Health Emergency Preparedness and Response

SSBA Guideline 11 SSBAs and Other Regulatory Schemes - March 2012

Release Date: March 2012

Introduction

This guideline covers situations where entities/facilities are required to provide access to secure SSBA areas or information that is considered sensitive under the Security Sensitive Biological Agents (SSBA) Regulatory Scheme to other regulatory schemes, in particular the Office of the Gene Technology Regulator (OGTR) and the Australian Quarantine and Inspection Service (AQIS). It is guidance material only and is provided to assist in understanding the SSBA Regulatory Scheme.

The aim of the SSBA Regulatory Scheme is to limit opportunities for acts of bioterrorism or biocrime involving SSBAs. The Department of Health and Ageing administers the scheme.

SSBA Standards Requirements

Entities and facilities handling SSBAs are required to comply with the National Health Security Act 2007 (NHS Act), the National Health Security Regulations 2008 (NHS Regulations) and the SSBA Standards. Some of the SSBA Regulatory Scheme requirements that may impact on the requirements of other regulatory schemes could include:
  • clearly defining a perimeter that encloses the secure area where SSBAs are handled and restricting access to the secure area or linked storage units to Authorised or Approved Persons.
  • prohibiting unauthorised recording, photography or filming within the secure area.
  • identifying sensitive information relating to the security of SSBAs and restricting access to this information to those who need to know and have been permitted access by the Responsible Officer.

Sensitive Information

The NHS Regulations define ‘sensitive information’ as:
  • the entity’s storage records (including inventory records or other records of storage) for any SSBAs handled at the facility;
  • the entity’s risk assessment plans for any SSBAs handled at the facility;
  • the entity’s risk management plans for any SSBAs handled at the facility; and
  • any other information identified by the entity that could compromise the security of the SSBAs handled at the facility under clause 5.3 of the SSBA Standards. Additional sensitive information could include:
    • lists of authorised and approved persons; and
    • floor plans that outline the secure area.
Sensitive information may be either hardcopy or electronic documentation.

Clause 5.3 of the SSBA Standards covers the requirements for Information Security and states that the entity must identify and control access to sensitive information. Access must be limited to persons who have a need to know, and have been granted access by the Responsible Officer. Access permissions must be reviewed 6 monthly for facilities handling Tier 1 SSBAs and 12 monthly for facilities handling Tier 2 SSBAs. Sensitive information related to Tier 1 SSBAs must be stored in a secure system and securely backed up at regular intervals.

Complying with Other Regulatory Schemes

A facility regulated under the SSBA Regulatory Scheme may also be subject to requirements of other Commonwealth regulatory schemes or legislation, which could include, but are not limited to:
  • the Gene Technology Act 2000 (GT Act), which regulates genetically modified organisms in Australia and is administered by OGTR.
  • the Quarantine Act 1908 and Export Control Act 1982, which are administered by AQIS, which is part of the Australian Government Department of Agriculture, Fisheries and Forestry (DAFF).
To comply with the requirements of other regulatory schemes, an SSBA facility might be required to allow Regulatory Officers into the secure area where SSBAs are held or access to documents that are considered sensitive information.

Registered facilities may allow other Regulatory Officers into an SSBA registered facility as an Approved Person. Clause 3.4 of the SSBA Standards deals with the requirements for Approved Persons and states that an entity must put in place processes to ensure that contractors, visitors, suppliers, students and other such persons do not compromise the facility’s SSBA security. An entity can approve an Approved Person to:
  • handle SSBAs;
  • access the facility where SSBAs are handled;
  • access sensitive information related to SSBAs.
An Approved Person can be approved to do one or any combination of the above.

Approved Persons in a Tier 1 SSBA facility must be escorted (line of sight) by an Authorised Person at all times while in the secure area or handling sensitive information. An Approved Person in a Tier 2 facility must be supervised by an Authorised Person at all times; the degree of supervision must be determined through the facility’s risk assessment.

For example, if a Regulatory Officer from another regulatory scheme is required to inspect the facility where SSBAs are handled and to view records relating to SSBAs, then the Responsible Officer may approve them as an Approved Person to access the facility and to access sensitive information and this must be included in the Approved Persons list.

When determining access requirements, facilities may also need to take into consideration biosafety requirements such as the need for the Regulatory Officer to know in advance of the visit any biosafety risks in the facility.

Providing Copies of Documents Relating to SSBAs

The facility may be required to provide evidence of compliance with other regulatory schemes and the Regulatory Officer may request to keep copies of documents provided for this purpose. If these documents are considered sensitive information under the SSBA Regulatory Scheme it is recommended that the facility:
  • ask the Regulatory Officer to sight the information only and, rather than keep the actual record, record what documentation has been sighted and verified; OR
  • supply de-identified copies of the records; OR
  • provide a version of the document/s that has had the sensitive information removed; OR
  • ask the Regulatory Officer to store the information securely. It is recommended that information is held at the PROTECTED level in accordance with the Australian Government Protective Security Policy Framework, which involves:
    • persons accessing information holding a Baseline Vetting security clearance.
    • storing information in a PROTECTED classified file.
    • storing information in a Class C container or, at a minimum, a lockable container.
    • ensuring a clear desk policy.
    • destroying information using a Class B shredder or ASIO approved destruction service.

Further Information

Further information can be obtained from the SSBA Regulatory Scheme on (02) 6289 7477 or ssba@health.gov.au
