SSBA Guideline 1 - Entities and Facilities - January 2014
Release Date: January 2014
This guideline provides information to entities, facilities and individuals to determine what is an entity or a facility for the purposes of the Security Sensitive Biological Agents (SSBA) Regulatory Scheme. It is guidance material only and is provided to assist in understanding the SSBA Regulatory Scheme.
Entities and Facilities
The National Health Security Act 2007 (NHS Act) recognises that SSBAs are handled in a range of physical structures legally owned by persons or bodies. The National Register of SSBAs records the registration of an entity in relation to one or more SSBAs handled by an entity at one or more of its facilities.
An entity is defined as any of the following:
- an individual
- a body corporate
- an agency or instrumentality of the Commonwealth, a State or Territory.
An entity is legally responsible for complying with the requirements of the NHS Act, the National Health Security Regulations 2008 (NHS Regulations) and the SSBA Standards. The entity takes ultimate responsibility for reporting and compliance and is liable for the offences provided in the NHS Act.
A facility is defined to include:
- a building, or part of a building; and
- a laboratory including a mobile laboratory.
The definition of a facility is very important as you must register your facilities with the Department of Health (Health). While entities take ultimate responsibility for the handling of SSBAs, generally SSBAs are handled within a facility and so a number of the physical and information security requirements in the SSBA Standards apply at the facility level.
A facility:
- is the physical space in which the SSBAs are handled (handling includes receiving, holding, using and storing SSBAs);
- must be able to meet and comply with the specific facility requirements of the SSBA Standards for physical and information security. This includes having:
  - a clearly defined secure perimeter that allows control of access to the secure area. This secure perimeter must fully enclose the area where the SSBAs are handled (see Defining the Secure Perimeter below).
  - lockable doors when a facility is unattended.
  - windows that are non-opening and sealed at all times.
For example, an entity may be a university and the facility may be a research laboratory within the university.
Defining the Secure Perimeter
The SSBA Standards require an entity to clearly define the secure perimeter of the area in which the SSBAs are handled. A marked floor plan may be helpful in achieving this.
When deciding on where the secure perimeter of the facility should be, entities should take into account:
- Access to the secure area must be restricted to Authorised and Approved persons (as defined under the SSBA Standards).
- For all facilities handling SSBAs, at least one form of access control must be at the secure perimeter to control and record entry.
- For facilities handling Tier 1 SSBAs the access controls at the secure perimeter must also record exit of personnel. There is also a requirement for secondary access controls to further restrict access to the SSBA. These secondary access controls can be within the secure area, for example at the last access barrier to the SSBA, such as a freezer door or internal room door.
- Tier 1 SSBAs must be stored within the secure perimeter, while for Tier 2 SSBAs, storage must either be within the secure perimeter or within a linked storage unit that meets the full requirements of SSBA Standards clause 4A.5 - Storage of Tier 2 SSBAs.
- Movements of SSBAs outside the secure area are subject to reporting and transport requirements.
For these reasons, entities should try to be as specific as possible when defining the secure area.
For example, if an entity registers a facility with Health and defines the secure area as “First Floor, Laboratory Building” then it is expected that all of the first floor will meet all the requirements of the SSBA Standards, including requirements relating to access, authorised and approved persons and transport of SSBAs. If, however, the SSBAs are only handled in Rooms 1.01, 1.02 and 1.03, then only these rooms should be registered (either as one facility if they can all be isolated within a single secure perimeter or as separate facilities if they cannot). This would mean that the rest of the first floor would then be excluded from the requirements of the SSBA Standards for secure areas.
If you are unsure about how to define the secure area, please contact the SSBA Regulatory Scheme at (firstname.lastname@example.org) or on 02 6289 7477 before submission of registration paperwork.
It should be noted that sensitive information, either in hard copy or electronic form, does not necessarily need to be held within the secure perimeter, but must have the appropriate security to prevent unauthorised access, such as being kept in locked cabinets, password protection, etc. Part 5 of the SSBA Standards sets out the requirements for information security.
Leasing a Facility from Another Entity
If you are leasing a facility from another entity, measures must be put in place to ensure that the requirements of the SSBA Regulatory Scheme are met and will continue to be met. For example, if your risk assessment indicates that electronic locks must be placed on all doors to the facility, you must be able to do so under the lease conditions. If maintenance or security of the facility is handled by the lessor, then measures must be in place to ensure that the SSBA Standards will not be breached through delays in providing the equipment or minor works. These measures may include:
- specific clauses in the lease contract to maintain biosecurity
- alternative procedures, if required
- removing SSBAs from the facility, if security is at risk.
Sharing Facility with Another Entity
If an entity shares a facility with another entity, measures will be needed to ensure that the requirements of the SSBA Regulatory Scheme are met and will continue to be met. Risks of using a shared facility should be considered as part of the facility’s risk assessment. Entities will need to consider how access to the shared space will be handled, including if personnel from the other entity will be required to become Authorised or Approved persons.
Entities will need to ensure that physical security requirements can be met. This may include measures such as those outlined above under Leasing a Facility from Another Entity.
The entity must register the SSBAs that it handles in the facility, but is not required to register any SSBAs handled by the other entity.
Separate inspections will be conducted for each entity, but the inspections for both entities may take place concurrently. Each entity will receive a separate inspection report that relates to the findings from their entity and facility only.