Language selection

Government of Canada / Gouvernement du Canada

Search

Audit of the Biosecurity Program at the Public Health Agency of Canada

Presented to the PHAC Departmental Audit Committee on January 24, 2019

January 2019

PDF version - 28 pages 660 KB

Table of Contents

List of Acronyms

CB
Centre for Biosecurity
CBSA
Canada Border Services Agency
CFIA
Canada Food Inspection Agency
COI
Conflict of Interest
HAA
Health of Animals Act
HAR
Health of Animals Regulations
HPTA
Human Pathogens and Toxins Act
HPTR
Human Pathogens and Toxins Regulations
iSTOP
Integrated Suite of Tools for Operational Processes
MOU
Memorandum of Understanding
NML
National Microbiology Laboratory
PIP
Performance Information Profile
PM
Performance Measurement
PRA
Pathogen Risk Assessment
PSDS
Pathogen Safety Data Sheets
RG
Risk Group
RLCM
Regulatory Life Cycle Management
SMD
Security Management Division
SOP
Standard Operating Procedure
SSBA
Security Sensitive Biological Agents
ToR
Terms of Reference

Executive Summary

The Biosecurity Program (the Program) is Canada's national authority for the biosafety and biosecurity of human and animal pathogens and toxins. The objective of the Program is to establish and maintain a strong and comprehensive safety and security regime which prevents, detects, and responds to the health risks posed by the use of human pathogens and toxins. The program operates under the authority of the Human Pathogen and Toxins Act (HPTA), the Human Pathogens and Toxins Regulations (HPTR) and sections of the Health of Animals Act (HAA) and Health of Animals Regulations (HAR).

What we examined

We reviewed the management control framework for the Program. The audit focused on governance, risk management, and internal controls, as they relate to:

  • compliance verification and monitoring activities, such as licensing, security clearances, inspections, and surveillance;
  • enforcement actions and responses to non-compliance and investigations;
  • processes related to monitoring and operational reporting (dashboards) for the Program;
  • Program-related interactions with the Canadian Food Inspection Agency (CFIA); and
  • development and implementation of procedures to mitigate threats to the Program's impartiality.

The audit also included an analysis of the functionality of the Integrated Suite of Tools for Operational Processes (iSTOP), as the Program relies on the system to carry out its regulatory activities.

Why is it important

The Biosecurity Program regulates the use of human and terrestrial animal pathogens and toxins to protect the health and safety of the public. Pathogens and toxins pose a risk to the public because of their ability to cause disease or death. The spread of infectious disease in Canada could result in substantial social and economic disruption and international repercussions. These agents are used in a wide range of Canadian sectors for many different purposes, including teaching and research at universities, disease diagnosis at hospitals and public health facilities, and vaccine development in the pharmaceutical industry. The Program's components were designed to prevent the accidental release of these agents from a laboratory, including via an infected worker, and to prevent their deliberate release through an act of terrorism or other criminal activity. The Program also helps Canada meet its obligations under the International Health Regulations and the Biological Toxins and Weapons Convention.

What we found

We found that effective management controls were in place to ensure a safe and secure regime to protect the health and safety of the public against risks posed by the use of human pathogens and toxins. Management processes and practices were effective in the following areas:

  • comprehensive committee governance structures that support effective oversight, risk awareness and management, and operational cooperation;
  • coordination and collaboration between the Program and CFIA in support of their joint responsibilities; 
  • risk management practices that were effectively embedded into the operational  activities of the Program;
  • an information management system, complete with qualified resources and comprehensive standard operating procedures (SOPs) to support consistent regulatory activities; and
  • compilation and analysis of incident reports to facilitate real-time recognition of trends to assist stakeholders in managing emerging risks to public health and safety.

We also identified opportunities for improvements in the areas of:

  • raising employees' awareness of their conflict of interest (COI) obligations;
  • establishing procedures for the selection of designated HPTA analysts that have no potential or perceived conflicts of interest, in the event of a situation at the National Microbiology Laboratory (NML), or a situation involving one of its employees that would require pathogen analysis by a designated analyst;
  • implementing a risk-based process to monitor user activity within iSTOP in order to verify the accuracy of records and of the reporting process;
  • strengthening the Program's inspection framework through the articulation of senior management's risk tolerance with regards to the frequency of inspections for Risk Group (RG) 2 licenses and further refinement of risk criteria and ratings once sufficient data is gathered; and
  • ensuring the security screening process under the HPTA is accurate, efficient, and in accordance with the service level agreement.

The areas for improvement noted in this audit report and associated recommendations will collectively strengthen the management of the Biosecurity Program. Issues identified as being minor in nature have been brought to management's attention.

A - Introduction

  1. Pathogens and toxins pose a risk to human health, animal health, and public safety because of their ability to cause disease and sometimes death. Whether unintentional or deliberate, the release of a pathogen from a laboratory environment into the community can result in serious consequences to the health and socio-economic wellbeing of Canadians, and can pose a threat to national security. Without proper controls, biosafety or biosecurity incidents may result in catastrophic repercussions, including a public health disease outbreak with multiple illnesses or deaths, as well as economic losses due to stricter border and trade controls.
  2. Biosafety and biosecurity are two distinct yet intertwined facets of the Agency's mandate. Biosafety is meant to protect humans and animals, from individuals to entire species, by means of safe handling, transportation, and storage (biocontainment). Biosecurity refers to the safekeeping of high-risk pathogens or toxins, including Security Sensitive Biological Agents (SSBAs), from ill-intentioned individuals or organizations.
  3. There are approximately 1,000 licence holders in Canada that have one or multiple laboratories under their management. These laboratories are found in universities and colleges, health care diagnostic facilities, federal, provincial and territorial governments, pharmaceutical and biotechnological facilities, and commercial distributors.
  4. The Biosecurity Program is Canada's national authority for the biosafety and biosecurity of human and terrestrial animalFootnote 1 pathogens and toxins. The program operates under the authority of the Human Pathogens and Toxins Act (HPTA) and Human Pathogens and Toxins Regulations (HPTR), which came into effect on December 1, 2015. Furthermore, in April 2013, certain provisions of the Health of Animals Act (HAA) and Health of Animals Regulations (HAR) related to the importation of indigenousFootnote 2 terrestrial animal pathogens were transferred from CFIA to PHAC.
  5. Pathogens and toxins are classified into four risk groups based on their relative hazards to human and animal health, with RG4 pathogens being those with the highest risk. The Act and Regulations apply to all persons and facilities in Canada that are conducting controlled activities with pathogens and toxins from Risk Group (RG) levels 2, 3, and 4, while RG1 pathogens are not regulated.  
  6. To protect the health and safety of Canadians from risks associated with the use of human and terrestrial animal pathogens and toxins, program components include laboratory licensing, individual security clearances for high-consequence pathogens, incident reporting, pathogen risk assessments (PRAs), standards development and implementation, stakeholder outreach and engagement, and compliance and enforcement.
  7. The Biosecurity Program is managed through the Centre for Biosecurity (CB, or the Centre) within the Health Security Infrastructure Branch (HSIB). The Centre is comprised of four different offices whose responsibilities are outlined in Appendix A. The Program's annual budget is approximately $8.5 million, with 75 full-time equivalents. This audit predates the August 2018 integration of the Office of Border and Travel Health into the Centre.
  8. The appendices for this audit report provide additional information on the results of the audit and how it was conducted: Appendix B – Scorecard, Appendix C – About the Audit, and Appendix D – Lines of Enquiry and Criteria.

B - Findings, Recommendations and Management Responses

Governance

Oversight Structure

  1. A governance framework is a set of rules and practices by which an organization ensures coordination, leadership, and accountability. Ultimately, the application of good governance contributes to the effective and efficient realization of strategic and organizational goals.
  2. We expected to find governance mechanisms with clearly defined roles, responsibilities, membership, and decision-making authority that support the Centre for Biosecurity's regulatory activities.
  3. We found that senior management committees were in place at the branch and directorate levels. In addition, there were various operational-level committees and working groups. This governance structure was appropriate, as it reflects the complexity and shared responsibilities of the Program's activities. Through their respective mandates, senior management committees provided an effective oversight and decision-making function, while supporting collaboration, information sharing, and transparency for the delivery of the Program. Operational committees below the senior management level provided additional support and direction.
  4. We reviewed seven Terms of Reference (ToR) for senior and working-level committees and found that one ToR was not current and another committee did not have a ToR. In addition, one ToR did not describe the committee's decision-making authority, nor did it identify alternate members. Updated ToRs for all key committees would ensure accountabilities are appropriate, optimized, and documented. Provision of decision-making authorities within ToRs will also help ensure that committees make decisions on their areas of responsibility.  
  5. A sample of agendas and meeting minutes was reviewed to confirm that committees were working efficiently and effectively. We found that the Directors Working Group performed decision making through consensus. However, we noted a high number of instances where the number of participating directors was less than other participants in attendance. The ToR did not provide for the delegation of authority at these meetings or cover what was considered to be a quorum, which may have impeded effective committee operations.
  6. In addition, members of the Centre for Biosecurity (CB) middle management committee indicated that receipt of agendas in advance was sporadic or last minute, and resulted in lengthy briefings on issues during the meeting that could have been provided in advance. Considering the large number of managers in attendance, this may not have been an efficient use of their time.  
  7. We noted an overlap of activities and responsibilities between the CB management committee and the Regulatory Life Cycle Management Committee (RLCM). The RLCM's mandate was to provide strategic direction and decision making on horizontal initiatives involving PHAC regulatory programs. It also provided a forum for CB senior management to discuss, provide strategic direction for, and make decisions on the regulation of human pathogens and toxins. This overlapped with the Centre's existing internal governance mechanisms. However, the Office of Border and Travel Health, which is the other regulating program, was merged with the Centre in August 2018, and as a result, this committee will be dissolved.
  8. Overall, with some minor exceptions, this audit found the establishment of governance structures and related mechanisms to effectively support the Centre for Biosecurity's regulatory activities.

Conflicts of Interest

  1. Independence is a critical attribute for a regulator to be effective. Conflicts of interest (COI) bring into question the integrity and fairness of decisions made by regulators. If not properly addressed, conflicts of interest can increase the level of distrust and cynicism toward regulators and, over time, affect the legitimacy and effectiveness of actions.
  2. We expected to find established mechanisms to manage conflicts of interest, especially regarding the National Microbiology Laboratory (NML), as both the laboratory and the Centre are under PHAC's authority.
  3. With any regulatory program, there is a risk that employees will allow prejudice or bias to override objectivity or use information obtained in the course of their duties for personal benefit or gain. For the period of this audit, the Centre had not established stand-alone or program-specific policies and procedures to assess and mitigate the risks posed by conflicts of interest, relying instead on the department-wide COI process. However, in May 2018, the Centre developed a COI Declaration Process with an associated COI Declaration Form. Specific measures at the program level to raise employee awareness about real or perceived COI and of their obligation to declare them would maintain the integrity of the process.
  4. We found that the Centre maintained an arms-length relationship with the NML by being both structurally and financially independent. Under the HPTA, HPTR, HAA and HAR, the Centre was delegated the authority to regulate facilities conducting controlled activities, including the NML. The Canadian Biosafety Standard (CBS) was used as the basis for compliance monitoring and verification. Our analysis of compliance monitoring and verification activities conducted at the NML, as well as interviews with inspectors, allowed us to conclude that the NML was subject to the same amount of rigor and objectivity as any other regulated party.
  5. Under the HPTA, the Minister may designate analysts for the administration and enforcement of the Act and Regulations, and an inspector may submit anything they have seized or taken for examination by a designated analyst. This is particularly important for penal enforcement. We noted that the current pool of designated analysts was housed within the NML and CFIA's National Centre for Foreign Animal Disease (NCFAD). In the event of a situation at the NML, or situation involving one of its employees, an analysis of pathogens by a designated analyst would be required; however, using an NML-designated analyst could give rise to the appearance of a conflict of interest, which could undermine penal enforcement efforts. Although this risk was mitigated by the Program's ability to use the NCFAD laboratory for appropriate sample storage, analysis, and detention, as well as close monitoring of the NML through yearly inspections and ongoing support, the lack of a contingency plan could result in the Program being reactive, leading to confusion and inefficiency, and affecting the Centre's reputation as an effective regulator.
  6. Overall, we concluded that the Program maintained an arms-length relationship with the NML. However, there were no procedures in place for the selection of designated HPTA analysts with no potential or perceived conflicts of interest, in the event of a situation at the NML, or involving a NML employee, that would require the analysis of pathogens by a designated analyst. In addition, the Program had not established specific measures at the program level to raise employees' awareness of their COI obligations.

Recommendation 1

The Vice-President of the Health Security Infrastructure Branch should:

  1. raise employees' awareness of their conflict of interest obligations; and
  2. establish procedures for the selection of designated HPTA analysts with no potential or perceived conflicts of interest, in the event of a situation at the NML, or involving a NML employee, that would require pathogen analysis by a designated analyst.

Management response

Management agrees with this recommendation.

To maintain confidence in the impartiality of regulatory processes and as part of our obligations under Chapter 2 of the Public Health Agency of Canada's Values and Ethics Code, all Centre for Biosecurity employees are required to declare that they have read, understood and have acted according to their conflict of interest (COI) obligations under the Code. In support of this, the Centre for Biosecurity developed a program specific document to raise employees' awareness of their obligations and of potential or perceived conflicts of interest that may apply specifically in their regulatory role.

To maintain confidence in the impartiality of regulatory and penal enforcement processes, the Centre will develop procedures for the appropriate selection of HPTA analysts that have no potential or perceived conflicts of interest.

Collaboration with CFIA

  1. The respective administration of the HAR by each Agency (PHAC and CFIA) provides an opportunity to deliver a united approach to animal pathogen oversight. Collaboration between the Agencies is essential to support regulated parties by improving efficiency and reducing duplication.
  2. We expected to find a coordinated and collaborative approach to the joint responsibilities under the HAR.
  3. A Memorandum of Understanding (MOU) was in place that articulated the vision, mission, guiding principles, and values, as well as clearly defined roles and responsibilities for collaborative activities between the Agencies. The Program and CFIA participated in joint inspections and worked together through the Interdepartmental Interpretation Working Group, whose mandate was to develop a consistent interpretation of the Canadian Biosafety Standards. We also found that both Agencies demonstrated a willingness to collaborate by establishing lines of communication, at both the inspector and Director General levels, in an effort to address any difficulties arising from their joint responsibilities.

Risk Management

  1. Risk management is an integral component of good management that supports organizations in making informed decisions for allocating resources, mitigating threats, and proactively capitalizing on opportunities. However, risk management is not a one-size-fits-all approach, but rather a process that is tailored to the organizational environment, including its mandate, structure, operations, and related constraints. 
  2. We expected to find an effective risk management process in place where risks, including biosafety risks outside of the current oversight framework, were identified, assessed, managed, and reported.
  3. We found that the risk management process in place for the Centre incorporated and addressed key risks related to the Biosecurity Program, and was effectively integrated within the operational planning process at the branch and program levels.
  4. The Centre developed a risk register that identified key risks that were also reflected in the Branch Operational Plan (BOP) and Corporate Risk Profile (CRP). We noted that the Centre's risk register had not been updated since February 2016. However, at the time of the audit, the Centre was developing its strategic plan and updating its risk register.
  5. In addition, the Centre embedded risk management into its operational structure through ongoing activities and key initiatives designed to create a cohesive integrated risk management environment. Key processes and activities in support of this environment included:
    • collection and analysis of reported incidents for the identification of patterns or trends that highlight common or emerging issues;
    • participation in various interdepartmental committees identifying pathogen security priorities;
    • collaboration on the international stage through global health security partnerships and outreach; and
    • engagement with the Canadian do-it-yourself biology community to raise awareness of safe laboratory practices and promote responsible innovation.  
  6. A semi-annual review of the Centre's operational plans allowed for monitoring and review of the Centre's priorities. Initiatives and activities were monitored and reported both formally, through documented reporting, and informally, through bilateral discussions.
  7. Overall, we concluded that the Program implemented adequate processes for identifying, assessing, managing, and reporting on key risks and related initiatives.

Communication with Stakeholders

  1. Communication of information plays a strategic role within a regulatory environment. Effective communication supports the development of positive relationships with the stakeholder community and can also be used to influence wider attitudes and behaviours.
  2. We expected to find that the Program disseminated timely and relevant information to its stakeholder community. 
  3. We found that information was disseminated to the wider stakeholder community through quarterly newsletters, risk notices, and workshops. The Centre also provided specific regulatory information to the appropriate parties through the Biosafety Officer (BSO) Network, Biosafety Advisories, and targeted newsletters. Our review of various communication activities determined that the information provided to stakeholders and regulated parties was timely and provided relevant information.      
  4. Web statistics were collected mainly to determine the frequency of when the Pathogen Safety Data Sheets (PSDS) were consulted, the distribution of webpage views by country, and mobile application downloads. These statistics enabled the Program to determine whether it remained worthwhile to develop these products, as they are not required by the HPTA and HPTR. Furthermore, in August 2018, the Centre launched a stakeholder survey to obtain feedback on the effectiveness of communication and training results. This feedback aims to improve future communication with stakeholders.
  5. We concluded that the Program provided timely and relevant information to stakeholders and implemented continuous improvement initiatives.

Internal Controls

Capacity, Training and Information Technology

  1. To ensure a program meets its objectives, the organization must have sufficient and qualified human resources. Human resource planning must be aligned with strategic and business planning, and the organization must provide employees with the necessary training to support the discharge of their responsibilities. In addition, leveraging technology can help to increase efficiency and optimize processes. 
  2. We expected to find that the Centre had sufficient and qualified human resources in place, as well as adequate tools, to meet its program objectives.
Capacity and Training
  1. We found that, although the Centre did not establish a formal recruitment strategy, it undertook several recruitment activities, including staffing processes at various classification levels, student bridging, and recruitment events at universities. These activities helped the Centre to fill vacant positions required for the delivery of compliance monitoring and verification activities, especially within the Biological Sciences Group.
  2. Since the inception of the Program, total vacancies have been reduced from 32% in 2016 to 19% in 2018. Nevertheless, seven positions have largely remained vacant over the past three years despite the Program's efforts to fill them. These vacancies have affected the Program's ability to undertake planned activities and have contributed to delays in drafting regulatory policies and developing new PSDS, and have exacerbated the backlog of Pathogen Risk Assessment (PRA) and Plans for Administrative Oversight (PAO) reviews. 
  3. The Inspector Training Policy and the Designation Policy provided a framework for the training of inspectors designated under the HPTA and the HPTR. It clearly identified the competencies required of inspectors and performance criteria, as well as outlining the policies for mentoring, training, and assessment of inspectors. The various training activities aimed to develop and maintain a skilled inspectorate to perform compliance monitoring, verification, and enforcement activities. Audit interviews highlighted that the majority of inspectors thought that the training activities met their needs and allowed them to carry out their responsibilities.
  4. Training activities were recorded and monitored using individual training records and a master tracker. Analysis of a sample of training records and competency checklists identified that records were not completed consistently, and relevant information was either missing or had discrepancies.  
Information Technology
  1. At the onset of the Program in December 2015, the Centre implemented the Integrated Suite of Tools for Operational Processes (iSTOP) to support the implementation of the HPTA. The system was used for the majority of the Program's activities, including the processing of license applications, recording of inspection and enforcement activities, and pathogen risk assessments (PRAs), as well as reporting of exposure incidents.
  2. Updates to iSTOP were effectively managed by a multidisciplinary team and overseen by senior level project governance. The development process was based entirely on user input, as the software was in a constant state of testing by the users themselves. The iterative development approach allowed for a quick turnaround on IT issues, as the releases were frequent.
  3. Through audit interviews and observations, we noted that there were redundancies, manual data entry, and difficulties in searching for information. For instance, inspection checklists were paper-based and manually entered in iSTOP. These manual operations were not only time-consuming, but also led to the possibility of inputting data incorrectly, which could have affected data integrity.
  4. Audit interviews with program employees identified that, although some of these issues were attributed to iSTOP limitations, discrepancies in data input methods and searching capabilities were mostly due to insufficient training and lack of familiarity with the system as a result of limited exposure.
  5. IT controls to ensure segregation of duties are an important control in which more than one person is required to complete a task, and is intended to prevent fraud or error. Our analysis of inspection activities within iSTOP identified that user access rights did not prevent an individual from preparing, reviewing, and approving inspection reports. The risk of fraud or error was mitigated through a suite of SOPs governing both inspections and reporting. For instance, a minimum of two inspectors conduct and document each inspection, verbally debrief the regulated party at the end of the inspection, and review the report in iSTOP. Moreover, audit logs maintained a record of each individual's activity within iSTOP, though these were not systematically reviewed.
  6. Overall, we found that the Centre had sufficient and qualified human resources and had leveraged information technology to meet its program objectives. However, the lack of monitoring of user activity may have undermined the integrity of the reporting process. 

Recommendation 2

The Vice-President of the Health Security Infrastructure Branch should establish a process to monitor user activity within iSTOP to ensure integrity of the reporting process. 

Management response

Management agrees with the recommendation.

Management recognizes the importance of preventing fraud and error in the reporting process. Since the period covered by the audit, standard operating procedures have been implemented to reinforce the division of responsibilities and delegated authorities in the use of iSTOP.  In response to an IT Security audit, iSTOP access controls were further strengthened to align privileges with user roles and delegated authorities. In addition to the measures already taken, the Centre will establish a risk-based operational process to verify that user activity within iSTOP is being conducted in accordance with established policies and procedures.

Compliance Monitoring and Verification

  1. Monitoring and verification of a facility's compliance with regulations for safe use and secure laboratory containment of human pathogens ensures protection of public health. The delivery of effective and consistent compliance monitoring and verification activities not only enables inspectors to carry out comprehensive monitoring and verification activities, it also ensures that regulated organizations are treated fairly and equitably.
  2. We expected to find processes in place to ensure effective, efficient, and consistent delivery of compliance monitoring and verification activities.
Inspections
  1. We found that the Program implemented clear policies, SOPs, processes, and templates, aimed at obtaining effective and consistent inspection activities. The Program also implemented processes, including benchmarking exercises, to ensure continuous improvement of inspection activities. 
  2. We reviewed 20 inspection reports from different risk group laboratories and noted that, although there were minor discrepancies related to follow-up requirements, inspection activities were carried out consistently, from planning and reporting to communications with regulated parties. We also observed inefficiency in the inspection process with regard to manual data entry, as discussed in the section above. 
  3. The Program communicated its Policy on Compliance Monitoring, Verification and Regulatory Risk-Based Activities to regulated parties to ensure transparency. The Policy breaks down licensed laboratories into risk groups (RG): RG4 is the highest and RG2 is the lowest. The Program committed to inspecting RG4 licenses every year, RG3 licenses once every three years, and a risk-based percentage of RG2 licenses annually. During the period of the audit's scope, mandatory commitments for RG4, RG3, and SSBA licenses were met. In 2016-17, the Program did not meet its target with regard to RG2 licenses, as a result of resources being prioritized to the issuance of licenses for the first half of the year. In 2017-18, the program inspected 4% of the RG2 population of 885 licenses, for a total of 45 inspections. At this rate, it would take over 20 years to inspect all RG2 license holders at least once.
  4. The Policy on Compliance Monitoring, Verification and Regulatory Risk-Based Activities outlined the six risk factors that were considered when identifying potential inspections of RG2 licenses. These included compliance history, robustness of an organization's biosafety and biosecurity program and management, complexity of the organization's activities, complexity of oversight, new or emerging safety and security risks, and external risk identification. Even though the selection criteria took into account relevant and adequate factors, according to the number of RG2 inspections, the Program had insufficient data to determine whether high-risk scores correlated to actual biosafety and biosecurity risks that were observed during inspections.
  5. In addition, we found that senior management did not articulate its risk tolerance with respect to the number of RG2 licenses to be inspected in any given year. Targets for RG2 inspections were established annually based on available resources. At the time of the audit, the Program was examining the possibility of developing a statistical model that would determine a sample size that is representative of the entire population.
  6. Articulating management's risk tolerance, as well as refining risk factors and ratings, would ensure that resources are deployed where they are most needed, and allow the timely monitoring and verification of higher-risk laboratories.

Recommendation 3

The Vice-President of the Health Security Infrastructure Branch should articulate senior management's risk tolerance for Risk Group 2 inspections, and re-evaluate the inspection selection risk factors and ratings once sufficient data is gathered to represent a statistically relevant sample size.

Management response

Management agrees with the recommendation.

Management recognizes the importance of deploying resources to where they are most needed and targeting monitoring and verification activities to areas of higher risk. The Centre will engage senior management to articulate risk tolerance with regard to the frequency of inspection of Risk Group 2 licence holders and develop a plan to evaluate Risk Group 2 inspection selection risk factors and ratings once sufficient data is gathered. 

Border Import Monitoring
  1. During the period of the audit's scope, the Canada Border Services Agency (CBSA) shared commercial customs data electronically with federal organizations through a project called Pathfinder. These data entries came in the form of a daily feed from the Pathfinder application, which collects information on all imports. Upon receipt of the data, various filters were applied to identify the highest priority entries for which monitoring activities were required. 
  2. We reviewed a sample of 25 Pathfinder entries that were deemed potentially risky by the Program. We found that for 72% of entries had appropriate monitoring activities, including reaching out to the importer and performing unannounced inspections, with an average delay of just over 200 days between receiving the data feed and initiating the follow-up. This information also included an outlier that affected the subset average, resulting in a complex policy issue, as discussed further below. We noted that there were no dedicated resources for performing follow-up activities. These were instead performed by licensing technologists, in addition to their everyday tasks which took priority. The lack of timeliness of follow-up activities raises the possibility that a given pathogen had already been used in an unsafe or malevolent manner.
  3. In April 2018, the CBSA made changes to the Single Window Initiative to reflect the use of Integrated Import Declaration. Through the Single Window Initiative, traders were able to submit all required import information to the CBSA electronically. In turn, the CBSA transmitted the information to the appropriate department or agency responsible for regulating the goods. These departments and agencies assessed the information and provided any necessary border-related decisions. This initiative was expected to mitigate the risk of organizations and individuals importing regulated materials without a valid license.
  4. In addition, 56% of our sample was from intermediary companies, which included brokers, distributors, drop-shippers, and e-commerce companies. The HPTA was unequally applied to intermediary companies. This created a public health risk, as employees at some facilities may have been conducting controlled activities involving human pathogens and toxins without a license and, as such, were not subject to compliance monitoring and verification. At the time of the audit, the Program was analyzing and developing policy options for licensing of intermediary companies.
  5. We concluded that, although the Program monitored border imports, delays in follow-up measures and immediate actions could have led to the public being exposed to harmful pathogens. This risk is expected to be mitigated by the recent updates to the Single Window Initiative.    

Enforcement Activities

  1. A well-formulated enforcement strategy is one that provides correct incentives for regulated parties, as well as appropriate guidelines for staff carrying out enforcement activities. Enforcement actions should be aimed at reducing the actual risk posed by non-compliance, and should be proportionate to the severity of the potential risk. This reduces the burden on businesses and citizens while improving the desired outcomes.
  2. We expected to find enforcement activities that were conducted consistently and in accordance with regulatory requirements, policies, procedures, and guidelines.
  3. We found that the Program had adopted a risk-based approach to enforcement, where actions taken were proportionate to the seriousness of deficiencies and the resulting non-compliance. The Program also developed a Compliance and Enforcement Policy that was aligned with PHAC's Compliance and Enforcement Framework, and complimented by the Compliance and Enforcement Continuum. The Policy depicted a progressive approach to enforcement, where the degree of an activity took into account a variety of factors, such as the harm or potential harm an infraction caused or may cause, the compliance history of the regulated party, whether the regulated party acted with indifference, and the likelihood that the problem will recur. The Continuum specifies that the first enforcement actions undertaken will usually be more lenient, before applying increasingly stringent measures.
  4. Our review of a sample of 18 enforcement activities allowed us to conclude that activities were aligned with the Policy and the Enforcement Continuum. Situations of non-compliance were appropriately documented and the resulting enforcement action was justified. In addition, there was appropriate management oversight over enforcement activities. 

Biosafety and Biosecurity Activities

  1. Controlled activities with human pathogens that are classified as RG2 to RG4, or with toxins listed in Schedule 1 of the HPTA, require a license issued by the Program. The Program conducts pathogen risk assessments (PRAs) to determine the human and animal risk group classifications and corresponding containment level. In addition, regulated parties are required to obtain an HPTA Security Clearance if they work with, or have access to, prescribed human pathogens and toxins, knowns as Security Sensitive Biological Agents (SSBAs), that if misused, can pose a risk to Canada's national security.  
  2. We expected to find that biosafety and biosecurity activities, including PRAs, the issuance of security clearances, and processing of license application to have been carried out efficiently and effectively.
Pathogen Risk Assessments (PRAs)
  1. Through its legislative mandate, the Advisory Committee on Human Pathogens and Toxins has the authority to advise on modification of Schedules 1 to 5 to the HPTA by recommending additions or deletions of human pathogens or toxins. Comprised of subject matter experts, the committee was involved in mitigating the risks that pathogens and toxins may not be properly categorized.
  2. We found that the Program had developed an effective process for the proper assignment of pathogen and toxin risk groups through comprehensive methodologies, criteria, SOPs, training, and tools. Our review of a sample of 40 PRAs noted that the majority of the assessments were effectively completed by applying the methodologies. A management review process was established, but it was not always completed in a timely manner, creating a substantial backlog. Potential reasons for this backlog included only having one approving authority, as well as the steadily increasing number of requests. Delays in assessing the risk group of pathogens may have resulted in regulated parties performing controlled activities within inappropriate containment levels; however, this is highly unlikely due to the Program's close monitoring of emerging pathogens.
HPTA Security Clearances
  1. Authority to issue HPTA Security Clearances to regulated parties working with SSBAs resided with the Director General (DG) of the Centre; however, applications were processed by the Security Management Division (SMD), within the Corporate Services Branch (CSB) at Health Canada.  A service level agreement was in place aimed at establishing clear expectations between the Program and the Security Management Division. 
  2. The HPTR articulates risk assessment criteria to identify the potential risk to the health and safety of the public. A security clearance can only be refused when an applicant poses undue risk to the health or safety of the public. The risk assessment criteria were imbedded in the SOPs to assess potential adverse information for applicants. In the event that potential adverse information relevant to issuance was discovered, the file was reviewed by the Interdepartmental Security Advisory Forum (ISAF), who is tasked with formulating a recommendation to the DG of the Centre.
  3. We found that the HPTA Security Clearance Framework provided the necessary guidance and tools to process security clearances, establish roles and responsibilities, and ensure consistent application. We reviewed 45 security files and found that the process in place was not efficient and did not meet established service delivery standards. For instance, the preliminary assessment of the application to determine if it was complete, and if all required documents were provided, was not conducted thoroughly. This led to inaccuracies and numerous interactions with the applicant, sometimes spanning several months and leading to delays in issuance. Furthermore, evidence of issuance of an acknowledgment letter of receipt of the application was also missing in twelve files, making it difficult to accurately report on this particular service delivery standard.
  4. The Program committed to a service delivery standard of five business days for the issuance of an acknowledgment letter of receipt of a HPTA security clearance application and 80 business days for the issuance of HPTA security clearance upon receipt of a completed application that contained no adverse information. For 2017-18, only 21% of acknowledgment letters were issued within five business days, and 45% of security clearances were issued within the established 80 days.
  5. Inaccuracies and delays in processing security clearance applications affected the Agency's ability to effectively regulate individuals who have access to a prescribed list of high-risk human pathogens and toxins, thus posing a risk to the health and safety of the public.

Recommendation 4

The Assistant Deputy Minister of the Corporate Services Branch should ensure the security clearance process is administered accurately, efficiently, and in accordance with the service level agreement established with the Centre for Biosecurity.

Management response

Management agrees with the recommendation.

CSB-SMD will improve and align the monitoring, processing and reporting systems and practices for the HPTA Security Clearances. Weekly reporting and bi-weekly meetings will occur to permit accurate and efficient reporting.

CSB-SMD, in collaboration with the Biosecurity Program, will develop security training and reporting tools that will ensure that the service standards are met for the HPTA Security Clearances.

HPTA Licenses
  1. We reviewed a sample of 40 license applications and found that the Program established effective processes for the issuance of HPTA licenses. The process included validation of organizations and Biosecurity Portal applicants (Licence Holders, Biological Safety Officers, and Alternate Biosafety Contacts) to ensure legitimacy before granting them access, and a comprehensive scientific review to determine if the applicant's facilities have the appropriate containment level, corresponding to the risk group of the pathogens or toxins.
  2. We also noticed that in 2016-17, eight license applications were approved by individuals other than the Manager of the Inspection Program, who was the delegated authority. The dates on which these particular licenses were approved correlated with the surge in license applications following the enactment of the HPTA. As a result, Inspection Managers provided assistance to the Licensing Program to reduce the backlog, and senior management authorized the deviation in authorities.
  3. The Program committed to a service delivery standard of 80 business days for the issuance of a RG2 License upon receipt of a completed application. For 2017-18, 100% of RG2 licenses were issued within the established service standard.
  4. We also found that there was a process in place to remove expired or revoked licenses from circulation. As all licenses were electronic and were accessible in the Biosecurity Portal, when they became expired or revoked, access to the license was disabled. Although organizations or individuals could be performing controlled activities without a license, other program activities were in place to mitigate the associated risk.

Surveillance

  1. Through the mandatory reporting of laboratory incidents, the Centre collects national data that facilitate real-time recognition of trends in exposure incidents. This enables the Program to assist stakeholders in managing emerging risks to public health and safety.
  2. We expected to find that surveillance activities were effectively conducted to detect and assess biosecurity risks and trends.
  3. The reporting module within the Biosecurity Portal allowed for the creation, storage, and submission of reports by users. Reports captured exposure incidents, missing, lost or stolen human pathogens, and their inadvertent possession, production or release. A follow-up report was required and aimed to identify the likelihood of reoccurrence, the root causes, and corrective actions taken. This information provided useful and relevant data for the Program to compile data and analyze for trends.
  4. Internally, the compilation and analysis of trends and patterns were presented in monthly reports and in the quarterly dashboard presented to senior management. In addition, results of surveillance activities were communicated to stakeholders via newsletters and other publications. These products highlighted trends and patterns, possible root causes, and identified mitigating measures to implement.

Monitoring and Reporting

  1. Monitoring and reporting can help an organization extract, from past and ongoing activities, relevant information that can subsequently be used as the basis for course correction and planning. Without monitoring and reporting, it would be impossible to judge if work was going in the right direction, whether progress and success could be claimed, nor how future efforts might be improved.
  2. We expected to find that an effective monitoring and reporting framework had been established that enabled decision making to support program improvements.
  3. We found that, through participation at various interdepartmental committees and attendance at select conferences, the Program was kept abreast on initiatives, potential changes to legislation, and emerging risks to support program improvements. Processes were implemented for staff to report and share information gathered at such events in trip reports, which were then presented to management. These reports and ensuing discussions could lead to changes in program activities and deliverables.
  4. The Centre also implemented processes to identify potential changes in legislation that could have an impact on the program. The two-pronged approach included scanning the Canada Gazette for regulatory proposals with potential implications and through requests from other federal organizations to review and comment on regulatory proposals.
  5. A Performance Measurement (PM) Strategy for the Biosecurity Program was drafted and approved by the Director General in November 2016. The PM Strategy set out the 32 indicators used for ongoing monitoring and reporting on the performance of the Program. The indicators identified in the strategy aligned with those identified in the Agency's Performance Measurement Framework and related products, demonstrating careful consideration and linkages between the two frameworks. 
  6. However, key elements of the PM Strategy were not put into effect and the Strategy was not implemented, due to the Government of Canada's new approach to performance measurement, which ushered in the Policy on Results, the Departmental Results Framework, and the Program Performance Information Profiles (PIPs).
  7. For most of 2017, the Program developed its PIPs, resulting in significant changes to its logic model and associated performance indicators. The PIPs were officially approved in October 2017. At the time of the audit, the Program had signaled that data collection was underway and that 2017-18 results would be reported in the fall of 2018-19. We noted that program performance had been monitored and reported through other mechanisms, including reporting annually on the three existing performance indicators included in the Agency Performance Measurement Framework, as part of the Departmental Results Report process. Nevertheless, it would be beneficial for the Program to prioritize implementation of the PIP in an effort to strengthen the ongoing monitoring and assessment of performance across the Program, in order to inform course corrections, where necessary.
  8. We found that there was an operational dashboard process in place to inform senior management. Data sources and methods to extract information for the creation of operational reports and resulting dashboards were established and being consistently used. The responsible individuals were aware of their roles and responsibilities for collecting and recording information, creating reports, and reviewing the accuracy and completeness of those reports. The relevant Directors and Director General were involved in reviewing the reports and approving them prior to being presented to the Vice-President.
  9. Although the dashboard provided a snapshot of key activities, it was quite brief and the information presented was focused on operations. The Interpretation and Observation Note complimented the operational dashboard and provided details on the activities reported. It would be beneficial for the Program to integrate performance metrics within the dashboard.
  10. Overall, we found processes in place to capture and review operational results for accuracy and completeness, and provide senior management with information for decision making related to the Program.

Conclusion

  1. Overall, we found that effective management controls were in place to ensure a safe and secure regime to protect the health and safety of the public against risks posed by the use of human pathogens and toxins.
  2. Areas where good practices were identified included:
    • comprehensive committee governance structures that support effective oversight, risk awareness and management, and operational cooperation;
    • coordination and collaboration between the Program and CFIA in support of their joint responsibilities; 
    • risk management practices that were effectively embedded into the operational  activities of the Program;
    • an information management system, complete with qualified resources and comprehensive standard operating procedures (SOPs) to support consistent regulatory activities; and
    • compilation and analysis of incident reports to facilitate real-time recognition of trends to assist stakeholders in managing emerging risks to public health and safety.
  3. We also identified opportunities for improvements in the areas of:
    • raising employees' awareness of their conflict of interest (COI) obligations;
    • establishing procedures for the selection of designated HPTA analysts that have no potential or perceived conflicts of interest,in the event of a situation at the National Microbiology Laboratory (NML), or a situation involving one of its employees that would require pathogen analysis by a designated analyst;
    • implementing a risk-based process to monitor user activity within iSTOP in order to verify the accuracy of records and of the reporting process;
    • strengthening the Program's inspection framework through the articulation of senior management's risk tolerance with regard to the frequency of inspections for Risk Group (RG) 2 licence holders and further refinement of risk criteria and ratings once sufficient data is gathered; and
    • ensuring the security screening process under the HPTA is accurate, efficient, and in accordance with the service level agreement.
  4. The areas for improvement noted in this audit report and associated recommendations will collectively strengthen the management of the Biosecurity Program. Issues identified as being minor in nature have been brought to management's attention.

Appendix A – Roles and Responsibilities

The Centre for Biosecurity (the Centre) is comprised of four different offices, which administer and enforce the Human Pathogens and Toxins Act (HPTA), the Human Pathogen and Toxins Regulations (HPTR) and certain sections of the Health of Animals Act and the Health of Animals Regulations (HAA/HAR). The responsibilities of each Office are outlined below and each contributes to the Agency's ongoing efforts to anticipate and respond to public health challenges and protect the health, safety, and security of the Canadian public against the risks posed by human pathogens and toxins.

The Office of Biosafety Programs and Planning (OBPP) is responsible for the development of biosafety standards, guidelines, policies, and training tools used for compliance promotion and to support compliance and enforcement under the Human Pathogens and Toxins Act (HPTA) and Human Pathogens and Toxins Regulations (HPTR). It leads the collection and analysis activities for Laboratory Incident Notification Canada, assesses and addresses existing and emerging risks from human pathogens and toxins and associated emerging technologies, and manages penal enforcement activities under the HPTA and HPTR. The OBPP also serves as the focal point for key international biosecurity commitments, including the Biological and Toxin Weapons Convention and the Australia Group (a forum of countries that seeks to ensure that exports do not contribute to the development of chemical or biological weapons), to ensure that international discussions are considered for domestic policy development and implementation, and vice-versa.

The Office of Biosafety and Biocontainment Operations (OBBO) is responsible for the day-to-day administration and enforcement of the HPTA, theHPTR, and select sections of the Health of Animals Regulations (HAR). Its key activities include:

  • processing applications and authorizing the conduct of controlled activities by issuing HPTA licences and HAR importation permits;
  • monitoring and evaluating compliance with the HPTA, HPTR, HAR and national containment standards;
  • verifying compliance through inspections, document reviews, and audits;
  • conducting regulatory enforcement activities; and
  • advancing biocontainment engineering science to identify knowledge gaps and inform biosafety standards and guidelines.

The OBBO is the lead on Canada's commitments for biocontainment within the Global Polio Eradication Initiative. It also leads activities to support capacity building, sharing of expertise, and the provision of technical expertise to support PHAC's mandate as a World Health Organization (WHO) Collaborating Centre for Biosafety and Biosecurity.

The Office of Pathogen Security (OPS) is responsible for the administration of the security clearance and laboratory biosecurity components of the HPTA and HPTR, provides technical assistance to domestic and international partners and stakeholders in the area of laboratory biosecurity with a view to mitigating deliberate misuse of pathogens and toxins, and implements innovative information technology solutions to support administration and compliance activities under the HPTA. It acts as a focal point for the WHO Collaborating Centre for Biosafety and Biosecurity, for the Centre's activities under the US-Canada Beyond the Border partnership, for the Biosafety and Biosecurity Action Package under the Global Health Security Agenda, and for global biosafety and biosecurity capacity building activities.

The Office of Stakeholder Engagement and Regulatory Affairs (OSERA) promotes regulatory compliance and informs policy and regulatory decision making by engaging internal and external stakeholders and interested parties. It provides leadership in regulatory matters and coordination for the Agency. It positions the Agency to effectively implement Government of Canada and Ministerial regulatory priorities, including openness and transparency, regulatory modernization, and effective regulatory management. The OSERA also maintains an inventory of international biosafety and biosecurity legislation.

Appendix B – Scorecard

Audit of the Biosecurity Program at the Public Health Agency of Canada
Criterion Rating  Conclusion Rec #
Governance
Oversight Mechanisms One major deficiency Oversight mechanisms were effectively established to support the Centre for Biosecurity's regulatory activities. In addition, there was a coordinated and collaborative approach to the joint responsibilities under the HAR. The Program had not, however, put in place procedures in the event of a non-compliance situation at the National Microbiology Laboratory (NML), or involving an NML employee, that would require analysis by a designated analyst. In addition, the Program had not established specific measures at the program level for raising employees' awareness of their conflict of interest obligations. 1
Risk Management
Risk Management No deficiencies A risk management process for the Biosecurity Program was established where risk activities were identified, assessed, managed, and reported effectively.  
Internal Controls
Human resources, training and tools Minor deficiencies 3.1 The Biosecurity Program had sufficient and qualified human resources and adequate tools in place to meet its objectives. The Program provided employees with the necessary training and tools to support the discharge of their responsibilities. However, the Program did not monitor user activity within iSTOP to ensure integrity of the reporting process. 2
Compliance monitoring and verification Minor deficiencies 3.2 The Biosecurity Program established processes to ensure effective, efficient, and consistent delivery of compliance monitoring and verification activities. However, management did not articulate its risk tolerance with regard to inspections of Risk Group (RG) 2 licenses. In addition, given the low number of RG2 inspections to date, the risk factors and rating scale used to determine prioritization of inspections had not yet been re-evaluated. Border import monitoring activities were untimely, leading to a risk of the public being exposed to harmful pathogens. This risk is expected to be mitigated by the recent update of the Single Window Initiative. 3
Enforcement activities No deficiencies 3.3 The Biosecurity Program undertook enforcement activities consistently and in accordance with regulatory requirements, policies, procedures, and guidelines.  
Biosafety and Biosecurity Activities One major deficiency 3.4 Overall, the Biosecurity Program established processes to ensure that pathogen risk assessment and issuance of licenses were carried out efficiently and effectively. However, the process for the issuance of security clearances contained inaccuracies, was not efficient, and did not meet established service standards. This created delays and processing errors, which could hinder the Agency's reputation as a regulator. 4
Surveillance No deficiencies 3.5 Surveillance activities were effectively conducted to detect and assess biosecurity risks and trends.  
Performance monitoring No deficiencies 3.6 Processes for reporting related to the Biosecurity Program were established to inform senior management on operational matters. However, due to the change in the Government of Canada's approach to performance measurement, the Program had not yet reported on performance within the context of the new departmental results/PIP framework.  

Appendix C – About the Audit

1. Audit Objective

The objective of the audit was to provide assurance that effective management controls are in place to ensure a safe and secure regime to protect the health and safety of the public against risks posed by the use of human pathogens and toxins. 

2. Audit Scope

The scope of this audit included relevant processes and regulatory activities undertaken by the Centre for Biosecurity, including governance and oversight, program management, and monitoring and reporting. The audit focused on the period commencing with the effective date of the Human Pathogens and Toxins Act, which was December 1, 2015, and ending March 31, 2018. The areas of focus were as follows:

  • Prevention and preparedness, encompassing compliance promotion activities through training and outreach, and the program's regulatory framework;
  • Protection, including compliance verification and monitoring activities such as licensing, security clearances, inspections, and surveillance; and
  • Response and control, consisting of enforcement actions and responses to non-compliance and investigations.

The audit scope also included an analysis of the functionality of the Integrated Suite of Tools for Operational Processes (iSTOP), as the Centre relies on this system to carry out its regulatory activities.

The audit included an examination of the management and responsibilities detailed in the Memorandums of Understanding (MOU) between the Agency and the Canadian Food Inspection Agency (CFIA). The MOU covers authorities referred to in section 51 of the Health of Animals Regulations concerning terrestrial animal pathogens other than animal pathogens that cause foreign animal diseases or emerging diseases. These authorities were transferred to the Minister of Health from the Minister of Agriculture and Agri-Food by an Order in Council. 

Activities not in Scope

In August 2016, the Centre for Biosecurity conducted an Internal IT Security Audit for iSTOP that included security functions and processes. The audit made several recommendations which were addressed by management. Therefore, IT security functions and processes were not included in the scope of this audit. 

3. Audit Approach

We conducted this audit in conformance with the Treasury Board of Canada's Policy on Internal Audit and with the Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. The audit was conducted at the Public Health Agency of Canada's headquarters. The principal audit procedures included, but are not limited to:

  • A review and analysis of policy frameworks, planning documents, and documentation related to service delivery and performance;
  • Walkthroughs and interviews with key program personnel; and
  • Observation, inquiry, and testing of related controls over regulated activities. A sampling strategy was developed to ensure sufficient evidence was obtained for the criteria being addressed through the detailed testing approach. 

Statement of Conformance

This audit was conducted in conformance with the International Standards for the Professional Practice of Internal Auditing, as supported by the results of the Office of Audit and Evaluation's Quality Assurance and Improvement Program.

Appendix D – Audit Criteria

Audit of Biosecurity Program at Public Health Agency of Canada
Criteria Title Audit Criteria
Line of Enquiry 1: Governance
Oversight Mechanisms 1. Effective governance structure and related governance mechanisms have been established to support the Centre for Biosecurity's regulatory activities.
Line of Enquiry 2: Risk Management
Risk Management 2. Internal and external risks related to the management of the Centre's regulatory activities are identified, assessed, and managed effectively.
Line of Enquiry 3: Internal Controls
Human Resources, training and tools 3.1 The Centre for Biosecurity has sufficient and qualified human resources, as well as adequate tools in place to meet its objectives.
Compliance monitoring and verification 3.2 Control processes are in place to ensure effective, efficient, and consistent delivery of compliance monitoring and verification activities.
Enforcement activities 3.3 Enforcement activities are conducted consistently and in accordance with regulatory requirements, policies, procedures, and guidelines.
Biosafety and biosecurity activities 3.4 Biosafety and biosecurity activities (e.g., Pathogen Risk Assessments, issuance of security clearances and licences) are carried out efficiently and effectively.
Surveillance 3.5 Surveillance activities are effectively conducted to detect and assess biosecurity risks and trends.
Monitoring and reporting 3.6 An effective monitoring and reporting framework has been established that enables decision making to support program improvements.

References

Page details

Date modified: