National Health Security Amendment Regulations 2008 (No. )

Schedule 1 Amendments commencing on commencement of Part 3 of National Health Security Act 2007

(regulation 3)

[1] Regulation 1, heading

substitute

Part 1 Preliminary

1.01 Name of Regulations

[2] Regulation 2

Renumber as regulation 1.02

[3] Regulation 3, heading

substitute

1.03 Definitions

[4] Regulation 3, after definition of Act

insert

Australian Quarantine and Inspection Service means the operating group within the Department that is responsible for administration of the Quarantine Act 1908.

[5] Regulation 4, heading

substitute

Part 2 Public health surveillance

2.01 Prescribed intelligence agencies

[6] After Part 2

insert

Part 3 Regulation of security‑sensitive biological agents

Division 3.1 National Register

3.01 Content of National Register

For paragraph 37 (f) of the Act, the following particulars are prescribed:

(a) if an entity is located in a place other than a facility where the entity handles security‑sensitive biological agents:

(i) the address of the place at which the entity is located; and

(ii) the entity’s postal address;

(b) the entity’s contact telephone number, fax number and email address;

(d) for each facility of the entity:

(i) the geographic coordinates of the facility, expressed in terms of the Geocentric Datum of Australia 1994; and

(ii) the fax number;

(f) if the Secretary decides to vary the National Register temporarily to take account of a reportable event mentioned in paragraph 48 (1) (a) or subparagraph 48 (1) (d) (i) of the Act — a statement to that effect.

(g) if the Secretary decides to vary the National Register to take account of a reportable event for the entity under subsection 49 (1) of the Act — details of the reportable event;

Note The Geocentric Datum of Australia 1994 was published in Gazette No. GN35 of 6 September 1995.

Division 3.2 Exempt entities

3.02 Application of Division 3.2

For paragraph 40 (1) (b) of the Act, this Division prescribes entities to be exempt entities.

3.03 Law enforcement agencies

(1) A law enforcement agency that handles a security‑sensitive biological agent is an exempt entity if it handles a security‑sensitive biological agent in the course of carrying out a function under a law of the Commonwealth, or of a State or Territory.

(2) However, the law enforcement agency is not an exempt entity if it handles the security‑sensitive biological agent for the purpose of using it as a control sample for testing or carrying out diagnostic analysis.

(3) In this regulation:

law enforcement agency means:

(a) the Australian Federal Police; or

(b) a police force of a State or Territory; or

(d) the Australian Quarantine and Inspection Service.

3.04 Depot or warehouse licence holders

An entity that handles a security‑sensitive biological agent is an exempt entity if the entity:

(a) holds either a depot licence under section 77G of the Customs Act 1901 or a warehouse licence under section 79 of that Act; and

(b) handles the security‑sensitive biological agent in accordance with the licence.

3.05 Disease or injury

(1) A person who suffers an occurrence of disease or injury from a security‑sensitive biological agent is an exempt entity while suffering the disease or injury.

(2) An entity is an exempt entity if:

(a) the entity destroys an animal that is suffering from an occurrence of disease or injury from a security‑sensitive biological agent; and

(b) the entity’s destruction of the animal is carried out because of the disease or injury.

3.06 Treatment of disease or injury

An entity is an exempt entity if:

(a) the entity provides treatment to a person or to an animal for an occurrence of disease or injury from a security‑sensitive biological agent; and

(b) the entity handles the security‑sensitive biological agent:

(i) while the security‑sensitive biological agent is in the body of the person or the animal; or

(ii) while taking a sample from the person or the animal for the purposes of the treatment.

Division 3.4 Reportable events

3.16 Application of Division 3.4

For paragraph 48 (1) (h) of the Act, this Division prescribes events to be reportable events.

3.22 Attempt to steal SSBA

It is a reportable event for a registered entity if there has been an attempted theft, at a facility of the entity, of a security‑sensitive biological agent that the entity handles at the facility.

3.25 Accidental release of SSBA

It is a reportable event for a registered entity if:

(a) a security‑sensitive biological agent is included on the National Register in relation to the entity and a facility; and

(b) the security‑sensitive biological agent is accidentally released during its handling by a person at the facility.

3.26 Infection of a person

It is a reportable event for a registered entity if:

(a) a security‑sensitive biological agent is included on the National Register in relation to the entity and a facility; and

(b) a person who has been to the facility suffers an occurrence of disease, is injured, or dies, as a result of the entity’s handling of the security‑sensitive biological agent at the facility.

