PDF printable version of Fact Sheet 11 Upgrading a Facility from Tier 2 to Tier 1 SSBAs - September 2013 (PDF 357 KB)
Release Date: September 2013
Tier 1 security sensitive biological agents (SSBAs) are of the highest security concern and Tier 2 SSBAs are of high security concern. This fact sheet outlines the additional requirements for handling Tier 1 SSBAs if you are already registered for handling Tier 2 SSBAs. Refer to the National Health Security Act 2007, the National Health Security Regulations 2008 and the SSBA Standards for requirements that relate to both Tier 1 and Tier 2 SSBAs.
SSBA standards requirements
The clauses outlined below are requirements specific to handling Tier 1 SSBAs under the SSBA Standards.
Part 2 – Risk and incident management
Subclause 2.2.3 – Risk assessment process
A risk assessment and risk management plan must be undertaken and implemented for the Tier 1 SSBAs to be handled. As part of this assessment, a vulnerability analysis must be undertaken for all Tier 1 SSBAs. Vulnerability is defined as any weakness that can be exploited to make an asset susceptible to change. A vulnerability analysis is defined in the SSBA Standards as the determination of how each credible threat can be realised against a critical asset. Further information on the vulnerability analysis can be found under Clause 2.2.3 in the SSBA Standards.
Clause 2.5 – Review
Risk assessment and risk management plans must be reviewed every 12 months for risks involving Tier 1 SSBAs.
Part 3 – Personnel
Clause 3.4 – Approved Persons
Approved persons who will handle or who will have access to a facility that handles or has access to sensitive information about Tier 1 SSBAs, must be escorted by an authorised person at all times when in the facility or when handling or having access to Tier 1 SSBAs or sensitive information about Tier 1 SSBAs. Escorted is defined under the SSBA Standards as remaining in the line of sight of the authorised person at all times in the secure area or while having access to sensitive information.
Clause 3.6 – National Health Security (NHS) checks
The entity must apply to AusCheck for a National Health Security check for all persons who will be authorised persons handling Tier 1 SSBAs, accessing the facility where Tier 1 SSBAs are handled or accessing sensitive information relating to Tier 1 SSBAs. National Health Security checks are not required if the person currently holds a national security clearance of Negative Vetting Level 1, Negative Vetting Level 2 or Positive Vetting.
Clause 3.9.1 – Training and competency
Training for personnel handling Tier 1 SSBAs must include personal security awareness. Personal security is concerned with personnel during their off-duty hours. During this time personnel may be vulnerable due to their function or position. Personal security awareness should cover potential risks associated with their role and provide advice on how to handle and report situations of concern.
Competencies must be reviewed at least annually for all persons who handle a Tier 1 SSBA, have access to facility containing a Tier 1 SSBA or have access to sensitive information about Tier 1 SSBAs.
Part 4 – Physical Security
Clause 4.3 Physical access controls
Facilities handling Tier 1 SSBAs must:
- have two forms of access control before reaching a Tier 1 SSBA. One form of access control must be at the perimeter of the secure area and an additional access control must be in place to prevent physical access to the Tier 1 SSBA. This second control may be within the secure area, for example at the last physical barrier to the SSBA (e.g. at the freezer door)
- have effective measures to prevent tailgating
- The access control must record the identification of the person, the time and date of entry to the secure perimeter and to the secondary access control and the identification of the person, time and date of exit from the secure perimeter
- Access records must be maintained for six months
- access control systems must be tested every six months.
Part 4A – Storage
Clause 4.4 Storage of Tier 1 SSBAs
The entity must only store Tier 1 SSBAs within the secure perimeter (as defined under clause 4.2) of the registered facility.
top of page
Part 5 – Information management
Clause 5.2 – Record keeping
Records of all activities relating to the SSBA Standards must be maintained for a minimum of five years for Tier 1 SSBAs (unless otherwise specified in the Standards).
Clause 5.3 – Information security
Permissions regarding who is able to access sensitive information relating to Tier 1 SSBAs must be reviewed every six months. Sensitive information relating to Tier 1 SSBAs must be stored on a secure system and backed-up regularly.
Part 8 – SSBA management system requirements
Subclause 8.4.3 – Internal inspection
Entities handling Tier 1 SSBAs must conduct internal inspections at planned intervals of no more than six months.
How to register to handle Tier 1 SSBAs
Before receiving a Tier 1 SSBA, the entity should ensure that the facility meets the Tier 1 requirements in the SSBA Standards. If the facility has received a Tier 1 SSBA and is not compliant with the SSBA Standards, the facility must dispose of the SSBA and report the transfer or destruction to the Department of Health (Health).
Once the facility is compliant with the SSBA Standards, Tier 1 SSBAs may be transferred into the facility. The facility has two business days after the transfer of the new SSBA, in which to report to Health using a Start to Handle New SSBA form.
top of page