Commonwealth Numbered Regulations - Explanatory Statements



NATIONAL HEALTH SECURITY AMENDMENT REGULATIONS 2008 (NO. 1) (SLI NO 269 OF 2008)

EXPLANATORY STATEMENT

 

Select Legislative Instrument 2008 No. 269

 

National Health Security Act 2007

 

National Health Security Amendment Regulations 2008 (No. 1)

 

Section 95 of the National Health Security Act 2007 (the Act) provides that the Governor-General may make regulations prescribing matters required or permitted by the Act to be prescribed, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.

 

Part 3 of the Act provides a legislative response to some of the recommendations made by the Council of Australian Governments (COAG) in the Report on the Regulation and Control of Biological Agents of 2007.

 

The object of Part 3 of the Act is to give effect to Australia’s obligations to establish controls for the secure handling of certain security-sensitive biological agents (SSBAs) that could be used as weapons by providing for:

·        the collection, and recording on a National Register of SSBAs, of information about the nature and location of SSBAs legitimately handled by entities in Australia;

·        standards for secure handling of SSBAs;

·        monitoring of compliance with reporting and handling requirements through an inspection program; and

·        restrictions in handling of SSBAs.

 

The Regulations amend the National Health Security Regulations 2008 to provide further operational detail to Part 3 of the Act and implement other recommendations of the COAG Report. The Regulations deal with:

o       additional content of the National Register;

o       additional exempt entities;

o       additional reportable events;

o       time frames for reporting events;

o       the form of an inspector’s identity card; and

o       the agencies that the Secretary of the Department of Health and Ageing may give a report to.

 

A Proclamation will fix 31 January 2009 as the date of commencement of Part 3 of the Act. The Regulations will be phased in to coincide with the commencement of another legislative instrument (the Security-sensitive Biological Agent Standards) which also provides operational detail to the regulatory scheme.

 

The regulatory scheme will apply to entities which handle one or more of the agents included as either an agent in Tier 1 or in Tier 2 on the List of SSBAs (the List). The List will be established under section 35 of the Act by the Minister for Health and Ageing.

 

Initially the regulatory scheme will apply only to entities that handle Tier 1 agents included on the List. Entities that handle Tier 2 agents will need to comply with the regulatory scheme in 2010.


Details of the Regulations are set out in the Attachment.

 

Commencing with their first meetings in April 2008, there have been extensive consultations on the development of the Regulations with the Department of Health and Ageing’s advisory groups: the Implementation Advisory and Consultative Committee (IACC) and the Regulation and Standards Working Group (RSWG). The IACC is a committee chaired by the Department to provide advice on implementation of the regulatory scheme and comprises representatives of twelve government agencies including the Department of Foreign Affairs and Trade, Department of Infrastructure, Transport, Regional Development and Local Government, Department of Agriculture, Fisheries and Forestry, Department of Prime Minister and Cabinet, Australian Quarantine Inspection Service, Australian Customs Service, Office of the Gene Technology Regulator, Attorney-General's Department, Defence Science and Technology, the Australian Chemical, Biological, Radiological and Nuclear Data Centre (CBRN Data Centre) and the Australian Security Intelligence Organisation.

 

Members of the RSWG are a group of technical experts who represent the Animal Health Committee, the Office of the Gene Technology Regulator, Department of Foreign Affairs and Trade, and the Public Health Laboratory Network.

 

Consultations also occurred in April and May 2008 with the States and Territories law enforcement and counter terrorism agencies on specific law enforcement issues. Road shows of the SSBA Regulatory Scheme were conducted in September 2008 to further consult affected stakeholders in all States and Territories. Representatives from laboratories in the areas of animal health, defence, diagnostics, public health and research attended the road show.

 

Public consultations that included the States and Territories, on an exposure draft of the proposed Regulations, were undertaken from 2 to 22 October 2008.

 

There has been wide dissemination about the early commencement of the SSBA Regulatory Scheme. Commencing in April 2008, all material (newsletters, website and mailouts) produced by the Department, has stated that regulation of Tier 1 agents will occur from January 2009. This was particularly emphasised during the SSBA Regulatory Scheme road shows conducted during September 2008.

 

The Office of Best Practice Regulation has agreed that the Business Cost Calculator (BCC), which accompanied the exposure draft of the proposed Regulations during public consultation, provides sufficient regulatory analysis of the Regulations as they affect business.

 

The Act specifies no conditions which need to be satisfied before the power to make the Regulations may be exercised.

 

The Regulations are a legislative instrument for the purposes of the Legislative Instruments Act 2003.

 

Regulations 1 to 3 and Schedule 1 commence on the commencement of Part 3 of the Act. A Proclamation fixes 31 January 2009 as the date of commencement of Part 3 of the Act. Schedule 2 commences on 1 July 2009 to coincide with the commencement of Parts 3 to 8 of the Security-sensitive Biological Agent Standards.


ATTACHMENT

 

Details of the National Health Security Amendment Regulations 2008 (No. 1)

 

Regulation 1 – Name of Regulations

 

This regulation provides that the title of the Regulations is the National Health Security Amendment Regulations 2008 (No. 1).

 

Regulation 2 – Commencement

 

This regulation provides for regulations 1 to 3 and Schedule 1 to commence on the commencement of Part 3 of the National Health Security Act 2007. A Proclamation fixes 31 January 2009 as the date of commencement of Part 3.

 

Schedule 2 commences on 1 July 2009 to coincide with the commencement of Parts 3 to 8 of the Security-sensitive Biological Agent Standards (the SSBA Standards).

 

Regulation 3 – Amendment of National Health Security Regulations 2008

 

This regulation provides that Schedules 1 and 2 to the Regulations amend the National Health Security Regulations 2008.

 

Schedule 1 – Amendments commencing on the commencement of Part 3 of the National Health Security Act 2007

 

To incorporate the provisions of the Regulations, items [1] to [5] amend the National Health Security Regulations 2008 by substituting headings, renumbering regulations and inserting new definitions. There are no substantive changes to the provisions of the National Health Security Regulations 2008.

 

Item [6] After Part 2

 

This item inserts a new ‘Part 3 – Regulation of security-sensitive biological agents’.

 

Division 3.1 National Register

 

Division 3.1 deals with the National Register of SSBAs which is established by Division 4 in Part 3 of the Act. The National Register of SSBAs collects and records information about the nature and location of SSBAs legitimately handled by entities in Australia. Section 37 of the Act provides for the content of the National Register. Paragraph 37(f) provides that other particulars are able to be prescribed by the regulations.

 

Regulation 3.01 Content of National Register

 

This regulation provides further particulars to be recorded on the National Register in addition to those required in paragraphs 37(a) to (e) of the Act. These further particulars are necessary to enhance the elements that are provided by the Act to achieve the object of establishing controls for the security of SSBAs. In particular, further details to specifically identify an entity or facility are required. Paragraph (e) of this regulation refers to persons required to be appointed under the SSBA Standards and is included in Schedule 2.

 

Division 3.2 Exempt entities

 

Unless an entity is an exempt entity, section 39 of the Act applies the regulatory requirements of reporting and compliance with the SSBA Standards, to entities that handle one or more SSBAs at one or more facilities. Paragraph 40(1)(b) of the Act provides that regulations may prescribe that an entity is an exempt entity.

 

Regulation 3.02 Application of Division 3.2

 

This regulation provides that for paragraph 40(1)(b) of the Act, this Division prescribes entities to be exempt entities.

 

Regulation 3.03 Law enforcement agencies

 

This regulation exempts a law enforcement agency that handles an SSBA in the course of carrying out a function under a law of the Commonwealth, State or Territory. However, the law enforcement agency is not exempt if it handles the SSBA as a control sample for testing or carrying out diagnostic analysis. A control sample is an SSBA which is used as a reference for confirmation; handling such samples is subject to the regulatory requirements.

 

This exemption broadly reflects the COAG Report’s recommendation that SSBAs should not be regulated when held for law enforcement and evidentiary purposes. The prescribed law enforcement agencies have stringent security arrangements for storage. Therefore it is unnecessary to impose an additional regulatory burden on them so as not to impede performance of their law enforcement and regulatory functions.

 

Regulation 3.04 Depot or warehouse licence holders

 

This regulation provides that certain entities that are licensed under the Customs Act 1901, and handle SSBAs in accordance with the licences, are exempt from the regulatory requirements. These are private entities which may hold SSBAs on their premises at which Customs performs its regulatory functions. In holding these SSBAs, these depots and warehouses are considered to be handling an SSBA.

 

However, given the controlled environment of the Customs warehouses and depots and the processes already in place for reporting and handling imports of biological agents, it is assessed that the risk of SSBAs posing a security concern while at these premises is low and that these entities should not be subject to the regulatory scheme.

 

Regulation 3.05 Disease or injury

 

This regulation deals with disease or injury resulting from an SSBA. A person who suffers an occurrence of disease or injury from an SSBA is an exempt entity while suffering the occurrence or injury. The regulation reflects the COAG recommendation not to regulate situations of an inadvertent possession of an agent, including an infected person.

 

In addition, entities, such as abattoirs, that destroy animals which are infected or injured by an SSBA, where the destruction is carried out because of the disease or injury to the animal, are exempt from the regulatory requirements.

 

Regulation 3.06 Treatment of disease or injury

 

This regulation deals with the treatment of a person or animal for disease or injury caused by the SSBA. An entity is exempt from the regulatory requirements if it provides treatment to a person or to an animal suffering disease or injury from an SSBA. The entity is also exempt when it handles an SSBA while the agent is in the body of the person or the animal; or while taking a sample from the person or the animal for the purposes of the treatment.

 

This exemption reflects some aspects of the COAG recommendation that regulation should be sufficiently flexible that, in the event of a disease outbreak, it should not impede diagnosis and treatment.

Division 3.4 Reportable events

 

Section 48 of the Act provides that an entity registered on the National Register must report any changes in their handlings of SSBAs to the Secretary of the Department of Health and Ageing (the Secretary). This Division contains regulations that deal with the reportable events provided under paragraphs 48(1)(g) and (1)(h) of the Act.

 

The reportable event provided by paragraph 48(1)(g) of the Act deals with a person’s access to an SSBA where the access is unauthorised under the regulations. Regulation 3.15 in Subdivision 3.4.1 of the Regulations deals with unauthorised access by reference to Part 3 of the SSBA Standards and is set out in Schedule 2 to the Regulations.

 

Under paragraph 48(1)(h) of the Act, regulations may prescribe any other event as a reportable event. Subdivision 3.4.2 of the Regulations deals with reportable events and provides for additional reportable events that augment the reportable events already provided in the Act.

 

Regulation 3.16 Application of Division 3.4

 

For paragraph 48(1)(h) of the Act, this regulation provides that this Division prescribes events to be reportable events.

 

Regulation 3.22 Attempt to steal SSBA

 

This regulation provides for a reportable event by a registered entity if there has been an attempted theft of an SSBA that the entity handles. This additional reportable event augments the Act’s requirement to report the theft of an SSBA in paragraph 48(1)(f) of the Act.

 

Regulation 3.25 Accidental release of SSBA

 

This regulation provides that it is a reportable event for a registered entity if the SSBA which it is registered to handle is accidentally released during its handling by a person at the facility. Such an event needs to be reported to assess whether any security risk is posed by an accidental release of the SSBA.

 

Regulation 3.26 Infection of a person

 

This regulation provides that it is a reportable event by a registered entity, if a person who has been to the facility suffers an occurrence of disease, is injured or dies as a result of the entity’s handling of the SSBA at the facility. This regulation reflects the COAG Report’s recommendation that inadvertent possession of an agent (for example, an infected person or where the agent occurs naturally in the environment) is not intended to be covered by the regulatory scheme. However, such an event should be reported to assess if a security risk, if any, is posed by the event.

 

Regulation 3.27 Change in particulars

 

This regulation provides that it is a reportable event if there are any changes to the particulars of an entity and of a facility of the entity. Those changes need to be reported for a meaningful National Register to be maintained. Other reportable events that rely on the requirements in the SSBA Standards are included at Schedule 2.

 

Division 3.5 Requirement to report changes

 

Subsection 48(1) of the Act sets out reportable events that must be reported by a registered entity to the Secretary, with additional reportable events prescribed by Division 3.4 of the Regulations. Subsection 48(3) of the Act enables regulations to prescribe a period within which a registered entity must provide a report about the reportable event to the Secretary.

 

This Division prescribes the time periods on the basis of reporting events as they occur (in Subdivision 3.5.2) or reporting events for a period (in Subdivision 3.5.3). To enhance the security of the regulatory scheme most of the reportable events are to be reported as they occur. Reporting events for a period are for reportable events that refer to administrative changes, such as changes in the particulars of the entity or facility.

 

Because some regulations refer to reportable events that rely on the SSBA standards for operational detail, those regulations are included at Schedule 2.

 

Subdivision 3.5.1 Preliminary

 

Regulation 3.40 Application of Division 3.5

 

This regulation provides that for subsection 48(3) of the Act, this Division prescribes the period within which a report about a reportable event must be given by an entity to the Secretary.

 

Subdivision 3.5.2 Reporting events as they occur

 

Regulation 3.41 Handling SSBA

 

Paragraphs 3.41(1)(a) and (b) respectively provide that the reportable events mentioned in paragraph 48(1)(a) and subparagraph 48(1)(d)(i) of the Act must be reported by an entity within 2 business days after the entity starts to handle the SSBA. Those provisions of the Act respectively provide for reportable events when an entity starts to handle an SSBA which it has not been registered to handle, and when an entity starts to handle an SSBA for which it is registered for a purpose other than the purpose specified in the National Register.

 

Subregulation 3.41(2) provides that the reportable event mentioned in subparagraph 48(1)(d)(ii) must be reported by an entity within 2 business days after the entity stops handling the SSBA. That latter provision refers to a reportable event if an entity stops handling an SSBA for which it is registered for the purpose specified in the National Register.

 

Regulation 3.42 Transfer or disposal of SSBA

 

Regulation 3.42 provides that an entity must report the following reportable events set out in paragraphs (a), (b) and (c) within 2 business days after the event takes place. Paragraph 3.42(a) refers to the reportable event mentioned in paragraph 48(1)(b) of the Act which refers to an entity’s disposal of its entire holdings of the SSBA for which it is registered.

 

Paragraph 3.42(b) refers to the reportable event mentioned in paragraph 48(1)(c) of the Act which refers to an entity’s disposal of toxins resulting in less than a reportable quantity. The reportable quantity of a toxin is set out in the List of Security-sensitive Biological Agents which is established by the Minister under section 31 of the Act. The List only sets out tier 1 agents and a copy of the List is available on the Department of Health and Ageing website at: http://www.health.gov.au/ssba.

 

Paragraph 3.42(c) refers to the reportable event mentioned in paragraph 48(1)(e) of the Act which refers to an entity’s transfer of an SSBA for which it is registered to another entity or to another facility of the entity.

 

Regulations which provide for the reporting time frame for reportable events which rely, for operational detail, on the SSBA Standards have been included at Schedule 2.

 

Regulation 3.44 Loss, theft and unauthorised access etc

 

Regulation 3.44 sets out the reportable events that must be reported by an entity within 2 business days after the entity becomes aware of the event. The reportable events include the event, provided in paragraph 48(1)(f) of the Act, of an SSBA being lost or stolen, and the reportable events provided in the Regulations of attempted theft, accidental release, and a person suffering an occurrence of disease, being injured or dying.

 

Other reportable events that rely on the SSBA Standards for operational detail are included at Schedule 2.

 

Subdivision 3.5.3 Reporting events for a period

 

This subdivision sets up the reporting periods for reportable events that must be provided annually or biannually depending on whether the entity handles a tier 1 or tier 2 agent.

 


Regulation 3.46 Definitions

 

This regulation provides the definitions used in this subdivision. Subregulation 3.46(1) provides that ‘year’ means a calendar year. Subregulation 3.46(2) provides that a tier 1 agent is an SSBA that is identified as being a tier 1 agent in the List of Security-sensitive Biological Agents. Subregulation 3.46(3) provides that a tier 2 agent is an SSBA that, after 31 January 2010, is identified as being a tier 2 agent in the List of Security-sensitive Biological Agents. Tier 1 SSBAs pose the highest biosecurity risk and are subject to the highest level of security and reporting. Tier 2 agents would pose a moderate biosecurity risk and would be subject to a proportionately moderate level of security and reporting.

 

The List of Security-sensitive Biological Agents is defined in section 3 of the Act to mean the list established under section 31, as the List is in force from time to time. A copy of the List is available on the Department of Health and Ageing website at: http://www.health.gov.au/ssba.

 

Regulation 3.47 Reportable events to which this Subdivision applies

 

This regulation sets out the reportable events to which this Subdivision applies.

 

Regulation 3.48 Tier 1 agents—reporting periods

 

This regulation deals with the reporting periods for entities that handle tier 1 agents. Subregulation 3.48(1) provides the reporting periods for reportable events about tier 1 agents which are called the first reporting period and the second reporting period. The first reporting period is the period commencing on 1 April in a year and ending on 30 September in the year. The second reporting period is the period commencing on 1 October in a year and ending on 31 March in the following year.

 

Subregulation 3.48(2) provides that if, in a year, a reportable event occurred during the first reporting period, the due date for a report about the event is 31 October in the year. Therefore on 31 October, an entity reports reportable events that have occurred for the period from 1 April to 30 September with the month of October provided as a period to collate and provide the report to the Secretary.

 

Subregulation 3.48(2) also provides that, for the second reporting period, if a reportable event occurred after 1 October in a year, the due date for a report about the event is 30 April in the following year. Therefore on 30 April, an entity reports reportable events that have occurred for the period from 1 October of the preceding year to 31 March of the current year with the month of April provided as a period to collate and provide the report to the Secretary.

 

Regulation 3.49 Tier 2 agents—reporting period

 

This regulation deals with the reporting periods for entities that handle tier 2 agents. Subregulation 3.49(1) provides that the reporting period for a reportable event about a tier 2 agent commences on 1 April in a year and ends on 31 March in the following year.

 

Subregulation 3.49(2) provides that if a reportable event occurred after 1 April in a year, the due date for a report about the event would be 30 April in the following year. Therefore on 30 April, an entity reports reportable events that have occurred for the period from 1 April of the preceding year to 31 March of the current year with the month of April in that year provided as a grace period to provide the report to the Secretary.

 

Regulation 3.50 When entity must report

 

Subregulation 3.50(1) provides that an entity must report a reportable event mentioned in regulation 3.47. The reportable events concern details of an entity or of a facility of an entity.

 

Subregulation 3.50(2) provides for the due date for reporting an event that concerns an SSBA that is a tier 1 agent. The entity must report the event by 31 October in the year or 30 April in the following year depending on whether the event occurred during a first reporting period or a second reporting period.

 

Subregulation 3.50(3) provides that for an event that concerns an SSBA that is a tier 2 agent, the entity must report the event before the end of 30 April in the following year.

 

Subregulations 3.50(4) and (5) deal with a reportable event mentioned in paragraphs 3.47(a) or (b) which refer to reportable events that do not concern an SSBA. Those reportable events refer to changes to details of an entity or of a facility of the entity.

 

Subregulation 3.50(4) provides that if the entity handles a tier 1 agent (whether or not it also handles a tier 2 agent), a reportable event about changes to the details of the entity or of its facility is taken to be an event that concerns an SSBA that is a tier 1 agent. For example, an entity that handles both tier 1 and tier 2 agents and has changed its name, is required to report that change for the reporting period within either of the due dates, as applicable, provided in subregulations 3.48(2)(a) or 3.48(2)(b).

 

Subregulation 3.50(5) provides that a reportable event mentioned in regulation 3.47 is taken to be an event that concerns an SSBA that is a tier 2 agent if:

(a) the entity handles a tier 2 agent; and

(b) subregulation (4) does not apply to the entity.

This means that entities whose details change and who only handle tier 2 agents, would report those changes in accordance with regulation 3.49.

 

Subregulation 3.50(6) clarifies that entities need only provide a single report about reportable events for each reporting period.

 

Division 3.7 Miscellaneous

 

To monitor compliance with the regulatory scheme, the Secretary may appoint inspectors who are issued with an identity card. Subsection 64(2) of the Act provides that the identity card must be in the form prescribed by the regulations.

 

Regulation 3.70 Identity cards

 

This regulation provides for information that must be contained in an identity card issued to an inspector.

 

A note informs that paragraph 64(2)(b) of the Act provides that an identity card issued to an inspector must contain a recent photograph of the inspector.


Regulation 3.71 Confidentiality of information

 

Subsection 85(1) of the Act enables the Secretary to give a report to certain agencies so that they may be able to assess the security risks posed by an SSBA and take action in relation to those risks. For those purposes, paragraph 85(1)(a) enables regulations to prescribe intelligence agencies and paragraph 85(1)(b) enables regulations to prescribe law enforcement agencies.

 

Subregulation 3.71(1) provides that for paragraph 85(1)(a) of the Act, the Australian Security Intelligence Organisation is prescribed.

 

Subregulation 3.71(2) provides that for paragraph 85(1)(b) of the Act, the Australian Federal Police and the police force of each of the States and Territories is prescribed. A note informs that the Australian Federal Police operates the Australian Chemical, Biological, Radiological and Nuclear Data Centre.

 

Schedule 2 Amendments commencing on 1 July 2009

 

The operational details of these regulations rely on Parts 3 to 8 of the SSBA Standards which will commence on 1 July 2009.

 

The SSBA Standards were determined on 13 November 2008 by the Minister for Health and Ageing under section 35 of the Act. Part 1 of the SSBA Standards deals with the Scope and definitions, and Part 2 deals with Risk and Incident Management. Both of those Parts will commence on the date that Part 3 of the Act commences which has been fixed, by Proclamation, for 31 January 2009. Parts 3 to 8 of the SSBA Standards, which will commence on 1 July 2009, will deal with requirements for ensuring personnel, physical, information management, inactivation and decontamination, and transport security when handling, storing, disposing and transporting SSBAs.

 

Item [1] Regulation 1.03, after definition of Australian Quarantine and Inspection Service

 

This item inserts a definition of the term ‘sensitive information’ which is used in the regulations that deal with unauthorised access to sensitive information.

 

Item [2] After paragraph 3.01(d)

 

This item inserts paragraph (e) into regulation 3.01 (as inserted by Schedule 1 to the Regulations) which provides further particulars for the content of the National Register. Paragraph 3.01(e) refers to the contact details of a responsible officer and deputy of a facility of an entity, who are persons appointed under Part 8 of the SSBA Standards.

 

Item [3] Division 3.4 heading

 

This item substitutes a new heading to Division 3.4 of ‘Reportable events etc’ to include the reportable events that rely on the SSBA Standards for operational detail. This Division contains regulations in subdivisions 3.4.1 and 3.4.2 that deal with the reportable events provided by regulations that are made respectively under paragraphs 48(1)(g) and (1)(h) of the Act.


Division 3.4 Reportable events etc

 

Subdivision 3.4.1 Unauthorised access

 

Regulation 3.15 Unauthorised access

 

For paragraph 48(1)(g) of the Act, this regulation provides that a person’s access to an SSBA is unauthorised if the person enters a place where an SSBA is handled and subregulation 3.15(2) applies to that person. Subregulation 3.15(2) broadly applies if the person is not authorised or approved by the entity in accordance with Part 3 of the SSBA Standards, to enter the place.

 

Part 3 of the SSBA Standards deals with Personnel and requires persons to be authorised or approved by an entity to handle SSBAs, to access facilities where SSBAs are handled and to access sensitive information related to SSBAs.

 

Item [4] Regulation 3.16

 

Subdivision 3.4.2 Reportable events

 

This item substitutes a new regulation 3.16 to replace the one inserted by Schedule 1 to the Regulations, which provides that this Subdivision prescribes events to be reportable events.

 

Regulation 3.17 Transfer—SSBA successfully received

 

This regulation provides that an SSBA that has been successfully transferred is a reportable event for the receiving entity or the entity in relation to the other facility, if they have verified that the SSBA has been received in accordance with clause 6.5 of the SSBA Standards.

 

Clause 6.5 of the SSBA Standards requires the receiving facility to verify that the shipment of the SSBA has been successful. This will include verification that the complete shipment of the SSBA (quantity and type), as covered in the shipment documents, has been received; and there is no evidence of tampering of the shipping container.

 

A note informs that the event in paragraph (1)(b) is a reportable event for the entity that transfers an SSBA under paragraph 48(1)(e) of the Act.

 

Where a facility of an entity transfers an SSBA to another facility of the same entity, it is not intended that the successful transfers of SSBA should be reported by that entity in addition to reports by the facilities. In practice, a report provided by the receiving facility will satisfy the requirement that the event is to be reported by the entity mentioned in paragraph (2)(b). A report by the transferring facility will satisfy the requirement in paragraph 48(1)(e) of the Act.

 

Regulation 3.18 Unsuccessful transfer of SSBA

 

This regulation provides that if an SSBA has been unsuccessfully transferred and its receipt has not been verified in accordance with clause 6.5 of the SSBA Standards, it is a reportable event for the receiving entity, the other facility of the entity and the entity in relation to the facility from which the SSBA is transferred.


Clause 6.5 of the SSBA Standards requires the receiving facility to verify that the shipment of the SSBA has been successful. This will include verification that the complete shipment of the SSBA (quantity and type), as covered in the shipment documents, has been received; and there is no evidence of tampering of the shipping container.

 

Where a facility of an entity transfers an SSBA to another facility of the same entity, it is not intended that unsuccessful transfers of SSBA should be reported by that entity in addition to reports by the facilities. In practice, reports provided by the receiving facility and transferring facility will satisfy the requirements that the event is reported by the entity mentioned in subparagraphs (2)(b)(i) and (2)(b)(ii).

 

A note informs that subsection 42(1) of the Act imposes reporting obligations on an unregistered entity.

 

Regulation 3.19 Transfer—SSBA not received

 

This regulation provides for a reportable event where there has been a transfer of the SSBA and it is not received by the receiving entity or other facility at the time notified by the entity transferring the SSBA in accordance with clause 6.4 of the SSBA Standards.

 

Clause 6.4 of the SSBA Standards deals with the transport of SSBAs including verification and notification of the transfer. The sending (or transferring) facility is required to notify the receiving facility of the shipment details at the time of shipment.

 

A note informs that the event mentioned in paragraph (1)(d) is a reportable event for the entity that transfers an SSBA under paragraph 48(1)(f) of the Act. That provision refers to reportable events where the SSBA is lost or stolen.

 

Where a facility of an entity transfers an SSBA to another facility of the same entity, it is not intended that such transfers (where the SSBA is not received) should be reported by that entity in addition to a report by the receiving facility. In practice, a report provided by the receiving facility will satisfy the requirement that the event is to be reported by the entity mentioned in paragraph (2)(b).

 

A note informs readers that the event mentioned in paragraph (1)(d) is a reportable event for the entity that transfers an SSBA under paragraph 48(1)(f) of the Act. That provision refers to reportable events where the SSBA is lost or stolen.

 

Regulation 3.20 Unauthorised handling etc

 

This regulation provides for a reportable event by a registered entity where there has been an unauthorised handling of an SSBA by a person at a facility of the entity. Subregulation 3.20(2) broadly provides that the person’s handling of the SSBA at the facility was not authorised or approved if their handling was not in accordance with the authorisation or approval issued by the entity.

 

Part 3 of the SSBA Standards deals with Personnel and requires persons to be authorised or approved by an entity to handle SSBAs.

 


Regulation 3.21 Unauthorised access to sensitive information

 

This regulation provides for a reportable event by a registered entity where there has been unauthorised access to sensitive information. Subregulation 3.21(1) broadly provides that a person’s access to sensitive information is unauthorised if their access was not authorised by the entity or in accordance with the authorisation issued by the entity under Part 3 of the SSBA Standards.

 

Part 3 of the SSBA Standards deals with Personnel and requires persons who access sensitive information related to the SSBAs to be authorised or approved by the entity.

 

The term ‘sensitive information’, which is defined at regulation 1.03, includes matters in Part 5 of the SSBA Standards, which deals with Information Management. In particular, clause 5.3 requires the entity to identify sensitive information relating to the security of SSBAs.

 

Item [5] After regulation 3.22

 

This item inserts regulations 3.23 and 3.24 that deal with reportable events and rely, for operational detail, on Part 3 of the SSBA Standards which deals with unauthorised access.

 

Regulation 3.23 Attempt to access SSBA

 

Subregulation 3.23(1) provides for a reportable event by a registered entity if a person attempts to access an SSBA that the entity has been registered to handle, and the access is unauthorised. Subregulation 3.23(2) provides for a reportable event by a registered entity if a person attempts to handle an SSBA that the entity has been registered to handle, and the handling is unauthorised or not approved in accordance with Part 3 of the SSBA Standards.

 

A note refers to regulation 3.15 of Schedule 2 to the Regulations which provides for unauthorised access to an SSBA (by entry to a place where an SSBA is handled). Part 3 of the SSBA Standards deals with Personnel and requires persons to be authorised or approved by an entity to handle SSBAs, to access facilities where SSBAs are handled, and to access sensitive information related to SSBAs.

 

Regulation 3.24 Attempt to access sensitive information

 

This regulation provides for a reportable event by a registered entity if a person attempts to access sensitive information about an SSBA handled at the facility and that attempt is not authorised by the entity or is not in accordance with the authorisation that was issued by the entity.

Item [6] Subregulation 3.27(2)

 

This item substitutes new subregulation 3.27(2) of Schedule 1 to the Regulations, which includes additional specified changes to a facility or entity that are reportable events for a registered entity. Paragraphs (2)(b) to (2)(e) refer to the responsible officer and deputy, and their appointment. These persons are required to be appointed under Part 8 of the SSBA Standards, which deals with SSBA Management system requirements.

 

Item [7] Regulation 3.42

 

This item is a drafting device that rearranges regulation 3.42 of Schedule 1 to the Regulations into two subregulations.

 

Item [8] Regulation 3.42

 

This item inserts new subregulation 3.42(2) which provides that a receiving entity or the entity transferring an SSBA to another of its facilities is required to make a report about a reportable event mentioned in regulation 3.17 within 2 business days after verifying successful receipt of the SSBA. Regulation 3.17 of Schedule 1 to the Regulations refers to an SSBA that has been verified to be transferred successfully in accordance with clause 6.5 of the SSBA Standards.

 

Item [9] After regulation 3.42

 

This item inserts new regulation 3.43 that deals with the reporting time frame for a reportable event that relies on the SSBA Standards for operational detail.

 

Regulation 3.43 Unsuccessful transfer

 

This regulation provides that the reportable event mentioned in regulation 3.18 of Schedule 1 to the Regulations must be reported within 2 business days by each of the entities or facility in the circumstances set out in subparagraphs (a)(i) and (ii) and (b). Regulation 3.18 provides for a reportable event if there has been an unsuccessful transfer of an SSBA. A note informs that verification of a successful transport of an SSBA is provided for under clause 6.5 of the SSBA Standards.

 

Item [10] Regulation 3.44

 

This item substitutes a new regulation 3.44 to replace the one inserted by Schedule 1 to the Regulations. The new subregulation (1), which deals with reportable events relating to loss, theft and unauthorised access of SSBAs, includes reportable events that rely on the SSBA Standards for operational detail. Those new reportable events relate to unauthorised access to, or handling of, SSBAs, and a person’s attempts to access or handle SSBAs, which rely on an entity’s authorisation and approval of persons to handle SSBAs.

 

The new regulations include subregulation (2), which provides that the reportable event mentioned in regulation 3.19, which refers to an SSBA that is transferred and has not been received, must be reported within 2 business days by the receiving entity and the entity transferring the SSBA to another of its facilities, after each of them becomes aware that the SSBA has been lost in transit.

 

A note informs readers that an SSBA that an entity attempts to transfer, and that is subsequently lost in transit, is a reportable event by the entity transferring the SSBA under paragraph 48(1)(f) of the Act.

 

This item also inserts new regulation 3.45 to the Regulations. New regulation 3.45 sets out the reportable events relating to the particulars of responsible and deputy responsible officers which must be reported by an entity within 2 business days after the event takes place. Those persons are appointed under Part 8 of the SSBA Standards with their duties specified at Part 3.

 

Item [11] Paragraph 3.47(b)

 

This item inserts into paragraph 3.47(b) (after 1 July 2008) the new reference to 3.27(2)(a) which deals with details of a facility.


