Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Passenger Rail Transportation Security Regulations (SOR/2020-222)

Regulations are current to 2024-11-26 and last amended on 2022-01-06. Previous Versions

PART 4Security Risk Assessment

Marginal note:Security risk assessment

  •  (1) A passenger company, other than a small passenger company, must conduct a security risk assessment of its network and operations that are related to passenger rail transportation in Canada that identifies, describes, assesses and prioritizes security risks and that

    • (a) is based on the following elements:

      • (i) current security threats, including security threat information received from a federal department or agency and threats or immediate threats identified in an instrument made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act;

      • (ii) operations, railway equipment, railway works and other assets that are deemed critical and that most require protection from acts and attempted acts of unlawful interference with passenger rail transportation;

      • (iii) security vulnerabilities, including those identified during daily operations, in security reports made under section 4, during security inspections carried out under section 5 and during security exercises carried out under section 9; and

      • (iv) potential impacts, including a decrease in public safety and security, loss of life, damage to property or the environment, disruption of rail transportation and financial and economic loss;

    • (b) identifies, for each risk, the likelihood that the risk will occur and the severity of the impact that it could have if it occurs; and

    • (c) identifies potential safeguards intended to mitigate the risks identified.

  • Marginal note:Report

    (2) The security risk assessment must be documented in a report within 30 days after the day on which the assessment is completed and the report must

    • (a) indicate the date of completion of the assessment; and

    • (b) contain all the information referred to in subsection (1).

  • Marginal note:Subsequent risk assessments

    (3) A passenger company, other than a small passenger company, must conduct a new security risk assessment within three years after the date of completion of the current security risk assessment, or any assessment that is carried out before the day on which this section comes into force and that meets the requirements of this section.

  • Marginal note:Review

    (4) A passenger company, other than a small passenger company, must review its security risk assessment within seven days after the day on which

    • (a) there is a change in circumstances that is likely to adversely affect passenger rail transportation security;

    • (b) an instrument that identifies a threat or an immediate threat to passenger rail transportation security that is not described in the assessment is made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act; or

    • (c) the company identifies a significant security vulnerability that is not described in the assessment.

  • Marginal note:Periodic review

    (5) A passenger company, other than a small passenger company, must review its security risk assessment at least once every 12 months. A new risk assessment conducted under subsection (3) or a review conducted under subsection (4) is a review for the purposes of this subsection.

  • Marginal note:Requirements for review

    (6) As part of a review referred to in subsection (4) or (5) — with the exception of a new risk assessment referred to in subsection (5) — a passenger company, other than a small passenger company, must

    • (a) identify, describe, assess and prioritize any new security risks in accordance with subsection (1); and

    • (b) document the review in the report on the current security risk assessment, including the date of the review, the reason for the review under subsection (4) or (5) and any new risks that have been identified, their priority level and the potential security safeguards, if applicable.

PART 5Security Plan

Marginal note:Security plan — objectives

  •  (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prevent, detect, mitigate, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

  • Marginal note:Strategy

    (2) In order to meet the objectives of subsection (1), the security plan must set out

    • (a) a risk management strategy that addresses the risks prioritized as medium or higher in the company’s most recent security risk assessment and all other risks that require remedial action; and

    • (b) additional safeguards that are intended to mitigate heightened risk conditions in a graduated manner.

  • Marginal note:Requirements

    (3) The security plan must

    • (a) be in writing;

    • (b) identify, by job title, a senior manager responsible for the plan’s overall development, approval and implementation;

    • (c) describe the organizational structure, identify the departments that are responsible for implementing the plan or any portion of it and identify each position whose incumbent is responsible for implementing the plan or any portion of it;

    • (d) describe the security duties of each identified department and position;

    • (e) set out a process for notifying each person who is responsible for implementing the plan or any portion of it when the plan or that portion of it must be implemented;

    • (f) set out a program for the security awareness training required under section 2 and the components of the security plan training referred to in section 8, including a method to ensure that persons who undergo the security plan training acquire the knowledge and skills required under subsection 8(3);

    • (g) set out a process with respect to security risk assessments required under section 6, including

      • (i) a procedure for conducting security risk assessments, and

      • (ii) a method for assessing and prioritizing the risk;

    • (h) set out a process with respect to remedial actions that are part of the risk management strategy referred to in subsection (2), including

      • (i) a method for identifying security risks that require remedial action, and

      • (ii) a method for implementing remedial actions and for evaluating their effectiveness;

    • (i) set out a process for selecting and implementing additional safeguards required under paragraph (2)(b);

    • (j) describe the remedial actions, including their effectiveness in reducing or eliminating the risks, and the additional safeguards that are part of the risk management strategy referred to in subsection (2);

    • (k) set out the process with respect to security inspections referred to in subsection 5(2);

    • (l) set out a process with respect to security exercises referred to in section 9, including procedures for conducting security exercises;

    • (m) set out a process for responding to threats and other security concerns, including procedures for communicating and coordinating with the host company, if applicable;

    • (n) set out a process for reporting threats and other security concerns;

    • (o) set out a process for reviewing the security plan;

    • (p) include the report on the most recent security risk assessment required under section 6; and

    • (q) set out a policy on limiting access to security-sensitive information and set out measures for the sharing, storing and destruction of that information.

  • Marginal note:Implementation — remedial actions and safeguards

    (4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

  • Marginal note:Timelines — remedial actions

    (5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and for evaluating its effectiveness in reducing or eliminating the risks.

  • Marginal note:Effectiveness — remedial actions

    (6) A passenger company, other than a small passenger company, must evaluate the effectiveness of each remedial action that has been implemented in reducing or eliminating the risks.

  • Marginal note:New remedial action

    (7) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new remedial action to address those risks.

  • Marginal note:Security plan management

    (8) A passenger company, other than a small passenger company, must

    • (a) make available to each person who is responsible for implementing the security plan the portions of the security plan that are relevant to the duties of that person;

    • (b) review the security plan at least once every 12 months after the day on which this section comes into force;

    • (c) amend the security plan if it does not reflect the most recent security risk assessment;

    • (d) amend the security plan if deficiencies that could adversely impact the security of passenger rail transportation are identified in the security plan, including those identified during the security exercises;

    • (e) conduct a comprehensive review of the security plan within three years after the day on which this section comes into force and subsequently within three years from the date of completion of the last comprehensive review;

    • (f) notify the persons referred to in paragraph (a) of any amendments to the relevant portions of the security plan; and

    • (g) provide a copy of the security plan to the Minister within 30 days after the day on which this section comes into force or after a comprehensive review is conducted under subsection (e), and a copy of the amended portions of the security plan within 30 days after an amendment is made under paragraph (c) or (d).

Marginal note:Security plan training

  •  (1) A passenger company, other than a small passenger company, must ensure that the following persons employed by, or acting on behalf of, the company undergo training on the components of the security plan referred to in paragraphs 7(3)(c) to (e), (g), (m), (n) and (q), and any other components that are relevant to the person’s duties:

    • (a) persons responsible for the development and implementation of the plan or any portion of it; and

    • (b) any other person with duties referred to in paragraph 7(3)(d) and for whom the training is considered necessary to ensure the effective implementation of the security plan.

  • Marginal note:Provision of training

    (2) A passenger company, other than a small passenger company, must ensure that the training is provided to those persons

    • (a) within 90 days after the day on which this section comes into force, unless those persons have received equivalent training on the security plan before that day;

    • (b) within 90 days after the day on which those persons initially assume the duties referred to in subsection (1), if their duties are assigned after the day on which this section comes into force; and

    • (c) on a recurrent basis at least once every three years after the day on which those persons completed their previous training, including any equivalent training on the security plan received before the day on which this section comes into force.

  • Marginal note:Knowledge and skills

    (3) A passenger company, other than a small passenger company, must ensure that persons, on completion of the training, have acquired the knowledge and skills required to carry out the duties referred to in subsection (1).

  • Marginal note:Supervision

    (4) A passenger company, other than a small passenger company, must ensure that, until those persons complete the training, they perform their duties under the close supervision of a person who has completed the training on the overall security plan.

  • Marginal note:Training on amended plan

    (5) A passenger company, other than a small passenger company, that amends its security plan in a way that significantly affects the security duties of a person referred to in subsection (1) must ensure that, within 30 days after the day on which the amendments are implemented, the person is provided with training on the amendments.

  • Marginal note:Training records

    (6) A passenger company, other than a small passenger company, must keep a training record for each person who has undergone the security plan training and must ensure that the record

    • (a) is kept up to date;

    • (b) contains the person’s name and details of the most recent training they received under subsections (1) and (5), including the date, duration and title of the training and the components of the security plan that were covered;

    • (c) contains the title and the date of any previous security plan training taken by the person; and

    • (d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act on behalf of, that company.

  • Marginal note:Retention of training materials

    (7) A passenger company, other than a small passenger company, must ensure that a copy of the most recent training materials is kept.

 

Date modified: