I have with me today Patrick Rogers from Alert:24, WTW's in-house global security and crisis management practice, to discuss the implications for the health and social care sector of the forthcoming Terrorism Protection of Premises Act 2025.
Patrick, Head of Risk Advisory for Alert:24, is a certified security professional working with clients around the world on some of their most complex issues. Domestically, this includes a wide array of organisations, including many FTSE 100 and 250 companies and plenty in the health and social care sector. Patrick is our technical lead on this new legislation, formally known as Martyn's Law or Protect Duty. Patrick, welcome. It's really good to have you here.
PATRICK ROGERS: Thank you, it's a pleasure.
RACHEL PHILLIPS: So on Wednesday, the 3rd of April this year, the Terrorism Protection of Premises Act 2025 was given royal assent. This brings to an end a very long campaign and consultation period, which has seen a lot of speculation about and variation of the proposed specifications of the bill and the timelines.
It's encouraging to see this much-anticipated act finally making progress, even if it won't come into force immediately. Patrick, could you walk us through the key aspects of the legislation, and particularly those most relevant to the UK health and social care sector?
PATRICK ROGERS: Sure. So, yes, as you correctly say, this has been a long process with a lot of speculation and changes as it's gone through consultation and parliament over the last few years. So, it's almost a relief to be at a point where we actually know exactly what we're dealing with.
I think many people were trying to get ahead of it over a number of years, but really, my first point of advice for the last four years really was just let's wait and see. And we're finally at that point. So, one of the headline points is that really it's a 24-month implementation period from now on.
So, the act is unlikely to be implemented, or you need to be compliant with it until April 2027. There's a bit of time there to get ready for more guidance to be provided around some of the specifications, which I'll touch on soon, but that's the timeline that we're working with.
And I think up front, it's important that people know that across all sectors, and obviously in health and social care, they need to be getting prepared and ready for when this will be implemented. So, in terms of the crux of the legislation, this was really born from the Manchester Arena attack, which is why it's often known as Martyn's Law.
So, Martyn Hett was, sadly, a victim in the Manchester Arena bombing, and from that point, his mother has been campaigning to get the legislation in place and we are now obviously at that stage and it's really there to address some of the responsibility for security at different events and public spaces.
So, the intention there, of course, is to save lives, prevent these events from happening, and if they do, making sure that the response is as effective as possible to mitigate the impact as much as possible. So there are two, perhaps three, core components of the legislation. So really, the focus is on your premises.
If you have any public-facing premises that are expected or reasonably expected to hold at least 200 individuals, they'll meet one of the criteria called "the standard criteria", and then any of your premises and, crucially, events as well, that are expected to accommodate 800 or more individuals at any given time, will be classified as an "enhanced duty" premises.
Now there's a whole, what's called a schedule of qualifying premises, and that touches on things like bars, restaurants, hotels, cinemas, bowling complexes, libraries, all of these sorts of things, but crucially also covers health as well.
Their definition of healthcare is any hospital or asset used for the provision of healthcare of all forms, including physical and mental health, as well as ancillary care. More on the social care side, it's really anything that might classify as childcare or large events or any type of visitor attraction or social engagement, where as I say, you would expect at least 200 people to be on site at any given time if it's a fixed asset and over 800 people if it's an event.
So, how that might be applicable if you're not immediately blessed with assets of that size is, for instance, if you're a charity, you do an event and there are 800 people or more at that event, you would then qualify for the legislation.
There are some operations, some organisations, where this is more immediately obvious about how it will impact what they do, and then for others, perhaps more subtle. So, it does require some review to really understand where you sit within it. We'll touch more on that, I'm sure, as we chat through this. But the key things are, of course, determining where you sit on that and the protective measures that you're expected to meet. So, for the standard tier (those that are between 200 and 800 capacity), they have a set of what's known as protective procedures, and these are really designed to be things that your average safety and security risk professional can develop by themselves, but also with a bit of guidance from the Home Office. And they centre around evacuation, invacuation, lockdown and communication procedures.
That's really what the legislation is trying to get people to raise a certain baseline of security measures in place, but predominantly around protocols and procedures.
The good news is that it comes with limited OpEx and CapEx generally. It's more just a refocus of what people have in place in many cases, and then just making sure that you're meeting that administrative need. You have to communicate as well that you have assets to the regulator, which I'll touch on in a second, that meet this requirement.
But that is the standard tier. And then for the enhanced tier, it does get a little bit more complicated in the administrative burden and potentially the need for additional OpEx and CapEx on security expenditure kick in.
