What we heard: Consultation on potential amendments to the Human Pathogens and Toxins Regulations

On this page

Executive summary

The Public Health Agency of Canada (PHAC) administers and enforces the Human Pathogens and Toxins Act and associated regulations (HPTA/R), brought into force in 2015, to protect people living in Canada from the health and safety risks associated with the use of pathogens and toxins. This summary report presents findings from an online questionnaire that was made available on the Government of Canada's (GoC) website between August 4, 2023, and September 5, 2023. The purpose of this consultation was to gain a better understanding of what changes and improvements could be made to the HPTR, specifically biosafety and biosecurity measures in the context of non-GoC higher level risk facilities.

Themes

The questionnaire focused on the following themes:

Overall, consultation responses indicate general support of the concepts under consideration for regulatory amendments. PHAC was pleased to receive responses from a broad range of partners and stakeholders, including individuals and organizations. This representative diversity of responses provided insight from a number of perspectives, including regulated facilities, consumer and industry organizations, provincial, territorial, or municipal governments, and professional associations.

Given this report reflects questionnaire responses from individuals, as well as organizations representing many members, it was not possible to quantify the results of all questions in a representative way. Instead, general, qualitative descriptions of the nature of the input are provided. For example, "most", "many" and "some/few/less" are used to describe the volume of respondents who provided the feedback. As a general reference, these terms mean the following percentage of responses:

Summary of findings

PHAC solicited input from stakeholders to inform proposed amendments under the HPTR. 84 participants (for example, organizations and individuals) provided their input on the online questionnaire, where questions were organized thematically and developed specifically to address concerns raised in preliminary stakeholder consultations. More than 1,000 comments were received and summarized into more streamlined responses in order to best analyze the sentiments expressed by respondents.

Respondents represented a diverse and representative range of stakeholders from our regulated party sectors in the areas of human health, academia, all levels of government, general research, pharmaceuticals, animal health, biotechnology, and other industries. The largest number of respondents were from Ontario (32%) and Quebec (27%), followed by British Columbia (11%), Alberta (9%), and Manitoba and Nova Scotia both at 5% respectively. This dispersion is reflective of the geographical distribution of regulated facilities.

The top 3 areas of interest identified by stakeholders, based on the number of comments received, were:

Stakeholders expressed support for:

Stakeholders expressed concerns about:

Stakeholders requested GoC support, particularly in areas where regulated parties felt they are not equipped to institute changes or lack the expertise:

The feedback received related to each theme is explained in more detail in the body of the report. Some of the comments by respondents are highlighted throughout this report. PHAC will use this input to inform future HPTR amendments.

Introduction

Prior to 2009, federal oversight of human pathogens and toxins was limited to facilities importing human pathogens and toxins under the Human Pathogens Importation Regulations (HPIR) and facilities importing animal pathogens under the Health of Animals Act (HAA). This limited the GoC's ability to verify the safe and secure use of pathogens or toxins acquired from domestic sources. In 2009, the Human Pathogens and Toxins Act (HPTA) received Royal Assent to establish a national safety and security regime to protect the health and safety of the public against the risks posed by human pathogens and toxins. On December 1, 2015, the full HPTA and the supporting Human Pathogens and Toxins Regulations (HPTR) came into effect.

PHAC administers and enforces the HPTA to establish a national safety and security regime to protect the health and safety of the public against the risks posed by human pathogens and toxins. The HPTR supports the HPTA authorities by establishing national requirements for the safe and secure handling of human pathogens and toxins, and providing assurance that individuals with unsupervised access to a prescribed list of security-sensitive human pathogens and toxins hold an appropriate security clearance.

As a part of the Regulatory Impact Analysis Statement in 2015, PHAC committed to a legislative review every 5 years, which serves as the HPTA/R life-cycle review. PHAC recently completed a mandated 5-year evaluation of the HPTA/R, which focused on issues of effectiveness and efficiency from 2015 to 2021. The evaluation report , as well as a management response action plan, have been published online.

Overview of engagement process

According to the Cabinet Directive on Regulation - Canada.ca (CDR), departments and agencies are responsible for identifying stakeholders impacted by regulations and meaningfully consulting and engaging with them throughout the development, management, and review of regulations. In doing so, they are to follow the GoC's policies and guidance for consultation and engagement. Departments and agencies document comments received throughout the course of any consultations and make these available to the public upon request. Consultations are done throughout the regulatory process.

In accordance with the CDR, PHAC committed to consultations to:

The objectives of consultations are to address the key stakeholders' concerns before the regulatory proposal is published in the Canada Gazette , Part 1, and to obtain stakeholders' support.

PHAC launched an engagement process for a 30-day period from August 4 to September 5, 2023 through the Government of Canada platform. The purpose of these consultations was to gain a better understanding of what changes and improvements could be made to the HPTR, specifically biosafety and biosecurity measures in the context of non-GoC CL4 labs. The consultation engaged public, private and academic stakeholders. Various mechanisms were employed to promote and encourage completion of the questionnaire including:

In total, 84 stakeholders participated submitting more than 1,000 comments across 8 themes.

The input received through consultations will help inform what could be proposed in upcoming draft regulatory amendments. This report summarizes the ideas shared from the online questionnaire by these stakeholders.

Summary of feedback received

Who we consulted

A diverse yet representative group of stakeholders completed the questionnaire representing different careers, provinces and territories, and working with various risk groups of pathogens and toxins within different containment level facilities.

Several administrative questions provided respondents' demographic information and their areas of concern. The vast majority represented either regulated facilities or themselves as individuals while a much smaller number were affiliated with a consumer or industry organization, a level of government or a professional association.

The respondents hailed primarily from the academic, human health, government, and general research sectors located in Ontario, Quebec and British Columbia. They were predominantly biological safety officers (BSOs) with a smaller number being licence holders (LH) and licence holder representatives (LHR), researchers, management, alternative BSOs and laboratory technicians. The level of understanding of the HPTA/R was self-identified as being generally good to excellent, so responses are knowledgeable about the implications of any changes to the existing oversight.

The consultation focused on the following themes:

Figure 1. Number of comments received by theme
Figure 1. Number of comments received by theme
Figure 1 - Text description
Theme Cyber and Information Technology security Insider threats Physical and tangible assets Foreign ownership, control or influence Compliance, enforcement and penalties Research security and collaboration Prescribed human pathogens and toxins International best practices Other
Number of comments (n=1,001) 195 185 180 166 133 69 29 25 19
Note: 'n' in the table refers to the number of comments received

The themes that received the most comments were enhancing protections for cyber and IT security, and mitigating insider threats while the fewest comments were related to international best practices and prescribed human pathogens and toxins.

Figure 2. Laboratory biosecurity issues of most concern to respondents (respondents may select multiple responses)
Figure 2. Laboratory biosecurity issues of most concern to respondents (respondents may select multiple responses)
Figure 2 - Text description
Issues of concern Access controls to materials stored outside the containment zone Cyber and information technology security Physical on-premises security Insider threats Dual-use research (illegitimate purposes) International Collaboration Domestic collaboration/ partnerships Foreign ownership, control or influence
Number of responses (n=199) 42 37 28 22 20 20 15 15
Note: 'n' in the table refers to the number of responses

The most common identified laboratory biosecurity concerns were around access controls to the containment zone, cyber and information security, physical on-premises security, and dual-use research for illegitimate purposes. Of lesser concern were insider threats, collaboration and foreign ownership, control or influence.

Concerning future plans to seek authorization for a licence for a specific RG or containment level in the next 5 to 10 years, Risk Group 2 (RG2) and RG3 non-Security Sensitive Biological Agent (SSBA) licenses are expected to continue being the largest number of licensed facilities with an increase in facilities seeking to work with SSBAs (Note: RG3 and RG4 pathogens include those listed in Schedules 3 and 4 of the HPTA. An SSBA is the subset of human pathogens and toxins that have been determined to pose an increased biosecurity risk due to their potential for use as a biological weapon; reference Canadian Biosafety Standard, Third edition). Of the 138 responses, the anticipated licences break down as follows:

Theme 1: Foreign ownership, control or influence

Background

The GoC works to mitigate risks associated with foreign influence, including harm to individual Canadian facilities, to Canada's vital assets, and the knowledge-based economy. While acknowledging that research in Canada can benefit from international contributions and perspectives, disreputable foreign control and influence in research can pose a significant risk to:

Questions asked in the consultation

  1. Would Canadian residency requirements for the Licence Holder, Licence Holder's representative and the Biological Safety Officer create obstacles for regulated facilities?
  2. What additional controls from PHAC could support regulated facilities in mitigating risks associated with foreign ownership, control, or influence?
  3. What risk-based preventative measures should be in place to mitigate foreign influence risk on intangible assets (e.g. intellectual property, academic relationships, reputation, etc.) for regulated facilities?
  4. What other recommendations, concerns, or considerations around foreign ownership, control or influence should be addressed?

What we heard

In general, there is interest and support in having interventions in place for Canadian residency requirements for the LH, LHR and the BSO to:

Numerous respondents indicated concern that Canadian residency requirements for the LH, LHR and BSO would have a negative impact on international research collaboration by limiting the pool of qualified candidates for research positions. Based on the feedback, it appears that stakeholders may have misinterpreted the term "residency" as "citizenship", given there were suggestions that any requirements must clearly define Canadian residency as it relates to legal status or physical presence, and should be flexible so as to accommodate exceptional cases. The concept of Canadian "residency" was greatly supported by stakeholders as it will clarify and anchor the requirements for any individuals or type of organization that seeks to conduct regulated activities.

Additional measures suggested to mitigate foreign influence risks on intangible assets include:

The overall responses received from the consultation demonstrate an interest in amending the HPTR to specify Canadian residency requirements for all LH, LHRs and BSOs. Having individuals with Canadian residency in key roles to help safeguard sensitive information, mitigate the risk of foreign influence, minimize security issues (such as security clearance), and liabilities and protection under Canadian law will enhance national security.

Theme 2: Enhancing protections for cyber and IT Security

Background

There is a steady increase in the frequency, sophistication and severity of cyber-attacks against Canadian organizations, including the biosecurity sector. Threats can originate from state, state-sponsored and other actors conducting activities ranging from:

Cyber and IT vulnerabilities can be exploited to collect information on personnel background and security checks to gain access to restricted areas. Intangible technology transfer is a pervasive, persistent and often undetectable method to transfer information from these sources. The theft by cybercriminals of intellectual property, such as patents for vaccines and other therapeutics, or other threats against federally regulated labs can significantly damage Canada's biopharmaceutical and health sectors and deter future investments, thereby negatively impacting Canada's ability to respond to future pandemics and protect public health and safety.

Questions asked in the consultation

  1. What are the risks associated with cyber and IT security in facilities handling human pathogens and toxins?
  2. If you work in a regulated facility that handles pathogens or toxins, have you/the organization experienced any cyber and IT security concerns in the 5 past years?
  3. How does your regulated facility define a cyber security near-miss incident?
  4. If you work in a regulated facility that handles pathogens or toxins, does your regulated facility record near-miss cyber incidents or accidents in the containment zone involving information security breaches?
  5. If you work in a regulated facility that handles pathogens or toxins, do you/the organization have mechanisms in place for the identification, assessment, and management of risks associated with cyber security, information technology security, and information management security risks?
  6. What should be secured with the highest level of cybersecurity in a regulated facility where SSBAs are handled or stored?
  7. If you work in a regulated facility that handles pathogens or toxins, what additional supports are required or would be helpful to adequately identify, assess, and manage risks associated with cyber security, information technology security, and information management security risks?

What we heard

Respondents generally agreed that cyber and IT security are necessary for safety and security in handling human pathogens and toxins, particularly as some facilities have experienced cyber issues within the last 5 years. These concerns were characterized by incidents where policies and directives were not followed by personnel including unauthorized access to electronic files, phishing attempts, and personnel departures without proper notification. Measures taken to record incidents were internal reporting systems, such as vulnerability scans as part of a security assessment and authorization process, non-conformance reporting, and reporting to both law enforcement and PHAC.

Identified vulnerabilities included:

Respondents highlighted that the threats to facilities could include exposure to phishing attempts via IT networks, hijacking the access system for break-in and material theft, unauthorized access to pathogen inventory, personnel records, research data and proprietary information, and compromising ventilation and temperature control systems.

Most facilities noted they have mechanisms in place for the identification, assessment and mitigation of cyber and IT security risks. Those mentioned included:

Additional supports required or that would be helpful for risk mitigation purposes were focussed on stricter measures, communication and training and awareness. Some respondents indicated they would welcome minimum IT hardware requirements, operating system and firewall recommendations, along with regular cybersecurity audits, regular updates from security experts, use of security risk assessment grid, and integration of physical and IT interventions for key card and password protection for doors and computers. A few respondents suggested communication support could involve a dedicated, centralized PHAC Office of IT Security (note that other GOC departments, not PHAC, have the authority for this activity), having all PHAC IT-related correspondence be sent directly to IT directors (rather than the BSO) to increase its visibility and importance, and the appointment of senior IT personnel for oversight and communicating with internal auditor and senior management. Lastly, it was suggested that there be mandatory biosecurity training for personnel, students, and principal investigators as well as training and awareness of which pathogens are more desirable for misuse.

Cybersecurity in a facility with SSBAs

Figure 3. What should be secured with the highest level of cybersecurity in a regulated facility where SSBAs are handled or stored (Respondents may select multiple response)
Figure 3. What should be secured with the highest level of cybersecurity in a regulated facility where SSBAs are handled or stored (Respondents may select multiple response)
Figure 3 - Text description
Items to be secured Critical biosecurity components (such as security measures restricting access only to authorized individuals, etc.) Documents identifying the location of critical biocontainment components or the location of SSBAs in the building (such as blueprints, floorplans etc.) Personnel personal information Documents identifying biosecurity measures (such as biosecurity plan) Research results with dual-use potential (until risk mitigation strategies can support responsible publication) Genetic sequences of concern (until risk mitigation strategies can support responsible publication or sharing to inform public health preventive measures) Intellectual property (until publication or patent application) Critical biocontainment and biosafety components (such as HVAC, etc.)
Number of responses (n=387) 66 63 58 50 44 42 40 24
Note: 'n' in the table refers to the number of responses

Although most items in a regulated facility that is handling or storing SSBA should require cybersecurity measures, critical biosecurity components and documents identifying the location of those components or the SSBAs themselves were deemed as necessitating the highest cybersecurity level. While the questionnaire elaborated on critical biosecurity components as restricting access only to authorized individuals, stakeholders went further and suggested that the most critical information should also be subject to the highest level of security. Respondents indicated that documentation that would benefit from the highest level of cybersecurity would include: blueprints, floorplans, HVAC, and personnel's personal information (given their potential use in a nefarious manner against the individual or the facility). Of note, there was little concern for research results with dual use potential, genetic sequences of concern, and intellectual property although these are generally recognized by the GoC and stakeholders as areas that would most likely require more cybersecurity protection.

Theme 3: Enhancing protections for physical assets

Background

It is in the interest of a facility to protect their tangible assets, which can be described as physical property (such as pathogens, toxins, equipment, animals or hardware). Physical protection refers to identifiable physical elements such as barriers, doors and gates, access controls, and devices which protect, deter, or detect a biosecurity event, and which aid with response and recovery efforts once a biosecurity event has been detected.

Questions asked in the consultation

  1. Would specifying safety and physical security related requirements for phases of facility construction activities (location, design, construction) support existing and/or future regulated facilities in ensuring proper oversight and safe operations of these facilities?
  2. Would expanding protections for physical or tangible assets in regulated facilities conducting controlled activities with human pathogens or toxins beyond the containment zone improve pathogen security?
  3. What preventative measures (administrative, operational, physical, etc.) should regulated facilities have in place for assets located outside the containment zone?
  4. What other recommendations, concerns, or considerations regarding protection of tangible assets should be considered?
  5. What physical security measures are appropriate in a Containment Level 4 (CL4) facility?
  6. What security measures are appropriate for the transportation of Risk Group 4 (RG4) pathogens?

What we heard

Overall, there was support for enhanced oversight of the design and construction phases of building higher-risk facilities. There was also general support for the concept of expanding oversight of assets and introducing security measures beyond the containment zone of a regulated facility. There was caution expressed around the cost of introducing new requirements, and suggestions that these new measures be applied only to higher-level risk facilities. However, the concept of enhanced security during pathogen or toxin transport was not of interest to stakeholders.

Pre-licence considerations

There was support for specifying safety and physical security requirements for phases of construction (location, design, construction) citing the benefits this could bring to the facility. Regulatory requirements for a design specification would make it easier for regulated parties to obtain approval and funding for those requirements before and during construction. Defining requirements at an early stage would enable changes to be implemented much more easily and at less cost compared to those made prior to or upon completion of construction. The consistency in the requirement of building to the same standards would improve construction uniformity across regulated labs, and facilitate equitable application of the law to all regulated parties.

However, there were a few considerations offered by some to make any new interventions less restrictive. Performance-based requirements were suggested to allow flexibility for facilities to adapt the requirements to their circumstances. A few respondents noted that design information would have to be secured to prevent threats. Some noted that these requirements could be burdensome for lower risk-level facilities and would be more appropriately applied only to facilities handling RG3 or RG4 pathogens.

We were told

"The sooner a regulated facility is aware of the requirements and aware of the risks, the easier it will be for that facility to adapt to those requirements."

Expanding protection beyond the pathogen/toxin containment zone

Of the respondents who provided input to the question, the majority supported expanding protections for physical or tangible assets beyond the containment zone. In particular, there was some support for adding physical security measures for access into the building or areas adjoining the security facilities (e.g., records/inventory storage or freezers containing pathogens that are located outside the containment zone). There was also support for more stringent requirements around access to networks (for example, computer hardware and equipment) outside of the location in a facility where pathogens and toxins are handled and stored. A benefit of these expanded requirements could be the prevention of unauthorized personnel from making observations and gleaning information on the containment facility or their proprietary work.

There was significant support to secure assets located outside of the containment zone through a combination of administrative policies and processes (such as password protection, security measures for clearances and access), operational policies (such as safeguarding instructions for assets, monitoring and control of inventories), and physical security measures (such as locked doors and freezers, security cameras and surveillance, controlled entrances and key cards, signage). A risk-based approach based on the physical space was mentioned several times, which would inform the appropriate level of security as a preventative measure. These policies and procedures on when and how to respond to a situation could mitigate the risk attributable to human error.

Nevertheless, it was suggested that these expanded requirements may cause undue burden and impede egress for facilities that currently do not have these security enhancements in place. A risk/benefit/resources analysis was recommended before imposing any protections. PHAC has undertaken a cost-benefit survey as part of the regulatory amendment process to assess this concern.

Measures for higher risk facilities

The general sentiment was that a combination of physical security measures could be appropriate in the highest risk facilities. Security measures such as cameras, motion detectors and any other similar items could rapidly detect suspicious activity at a site and a building's perimeter. A minimum of 2 active security barriers, such as guard dogs, wedge barriers or crash arm barriers, could be implemented to protect critical biocontainment and biosafety components such as HVAC, breathing air systems, and effluent decontamination systems.

We were told

"All preventative measures would need to be in place: administrative: passwords, security clearances, specific security controlled devices that are strictly monitored by security. Operational: Location of assets, including individuals that have access to those assets and can remove them from the containment zone. Physical: locked doors and controlled, monitored and recorded access at all times (who comes in and out)."

Enhanced transportation oversight

For the transportation of RG4 pathogens, there was minimal support for interventions, such as:

There was very little support for physical presence or escorts during transportation.

Theme 4: Mitigating insider threats

Background

An insider threat is a potential for a person/employee (such as IT personnel, senior management, etc.) that works for an organization to subvert, either intentionally or unintentionally, the confidentiality, integrity, and availability of the information and physical assets possessed by that organization. An HPTA SC, which validates that persons do not pose an undue security risk, is already a requirement for persons performing any controlled activity with an SSBA pathogen or toxin. Respondents were asked for input on revisions to oversight of who requires a security clearance, what should be included in the application, and whether other security screening measures should be put in place for persons with more peripheral access to assets (for example not a full security clearance). It was suggested that security screening measures outside of a SC might include a broad array of options, such as:

Questions asked in the consultation

  1. Should security screening processes be implemented for an individual who does not have an HPTA Security Clearance (SC) but can access:
    • The containment zone if accompanied and supervised by someone else who does have an HPTA SC. Applicable, please explain
    • Sensitive information related to SSBA human pathogens and toxins, personnel HPTA security clearance information, construction/HVAC designs, SSBA pathogen and toxins inventory records, or IT systems of a regulated facility. Applicable, please explain
  2. What measures would you suggest for individuals who do not require access to information and technology but do require access to protected or restricted areas or facilities (i.e. Containment Zone) where SSBA pathogens or toxins are used or stored (e.g. custodial staff, repair persons, etc.)?
  3. What measures would you suggest for individuals working in the facility where SSBA pathogens or toxins are used or stored, and who have access to sensitive information and technology but do not work in the containment zone?
  4. What measures do you suggest for individuals who have access to both sensitive information and technology and work in the containment zone?
  5. What measures do you suggest for escorted visitors entering a building with a CL4 laboratory?
  6. What measures would you suggest for individuals with access to sensitive information related to the transportation of risk group 4 pathogens.
  7. Are there any other roles or functions mentioned in the previous questions (either within a facility or through remote access) that would benefit from requiring some level of security screening requirements?
  8. What type(s) of sensitive information do you think should be safeguarded in a facility working with SSBA pathogens and toxins?
  9. What additional information, other than that already obtained through the HPTA Security Clearance Application process (HPTR s. 12), should be sought from applicants seeking to work with SSBAs to help reduce the risk of insider threats?
  10. What additional controls could support Canadian facilities in mitigating risks of an insider threat?

What we heard

Overall, there seems to be general support in increasing the safeguarding of information. There was less interest in increased security oversight of personnel, although a tacit acceptance that those working with higher risk pathogens, including SSBAs, may require an additional level of security.

Persons accompanied and supervised by someone holding a HPTA SC

Overall, most respondents were in general agreement that some security screening processes should be implemented for a person who does not have an HPTA SC but can access secure areas. Specifically, many respondents were in agreement that this approach should be required for individuals who access the containment zone under the "accompany and supervise" provision. A greater number supported this approach for individuals with access to "high risk" sensitive information (such as, inventory records) for SSBA human pathogens and toxins, personnel HPTA security clearance information, construction/HVAC designs, or IT systems. Identity verification and criminal records' checks every 5 years were suggested for escorted individuals requiring access to protected or restricted areas where SSBAs are used or stored or have access to sensitive information or technology. Several respondents who expressed opposition to the implementation of a security screening process cited the delays caused by the current HPTA SC process.

We were told

"Supervision [is] a broad term which can mean full time oversight over an individual to simply being in the same area as an individual. All individuals should be required to have clearance."

Persons with access to assets

Most supported an alternate security screening approach for persons with general access to assets beyond what is already in the legislation. There were only two exceptions for which there was limited support:

  1. escorted visitors entering the highest risk facilities to have screening for association with criminal activities, terrorism or hostile foreign military and intelligence
  2. individuals with access to sensitive information related to the transportation of RG4 pathogens to undergo screening by a suitability assessment (under the Transportation of Dangerous Goods Act) or requiring a full HPTA SC

For those who supported security screening measures, it was suggested these be applied to the following organizational roles or functions:

Figure 4. Suggested security measures for individuals who work in a facility where SSBA pathogens or toxins are used or stored and who require access to protected or restricted areas (respondents may select multiple responses)
Figure 4. Suggested security measures for individuals who work in a facility where SSBA pathogens or toxins are used or stored and who require access to protected or restricted areas (respondents may select multiple responses)
Figure 4 - Text description
Security measures Verification of identity Criminal record check Suitability assessment Open-source checks CSIS assessment Fingerprinting Credit check
Number of responses (n=171) 45 39 26 19 16 14 12
Note: 'n' in the table refers to the number of responses

Most respondents did not know what additional information could be sought from HPTA SC applicants to help reduce the risk of insider threats for persons working with SSBAs. Screening was suggested to be conducted by the GoC and security partners rather than the institution. It was suggested to specifically seek information about foreign employment/military service collaborations and/or assets for those working with SSBAs. Some also offered that ongoing monitoring of employees with SSBAs as part of performance management would be appropriate.

A stakeholder raised the need to consider institutional anti-discrimination protocols for employees and workers from countries of concern.

Sensitive information to be protected

All suggested options for the safeguarding of sensitive information in a facility working with SSBAs were widely supported. Respondents were particularly concerned with protecting information around pathogen storage location, as well as information that could allow pathogens or toxins to be weaponized. This focus reinforces the concept of introducing an additional level of security to facilities handling SBBAs. Protecting personal information of personnel with an HPTA SC was also an area of high concern, as the repercussions following release of this information could compromise a facility working with SSBAs.

Stakeholders identified the following as the type of sensitive information to be safeguarded:

We were told

"A detailed suitability and reliability interview should be conducted (e.g., as is done in the US for the Federal Select Agent program [FSAP]). Providing a guidance document on how to conduct suitability assessments/interviews (pre-access) and ongoing behaviour monitoring would be helpful.

General suggestions regarding insider threat management

Approximately one-third of respondents suggested additional controls that could support Canadian facilities in mitigating risks on an insider threat. These include:

Other suggested enhancements were:

As well, other control measures could include restricting access to normal working hours only, revoking access upon an employee's departure and providing basic biosafety training to personnel requiring access. Lastly, some respondents suggested that strategies are in place to protect the mental health of personnel.

We were told

"Regular and up-to-date reports on foreign actors who may be targeting individuals who hold HPTA clearances to inform regulated facilities of the types of threats and who they might be targeting."

Theme 5: Research security and collaboration

Background

The dual-use potential of pathogens and toxins is an important factor that should be considered for all research activities regulated under the HPTA/R to maintain that biosafety and biosecurity programs are sufficient to mitigate risks to the health and safety of the public and those working within facilities. Canada's commitment to open and collaborative academic research embraces discovery, creativity and innovation to keep Canadian research and training internationally competitive, while also protecting public health and safety. Domestic and international partnerships are an essential component of this ecosystem, guided by the principles of academic freedom and institutional autonomy.

Questions asked in the consultation

  1. If you work in a regulated facility that handles pathogens or toxins, what mechanisms does your facility have in place for research security and collaboration, including mitigating risks associated with the transfer of knowledge or "know-how" and intellectual property?
  2. What checks and balances should be in place for the protection of health and safety without impeding science and innovation when it comes to the publication of research with dual-use potential?
  3. Are there types or categories of scientific research information that you think should not be published? If so, why?

What we heard

Overall, respondents voiced support for a systematic and cautious approach to dual-use research to safeguard against unintended negative consequences.

The most popular mechanisms in place for research security and collaboration in a regulated facility are material transfer agreements, internal policies and directives, non-disclosure agreements and training. Less common mechanisms included Biological Agent Transfer Notifications (BATN), administrating institutional biosafety committee and risk assessment processes, transfer approval documents between institutions, and implementing a comprehensive safeguarding research framework with measures to support identification and mitigation of risk.

There were three recurring topics that were supported as checks and balances for the publication of research with dual-use potential for the protection of health and safety. Calls were made for mandatory dual-use training of researchers prior to funding being released, as well as providing training and resources to researchers, directors, and journal editors to better fully understand and identify dual-use concerns in their work. Also suggested was a comprehensive approach to address dual-use research and enhance biosecurity measures that would feature a thorough committee review of proposed research, requirements to identify dual-use potential during funding applications, safe dissemination of results, and development of mitigation plans in case of nefarious use of research. Additionally, stakeholders proposed ongoing oversight including internal reviews throughout the research process, engagement with scientific journal editors, and reviewed by the facility's LH and BSO. Also highlighted to mitigate biosecurity risks were the importance of background checks and social platform monitoring to prevent military connections, the creation of clear research and science sharing agreements, and regulation of certain technology and equipment. Suggested information controls included implementing measures to flag dual-use potential in research publications through a peer review process, tracking and recording access to publications with dual-use potential, only sharing access upon request with those with appropriate security clearances, having replicated experiments require a screening process to access crucial details, and obligations on researchers to be transparent about their work to facilitate accurate risk assessments.

Respondents suggested the following:

  1. Avoid publishing research involving:
    • national security
    • animal work that raises animal rights concerns
    • enhancement of the virulence, transmissibility, or pathogenicity of pathogens or toxins
    • bioweapons
  2. Conduct risk assessment of release of research methodology and approaches for genetically modified microorganisms (GMMOs) and recombinant DNA (rDNA), including detailed data on quantities, timelines, temperatures and additives. Limit detailed information for research involving high-risk pathogens without omitting results. Also require security clearances to access the more detailed information.

Theme 6: Prescribed human pathogens and toxins

Background

The HPTR prescribes certain human pathogens and toxins for which an HPTA SC (or accompaniment) is required for containment zone access, which are referred to in practice as SSBAs. Prescribed pathogens are those that are either RG3 or RG4 human pathogens under the HPTA and which are also on the List of Biological Agents and Animal Pathogens for Export Control (published by an international council of experts, also known as the Australia Group [AG]), with some exceptions. Prescribed toxins are those that are listed in Schedule 1 of the HPTA and which are also included on the List of Biological Agents and Animal Pathogens for Export Control , with the exception of some organisms present in defined minimal quantities.

Questions asked in the consultation

  1. What tool do you or your organization use to determine whether a toxin is regulated by the HPTA?
  2. Should the HPTR allow for prescribing of human pathogens or toxins (as defined in the HPTA/R but not otherwise already on the Australia Group list ) for the purpose of containment zone access in accordance with HPTA s. 33, in response to international obligations or emerging biosecurity threats (e.g., Poliovirus eradication)?

What we heard

Figure 5. Tools the respondent's organization uses to determine whether a toxin is regulated by the HPTA (respondents may select multiple responses)
Figure 5. Tools the respondent's organization uses to determine whether a toxin is regulated by the HPTA (respondents may select multiple responses)
Figure 5 - Text description
Tools Schedule 1 of the HPTA ePATHogen online tool Pathogen Safety Data Sheets/Material Safety Data Sheets Distributors' information The American biological safety association (ABSA) risk group database
Number of responses (n=185) 55 47 46 23 14
Note: 'n' in the table refers to the number of responses

Awareness of regulated pathogens and toxins

Respondents indicated that Schedule 1 of the HPTA was the most efficient way to determine whether a toxin is regulated, while the ePATHogen online tool and Pathogen Safety Data Sheets were also deemed useful. Other tools respondents reported using, not captured in the above graph, include direct consultation with PHAC, the Canadian Food Inspection Agency (CFIA), and the Australia Group list.

Timely and clear communication to regulated parties was stressed as an area of importance. This was especially noted for the process/criteria used for adding emerging pathogens or toxins to the regulated list. The lack of notice/time needed to allow facilities to respond to a new addition and comply quickly was perceived as a threat of increased burden on the administrator. The ePATHogen, which is increasingly used by researchers as their primary point of reference, should be enhanced to explain prescribed pathogens and toxins.

Suggestions were offered to both increase and decrease regulatory requirements. Some stakeholders indicated they felt certain pathogens or toxins are over-classified, particularly in the case of RG2s. Conversely, some respondents were advocating for strengthening biosecurity and biosafety requirements for facilities handling RG2 microorganisms given the growth in this area and potential enforcement challenges.

Determining regulatory oversight of pathogens and toxins

Many respondents agreed that some flexibility should be provided in the HPTR to allow for prescribing of human pathogens or toxins not otherwise already on the Australia Group List in response to international obligations or emerging biosecurity threats (such as Poliovirus eradication). Note that some feedback indicated a lack of support for Canadian deregulation of an organism listed by the internationally agreed Australia Group. However, most respondents indicated it was reasonable for Canada to set its own containment priorities while still operating in a collaborative environment with international partners. There is interest to permit interventions that keep up with current scientific realities for the purposes of security and safety. Some felt that methods other than regulations, such as advisories or other companion documents, could also achieve this goal, so instrument choice should be carefully examined prior to undertaking change. Poliovirus was used as a specific example to highlight the complexity of internationally collaborative pathogen oversight, where it is crucial to have transparency on the rationale for an organism's inclusion as a regulated entity in Canada.

There was general consensus that subject matter experts in Canada should have the ability to review pathogens and toxins and add them to the prescribed list, as required, for such purposes as newly emerging pathogens, endemic pathogens, new science, emerging threats and/or a change in global circumstance. We heard that expert involvement, such as a panel of subject matter experts and consultation of regulated facilities, should be considered. There was consensus that the classification of pathogens/toxins should adapt as the threat associated with the organism evolves. Higher containment and stricter biosecurity measures, including associated clearances to access, were communicated as of utmost importance based on the risk presented by the organism to the public and the environment.

We were told

"Yes, we are obligated to honour our international commitments, including provisions for Polio eradication and other relevant initiatives."

Theme 7: Compliance, enforcement and penalties

Background

PHAC administers and enforces the HPTA/R through various compliance and enforcement authorities and tools. Inspections are routinely conducted to monitor and verify regulated parties' compliance and prevent non-compliance, with the HPTA/R requirements. Inspections are also conducted to establish compliance for new laboratories under construction (such as, new vaccine manufacturing facilities), as a condition of issuing a licence. Due to restrictions on conducting normal business during the COVID-19 pandemic, PHAC's Centre for Biosecurity, as well as many other federal government departments, developed new mechanisms to conduct virtual inspections to verify compliance, prevent non-compliance, and undertake enforcement under their respective legislative schemes. There are also enforcement tools in place to fine or otherwise pursue action against non-compliant persons and facilities.

Questions asked in the consultation

  1. If the HPTA/R were to prohibit certain types of foreign ownership, control or influence, what types of penalties would you suggest should such a violation created a risk to the health, safety and security of the public?
  1. a) What existing HPTA/R enforcement tools or deterrents are most effective in preventing intentional minor non-compliance?
  1. b) What existing HPTA/R enforcement tools or deterrents are most effective in preventing intentional major non-compliance?

What we heard

Offences

A majority of respondents supported revocation or cancellation of the LH's licence and monetary penalties as enforcement actions should certain prohibited types of foreign ownership, control, or influence activities were undertaken by the organization such that it created a risk to the health, safety and security of the public. Less popular choices were penal consequences and imprisonment.

Figure 6. Most effective existing HPTA/R enforcement tools for preventing intentional minor non-compliance (respondents may select multiple responses)
Figure 6. Most effective existing HPTA/R enforcement tools for preventing intentional minor non-compliance (respondents may select multiple responses)
Figure 6 - Text description
Enforcement tools Monetary penalties Revocation of licence Cancellation of licence Penal consequences Imprisonment
Number of responses (n=135) 52 37 31 11 4
Note: 'n' in the table refers to the number of responses

In the event of intentional non-compliance (other than FOCI) by an individual or LH, respondents favoured different enforcement actions dependent on the severity of the non-compliance (such as, minor or major). For intentional minor non-compliance, commonly suggested deterrents included monetary penalties, followed by revocation or cancellation of the licence. Less popular were penal consequences and imprisonment. Suggestions for other actions included publishing the name of the offender, issuance of a warning letter, and recommending additional training.

Figure 7. Most effective existing HPTA/R enforcement tools for preventing intentional major non-compliance (respondents may select multiple responses)
Figure 7. Most effective existing HPTA/R enforcement tools for preventing intentional major non-compliance (respondents may select multiple responses)
Figure 7 - Text description
Enforcement tools Penal consequences Monetary penalties Imprisonment Cancellation of licence Revocation of licence
Number of responses (n=221) 53 45 43 41 39
Note: 'n' in the table refers to the number of responses

Acknowledging the potential severity associated with intentional major non-compliance, harsher deterrents were recommended. Feedback indicated strong support for penal consequences followed by monetary penalties, imprisonment, cancellation of the licence, and licence revocation. Suggestions for other actions included legal action against an offending researcher (rather than the organization), as well as amending the organization's licence to remove permission for activities, materials and/or locations associated with the non-compliance.

Inspections

Another compliance and enforcement activity used by PHAC is inspections. Although there may be efficiency gains for PHAC in instituting a virtual inspection program (especially for low-risk facilities), most respondents indicated that risks or challenges exist that could compromise the integrity of the system. They expressed concern that LHs with malicious intent could limit access to or outright hide information (e.g., non-compliant facility practices, constructions or damages) and manipulate the inspection to ensure that access or information is restricted to what they prefer. It was noted that some stakeholders value the physical presence of an inspector for the following reasons:

Several strategies for preventative measures to mitigate risks associated with virtual inspections were suggested. Robust and cyber-attack resilient communication and documentation protocols and policies should be in place for both PHAC and facilities to ensure secure transfer, storage and use of documentation and live-streaming feeds during virtual inspections. Concerning the format of inspections, comments ranged from:

To reduce the opportunity facilities may have to control what is displayed during a virtual inspection, respondents suggested PHAC should provide minimal advance notice of the inspection. From an efficiency and effectiveness perspective, suggestions included adequate inspector training on conducting virtual inspections as well as providing PHAC with pertinent documentation in advance (such as risk assessments, digital floor plans, etc.)

We were told

"There would be a large amount of documentation sent electronically to the inspectors - there would need to be appropriate safeguards to protect the transmission of the information."

Theme 8: International best practices

Background

Canada is a signatory to multiple international treaties and other commitments. These include the Biological and Toxin Weapons Convention (BTWC), a treaty that bans the development, stockpiling, acquisition, retention, production, and transfer of biological agents or toxins of types and in quantities that have no justification for prophylactic, protective or other peaceful purposes, and weapons, equipment, or delivery vehicles designed to use such agents or toxins for hostile purposes or in armed conflicts.

The HPTA/R is the primary legislation to support Canada's obligations under the BTWC through the establishment of national requirements for the safe and secure handling of human pathogens and toxins.

Questions asked in the consultation

  1. What international standards should be considered in developing legislative/regulatory amendments?
  2. Are you aware of any international compliance standards that can strengthen the HPTA/R?
  3. Before shipping a Security Sensitive Biological Agent (SSBA), should a regulated facility (including supplier companies) receive an attestation that the receiving facility intends to conduct legitimate and peaceful activities in accordance with any applicable legislation and international agreements?

What we heard

International standards

Overall, there was little to no support for using international standards as the basis for Canadian legislation. Less than one-fifth of respondents felt that international standards should be used to develop HPTR amendments. In the case of regulatory oversight models, the few who supported reliance on international standards pointed to the following resources:

An even smaller number felt that international compliance standards should be used to strengthen the HPTR. For compliance models, those who supported the concept pointed to the following resources:

Export and import

Nearly two-thirds of respondents said that prior to shipping an SSBA, a regulated facility should always receive an attestation that the receiving facility intends to conduct legitimate and peaceful activities in accordance with any applicable legislation and international agreements. Significantly smaller numbers indicated that an attestation should only be received if the material is being exported, contains an RG4 pathogen, or is an RG4 that is being exported.

Theme 9: Miscellaneous

In addition to the themes discussed above, the questionnaire sought feedback on cost recovery. There was also the opportunity to provide feedback on various issues that may not have been addressed by other areas of the questionnaire.

Questions asked in the consultation

  1. Are there risks associated with virtual inspections of facilities handling human pathogens and toxins? If so, what are they?
  2. What preventative measures should be in place to mitigate virtual inspection risks for regulated facilities?
  3. Should regulated parties (notably for-profit entities) contribute either in full or in part to costs incurred for certain government regulatory activities (e.g. licencing, security clearances and inspections)?

Cost recovery

There was no overall support for cost recovery from the regulated party for certain government regulatory activities such as licencing, security clearances, and inspections.

It was noted that several federal government departments (such as, CFIA, Health Canada) have a cost recovery mechanism in place as part of their service delivery. Furthermore, it was recognized that the potential increase in new private facility builds stemming from recent investments may present the GoC financial challenges in executing its mandate with the corresponding increase in regulatory activities. Several individuals suggested that if a for-profit entity were to make significant profit from having an HPTA-licensed facility, then they should contribute some if not all of the inspection costs. This cost of conducting business approach may also incentivize the entities to be compliant given the potential administrative fees.

However, it was widely held that there should be exceptions to a cost-recovery regime for academic institutions and not-for-profit entities such as public health laboratories. Note that these form a large percentage of the regulated party base. Additionally, there was a warning that if funding were provided by for-profit entities, then there may be pressure for, or the perception of, favouritism being shown to these paying entities.

Other comments

Feedback was received on various issues that were not addressed by other areas of the questionnaire.

BSOs

Stakeholders suggested BSOs be provided training on the basic knowledge of medical microbiology to facilitate appropriate assessments for handling both pathogens and associated materials. It was also suggested that PHAC consider quantitatively whether more than one BSO should be required for entities with multiple separate research groups. In general, it was noted that researchers could benefit from training on the risks of cyber threats and dual use issues in particular.

Biorisk management plans

Additional comments related to research and clinical trials involving human gene transfer, drugs engineered with genetic vectors with viral backbones, and biohazard transmission from a pathogen to a drug in dosage form. Recommendations for patient specimen manipulation in samples from patients suspected of high containment pathogens should not be unnecessarily prescriptive but practical and reasonable. Comprehensive biorisk management plans were suggested as a way to mitigate the malicious purposes of genomic sequencing for viruses and bacteria.

Streamline regulatory oversight

Harmonization of GoC regulatory regimes was identified by several respondents as creating redundancies and burdens upon organizations. It was highlighted that the CFIA continues to issue and maintain compliance letters for facilities that already possess an HPTA licence, when in their recommendation the PHAC licence should be considered sufficient to demonstrate compliance. It was also noted that there needs to be improved harmonization between PHAC and CFIA in the context of imports of biological material of RG2 or higher. Lastly, PHAC and Transport Canada should coordinate to develop reasonable and practical recommendations for the shipment of clinical specimens.

Balance between oversight and competition

There were several comments about maintaining a delicate balance between regulatory burden and competitiveness. In particular, as a small player and market in the global research field, any additional regulatory requirements must be tempered with a cost-benefit approach so as not to inhibit research or operations.

Next steps

These consultations were held pursuant to commitments made under regulatory review of the HPTR, which included seeking input through stakeholder engagement. The consultation has provided a better understanding of what changes and improvements should be made to the HPTR, specifically biosafety and biosecurity measures that could be considered for a non- GoC higher risk facilities.

The findings from the questionnaire are consistent with the current state of biosafety and biosecurity in Canada. The detailed feedback on existing processes and approaches, coupled with the identified areas of perceived risks and improvement, offers a strategic direction for enhancing the regulatory framework.

Moving forward, feedback will be analyzed to inform the policy development of any proposed regulatory amendments. There will also be consideration of appropriate implementation, and risk mitigation for unintended consequences on regulated parties.

Stakeholders will have another opportunity to provide feedback and comment on proposed regulations when they are published in Canada Gazette Part 1.

Glossary

Accident

The Canadian Biosafety Standard defines accident as an unplanned event that results in injury, harm or damage.

Australia Group

The Australia Group is an informal forum of countries which, through the harmonization of export controls, seeks to ensure that exports do not contribute to the development of chemical or biological weapons.

The Australia Group

Containment level (CL)

Minimum physical containment and operational practice requirements for handling regulated materials safely in laboratory, large-scale production, and animal work environments. There are 4 containment levels ranging from a basic laboratory (CL1) to the highest level of containment (CL4).

Containment zone

A physical area that meets the requirements for a specified containment level. A containment zone can be:

  • a single room (for example, a CL2 laboratory)
  • a series of co-located rooms (for example, several non-adjoining but lockable CL2 laboratory work areas)
  • comprised of several adjoining rooms (for example, a CL3 suite with dedicated laboratory areas, and separate animal rooms or animal cubicles)

Dedicated support areas are considered to be part of the containment zone. This includes anterooms with showers and "clean" and "dirty" change areas where required.

Controlled activities

Any of the following activities referred to in subsection 7(1) of the Human Pathogens and Toxins Act:

  • storing a human pathogen or toxin
  • producing a human pathogen or toxin
  • transferring a human pathogen or toxin
  • disposing of a human pathogen or toxin
  • importing or exporting a human pathogen or toxin
  • possessing, handling or using a human pathogen or toxin
  • permitting any person access to a human pathogen or toxin
  • releasing or otherwise abandoning a human pathogen or toxin

Human Pathogens and Toxins Act: Compliance and enforcement

Cyber security

The body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access. This ensures confidentiality, integrity and availability.

Dual-use potential

Qualities of a pathogen or toxin, scientific method, intellectual property or other related asset that allow it to be both:

  • used for legitimate scientific applications, for example:
    • medical purposes
    • research purposes
    • commercial purposes
  • intentionally misused to cause harm or disease

Examples of assets with dual-use potential include:

  • the discovery that a certain mutation results in resistance to all available treatments
  • a method that facilitates propagation of such pathogens in a non-traditional laboratory setting
  • pathogens or toxins that could be used as a biological weapon (in other words, for bioterrorism)
Incident

The Canadian Biosafety Standard, 3 rd edition defines incident as an event or occurrence that has the potential of causing:

  • harm
  • injury
  • illness
  • disease
  • damage
  • infection
  • intoxication

Incidents include accidents and near misses.

Information management

The set of policies, controls, procedures and structures which enable an organization to manage information as a corporate resource.

Insider threat

Malicious threat to an organization that comes from people within the organization (such as employees, former employees, contractors or business associates) who have inside information concerning the organization's security practices, data and computer systems.

Intangible assets

An intangible asset is a non-monetary asset that has no physical nature. It cannot be touched or felt.

IT security

Safeguards to preserve the confidentiality, integrity, availability, intended use and value of electronically stored, processed or transmitted information.

Near-miss

An event that could have resulted in exposure if there was also a break down in personal protective equipment or HVAC, such as a spill.

It may also be a break down in personal protective equipment that could have caused exposure if the pathogens had been present, such as a tear in the zipper of the positive pressure suit.

Pathogen

A microorganism, nucleic acid, protein, or other infectious agent that is transmissible and capable of causing disease or infection in humans or animals. Classified human and animal pathogens can be found on the PHAC's ePATHogen - Risk Group Database.

Risk group (RG)

The classification of a biological agent (that is a microorganism, protein, nucleic acid or biological material containing parts thereof) based on its inherent characteristics, including:

  • virulence
  • pathogenicity
  • communicability
  • the availability of effective prophylactic or therapeutic treatments

The risk group describes the risk to the health of individuals and the public, as well as the health of animals and the animal population.

Security sensitive biological agents

The subset of human pathogens and toxins that have been determined to pose an increased biosecurity risk due to their potential for use as a biological weapon. Security sensitive biological agents are identified as prescribed human pathogens and toxins by section 10 of the Human Pathogens and Toxins Regulations.

This means all RG3 and RG4 human pathogens that are in the List of Human and Animal Pathogens and Toxins for Export Control (published by the Australia Group), as amended from time to time, with the exception of:

  • rabies virus
  • Duvenhage virus
  • all other members of the:
    • Lyssavirus genus
    • vesicular stomatitis virus
    • lymphocytic choriomeningitis virus
  • all toxins listed in Schedule 1 of the Human Pathogens and Toxins Act that are listed on the List of Human and Animal Pathogens and Toxins for Export Control when in a quantity greater than that specified in subsection 10(2) of the Regulations

Learn more about:

Tangible assets

The physical assets of a firm or other entity that can be sold and therefore have a monetary value.

(Microbial) Toxin

A poisonous substance that is produced by or derived from a microorganism and can lead to adverse health effects in humans or animals. Human toxins are listed in Schedule 1 and Part 1 of Schedule 5 in the Act.

Prepared by

Office of Stakeholder Engagement and Regulatory Affairs
Centre for Biosecurity
Health Security and Regional Operations Branch
Public Health Agency of Canada

Page details

Date modified: