Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Passenger Rail Transportation Security Regulations (SOR/2020-222)

Regulations are current to 2022-11-16 and last amended on 2022-01-06. Previous Versions

Passenger Rail Transportation Security Regulations

SOR/2020-222

RAILWAY SAFETY ACT

Registration 2020-10-06

Passenger Rail Transportation Security Regulations

P.C. 2020-779 2020-10-02

Her Excellency the Governor General in Council, on the recommendation of the Minister of Transport, pursuant to subsection 18(2.1)Footnote a of the Railway Safety ActFootnote b, makes the annexed Passenger Rail Transportation Security Regulations.

Interpretation

Marginal note:Definitions

 The following definitions apply in these Regulations.

host company

host company means a railway company that authorizes a passenger company to operate on its railway. (compagnie hôte)

passenger company

passenger company means a company whose operations include the transport of passengers by railway. (compagnie de transport de voyageurs)

small passenger company

small passenger company means a passenger company that transported fewer than 60,000 passengers in one of the two previous calendar years. (petite compagnie)

train

train means all the pieces of railway equipment that are joined together and that move as a unit for the transport of passengers. (rame ferroviaire)

PART 1Security Awareness Training

Marginal note:Security awareness training program

  •  (1) A passenger company and host company must have a security awareness training program that promotes a culture of vigilance with respect to passenger rail transportation security.

  • Marginal note:Program training topics

    (2) The security awareness training program must cover the following topics:

    • (a) a description of the main security risks related to passenger rail transportation;

    • (b) any potential threats and other security concerns related to passenger rail transportation and how to recognize them;

    • (c) the actions to be taken to deal with potential threats and other security concerns; and

    • (d) any measures of the passenger company or host company that are designed to enhance passenger rail transportation security.

  • Marginal note:Prescribed persons

    (3) The passenger company or host company must ensure that any person employed by, and any person acting on behalf of, the company and who have any of the following duties relating to the transport of passengers, as well as the direct supervisors of those persons, undergo security awareness training:

    • (a) operating, maintaining or inspecting railway equipment or railway works;

    • (b) controlling the dispatch or movement of railway equipment;

    • (c) ensuring the security of railway equipment and railway works;

    • (d) loading or unloading goods to or from railway equipment;

    • (e) interacting with the public for the purposes of railway transportation; or

    • (f) ensuring compliance with its security processes, including those set out in their security plan.

  • Marginal note:Provision of training

    (4) The passenger company or host company must ensure that security awareness training is provided to the person

    • (a) within 90 days after the day on which this section comes into force, unless the person has received equivalent security awareness training before that day;

    • (b) within 90 days after the day on which the person initially assumed any of the duties referred to in subsection (3) with that company, if the duties were assigned to that person after the day on which this section comes into force; and

    • (c) on a recurrent basis at least once every three years after the day on which the person completed their previous training, including any equivalent security awareness training received before the day on which this section comes into force.

  • Marginal note:Supervision

    (5) The passenger company or host company must ensure that, until the person undergoes the security awareness training, the person performs their duties under the supervision of a person who has undergone that training.

  • Marginal note:Training records

    (6) The passenger company or host company must ensure that a training record is kept for each person who has undergone security awareness training and that the record

    • (a) is kept up to date;

    • (b) includes the person’s name and details of their most recent training, including the date, duration and the title of the training, the delivery method and the name of the provider of the training;

    • (c) includes the title and the date of any previous security awareness training taken by the person; and

    • (d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act on behalf of, the company.

  • Marginal note:Retention of training materials

    (7) The passenger company or host company must ensure that a copy of the most recent awareness training materials is kept.

PART 2Coordination and Reporting

Marginal note:Rail security coordinator

  •  (1) A passenger company and host company must have, at all times, a rail security coordinator or an acting rail security coordinator.

  • Marginal note:Contact information

    (2) The passenger company and host company must provide the Minister with

    • (a) the name and job title of the rail security coordinator or acting rail security coordinator; and

    • (b) the 24-hour contact information for the rail security coordinator or acting rail security coordinator.