3.27 Change in particulars

(1) It is a reportable event for a registered entity if there are any of the following changes:

(a) a change to the entity’s name;

(b) if the entity is located in a place other than a facility where the entity handles a security‑sensitive biological agent:

(i) a change to the location of the entity; or

(ii) a change to the entity’s postal address;

(d) a change to the entity’s ABN, ACN or ARBN.

(2) It is a reportable event for a registered entity if there is a change to the name, location or fax number of a facility of the entity.

Division 3.5 Requirement to report changes

Subdivision 3.5.1 Preliminary

3.40 Application of Division 3.5

For subsection 48 (3) of the Act, this Division prescribes the period within which a report about a reportable event must be given by an entity to the Secretary.

Subdivision 3.5.2 Reporting events as they occur

3.41 Handling SSBA

(1) An entity must report the following reportable events within 2 business days after the entity starts to handle the security‑sensitive biological agent:

(a) a reportable event mentioned in paragraph 48 (1) (a) of the Act (entity starts to handle a security‑sensitive biological agent);

(b) a reportable event mentioned in subparagraph 48 (1) (d) (i) of the Act (entity starts to handle a security‑sensitive biological agent for a purpose not specified in the National Register).

(2) An entity must report a reportable event mentioned in subparagraph 48 (1) (d) (ii) of the Act (entity stops handling a security‑sensitive biological agent for a purpose specified in the National Register) within 2 business days after the entity stops handling the security‑sensitive biological agent.

3.42 Transfer or disposal of SSBA

An entity must report the following reportable events within 2 business days after the event takes place:

(a) a reportable event mentioned in paragraph 48 (1) (b) of the Act (entity disposes of its entire holdings of a security‑sensitive biological agent);

(b) a reportable event mentioned in paragraph 48 (1) (c) of the Act (disposal of toxins resulting in less than a reportable quantity);

(c) a reportable event mentioned in paragraph 48 (1) (e) of the Act (entity transfers a security‑sensitive biological agent).

3.44 Loss, theft and unauthorised access etc

An entity must report the following reportable events within 2 business days after the entity becomes aware of the event:

(a) a reportable event mentioned in paragraph 48 (1) (f) of the Act (security‑sensitive biological agent is lost or stolen);

(e) a reportable event mentioned in regulation 3.22 (attempted theft of a security‑sensitive biological agent);

(i) a reportable event mentioned in regulation 3.25 (accidental release of a security‑sensitive biological agent);

(j) a reportable event mentioned in regulation 3.26 (person suffers an occurrence of disease, is injured, or dies).

Subdivision 3.5.3 Reporting events for a period

3.46 Definitions

(1) In this Subdivision:

year means a calendar year.

(2) A tier 1 agent is a security‑sensitive biological agent that is identified as being a tier 1 agent in the List of Security‑sensitive Biological Agents.

(3) A tier 2 agent is a security‑sensitive biological agent that, after 31 January 2010, is identified as being a tier 2 agent in the List of Security‑sensitive Biological Agents.

3.47 Reportable events to which this Subdivision applies

The following are the reportable events to which this Subdivision applies:

(a) a reportable event mentioned in subregulation 3.27 (1) (details of an entity);

(b) a reportable event mentioned in subregulation 3.27 (2) (details of a facility of an entity).

3.48 Tier 1 agents — reporting periods

(1) The reporting periods for reportable events about tier 1 agents are as follows:

(a) the period commencing on 1 April in a year and ending on 30 September in the year (the first reporting period);

(b) the period commencing on 1 October in a year and ending on 31 March in the following year (the second reporting period).

(2) The due date for a report about a reportable event is:

(a) for a reportable event that occurs in the first reporting period — 31 October in the year when the first reporting period ends; or

(b) for a reportable event that occurs in the second reporting period — 30 April in the year when the second reporting period ends.

3.49 Tier 2 agents — reporting period

(1) The reporting period for a reportable event about a tier 2 agent:

(a) commences on 1 April in a year; and

(b) ends on 31 March in the following year.

(2) The due date for a report about a reportable event is 30 April in the year when the reporting period ends.

3.50 When entity must report

(1) An entity must report a reportable event mentioned in regulation 3.47.

(2) For an event that concerns a security‑sensitive biological agent that is a tier 1 agent, the entity must report the event:

(a) if it occurs during a first reporting period — before the end of the day described as the due date in paragraph 3.48 (2) (a); or

(b) if it occurs during a second reporting period — before the end of the day described as the due date in paragraph 3.48 (2) (b).

(3) For an event that concerns a security‑sensitive biological agent that is a tier 2 agent, the entity must report the event before the end of the day described as the due date in subregulation 3.49 (2).

(4) If the entity handles a tier 1 agent (whether or not it also handles a tier 2 agent), a reportable event mentioned in regulation 3.47 is taken to be an event that concerns a security‑sensitive biological agent that is a tier 1 agent.

(5) A reportable event mentioned in regulation 3.47 is taken to be an event that concerns a security‑sensitive biological agent that is a tier 2 agent if:

(a) the entity handles a tier 2 agent; and

(b) subregulation (4) does not apply to the entity.

(6) An entity must submit a single report to the Secretary for:

(a) a first reporting period that applies to the entity under paragraph (2) (a); or

(b) a second reporting period that applies to the entity under paragraph (2) (b); or

Division 3.7 Miscellaneous

3.70 Identity cards

For paragraph 64 (2) (a) of the Act, an identity card issued to an inspector must be in a form that contains the following information:

(a) the full name of the inspector;

(b) a statement that the person to whom the card is issued is appointed under subsection 63 (1) of the Act;

(c) for the photograph required under paragraph 64 (2) (b) of the Act, an image showing the inspector’s full face, head and shoulders;

(d) the date the card was issued;

(e) the date the card expires.

Note Paragraph 64 (2) (b) of the Act provides that an identity card issued to an inspector must contain a recent photograph of the inspector.

3.71 Confidentiality of information

Intelligence agency

(1) For paragraph 85 (1) (a) of the Act, the Australian Security Intelligence Organisation is prescribed.

Law enforcement agencies

(2) For paragraph 85 (1) (b) of the Act, the following agencies are prescribed:

(a) the Australian Federal Police;

(b) the police force of each of the States and Territories.

Note The Australian Federal Police operates the Australian Chemical, Biological, Radiological and Nuclear Data Centre.

Schedule 2 Amendments commencing on 1 July 2009

(regulation 3)

[1] Regulation 1.03, after definition of Australian Quarantine and Inspection Service

insert

sensitive information, for a security‑sensitive biological agent an entity handles at a facility, means any of the following:

(a) the entity’s storage records for the security‑sensitive biological agent handled at the facility;

(b) an entity’s risk assessment plan for the security‑sensitive biological agent handled at the facility;

(d) any other information that the entity identifies as being sensitive information under clause 5.3 of the SSBA Standards because it could compromise the security of the security‑sensitive biological agent handled at the facility.

[2] After paragraph 3.01 (d)

insert

(e) for each facility of the entity — the name, contact telephone number, after hours contact telephone number, and email address at the facility, of:

(i) the person who is the responsible officer (within the meaning of the SSBA Standards) for the facility; and

(ii) the person who is the deputy responsible officer (within the meaning of the SSBA Standards) for the facility;

[3] Division 3.4, heading

substitute

Division 3.4 Reportable events etc

Subdivision 3.4.1 Unauthorised access

3.15 Unauthorised access

(1) For paragraph 48 (1) (g) of the Act, access to a security‑sensitive biological agent is unauthorised if:

(a) a person at a facility of a registered entity enters a place where a security‑sensitive biological agent is handled; and

(b) subregulation (2) applies to the person.

(2) This subregulation applies if:

(a) the person is:

(i) not authorised by the entity, in accordance with Part 3 of the SSBA Standards, to enter the place; or

(ii) not approved by the entity, in accordance with Part 3 of the SSBA Standards, to enter the place; or

(b) if the person holds an authorisation, issued by the entity under Part 3 of the SSBA Standards, to enter the place — the person enters the place not in accordance with the authorisation; or

(c) if the person holds an approval, issued by the entity under Part 3 of the SSBA Standards, to enter the place — the person enters the place not in accordance with the approval.

[4] Regulation 3.16

substitute

Subdivision 3.4.2 Reportable events

3.16 Application of Subdivision 3.4.2

For paragraph 48 (1) (h) of the Act, this Subdivision prescribes events to be reportable events.

3.17 Transfer — SSBA successfully received

(1) Subregulation (2) applies if:

(a) an entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and

(b) the entity transfers the security‑sensitive biological agent to:

(i) another facility of the entity; or

(ii) another registered entity (the receiving entity); and

(c) the receiving entity, or the entity in relation to its other facility, verifies, in accordance with clause 6.5 of the SSBA Standards, that the security‑sensitive biological agent has been received by the receiving entity or at the other facility.

(2) The event mentioned in paragraph (1) (c) is a reportable event for:

(a) if the security‑sensitive biological agent is transferred to another entity — the receiving entity; or

(b) if the security‑sensitive biological agent is transferred to another facility of the entity — the entity in relation to the other facility.

Note The event mentioned in paragraph (1) (b) is a reportable event, for the entity that transfers a security‑sensitive biological agent, under paragraph 48 (1) (e) of the Act.

3.18 Unsuccessful transfer of SSBA

(1) Subregulation (2) applies if:

(a) an entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and

(b) the entity enters into an arrangement:

(i) for another facility of the entity; or

(ii) with another entity (whether or not registered) (the receiving entity); and

(c) the arrangement concerns the transfer of the security‑sensitive biological agent to the receiving entity or the other facility; and

(d) the receiving entity, or the entity in relation to its other facility, is unable to verify, in accordance with clause 6.5 of the SSBA Standards, that the transport to it of the security‑sensitive biological agent is successful.

(2) The event mentioned in paragraph (1) (d) is a reportable event for:

(a) if the security‑sensitive biological agent is being transferred to another entity and that entity is registered — the receiving entity; or

(b) if the security‑sensitive biological agent is being transferred to another of the entity’s facilities:

(i) the entity in relation to its other facility; and

(ii) the entity in relation to the facility from which the security‑sensitive biological agent is transferred.

Note For the obligations of an unregistered entity, see subsection 42 (1) of the Act.

3.19 Transfer — SSBA not received

(1) Subregulation (2) applies if:

(a) an entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and

(b) the entity enters into an arrangement:

(i) for another facility of the entity; or

(ii) with another registered entity (the receiving entity); and

(c) the arrangement concerns the transfer of the security‑sensitive biological agent to the receiving entity or the other facility; and

(d) the security‑sensitive biological agent is not received by the receiving entity or at the other facility at the time notified, in accordance with clause 6.4 of the SSBA Standards, by the entity transferring the security‑sensitive biological agent.

(2) The event mentioned in paragraph (1) (d) is a reportable event for:

(a) if the security‑sensitive biological agent is being transferred to another entity — the receiving entity; or

(b) if the security‑sensitive biological agent is being transferred to another of the entity’s facilities — the entity in relation to the other facility of the entity.

Note The event mentioned in paragraph (1) (d) is a reportable event, for the entity that transfers a security‑sensitive biological agent, under paragraph 48 (1) (f) of the Act.

3.20 Unauthorised handling etc

(1) It is a reportable event for a registered entity if:

(a) a person at a facility of the entity handles a security‑sensitive biological agent that is included on the National Register in relation to the entity and that facility; and

(b) subregulation (2) applies to the person.

(2) This subregulation applies if:

(a) the person is:

(i) not authorised by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; or

(ii) not approved by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; or

(b) if the person holds an authorisation, issued by the entity under Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility — the person handles the security‑sensitive biological agent not in accordance with the authorisation; or

(c) if the person holds an approval, issued by the entity under Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility — the person handles the security‑sensitive biological agent not in accordance with the approval.

3.21 Unauthorised access to sensitive information

It is a reportable event for a registered entity if:

(a) a person at a facility of the entity accesses information about a security‑sensitive biological agent handled by the entity at the facility; and

(b) the information is sensitive information; and

(i) is not authorised by the entity, in accordance with Part 3 of the SSBA Standards, to access the information; or

(ii) if the person holds an authorisation, issued by the entity under Part 3 of the SSBA Standards, to access the information — accesses the information not in accordance with the authorisation.

Note Sensitive information is defined in regulation 1.03.

[5] After regulation 3.22

insert

3.23 Attempt to access or handle SSBA

(1) It is a reportable event for a registered entity if:

(a) a person attempts to access a security‑sensitive biological agent that the entity handles at a facility; and

(b) access to the security‑sensitive biological agent by the person at the facility is unauthorised.

Note See regulation 3.15 for when access to a security‑sensitive biological agent is unauthorised.

(2) It is a reportable event for a registered entity if:

(a) a person attempts to handle a security‑sensitive biological agent that the entity handles at a facility; and

(b) subregulation (3) applies to the person.

(3) This subregulation applies if:

(a) the person is:

(i) not authorised by the entity in accordance with Part 3 of the SSBA Standards; or

(ii) not approved by the entity in accordance with Part 3 of the SSBA Standards; or

(b) if handling by the person is authorised by the entity under Part 3 of the SSBA Standards — the person’s attempt is not in accordance with the authorisation; or

(c) if handling by the person is approved by the entity under Part 3 of the SSBA Standards — the person’s attempt is not in accordance with the approval.

3.24 Attempt to access sensitive information

It is a reportable event for a registered entity if:

(a) a person attempts to access sensitive information about a security‑sensitive biological agent handled by the entity at a facility; and

(b) access to the information by the person at the facility is:

(i) not authorised by the entity in accordance with Part 3 of the SSBA Standards; or

(ii) if the person holds an authorisation, issued by the entity under Part 3 of the SSBA Standards, to access the information — attempted by the person not in accordance with the authorisation.

[6] Subregulation 3.27 (2)

substitute

(2) It is a reportable event for a registered entity if there are any of the following changes for a facility of the entity:

(a) a change to the name, location or fax number of the facility;

(b) a change to the contact telephone number, after hours contact telephone number, or email address at the facility, of the responsible officer or the deputy responsible officer;

(d) a person who is the deputy responsible officer for the facility ceases to be the deputy responsible officer;

(e) the appointment of a person as the responsible officer or the deputy responsible officer for the facility.

[7] Regulation 3.42

omit

insert

(1) An

[8] Regulation 3.42

insert

(2) An entity must report a reportable event mentioned in regulation 3.17 (transferred security‑sensitive biological agent received) within 2 business days:

(a) for the receiving entity — after the entity verifies that it has received the security‑sensitive biological agent; and

(b) for the entity transferring a security‑sensitive biological agent to another of its facilities — after the entity verifies, at the facility, that it has received the security‑sensitive biological agent.

[9] After regulation 3.42

insert

3.43 Unsuccessful transfer

An entity must report a reportable event mentioned in regulation 3.18 (unsuccessful transfer of a security‑sensitive biological agent) within 2 business days:

(a) for the entity transferring the security‑sensitive biological agent:

(i) after the entity becomes aware that the receiving entity is unable to verify that the transport to it of a security‑sensitive biological agent is successful; and

(ii) if the entity is transferring the security‑sensitive biological agent to another of its facilities — after it is unable to verify at the facility that the transport of the security‑sensitive biological agent is successful; and

(b) for the receiving entity — after the entity is unable to verify that the transport to it of a security‑sensitive biological agent is successful.

Note Verification, of a successful transport of a security‑sensitive biological agent, is provided for under clause 6.5 of the SSBA Standards: see paragraph 3.18 (1) (d).

[10] Regulation 3.44

substitute

3.44 Loss, theft and unauthorised access etc

(1) An entity must report the following reportable events within 2 business days after the entity becomes aware of the event:

(a) a reportable event mentioned in paragraph 48 (1) (f) of the Act (security‑sensitive biological agent is lost or stolen);

(b) a reportable event mentioned in paragraph 48 (1) (g) of the Act (unauthorised access to a security‑sensitive biological agent);

(d) a reportable event mentioned in regulation 3.21 (unauthorised access to sensitive information);

(e) a reportable event mentioned in regulation 3.22 (attempted theft of a security‑sensitive biological agent);

(f) a reportable event mentioned in subregulation 3.23 (1) (attempt to access a security‑sensitive biological agent);

(g) a reportable event mentioned in subregulation 3.23 (2) (attempt to handle a security‑sensitive biological agent);

(h) a reportable event mentioned in regulation 3.24 (attempt to access sensitive information);

(i) a reportable event mentioned in regulation 3.25 (accidental release of a security‑sensitive biological agent);

(j) a reportable event mentioned in regulation 3.26 (person suffers an occurrence of disease, is injured, or dies).

(2) An entity must report a reportable event mentioned in regulation 3.19 (transferred security‑sensitive biological agent not received) within 2 business days:

(a) for the receiving entity — after the entity becomes aware that the transferred security‑sensitive biological agent is lost in transit; or

(b) for the entity transferring the security‑sensitive biological agent:

(i) after the entity becomes aware that the security‑sensitive biological agent transported to another entity is lost in transit; and

(ii) if the entity is transferring the security‑sensitive biological agent to another of its facilities — after the entity becomes aware, at the facility, that the security‑sensitive biological agent is lost in transit.

Note A security‑sensitive biological agent that an entity attempts to transfer, and that is subsequently lost in transit, is reportable by the entity transferring the security‑sensitive biological agent under paragraph 48 (1) (f) of the Act.

3.45 Particulars — responsible officer and deputy responsible officer

An entity must report the following reportable events within 2 business days after the event takes place:

(a) a reportable event mentioned in paragraph 3.27 (2) (b) (change in contact details of the responsible officer and deputy responsible officer);

(b) a reportable event mentioned in paragraph 3.27 (2) (c) (person ceases to be the responsible officer);

(d) a reportable event mentioned in paragraph 3.27 (2) (e) (appointment of a responsible officer or deputy responsible officer).

[11] Paragraph 3.47 (b)

omit

subregulation 3.27 (2)

insert

paragraph 3.27 (2) (a)