
Protection of premises legislation: Implications for the health and social care sector

By Rachel Phillips | September 9, 2024

Preparing the health and social care sector to be more resilient and better prepared to respond to threats.

The UK Terrorism (Protection of Premises) Bill, published in draft by the UK Government, is a significant step towards improved safety and emergency preparedness in the UK. Named in honour of Martyn Hett, a 2017 Manchester Arena victim, Martyn’s Law seeks to fortify security in public spaces, including where healthcare is delivered, and better prepare organisations to respond to terrorist threats.

Below we explore the implications of this highly anticipated legislation for the health & social care sector and ways in which you can prepare your organisation to be more resilient in the face of active assailants regardless of motivation.

Under the impending Protect Duty legislation, re-announced in the recent King’s Speech and expected to become law later in 2024, venue operators, including health and social care providers and non-profits/charities, will be required to ensure public safety from the threats of terrorism.

The consultation on the Bill earlier this year sheds some light on the future intention for the Bill, including specific requirements for organisations. These requirements mandate that organisations ‘have in place procedural measures’ aimed at reducing, as far as reasonably practicable, the risk of physical harm to individuals at the premises in the event of an attack. These measures will cover evacuation, invacuation, lockdown and communication strategies. While the Bill primarily addresses terrorism, many attacks are carried out by lone assailants driven by a variety of personal motivations. Therefore, a broader focus is essential.

The legislation emphasises the importance of proportionality, ensuring that security measures are reasonably practicable and implemented through a tiered approach:

  • Enhanced Tier: Applies to any venues with a capacity of 800 or more. These venues must conduct detailed terrorism risk assessments and implement robust security measures. This includes creating and practising security plans and providing specific training to staff
  • Standard Tier: Applies to venues with a capacity of 100 to 799. These venues need to have procedures to reduce harm in case of a terrorist attack, such as clear evacuation and lockdown plans. However, they aren’t required to make physical alterations or purchase additional equipment

Ultimately, if the Bill is passed into law, there is likely to be an 18-24 month gap before implementation. The initial focus appears to be on Standard Tier operations. The legislation may not address the Enhanced Tier until the Bill has proven effective for ‘Standard’ size organisations - a recommendation from the select committee, though not yet formally confirmed.

Does the legislation apply to the health & social care sector?

Simply put, yes.

The former drafting of the Bill defines ‘hospital’ with a reference to S.275 of the National Health Service Act 2006, which does not make a distinction between NHS or independent hospitals, with the intention that both were captured by this legislation.

UK health and social care providers are considered vulnerable to attacks under the Protect Duty legislation due to the nature of services, locations and type of attack.

Health and social care facilities are often busy publicly accessible spaces that provide critical services, making them potential targets for active assailants. The open and welcoming nature of these environments, combined with the presence of vulnerable individuals, can increase their attractiveness as targets for those who seek to cause significant harm and disruption. The potential for harm is further exacerbated by the high-profile ambassadors or patrons of many sector organisations and the types of events held for fundraising purposes, often attended by high-profile individuals, which can raise the level of risk.

Historically, most UK attacks were the work of organised groups with centralised command structures. Today, however, most attacks are perpetrated by individuals acting alone, often not motivated by terrorism, which can make them more unpredictable and harder to prevent. Sadly, incidents in recent years serve as a reminder that attacks can occur anywhere to anyone.

Providers must keep in mind the diverse threats that may impact their spaces, such as knife or gun violence, explosives, or vehicle assaults, carried out by individuals or groups. In addition, providers must be diligent in evaluating the potential for both general and targeted attacks and the risk of mass harm. There is a need to assess the vulnerabilities of publicly accessible buildings and remain vigilant in updating security plans in response to evolving threat levels.

Enhancing your organisation’s security: Strategies to deter, detect, delay, mitigate and respond to potential threats

The steps any organisation takes should aim to disrupt assailants before they can act and minimise loss if an attack occurs. The measures should:

Deter: Use fences, lights and signage, or security guards to show your business is not a soft target and to deter potential assailants.

Detect: Train your staff to spot suspicious behaviour and consider installing CCTV and alarms to detect intruders. Lone attackers may frequently visit potential targets to collect information, displaying nervous, anxious or paranoid behaviour during interactions with staff. This unusual behaviour offers staff a chance to identify and prevent potential attacks early. Training staff who interact with patients to recognise and address suspicious behaviour can help deter attackers and show that the facility is secure. Even basic interactions like a friendly greeting or asking polite questions can interrupt a potential assailant’s plans. The National Protective Security Authority (NPSA), which is the UK's authority on physical and personnel security, provides a free training programme called See, Check and Notify (SCaN). This programme is available to all UK businesses and organisations, helping employees detect unusual behaviour and learn the correct ways to report and respond to it.

Delay: Additional physical measures such as fencing, vehicle barriers, roller shutters and security doors can give you vital extra minutes that could save lives in the event of a terror attack.

Mitigate: Assailants consider the broader environment, not just individual sites. Health and social care providers should look outside their buildings and work with nearby businesses and authorities to make shared spaces safer. By forming partnerships for joint security initiatives like CCTV or security patrols, and participating in information-sharing networks, providers can reduce potential safe zones for hostile individuals, secure vulnerable areas and stay updated on security trends and threats. This collaborative approach helps prevent areas from being used for terrorist planning and maintains a high level of threat awareness.

Respond: Health and social care providers should have tried and tested incident response and crisis management plans including first aid and links to emergency services. Typically, these will cover three phases:

  1. Response phase: Focuses on protecting people and minimising damage during an attack
  2. Crisis Management phase: Involves reassuring staff and customers, managing media and engaging other stakeholders
  3. Recovery phase: Aims to restore normal operations for employees and service users as quickly as possible.

By developing a crisis management strategy, you can enhance your organisation’s resilience and its ability to respond effectively in the event of a major incident. There are five key steps to develop an effective crisis management plan:

  • Step one: Evaluate your organisation’s risk profile
  • Step two: Appoint an internal crisis management team
  • Step three: Create and test your crisis management plan
  • Step four: Understand how investigations work
  • Step five: Be ready to respond

For more information on how to build a crisis management plan, please contact our Risk & Resilience Advisory Practice.

Building resilience

Other steps you can take to embed security, protect employees and the public, and foster resilience in the long term include:

Make sure that active assailant risk is included in your risk register and that the register prioritises resilience to such threats.

Organisations should develop an understanding of the UK threat levels including the changing terror landscape:

  • Protect UK provides business and the public with counter terrorism support and guidance to effectively protect and prepare including training via eLearning and webinars
  • Register with the Cross-sector Safety and Security Communications group to receive regular security updates relevant to your organisation

If you are moving or building new premises, think about how you can build security from the start. For example, you could integrate surveillance systems into the design, reduce visibility from outside, control access points – anything to make it harder for assailants to attack.

Look at what you are already doing and how you can deploy it to address active assailant threats specifically. For example, could you build on your health and safety and fire safety procedures? The chances are much of this activity can be mapped across to meet the new legislation as well. Look at the risk assessments you already perform and see how you could adapt them into a template for your active assailant assessments.

Having a well-developed security culture in your organisation will go a long way towards enhancing your resilience and meeting this forthcoming legislation. This could comprise:

  • Having action cards, reminding people what they need to do and when
  • Promoting internal security forums or WhatsApp groups, so best practice is better understood and socialised
  • Being discreet in your external communications, so you don’t give away information potentially useful to active assailants.

Health and social care providers in the UK are often at risk because of the work they do and the environment they work in. The Terrorism (Protection of Premises) Bill aims to mitigate this risk by introducing more consistent and effective security measures, ensuring that organisations work together and making sure the right people are in place to oversee and manage security. Irrespective of the proposed legislation, providers should expand their risk assessment to cover the threat of active assailants, whatever their motivation, to boost their own resilience. For further updates and detailed guidance, refer to the official resources provided by the UK government and relevant authorities.

How can WTW help?

  • Security vulnerability assessment – this assessment will assess the physical, technical and procedural security measures currently in place at your asset(s) and align these, through remedial recommendations, to any new legislative requirements. This assessment will be carried out by our specialist security consultants
  • Threat awareness brief – this brief will translate the UK terrorism threat environment specifically to your organisation, leveraging the expertise of our consultants to competently assess the risk. You will receive practical recommendations to enhance your organisation’s security culture, awareness and physical protective measures
  • Risk & Resilience Advisory – the Risk & Resilience Advisory Practice includes highly experienced crisis management and business continuity specialists. They are equipped to support you with a range of crisis preparation measures, including risk assessment, plan writing, crisis and response training, scenario-based exercises and related management systems.

If you need support enhancing your organisation’s resilience, or a smarter way to help assess your current preparedness, please get in touch.

Author

WTW Health and Social Care Leader, GB
