionnaire on the exchange of vehicle registration data, give an appreciation of these.

………………………………………………………………………………………………………...

………………………………………………………………………………………………………...