  • Marginal note:Duties — passenger company

    (3) The passenger company must ensure that the rail security coordinator or acting rail security coordinator

    • (a) coordinates security matters within the passenger company;

    • (b) acts as the principal contact between the passenger company and the Minister with respect to security matters; and

    • (c) coordinates communications between the passenger company, the host company, law enforcement and emergency response agencies with respect to security matters.

  • Marginal note:Duties — host company

    (4) The host company must ensure that the rail security coordinator or acting rail security coordinator

    • (a) acts as the principal contact between the host company and the Minister with respect to security matters related to passenger rail transportation on its railway; and

    • (b) coordinates communications between the host company, passenger companies that operate on its railway, law enforcement and emergency response agencies with respect to security matters related to passenger rail transportation on its railway.

Marginal note:Security Reporting

  •  (1) A passenger company or host company must report to the Transport Canada Situation Centre, by any direct means of communication established and communicated by the Centre, any threat or other security concern that results or may result in an unlawful interference with passenger rail transportation. The report must be made as soon as feasible but no later than 24 hours after the occurrence of the threat or other security concern.

  • Marginal note:Threats and other security concerns

    (2) Threats and other security concerns include

    • (a) any interference with the work of a train crew or service personnel;

    • (b) any bomb threats, either specific or non-specific;

    • (c) any report or discovery of a suspicious item;

    • (d) any suspicious activity observed on, inside or near railway equipment or railway works used by that company;

    • (e) the discovery, seizure or discharge of a weapon, explosive substance or incendiary device on, inside or near railway equipment or railway works used by that company;

    • (f) any sign of tampering with railway equipment or railway works;

    • (g) any information relating to the possible surveillance of railway equipment or railway works; and

    • (h) any suspicious person, circumstance or object that the passenger company or host company considers to be a threat or other security concern.

  • Marginal note:Information to be provided

    (3) The information provided must include, to the extent known, the following:

    • (a) the passenger company’s or host company’s name and contact information, including its telephone number and email address;

    • (b) the name of the person who is making the report on behalf of the passenger company or host company and the person’s title and contact information, including their telephone number and email address;

    • (c) any information that identifies any train that is affected by the threat or other security concern, including its itinerary and line or route position;

    • (d) any information that identifies any railway equipment or railway works that is affected by the threat or other security concern;

    • (e) a description of the threat or other security concern, including the date and time that the passenger company or host company became aware of it;

    • (f) the names of the persons involved in the threat or other security concern, and any other information related to those persons, if the disclosure of those names and that information is permitted; and

    • (g) the source of any threat information or other security concern, if its disclosure is permitted.

  • Marginal note:Follow-up information

    (4) The passenger company or host company must provide to the Transport Canada Situation Centre any information referred to in subsection (3) that was not previously reported, as soon as it becomes known.

  • Marginal note:Avoidance of double reporting — other company

    (5) The passenger company or host company is not required to make a report under this section if the same threat or other security concern has been reported by another company under this section.

  • Marginal note:Provision of information — passenger company

    (6) A passenger company that operates on a host company’s railway must, as soon as feasible, notify the host company if the passenger company becomes aware of a threat or other security concern that could impact the operations of the host company.

  • Marginal note:Provision of information — host company

    (7) A host company must, as soon as feasible, notify a passenger company that operates on its railway if the host company becomes aware of a threat or other security concern that could impact the operations of the passenger company.

PART 3Security Inspections

Marginal note:Security inspections

  •  (1) For the purposes of this section, car means a piece of railway equipment that is used for passenger rail transportation and includes a baggage car, a dining car, a sleeping car, a lounge car, an observation car, the locomotive and any freight car that can be subjected to a walk-through inspection.

