Introduction
On 26 February 2021, the Home Office launched a consultation into how the Government might use legislation to improve protective security and organisational preparedness at publicly accessible locations across the UK.
The consultation seeks views from anyone who might be affected by a new “Protect Duty”, from individuals to businesses and public authorities. The consultation closes on 2 July 2021.
Who will the “Protect Duty” apply to?
Whilst subject to consultation, the intention is that the Duty would apply to specified owners and operators of public venues, large organisations and those responsible for public spaces.
Specifically, it is proposed that the Duty could apply in three main areas, namely:
- Public venues with a capacity greater than 100 people (such as entertainment and sports venues).
- Large organisations who employ more than 250 people that operate at publically accessible locations (such as retail or entertainment chains).
- Public spaces (such as public parks, beaches and pedestrianised areas).
The proposed Duty is far-reaching. It could also be applied to companies and other organisations responsible for holding, selling or hiring products that could be used as weapons by terrorists in an attack at a publicly accessible location.
What are the proposed requirements?
For public venues and large organisations, it is proposed that owners/operators should be required to:
- Use information and guidance provided by government to consider terrorist threats to the public and staff at locations they own/operate.
- Assess the potential impact of these risks.
- Consider and take forward ‘reasonably practicable’ steps to protect against security threats.
The consultation includes a number of good practice examples for different types and sizes of organisations. For large venues such as theme parks, this could involve a risk assessment with a pre-written plan to be understood by all key staff; receiving regular briefings by a dedicated Counter Terrorism Security Adviser (CTSA); having deterrence messaging in communications on site; live CCTV feed; employment screening to minimise the insider threat; both physical measures and associated policies and processes to control site access; training for staff; and also a comprehensive business continuity plan.
How will the Duty be enforced?
A ‘light-touch’ inspection regime is envisaged and non-compliance could result in notices of deficiency and enforcement action. A new offence is proposed for those organisations who persistently fail to take reasonable steps to reduce the potential impact of attacks, based on civil rather than criminal sanctions.
What next?
The consultation will run for 18 weeks and will seek the views on:
- Who the Duty should apply to;
- What it will require stakeholders to do;
- How compliance should work; and
- How the Government can support those in scope.
Once the consultation closes on 2 July 2021, a Regulatory Impact Assessment will be developed and published. The hope is that for many organisations and venues, the new requirement would involve minimal costs, as much of the work will have already been undertaken in relation to COVID-19 safety measures and processes put in place since March 2020.
Reactions so far
The escalation of terror attacks and the methods employed have changed dramatically over recent years. Governments are hastily adapting policies and legislation to reflect the evolving nature of this risk. As well as radicalised groups, there are now a growing number of lone-wolf attackers bent on causing maximum loss of human life rather than economic damage and with no warning.
It is reassuring that the UK Government is exploring how to best manage the changing nature of terrorist threat. However, a new legal requirement to protect against security threats needs to be considered carefully and with all relevant actors, including the business community and insurers. While business is quite rightly a part of a ‘bigger picture’, such a duty could be cumbersome for certain organisations, including SMEs. All and any new roles and responsibilities must be clearly defined. As such, the devil will be in the detail.