Un.ted States
tnvironmental Protection
Agency
Office of
Toxic Substances
Washyiqton DC 20460
July 1978
Toxic Substances
SEPA
TSCA Confidential
Business Information
Security Briefing
Booklet
-------�
"Because it's so important for us to have this {confidential business]
information to carry out TSCA, we have made considerable effort to
develop security procedures for handling it that we believe are second
to none, in government or in industry. But any security system of this
kind is only as good as the people who maintain it. Its effectiveness
depends on constant, careful adherence to established procedures by
each and every person involved. I urge you to study and leam these
procedures and to encourage those who work with you to do the
same."
From remarks by Steve Jellinek, Assistant Administrator for
Toxic Substances, in the preface to the TSCA Confidential
Business Information Security Manual.
-------�
TSCA CONFIDENTIAL BUSINESS INFORMATION
SECURITY BRIEFING BOOKLET
"You are responsible and accountable for all
TSCA Confidential Business Information that you receive"
INTRODUCTION
The TSCA Confidential Business Information Security Manual
prescribes minimum standards and establishes responsibility and ac-
countability for the control and physical security of documents that
contain confidential business information received under the Toxic
Substances Control Act (TSCA).
You as an authorized person,** must know the requirements of the
Manual. This booklet summarizes some important points for you but
is not intended to be a substitute for thorough knowledge of the
Manual.
When you have any questions about security procedures or need
clarification or interpretation of points in this Booklet or in the
Manual, ASK YOUR DOCUMENT CONTROL OFFICER JDCO).
He/she is the person responsible for the overall security, control and
distribution of confidential business information received in his/her Of-
fice, Region or Laboratory.
**Only authorized persons should receive TSCA Confidential Business
Information. However, all employees are bound by section 14 of
TSCA and by the procedures in the Manual. If, through error or
negligence, an unauthorized employee receives any TSCA Confidential
Business Information, he/she should take it immediately to the
nearest Document Control Officer (DCO), or, if there is no DCO, to
his/her supervisor.
-------�
POLICY
It is the policy of EPA to take all reasonable measures to prevent the
unauthorized disclosure of Confidential Business Information. EPA
employees are prohibited from disclosing, in any manner and to any
extent not authorized by law or EPA regulations, any TSCA Confiden-
tial Business Information coming to them in the course of their
employment or official duties.
TSCA Confidential Business Information is to be held in confidence,
and handled in accordance with the procedures set forth in the TSCA
Confidential Business Information Security Manual.
TREATMENT OF VIOLATIONS
A "violation" is the failure to comply with any provision in the TSCA
Confidential Business Information Security Manual, whether or not
such failure leads to actual unauthorized disclosure of TSCA Con-
fidential Business Information.
-------�
If you violate the procedures in the Manual, you may be removed
from the authorized access list and be subject to disciplinary action
with penalties up to and including dismissal, under policies and pro-
cedures in the EPA Conduct and Discipline Manual.
If you willfully make any unauthorized disclosure of TSCA Confidential
Business Information, you may be subject to a fine of not more than
$5,000 or imprisonment for not more than one year or both, in addi-
tion to Administrative disciplinary action.
EMPLOYEE RESPONSIBILITIES
You are responsible for the control and security of all TSCA Confiden-
tial Business Information you receive. Specifically, you shall:
Discuss TSCA Confidential Business Information only with
authorized persons.
"Actually it's not so bad. You get used to it very quickly"
-------�
Safeguard TSCA Confidential Business Information when in ac-
tual use by:
keeping it under constant surveillance and being in a position
to exercise direct physical control over it.
Covering it, turning it face down, placing it in approved
storage containers, or otherwise protecting it when unauthor-
ized persons are present.
Returning it to approved storage containers when not in use
and at close of business.
Store TSCA Confidential Business Information when not in use
and at close of business, at a minimum, within a metal cabinet
with a bar and a three-way changeable combination padlock ap-
proved by the Security and Inspection Division (SID).
