Current through Register Vol. 47, No. 6, September 18, 2024
The department may request assistance from the department of
public safety in ensuring a laboratory meets the security requirements in this
rule.
(1)
Security policy
requirement. A laboratory shall maintain a security policy to prevent
the loss, theft, or diversion of medical cannabis goods and samples. The
security policy shall apply to all staff and visitors at a laboratory
facility.
(2)
Visitor
logs. Visitors to a laboratory facility shall sign visitor manifests
with name, date, and times of entry and exit, and shall wear badges that are
visible at all times and that identify them as visitors.
(3)
Restricted access. A
laboratory shall use a controlled access system and written manifests to limit
entrance to all restricted access areas of its laboratory facility and shall
retain a record of all persons who entered the restricted access areas.
a. The controlled access system shall do all
of the following:
(1) Limit access to
authorized individuals;
(2)
Maintain a log of individuals with approved access, including dates of
approvals and revocations;
(3)
Track times of personnel entry;
(4)
Track times of personnel movement between restricted access areas;
(5) Store data for retrieval for a minimum of
one year; and
(6) Remain operable
in the event of a power failure.
b. Separate written manifests of visitors to
restricted areas shall be kept and stored for a minimum of one year if the
controlled access system does not include electronic records of visitors to the
restricted areas.
c. A laboratory
shall promptly, but no later than five business days after receipt of request,
submit stored controlled access system data to the department.
(4)
Personnel
identification system. A laboratory shall use a personnel
identification system that controls and monitors individual employee access to
restricted access areas within the laboratory facility and that meets the
requirements of this subrule and subrule 154.76(2).
a. Requirement for employee identification
card. An employee identification card shall contain:
(1) The name of the employee;
(2) The date of issuance;
(3) An alphanumeric identification number
that is unique to the employee; and
(4) A photographic image of the
employee.
b. A laboratory
employee shall keep the identification card visible at all times when the
employee is in the laboratory.
c.
Upon termination or resignation of an employee, a laboratory shall immediately:
(1) Revoke the employee's access to the
laboratory; and
(2) Obtain and
destroy the employee's identification card, if
possible.
(5)
Video monitoring and surveillance.
a.
Video surveillance
system. A laboratory shall operate and maintain in good working order
a video surveillance system for its premises that operates 24 hours per day,
seven days a week, and visually records all areas where medical cannabis goods
are stored or tested.
b.
Camera specifications. Cameras shall:
(1) Capture clear and certain identification
of any person entering or exiting a restricted access area containing medical
cannabis goods;
(2) Have the
ability to produce a clear, color still photograph live or from a
recording;
(3) Have on all
recordings an embedded date-and-time stamp that is synchronized to the
recording and does not obscure the picture; and
(4) Continue to operate during a power
outage.
c.
Video
recording specifications.
(1) A
video recording shall export still images in an industry standard image format,
such as jpg, .bmp, or .gif
(2)
Exported video shall be archived in a format that ensures authentication and
guarantees that the recorded image has not been altered.
(3) Exported video shall also be saved in an
industry standard file format that can be played on a standard computer
operating system.
(4) All
recordings shall be erased or destroyed at the end of the retention period and
prior to disposal of any storage medium.
d.
Additional requirements.
A laboratory shall maintain all security system equipment and recordings in a
secure location to prevent theft, loss, destruction, corruption, and
alterations.
e.
Retention. A laboratory shall ensure that 24-hour recordings
from all video cameras are:
(1) Available for
viewing by the department upon request;
(2) Retained for a minimum of 60
days;
(3) Maintained free of
alteration or corruption; and
(4)
Retained longer, as needed, if a manufacturer is given actual notice of a
pending criminal, civil, or administrative investigation, or other legal
proceeding for which the recording may contain relevant information.
(6)
Chain-of-custody policy and procedures. A laboratory shall
maintain a current chain-of-custody policy and procedures. The policy should
ensure that:
a. Chain of custody is
maintained for samples which may have probable forensic evidentiary value;
and
b. Annual training is available
for individuals who will be involved with testing medical cannabis
goods.
(7)
Information technology systems security. A laboratory shall
maintain information technology systems protection by employing comprehensive
security controls that include security firewall protection, antivirus
protection, network and desktop password protection, and security patch
management procedures.