  • Marginal note:Process

    (2) A passenger company must establish and document a process with respect to security inspections, including

    • (a) a procedure for conducting security inspections;

    • (b) a method for determining whether security has been compromised;

    • (c) a method for determining whether additional security inspections are necessary if, having regard to the circumstances, security could be compromised;

    • (d) a method for addressing the situation, if security has been compromised, before the train enters into service; and

    • (e) a method for preventing unauthorized interference with the train after the inspection and until passengers board the train.

  • Marginal note:Inspection

    (3) In order to ensure that there are no security concerns related to passenger rail transportation, a passenger company must ensure that security inspections consist of both a ground-level visual inspection of the exterior of the train and an inspection of the interior of each car and are carried out in accordance with the process set out in subsection (2).

  • Marginal note:Time of inspection

    (4) The passenger company must ensure that a security inspection is carried out before the train enters service for the day. In all cases, the inspection must be carried out before passengers board the train.

  • Marginal note:Additional inspections

    (5) The passenger company must ensure that additional security inspections are carried out after the train enters service for the day, if it is determined, in accordance with the method referred to in paragraph (2)(c), that they are necessary.

  • Marginal note:Protection of train

    (6) When the security inspection is carried out before passengers board the train, the passenger company must ensure that the train is protected from unauthorized interference from the start of the security inspection until passengers board the train.

  • Marginal note:Signs of tampering, suspicious objects and other things

    (7) If signs of tampering or the presence of a suspicious object or any other thing that raises security concerns is discovered during the security inspection, the passenger company must determine whether security has been compromised.

  • Marginal note:Compromise of security

    (8) If it is determined that security has been compromised, the passenger company must ensure the situation is resolved before allowing the train to enter into service.

  • Marginal note:Records

    (9) The passenger company must keep a record of each security inspection and ensure that the record contains the following information:

    • (a) the time and date of the inspection;

    • (b) the information identifying the train that was inspected;

    • (c) the name of the person who conducted the inspection;

    • (d) the details of any signs of tampering, suspicious objects or other things that raise security concerns; and

    • (e) the measures taken to resolve the situation, if the company determined that security was compromised.

  • Marginal note:Retention period

    (10) The passenger company must retain the record for three years after the day on which the security inspection is conducted.

PART 4Security Risk Assessment

Marginal note:Security risk assessment

  •  (1) A passenger company, other than a small passenger company, must conduct a security risk assessment of its network and operations that are related to passenger rail transportation in Canada that identifies, describes, assesses and prioritizes security risks and that

    • (a) is based on the following elements:

      • (i) current security threats, including security threat information received from a federal department or agency and threats or immediate threats identified in an instrument made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act;

      • (ii) operations, railway equipment, railway works and other assets that are deemed critical and that most require protection from acts and attempted acts of unlawful interference with passenger rail transportation;

      • (iii) security vulnerabilities, including those identified during daily operations, in security reports made under section 4, during security inspections carried out under section 5 and during security exercises carried out under section 9; and

      • (iv) potential impacts, including a decrease in public safety and security, loss of life, damage to property or the environment, disruption of rail transportation and financial and economic loss;

    • (b) identifies, for each risk, the likelihood that the risk will occur and the severity of the impact that it could have if it occurs; and

    • (c) identifies potential safeguards intended to mitigate the risks identified.

  • Marginal note:Report

    (2) The security risk assessment must be documented in a report within 30 days after the day on which the assessment is completed and the report must

    • (a) indicate the date of completion of the assessment; and

    • (b) contain all the information referred to in subsection (1).

  • Marginal note:Subsequent risk assessments

    (3) A passenger company, other than a small passenger company, must conduct a new security risk assessment within three years after the date of completion of the current security risk assessment, or any assessment that is carried out before the day on which this section comes into force and that meets the requirements of this section.

  • Marginal note:Review

    (4) A passenger company, other than a small passenger company, must review its security risk assessment within seven days after the day on which

    • (a) there is a change in circumstances that is likely to adversely affect passenger rail transportation security;

    • (b) an instrument that identifies a threat or an immediate threat to passenger rail transportation security that is not described in the assessment is made by an inspector under section 31 of the Railway Safety Act or by the Minister under section 33 or 39.1 of that Act; or

    • (c) the company identifies a significant security vulnerability that is not described in the assessment.

  • Marginal note:Periodic review

    (5) A passenger company, other than a small passenger company, must review its security risk assessment at least once every 12 months. A new risk assessment conducted under subsection (3) or a review conducted under subsection (4) is a review for the purposes of this subsection.

  • Marginal note:Requirements for review

    (6) As part of a review referred to in subsection (4) or (5) — with the exception of a new risk assessment referred to in subsection (5) — a passenger company, other than a small passenger company, must

    • (a) identify, describe, assess and prioritize any new security risks in accordance with subsection (1); and

    • (b) document the review in the report on the current security risk assessment, including the date of the review, the reason for the review under subsection (4) or (5) and any new risks that have been identified, their priority level and the potential security safeguards, if applicable.

PART 5Security Plan

Marginal note:Security plan — objectives

  •  (1) A passenger company, other than a small passenger company, must have and implement a security plan that contains measures to be taken to prevent, detect, mitigate, respond to and recover from acts or attempted acts of unlawful interference with passenger rail transportation.

  • Marginal note:Strategy

    (2) In order to meet the objectives of subsection (1), the security plan must set out

    • (a) a risk management strategy that addresses the risks prioritized as medium or higher in the company’s most recent security risk assessment and all other risks that require remedial action; and

    • (b) additional safeguards that are intended to mitigate heightened risk conditions in a graduated manner.

  • Marginal note:Requirements

    (3) The security plan must

    • (a) be in writing;

    • (b) identify, by job title, a senior manager responsible for the plan’s overall development, approval and implementation;

    • (c) describe the organizational structure, identify the departments that are responsible for implementing the plan or any portion of it and identify each position whose incumbent is responsible for implementing the plan or any portion of it;

    • (d) describe the security duties of each identified department and position;

    • (e) set out a process for notifying each person who is responsible for implementing the plan or any portion of it when the plan or that portion of it must be implemented;

    • (f) set out a program for the security awareness training required under section 2 and the components of the security plan training referred to in section 8, including a method to ensure that persons who undergo the security plan training acquire the knowledge and skills required under subsection 8(3);

    • (g) set out a process with respect to security risk assessments required under section 6, including

      • (i) a procedure for conducting security risk assessments, and

      • (ii) a method for assessing and prioritizing the risk;

    • (h) set out a process with respect to remedial actions that are part of the risk management strategy referred to in subsection (2), including

      • (i) a method for identifying security risks that require remedial action, and

      • (ii) a method for implementing remedial actions and for evaluating their effectiveness;

    • (i) set out a process for selecting and implementing additional safeguards required under paragraph (2)(b);

    • (j) describe the remedial actions, including their effectiveness in reducing or eliminating the risks, and the additional safeguards that are part of the risk management strategy referred to in subsection (2);

    • (k) set out the process with respect to security inspections referred to in subsection 5(2);

    • (l) set out a process with respect to security exercises referred to in section 9, including procedures for conducting security exercises;

    • (m) set out a process for responding to threats and other security concerns, including procedures for communicating and coordinating with the host company, if applicable;

    • (n) set out a process for reporting threats and other security concerns;

    • (o) set out a process for reviewing the security plan;

    • (p) include the report on the most recent security risk assessment required under section 6; and

    • (q) set out a policy on limiting access to security-sensitive information and set out measures for the sharing, storing and destruction of that information.

  • Marginal note:Implementation — remedial actions and safeguards

    (4) A passenger company, other than a small passenger company, must implement the remedial actions and additional safeguards referred to in subsection (2), in accordance with the security plan.

  • Marginal note:Timelines — remedial actions

    (5) A passenger company, other than a small passenger company, must establish timelines for implementing each remedial action and for evaluating its effectiveness in reducing or eliminating the risks.

  • Marginal note:Effectiveness — remedial actions

    (6) A passenger company, other than a small passenger company, must evaluate the effectiveness of each remedial action that has been implemented in reducing or eliminating the risks.

  • Marginal note:New remedial action

    (7) If the remedial action is not effective in reducing or eliminating some of the risks, the passenger company must identify additional remedial actions or a new remedial action to address those risks.

  • Marginal note:Security plan management

    (8) A passenger company, other than a small passenger company, must

    • (a) make available to each person who is responsible for implementing the security plan the portions of the security plan that are relevant to the duties of that person;

    • (b) review the security plan at least once every 12 months after the day on which this section comes into force;

    • (c) amend the security plan if it does not reflect the most recent security risk assessment;

    • (d) amend the security plan if deficiencies that could adversely impact the security of passenger rail transportation are identified in the security plan, including those identified during the security exercises;

    • (e) conduct a comprehensive review of the security plan within three years after the day on which this section comes into force and subsequently within three years from the date of completion of the last comprehensive review;

    • (f) notify the persons referred to in paragraph (a) of any amendments to the relevant portions of the security plan; and

    • (g) provide a copy of the security plan to the Minister within 30 days after the day on which this section comes into force or after a comprehensive review is conducted under subsection (e), and a copy of the amended portions of the security plan within 30 days after an amendment is made under paragraph (c) or (d).

Marginal note:Security plan training

  •  (1) A passenger company, other than a small passenger company, must ensure that the following persons employed by, or acting on behalf of, the company undergo training on the components of the security plan referred to in paragraphs 7(3)(c) to (e), (g), (m), (n) and (q), and any other components that are relevant to the person’s duties:

    • (a) persons responsible for the development and implementation of the plan or any portion of it; and

    • (b) any other person with duties referred to in paragraph 7(3)(d) and for whom the training is considered necessary to ensure the effective implementation of the security plan.

  • Marginal note:Provision of training

    (2) A passenger company, other than a small passenger company, must ensure that the training is provided to those persons

    • (a) within 90 days after the day on which this section comes into force, unless those persons have received equivalent training on the security plan before that day;

    • (b) within 90 days after the day on which those persons initially assume the duties referred to in subsection (1), if their duties are assigned after the day on which this section comes into force; and

    • (c) on a recurrent basis at least once every three years after the day on which those persons completed their previous training, including any equivalent training on the security plan received before the day on which this section comes into force.

  • Marginal note:Knowledge and skills

    (3) A passenger company, other than a small passenger company, must ensure that persons, on completion of the training, have acquired the knowledge and skills required to carry out the duties referred to in subsection (1).

  • Marginal note:Supervision

    (4) A passenger company, other than a small passenger company, must ensure that, until those persons complete the training, they perform their duties under the close supervision of a person who has completed the training on the overall security plan.

  • Marginal note:Training on amended plan

    (5) A passenger company, other than a small passenger company, that amends its security plan in a way that significantly affects the security duties of a person referred to in subsection (1) must ensure that, within 30 days after the day on which the amendments are implemented, the person is provided with training on the amendments.

  • Marginal note:Training records

    (6) A passenger company, other than a small passenger company, must keep a training record for each person who has undergone the security plan training and must ensure that the record

    • (a) is kept up to date;

    • (b) contains the person’s name and details of the most recent training they received under subsections (1) and (5), including the date, duration and title of the training and the components of the security plan that were covered;

    • (c) contains the title and the date of any previous security plan training taken by the person; and

    • (d) is retained for at least two years after the day on which the person ceases to be employed by, or ceases to act on behalf of, that company.

  • Marginal note:Retention of training materials

    (7) A passenger company, other than a small passenger company, must ensure that a copy of the most recent training materials is kept.

PART 6Security Exercises

Marginal note:Operations-based security exercise

  •  (1) A passenger company, other than a small passenger company, must carry out, at least once every five years after the day on which section 7 comes into force or, in the case of a passenger company created after the day on which section 7 comes into force, within five years after the day of its creation, an operations-based security exercise that is designed to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests

    • (a) the effectiveness of the security plan and its implementation with respect to

      • (i) the elements of the risk management strategy that are relevant to the scenario selected for the exercise,

      • (ii) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise, and

      • (iii) the process for responding to threats and other security concerns; and

    • (b) the proficiency of persons in performing security duties that are relevant to the scenario selected for the exercise.

  • Marginal note:Deemed — security exercises

    (2) The implementation of safeguards in response to a heightened risk condition may be considered an operations-based security exercise if it tests

    • (a) the effectiveness of the security plan and its implementation with respect to

      • (i) the elements of the risk management strategy that are relevant to the heightened risk condition,

      • (ii) the additional security safeguards set out in the security plan that are relevant to the heightened risk condition, and

      • (iii) the process for responding to the heightened risk condition; and

    • (b) the proficiency of persons in performing security duties that are relevant to responding to the heightened risk condition.

  • Marginal note:Notice

    (3) A passenger company, other than a small passenger company, must give the Minister 45 days’ notice of any operations-based security exercise that it plans to carry out.

  • Marginal note:Discussion-based security exercise

    (4) A passenger company, other than a small passenger company, must carry out a discussion-based security exercise at least once every year after the day on which section 7 comes into force or, in the case of a passenger company created after the day on which section 7 comes into force, from the day of its creation, in order to address acts or attempted acts of unlawful interference with passenger rail transportation and that tests the effectiveness of the security plan with respect to

    • (a) the elements of the risk management strategy that are relevant to the scenario selected for the exercise;

    • (b) the additional safeguards set out in the security plan that are relevant to the scenario selected for the exercise; and

    • (c) the process for responding to security threats or other security concerns.

  • Marginal note:Notice

    (5) A passenger company, other than a small passenger company, must give the Minister 45 days’ notice of any discussion-based security exercise that it plans to carry out.

  • Marginal note:Deemed

    (6) An operations-based security exercise carried out under subsection (1) or referred to in subsection (2) is considered to be a discussion-based security exercise.

  • Marginal note:Participants

    (7) A passenger company, other than a small passenger company, must ensure, to the extent possible, that persons with security duties that are relevant to the scenario selected for the exercise participate in the exercise referred to in subsection (1) or (4). In addition, the company must invite host companies and law enforcement and emergency response agencies to participate in the exercise, if their participation is relevant to the scenario.

  • Marginal note:Records

    (8) A passenger company, other than a small passenger company, must create a record of each exercise carried out under subsections (1), (2) and (4) within 30 days after the date of the exercise and must ensure that the record contains the following information:

    • (a) the date of the exercise;

    • (b) the names of participants;

    • (c) a list of the companies and agencies that were invited;

    • (d) a description of the exercise scenario or, in the case of the exercise referred to in subsection (2), a description of the heightened risk condition;

    • (e) a description of the results of the exercise with respect to the elements tested in accordance with subsection (1), (2) or (4), as applicable; and

    • (f) a description of potential actions to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

  • Marginal note:Retention period

    (9) A passenger company, other than a small passenger company, must ensure the record of each exercise is retained for three years after the date of the exercise.

  • Marginal note:Actions

    (10) A passenger company, other than a small passenger company, must implement any action to address deficiencies that were identified during the exercise and that could adversely impact the security of passenger rail transportation.

Coming into Force

Marginal note:Registration

  •  (1) Subject to subsections (2) to (4), these Regulations come into force on the day on which they are registered.

  • Marginal note:Three months after registration

    (2) Sections 2 and 5 come into force on the day that, in the third month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that third month has no day with that number, the last day of that third month.

  • Marginal note:Nine months after registration

    (3) Sections 6 and 7 come into force on the day that, in the ninth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that ninth month has no day with that number, the last day of that ninth month.

  • Marginal note:Fifteen months after registration

    (4) Sections 8 and 9 come into force on the day that, in the fifteenth month after the month in which these Regulations are registered, has the same calendar number as the day on which they are registered or, if that fifteenth month has no day with that number, the last day of that fifteenth month.

Date modified: