Part 1—Preliminary
1 Name
This instrument is the National Health Security Regulations 2018.
2 Commencement
(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
| Commencement information |
| Column 1 | Column 2 | Column 3 |
| Provisions | Commencement | Date/Details |
| 1. The whole of this instrument | The day after this instrument is registered. | 1 September 2018 |
Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.
(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.
3 Authority
This instrument is made under the National Health Security Act 2007.
4 Schedules
Each instrument that is specified in a Schedule to this instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this instrument has effect according to its terms.
5 Definitions
Note: A number of expressions used in this instrument are defined in the Act, including the following:
(a) entity;
(b) facility;
(c) handling;
(d) registered entity;
(e) security‑sensitive biological agent;
(f) SSBA;
(g) SSBA Standards.
In this instrument:
ABN has the same meaning as in the A New Tax System (Australian Business Number) Act 1999.
Note: ABN is short for Australian Business Number.
ACN has the same meaning as in the Corporations Act 2001.
Note: ACN is short for Australian Company Number.
Act means the National Health Security Act 2007.
affected: the body of a person or animal is affected by a security‑sensitive biological agent if the security‑sensitive biological agent has been introduced into the body.
ARBN has the same meaning as in the Corporations Act 2001.
Note: ARBN is short for Australian Registered Body Number.
Deputy Responsible Officer has the same meaning as in the SSBA Standards.
Geocentric Datum of Australia 1994 means the Geocentric Datum of Australia as defined in Gazette No. GN 35 of 6 September 1995, as existing when this instrument commences.
law enforcement agency has the meaning given by subsection 9(2).
Responsible Officer has the same meaning as in the SSBA Standards.
sensitive information, in relation to a security‑sensitive biological agent that an entity handles at a facility, means any of the following:
(a) the entity’s storage records for the agent;
(b) the entity’s risk assessment plan for the agent;
(c) the entity’s risk management plan for the agent;
(d) any information:
(i) that the entity holds; and
(ii) disclosure of which could compromise the security of the agent.
Part 2—Public health surveillance
6 Prescribed intelligence agencies
For the purposes of paragraph 23(2)(b) of the Act, each of the following intelligence agencies is prescribed:
(a) the Australian Federal Police;
(b) the Australian Security Intelligence Organisation.
Part 3—Regulation of security‑sensitive biological agents
Division 1—The National Register
7 Content of National Register
For the purposes of paragraph 37(f) of the Act, the following particulars are prescribed in relation to an entity:
(a) if the entity’s head office is located at a place other than a facility where the entity handles security‑sensitive biological agents:
(i) the address of the entity’s head office; and
(ii) the entity’s postal address;
(b) the entity’s telephone number, fax number and email address;
(c) if the entity has an ABN, ACN or ARBN—those details;
(d) for each facility where the entity handles security‑sensitive biological agents:
(i) the geographic coordinates of the facility, expressed in terms of the Geocentric Datum of Australia 1994; and
(ii) the fax number of the facility; and
(iii) the name, telephone number, after hours telephone number and email address of the Responsible Officer for the facility; and
(iv) the name, telephone number, after hours telephone number and email address of the Deputy Responsible Officer for the facility;
(e) if the Secretary decides under section 49 of the Act to vary the National Register to take account of a reportable event in relation to the entity—details of the reportable event;
(f) if the Secretary decides under subsection 52(2) of the Act to vary the National Register on a temporary basis to take account of a reportable event in relation to the entity:
(i) details of the reportable event; and
(ii) a statement that the variation is temporary.
Division 2—Exempt entities
8 Purposes of this Division
For the purposes of paragraph 40(1)(b) of the Act, this Division prescribes entities to be exempt entities.
9 Law enforcement agencies
(1) A law enforcement agency is an exempt entity in relation to a security‑sensitive biological agent if the agency:
(a) handles the security‑sensitive biological agent only in the course of carrying out a function of the agency under a law of the Commonwealth, or of a State or Territory; and
(b) does not handle the security‑sensitive biological agent for the purpose of using it as a control sample for testing or carrying out diagnostic analysis.
(2) Each of the following is a law enforcement agency:
(a) the Australian Federal Police;
(b) a police force of a State or Territory;
(c) the Department administered by the Minister administering Part 1 of Chapter 8 of the Biosecurity Act 2015;
(d) the Department administered by the Minister administering Part XII of the Customs Act 1901.
10 Depot and warehouse licence holders
(1) An entity that holds:
(a) a depot licence (within the meaning of Part IVA of the Customs Act 1901); or
(b) a warehouse licence (within the meaning of Part V of that Act);
is an exempt entity in relation to a security‑sensitive biological agent if the entity handles the security‑sensitive biological agent only in accordance with the licence.
(2) An entity that is permitted or required to do something under:
(a) paragraphs 77VA(2)(a) to (d) of the Customs Act 1901; or
(b) paragraphs 86(7)(a) to (d) of that Act;
is an exempt entity in relation to a security‑sensitive biological agent if the entity handles the security‑sensitive biological agent only in accordance with that permission or requirement.
11 Persons and animals affected by security‑sensitive biological agents
Persons affected by security‑sensitive biological agents
(1) A person who is affected by a security‑sensitive biological agent is an exempt entity in relation to that security‑sensitive biological agent while the person is affected by it.
Providing treatment to affected persons or animals
(2) An entity that provides treatment to a person or animal is an exempt entity in relation to a security‑sensitive biological agent if:
(a) the person or animal is or has been affected by the security‑sensitive biological agent; and
(b) the entity handles the security‑sensitive biological agent only while:
(i) the security‑sensitive biological agent is in the body of the person or animal; or
(ii) taking a sample from the person or animal for the purposes of the treatment.
Destroying affected animals
(3) An entity that destroys an animal is an exempt entity in relation to a security‑sensitive biological agent if:
(a) the animal is affected by the security‑sensitive biological agent; and
(b) the entity destroys the animal because the animal is affected by the security‑sensitive biological agent; and
(c) the entity handles the security‑sensitive biological agent only in the course of destroying the animal.
Handling of bodies of affected deceased persons
(4) An entity that has the function of:
(a) examining, identifying, storing, transporting, burying or cremating the bodies of deceased persons; or
(b) preparing the bodies of deceased persons for burial or cremation;
is an exempt entity in relation to a security‑sensitive biological agent if:
(c) a deceased person was affected by the security‑sensitive biological agent before the person’s death; and
(d) the entity handles the security‑sensitive biological agent only in the course of carrying out a function mentioned in paragraph (a) or (b) in relation to the person’s body.
12 Handling of mice to test for botulinum toxin
An entity that has the function of handling mice to test for the presence of botulinum toxin is an exempt entity in relation to botulinum toxin if the entity:
(a) handles the botulinum toxin only in the course of carrying out that function; and
(b) does not handle the botulinum toxin for the purpose of using it as a control sample for testing or carrying out diagnostic analysis.
Division 3—Reportable events for registered entities
Subdivision A—Unauthorised access
13 Unauthorised access
(1) This section applies if:
(a) a security‑sensitive biological agent is included in the National Register in relation to an entity and a facility; and
(b) a person at the facility enters a place where the security‑sensitive biological agent is handled.
(2) For the purposes of paragraph 48(1)(g) of the Act, access by the person to the security‑sensitive biological agent at that place is unauthorised if:
(a) the person is neither:
(i) authorised by the entity, in accordance with Part 3 of the SSBA Standards, to enter the place; nor
(ii) approved by the entity, in accordance with Part 3 of the SSBA Standards, to enter the place; or
(b) the person is so authorised or approved, but the person enters the place other than in accordance with the authorisation or approval.
Subdivision B—Other reportable events
14 Purposes of this Subdivision
For the purposes of paragraph 48(1)(h) of the Act, this Subdivision prescribes events in relation to registered entities.
15 Transfers of SSBAs—successful transfers
Transfers to other facilities of same entity
(1) Subregulation (2) applies if:
(a) a registered entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and
(b) the entity transfers the security‑sensitive biological agent from the facility to another facility of the entity; and
(c) the security‑sensitive biological agent is received at the other facility; and
(d) the entity verifies, in accordance with Part 6 of the SSBA Standards, that the transport of the security‑sensitive biological agent to the other facility was successful.
(2) The event mentioned in paragraph (1)(d) is a reportable event for the entity.
Note: The event mentioned in paragraph (1)(b) is a reportable event for the entity under subparagraph 48(1)(e)(ii) of the Act.
Transfers to facilities of other entities
(3) Subregulation (4) applies if:
(a) a registered entity (the sending entity) is included on the National Register in relation to a facility (the sending facility) and a security‑sensitive biological agent; and
(b) another registered entity (the receiving entity) is included on the National Register in relation to another facility (the receiving facility) and the same security‑sensitive biological agent; and
(c) the sending entity transfers the security‑sensitive biological agent from the sending facility to the receiving facility; and
(d) the security‑sensitive biological agent is received at the receiving facility; and
(e) the receiving entity verifies, in accordance with Part 6 of the SSBA Standards, that the transport of the security‑sensitive biological agent to the receiving facility was successful.
(4) The event mentioned in paragraph (3)(e) is a reportable event for the receiving entity.
Note: The event mentioned in paragraph (3)(c) is a reportable event for the sending entity under subparagraph 48(1)(e)(i) of the Act.
16 Transfers of SSBAs—unsuccessful transfers
Transfers to other facilities of same entity
(1) Subregulation (2) applies if:
(a) a registered entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and
(b) the entity transfers the security‑sensitive biological agent from the facility to another facility of the entity; and
(c) the security‑sensitive biological agent is received at the other facility; and
(d) the entity is unable to verify, in accordance with Part 6 of the SSBA Standards, that the transport of the security‑sensitive biological agent to the other facility was successful.
(2) The event mentioned in paragraph (1)(d) is a reportable event for the entity.
Note: The event mentioned in paragraph (1)(b) is a reportable event for the entity under subparagraph 48(1)(e)(ii) of the Act.
Transfers to facilities of other entities
(3) Subregulation (4) applies if:
(a) a registered entity (the sending entity) is included on the National Register in relation to a facility (the sending facility) and a security‑sensitive biological agent; and
(b) another registered entity (the receiving entity) is included on the National Register in relation to another facility (the receiving facility) and the same security‑sensitive biological agent; and
(c) the sending entity transfers the security‑sensitive biological agent from the sending facility to the receiving facility; and
(d) the security‑sensitive biological agent is received at the receiving facility; and
(e) the receiving entity is unable to verify, in accordance with Part 6 of the SSBA Standards, that the transport of the security‑sensitive biological to the receiving facility was successful.
(4) The event mentioned in paragraph (3)(e) is a reportable event for the receiving entity.
Note: The event mentioned in paragraph (3)(c) is a reportable event for the sending entity under subparagraph 48(1)(e)(i) of the Act.
17 Transfers of SSBAs—SSBAs not received by expected time of delivery
Transfers to other facilities of same entity
(1) Subregulation (2) applies if:
(a) a registered entity is included on the National Register in relation to a facility and a security‑sensitive biological agent; and
(b) the entity arranges for the transfer of the security‑sensitive biological agent from the facility to another facility of the entity; and
(c) the entity notifies the other facility, in accordance with Part 6 of the SSBA Standards, of the expected time of delivery of the security‑sensitive biological agent to the other facility; and
(d) the security‑sensitive biological agent is not received at the other facility by the notified expected time of delivery.
(2) The event mentioned in paragraph (1)(d) is a reportable event for the entity.
Note 1: Transferring the security‑sensitive biological agent is a reportable event for the entity under subparagraph 48(1)(e)(ii) of the Act.
Note 2: Loss or theft of the security‑sensitive biological agent is a reportable event for the entity under paragraph 48(1)(f) of the Act.
(3) Subsection (2) does not apply if:
(a) the security‑sensitive agent is received at the other facility within 2 business days after the notified expected time of delivery; and
(b) at all times between the notified expected time of delivery and the receiving of the security‑sensitive biological agent, the entity knows that the security‑sensitive biological agent is not lost or stolen.
Transfers to facilities of other entities
(4) Subregulation (5) applies if:
(a) a registered entity (the sending entity) is included on the National Register in relation to a facility (the sending facility) and a security‑sensitive biological agent; and
(b) another registered entity (the receiving entity) is included on the National Register in relation to another facility (the receiving facility) and the same security‑sensitive biological agent; and
(c) the sending entity arranges with the receiving entity for the transfer of the security‑sensitive biological agent from the sending facility to the receiving facility; and
(d) the sending entity notifies the receiving entity, in accordance with Part 6 of the SSBA Standards, of the expected time of delivery of the security‑sensitive biological agent to the receiving facility; and
(e) the security‑sensitive biological agent is not received at the receiving facility by the notified expected time of delivery.
(5) The event mentioned in paragraph (4)(e) is a reportable event for the receiving entity.
Note 1: Transferring the security‑sensitive biological agent is a reportable event for the sending entity under subparagraph 48(1)(e)(i) of the Act.
Note 2: Loss or theft of the security‑sensitive biological agent is a reportable event for the sending entity under paragraph 48(1)(f) of the Act.
(6) Subsection (5) does not apply if:
(a) the security‑sensitive agent is received at the receiving facility within 2 business days after the notified expected time of delivery; and
(b) at all times between the notified expected time of delivery and the receiving of the security‑sensitive biological agent, the receiving entity knows that the security‑sensitive biological agent is not lost or stolen.
18 Unauthorised handling etc.
An event mentioned in column 1 of an item of the following table is prescribed in relation to a registered entity that is included on the National Register in relation to a facility and a security‑sensitive biological agent, if:
(a) there are no circumstances mentioned in column 2 of the item; or
(b) the circumstances mentioned in column 2 of the item exist.
| Reportable events |
| Item | Column 1 Event | Column 2 Circumstances |
| 1 | a person handles the security‑sensitive biological agent at the facility | (a) the person is neither: (i) authorised by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; nor (ii) approved by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; or (b) the person is so authorised or approved, but the handling is not in accordance with the authorisation or approval |
| 2 | a person attempts to handle the security‑sensitive biological agent at the facility | (a) the person is neither: (i) authorised by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; nor (ii) approved by the entity, in accordance with Part 3 of the SSBA Standards, to handle the security‑sensitive biological agent at the facility; or (b) the person is so authorised or approved, but the attempt is not in accordance with the authorisation or approval |
| 3 | a person attempts to access the security‑sensitive biological agent at the facility | the access is unauthorised under section 13 |
| 4 | a person attempts to steal the security‑sensitive biological agent at the facility | none |
| 5 | the security‑sensitive biological agent is accidentally released during its handling at the facility | none |
| 6 | a person who has been to the facility is affected by the security‑sensitive biological agent as a result of the entity’s handling of the security‑sensitive biological agent at the facility | none |
| 7 | a person accesses sensitive information at the facility about the security‑sensitive biological agent Note: For sensitive information, see section 5. | (a) the person is neither: (i) authorised by the entity, in accordance with Part 3 of the SSBA Standards, to access the information; nor (ii) approved by the entity, in accordance with Part 3 of the SSBA Standards, to access the information; or (b) the person is so authorised or approved, but the access is not in accordance with the authorisation or approval |
| 8 | a person attempts to access sensitive information at the facility about the security‑sensitive biological agent | (a) the person is neither: (i) authorised by the entity, in accordance with Part 3 of the SSBA Standards, to access the information; nor (ii) approved by the entity, in accordance with Part 3 of the SSBA Standards, to access the information; or (b) the person is so authorised or approved, but the access is not in accordance with the authorisation or approval |
19 Changes in particulars
The following events are prescribed in relation to a registered entity:
(a) a change to any of the following:
(i) the entity’s name;
(ii) if the entity’s head office is located at a place other than a facility where the entity handles security‑sensitive biological agents—the address of the entity’s head office, or the entity’s postal address;
(iii) the entity’s telephone number, fax number or email address;
(iv) the entity’s ABN, ACN or ARBN;
(b) any of the following events in relation to a facility where the entity handles security‑sensitive biological agents:
(i) a change to the name, location or fax number of the facility;
(ii) a change to the telephone number, after hours telephone number or email address of the Responsible Officer or the Deputy Responsible Officer for the facility;
(iii) the Responsible Officer for the facility ceases to be the Responsible Officer;
(iv) the Deputy Responsible Officer for the facility ceases to be the Deputy Responsible Officer;
(v) a Responsible Officer or Deputy Responsible Officer is appointed for the facility.
Subdivision C—When reports must be given
20 When reports must be given
For the purposes of subsection 48(3) of the Act, a registered entity that must give a report about a reportable event mentioned in column 1 of an item of the following table must give the report within the period mentioned in column 2 of the item.
| When reports must be given |
| Item | Column 1 For a reportable event mentioned in … | Column 2 the report must be given within … |
| 1 | paragraph 48(1)(a) of the Act (entity starts to handle a security‑sensitive biological agent) | 2 business days after the entity starts to handle the security‑sensitive biological agent. |
| 2 | (a) paragraph 48(1)(b) of the Act (entity disposes of its entire holdings of a security‑sensitive biological agent); or (b) paragraph 48(1)(c) of the Act (disposal of toxins resulting in less than a reportable quantity) | 2 business days after the event occurs. |
| 3 | subparagraph 48(1)(d)(i) of the Act (entity starts to handle a security‑sensitive biological agent for a purpose not specified in the National Register) | 2 business days after the entity starts to handle the security‑sensitive biological agent for that purpose. |
| 4 | subparagraph 48(1)(d)(ii) of the Act (entity stops handling a security‑sensitive biological agent for a purpose specified in the National Register) | 2 business days after the entity stops handling the security‑sensitive biological agent for that purpose. |
| 5 | paragraph 48(1)(e) of the Act (entity transfers a security‑sensitive biological agent) | 2 business days after the event occurs. |
| 6 | (a) paragraph 48(1)(f) of the Act (security‑sensitive biological agent is lost or stolen); or (b) paragraph 48(1)(g) of the Act (unauthorised access to a security‑sensitive biological agent) | 2 business days after the entity becomes aware of the event. |
| 7 | section 15, 16 or 17 of this instrument (transfer of security‑sensitive biological agent) | 2 business days after the event occurs. |
| 8 | section 18 of this instrument (unauthorised handling etc.) | 2 business days after the entity becomes aware of the event. |
| 9 | section 19 of this instrument (change in particulars) | 2 business days after the event occurs. |
Subdivision D—Events that must be reported to police
21 Events that must be reported to police
(1) For the purposes of paragraph 48A(1)(b) of the Act, the following reportable events are prescribed:
(a) the event mentioned in paragraph 48(1)(g) of the Act;
(b) the event mentioned in subsection 16(2) or (4) of this instrument;
(c) the event mentioned in subsection 17(2) or (5) of this instrument;
(d) the event mentioned in column 1 of item 1, 2, 3, 4, 7 or 8 of the table in section 18 of this instrument.
(2) For the purposes of subsection 48A(3) of the Act, the period is the period of 24 hours after the registered entity becomes aware of the event.
Division 4—Reportable events for entities that temporarily handle SSBAs
22 Unauthorised access
For the purposes of subparagraph 60AF(1)(b)(ii) of the Act, access is unauthorised if the access does not comply with Part 10 of the SSBA Standards.
23 When reports must be given
When reports must be given to Secretary
(1) For the purposes of subsection 60AF(2) of the Act, the period is the period of 2 business days after the entity becomes aware of the event.
When reports must be given to police
(2) For the purposes of subsection 60AH(3) of the Act, the period is the period of 24 hours after the entity becomes aware of the event.
Division 5—Identity cards
24 Identity cards
For the purposes of paragraph 64(2)(a) of the Act, an identity card issued to an inspector must be in a form that contains the following information:
(a) the full name of the inspector;
(b) a statement that the person to whom the card is issued is appointed under subsection 63(1) of the Act;
(c) for the photograph required under paragraph 64(2)(b) of the Act, an image showing the inspector’s full face, head and shoulders;
(d) the date the card was issued;
(e) the date the card expires.
Note: Paragraph 64(2)(b) of the Act provides that an identity card issued to an inspector must contain a recent photograph of the inspector.
Division 6—Confidentiality of information
25 Confidentiality of information
Intelligence agency
(1) For the purposes of paragraph 85(1)(a) of the Act, the Australian Security Intelligence Organisation is prescribed.
Law enforcement agencies
(2) For the purposes of paragraph 85(1)(b) of the Act, the following law enforcement agencies are prescribed:
(a) the Australian Federal Police;
(b) the police force of a State or Territory.