Safeguard combinations to locks, safes, and rooms that contain
TSCA Confidential Business Information, and have them
changed once each year or every time a person who knows the
combination terminates or transfers, whichever comes first.
Immediately report possible violations of TSCA or of the pro-
cedures in the TSCA Confidential Business Information Security
Manual to SID.
Not reproduce TSCA Confidential Business Information
documents. Copies must be obtained through a DCO.
Not destroy TSCA Confidential Business Information documents
except upon approval by and under the supervision of a DCO.
Not discuss TSCA Confidential Business Information over the
telephone except with the written approval of an Assistant Ad-
ministrator, Head of Staff Office, Regional Administrator, or
Laboratory Director.
-------�
HANDLING OF INCOMING MAIL
If your incoming mail contains any TSCA Confidential Business Infor-
mation, take it to your DCO immediately upon receipt so that it may
be entered into the document control system. If you open any incom-
ing mail and discover an inner envelope, take the inner envelope to
your DCO to be opened. Any correspondence from industry that is
marked "confidential," "priorietary information," "company secret,"
etc., or otherwise contains a request for confidential treatment,
should also be taken to your DCO.
Any registered mail received should be opened immediately by the ad-
dressee or his/her secretary. If it contains any confidential business in-
formation, it should be taken to the DCO immediately. Any registered
mail that is not addressed to a specific person should be taken to the
DCO immediately. Do not leave registered mail in in-boxes overnight!
For the period of time that you hve "unlogged" confidential business
information in your possession, you are responsible for safeguarding
it. If you do not take it immediately, ,o your DCO, you are guilty of a
violation of security.
-------�
AUTHOR/ZED
PERSONS
SECRETARIAL PROCEDURES
If you are responsible for typing anything which contains TSCA Con-
fidential Business Information, you must safeguard the original and all
"mag" cards, one-time ribbons that can be read backwards, drafts,
scratch paper, notes and any other materials which may contain con-
fidential business information. Do not make any carbons or copies of
the document.
You must ensure that no unauthorized person can see what you are
typing.
If you must stop before the task is finished (lunch or close of
business, for instance), take all materials that may contain confidential
business information to the author for safeguarding. Leave nothing in
your typewriter or on your desk which might lead to the unauthorized
disclosure of TSCA Confidential Business Information.
When the typing is completed, take the original and all other materials
to the author who will in turn take them to the DCO. The DCO will
enter«the original into the document control system and destroy all
other materials.
-------�
GAINING ACCESS TO
TSCA CONFIDENTIAL BUSINESS INFORMATION
When you require access to TSCA Confidential Business Information
to perform your official duties, you should request the required docu-
ment from your DCO. The DCO will:
verify that you are on the authorized access list, and if you request
access to Special Category** information, that such access has
been approved.
obtain the document and make a copy of it.***
enter the appropriate information in the User Copy Sign Out Log
(EPA Form 7710-11) and on the Cover Sheet (EPA Form 7710-6).
The document you receive should have a document control number, a
Cover Sheet and a TSCA Confidential Business Information stamp.
If you have appropriate storage capability, you may sign the docu-
ment out for a maximum of 30 days. Otherwise, the document must
be returned to the DCO by the close of business that same day.
MEETINGS
If you are the chairperson for any meeting, symposium, panel discus-
sion or seminar at which TSCA Confidential Business Information will
be discussed, you shall:
Provide a sign-in sheet, including the date, time, place and sub-
ject of the meeting and require all attendees to sign it and record
their EPA identification badge number. The sign-in sheet should
be given to the appropriate DCO who will retain it for one year.
**Special Category TSCA Confidential Business Information relates to
a) confidential chemical identities, b) product formulations, and c)
specific processes used in manufacturing or processing chemical
substances. Requests for access to this information must be specific,
in writing, and approved by the Assistant Administrator for Toxic
Substances before the DCO will permit access.
***The original remains with the DCO.
-------�
"Before we begin our meeting, let's review our responsibilities"
Ensure that only authorized persons are present and announce
that confidential business information is to be discussed.
Review with the attendees their responsibility for safeguarding
confidential business information in any and all forms, including,
but not limited to any notes taken, and any subsequent discus-
sions.
Ensure that no recording is made of the meeting unless you have
authorized it. Any recording must be treated as all other con-
fidential business information and entered into the document
control system.
Ensure that the meeting room is secured after the meeting. This
shall include erasing all blackboards, destroying all tear sheets
and other notes and ensuring that nothing is left in the room
which could lead to the unauthorized disclosure of confidential
business information.
-------�
TRANSMISSION OF
TSCA CONFIDENTIAL BUSINESS INFORMATION i
i
External
Requests for TSCA Confidential Business Information which require
the transmission of documents from one EPA facility to another, or to
persons or parties outside EPA must be in writing and signed by the
appropriate Assistant Administrator, Head of Staff Office, Regional
Administrator, or Laboratory Director. Ordinarily, such requests will be
handled through the local DCO. However, where a DCO is not
available, you may have to handle the transmission.
You must transmit TSCA Confidential Business Information by
Registered Mail, return receipt requested, in a double envelope. The
\inner envelope must reflect the address of the recipient with the
following additional wording on the front side:
CONFIDENTIAL BUSINESS INFORMATION
TO BE OPENED BY ADDRESSEE ONLY
The outer envelope must reflect the normal address without the addi-
tional wording.
You may handcarry TSCA Confidential Business Information to other
EPA facilities, or to persons or parties outside EPA, providing the
dispatching DCO maintains a record and obtains a receipt from the
person receiving the information. Information being handcarried
should be packaged in a double envelope as described in the
preceding paragraph.
Internal
Within an EPA installation, you must hand-deliver TSCA Confidential
Business Information to other authorized persons. At no time shall
TSCA Confidential Business Information be transmitted through inter-
office mailing channels.
-------�
Transfer of Custody
Within your Division, you may transfer custody of a confidential
business information document to another authorized person by using
the Loan Receipt for TSCA Confidential Business Information (EPA
Form 7710-14). You must furnish a copy of the Loan Receipt to your
DCO. The secondary recipient shall also sign the Cover Sheet of the
document.
*
GENERATION OF
TSCA CONFIDENTIAL BUSINESS INFORMATION DOCUMENTS
If you generate a new document from extracts of existing TSCA Con-
fidential Business Information documents (except notes covered in
the next paragraph), you must take the newly generated document to
your DCO who shall:
Identify it by stamping it "TSCA Confidential Business Informa-
tion" and "Extracts from document # , dated »
II."
Enter it into the document control system and safeguard it as all
other TSCA Confidential Business Information.
NOTES CONTAINING
TSCA CONFIDENTIAL BUSINESS INFORMATION
If you take notes from a TSCA Confidential Business Information
document, a meeting, or any other source, you must protect the
notes as TSCA Confidential Business Information. If the notes are to
be circulated to other authorized persons, they shall be entered into
the Document control system. Any document generated from the
notes shall be treated as specified in the preceding paragraph.
-------�
LOST OR UNACCOUNTED FOR DOCUMENTS
If you become aware that a TSCA Confidential Business Information
document is lost or otherwise unaccounted for, you should im-
mediately notify the appropriate local DCO who shall notify the OTS
DCO. If the document is not located within a reasonable time, the
matter shall be referred to SID.
WHO CAN I TURN TO?
If you need clarification or interpretation of any of the procedures in
the TSCA Confidential Business Information Security Manual, ASK
YOUR DCO, or in his/her absence the OTS DCO or your supervisor.
Whenever you are uncertain about what to do in a given situation,
ASK YOUR DCO! Better to be safe than sorry!
PEOPLE YOU MAY NEED
LOCAL DCO
OTS DCO
LOCAL SECURITY
REPRESENTATIVE
SECURITY & INSPECTION
DIVISION, EPA
HEADQUARTERS
NAME
PHONE
-------� |