For the enhanced premises, those that are 800 capacity or more and events that are also 800 capacity or more, they need to introduce those four protective procedures, but then on top of that, protective measures.
So, you need to go through a whole process of risk assessment, but then, really start to focus more on some of the procedural, the people and the physical security measures and controls that you need to apply above and beyond what you might already have in place. So, that's where it starts to look at things like CCTV and monitoring, controlling the movement of people.
So, access control, your barriers, your searching, screening, etc. Hostile vehicle mitigation, safety glass, stand-off areas, those sorts of things. And then also the protection of that information itself, because obviously, if the bad guys find out about what you're introducing to prevent them from doing these things, then they can exploit that.
So, there's a little bit around how you secure that information as a whole. But to some extent, it's less of a burden than it perhaps was previously tabled, as in terms of the legislation was looking to do more mandatory training around security, etc.
And I think a lot of organisations and I think the government in the end were slightly concerned about what that might look like for industry and sectors as a whole. Obviously, in health and social care, it would be quite a big administrative burden to train all of your staff on these things.
So, thankfully, that's been taken out, although I would still advocate that doing some level of training on these things is a good thing to do. But that's the crux of what the legislation is trying to do.
The regulator is the Security Industry Authority (SIA). So the SIA, as it's commonly known, has been established for quite a long time and is now being absorbed into the Home Office, into a department called Homeland Security. They're not traditionally a regulator, so this 24-month implementation period is really focused around getting them up to speed as a regulator, which is quite a different thing from what they were doing previously.
So as I say, it's built to enable them to get up to that speed and their role really is to provide support and guidance for those that qualify. Therefore, we'll be reaching out to say, OK, how do we maintain compliance with what you need? And then, eventually, there'll be the enforcement agency as well moving forward.
RACHEL PHILLIPS: That's interesting and that's a really quick whistlestop tour of what is quite a large piece of legislation. It's interesting to hear, Patrick, that it's been slimmed down, I guess, and some of the perhaps more onerous elements of it have been removed.
And also, I think it's interesting because I guess there will be a lot of health and social care providers, including charities and not-for-profit organisations, that wouldn't necessarily feel that they would fall within the realms of this act. But actually, when you start to think about events, that's quite interesting. What are the implications of this act on the sector? Is there anything else, you started to talk about some of this, is there anything else that you would add?
PATRICK ROGERS: Yeah. So, I think, look, if we look at it from an organisational perspective, really trying to work out what the administrative burden is, what the costs associated with this could be, and then, obviously, what the penalties are.
So, I'll just touch on the administrative burden first. That's really the fact that you need to identify where you qualify, what qualifies. And someone needs to take that on. The act determines that you need a responsible person; that could be an individual, but is more likely to be a department within an organisation, it depends on the size, of course. And then for enhanced premises, there's a minimum standard of what you need in place for responsible persons who will be responsible for compliance with the act.
If you have enhanced tier premises, those with 800 occupancy or more and events that qualify, you'll need a more senior person. So, effectively a director within the organisation that will be responsible to meet these requirements.
So, the burden of responsibility increases as you go through the enhanced tiers. But there are questions around, OK, who is a competent person? And the industry is working on that to help those who will be the responsible persons for the legislation get up to a base level of knowledge to be able to effectively apply it.
So, that's the administrative side of things, and you will need to communicate to the SIA where you qualify and keep that up to date.
If you have enhanced tier assets, then you'll have to maintain security risk assessments. You'll have to submit those frequently to the SIA, etc. So, there's quite a bit to do on that front if you have certainly a large number of premises that qualify. So for instance, a hospital would be an enhanced tier asset generally but there'll be plenty of others that will also be a standard tier for your typical organisation within the sector.
Looking more at the security controls and some of that OpEx and CapEx, as I say, it really depends on where you fit in. The standard tier assets and operations, they should be pretty limited OpEx and CapEx, but obviously, there is a time cost of making sure that you're compliant with these things.
But it's more on the enhanced side of this. So, I've spoken to many people in the industry where they're looking at things like the Shard or Wembley and they're saying, gosh, what does the legislation mean for those guys? And I've spoken to the security teams there, and they see this as not a huge burden to them because they're already doing it.
They're already termed tier 1 assets within the UK, and therefore, they have to meet a number of requirements already around counter-terrorism to the government. So, this kind of very obvious tier who might be impacted, generally, it's not a huge burden to them. It's actually more this kind of middle tier of those types of organisations where they might just trigger the threshold occasionally. So I mentioned, obviously, the events.
That's not your standard operation potentially, but you may once, twice, maybe three or more times a year fall into a place where you need to be compliant with the legislation. And that's much more complicated to navigate and identify, because typically your business wouldn't be scaled to handle these things, nor to have the expertise that you need around security, if you don't operate like that generally.
So, those are the main implications. And then of course, you have non-compliance, which really centres around compliance notices. So the SIA, when they become effective and implemented in regulating this, the intention, and they are very publicly saying this, is not to go around throwing large fines and penalties (which I'll touch on) at organisations.
It's more about making sure that people just continue to meet a minimum standard and a baseline of controls and responsibility for security events within the requirements of the legislation. So, the first thing is compliance notices.
So really just saying, OK, we don't think you're quite meeting the standard, please raise it from that point. Then, more restriction notices, so it could be that they cancel an event or they say you won't be able to use this operation until these measures have been put in place. And then, it starts getting more into things like penalty notices, where on the extreme end of it, the penalties could be up to either 18 million or 5% of your worldwide revenue. So similar to other legislation, things like GDPR, etc in that sense where
RACHEL PHILLIPS: Yeah, I was thinking GDPR.
PATRICK ROGERS: Yeah, it is a kind of similar mechanism, but that obviously means it's potentially quite a significant penalty if you fall foul of it. And that would really be if you were proven negligent following a serious event.
If there was a terror attack somewhere within your operation that should qualify for this, and you haven't been compliant with the legislation up to that point. But, that's obviously headline-catching and, of course, it means it needs to be taken seriously.
RACHEL PHILLIPS: Thank you. Yeah, that's quite insightful actually. So thinking as a health and social care provider, and we've got this legislation that's coming through in two years time, what practical steps can they take now to start preparing for the introduction of this legislation?
PATRICK ROGERS: Yeah, I think, I mean one of my first recommendations really is just take your time with it, because, as I say, over the next 24 months, over the next 12 months, we expect the SIA to provide some more prescriptive guidance that you can then hopefully pick up and use to make sure that you are compliant.
At the moment, I think the best things you can do is really determine where you would qualify for the legislation and as we were alluding to, you'll have some very obvious assets and operations that will meet either the standard tier or the enhanced tier.
But it's those others where there's a little bit more ambiguity. So, things like events, etc., where people will need to determine when it will be applicable if it's not routine. So that's the core of it, I would say, just make sure that you're ahead of it.
I think identifying your responsible persons as well. So again, once you've got a good idea about what is standard duty, what is enhanced duty, you'll then understand what your responsible person's requirements are.
So, whether that is just an individual or a department within your routine business operations who would take responsibility for it, and that can be political within organisations. If you are blessed with having a security department, it's maybe more obvious where this sits. If you aren't, then I'm not sure everyone will appreciate having the burden of it.
And then, of course, if you're an enhanced tier, it then comes up to something more like director level and determining who's then going to have responsibility for that. So again, depending on your operation, if you're a large health care provider, you would likely have frameworks and structures where this is already applicable and it's a bit more normal.
But if you're maybe an operation that is smaller, but could potentially touch the requirements of the legislation, then that could be actually something that's a little bit more complicated to navigate.
RACHEL PHILLIPS: Thank you, Patrick. And I guess a follow-up question for me in my mind, is why is it critical or why would you say it's critical for organisations to prioritise preparedness for such incidents even ahead of any legal obligation? Or is it not?
PATRICK ROGERS: No. I mean, it absolutely is, and this is the sad reality of the need for these types of legislation, really. So, I think many people will default to the more extreme scenarios and visualising this legislation in the context of things like Manchester Arena and other very high-profile, headline-grabbing terror attacks.
But this also helps prevent other types of security events and incidents. So, it might not meet that high-profile threshold. I mean, what I would highlight is there is very clearly a risk to health and social care from traditional terrorists, but also those that are having mental health emergencies, others who now fit into a more ambiguous risk category or threat actor category. And this is why the government is looking at changing the definition of terrorism within the legislation, because it was very much focused traditionally around a motive and an ideology. But, we're seeing cases like Southport, the very sad events there where the attacker targeted a group of children last summer.
That in itself doesn't fit a clear definition of terrorism, but it's clearly a growing risk, and we've seen other threat actors, a guy called Nicholas Prosper in Luton that you might have heard about. So, he killed his family and then he was planning to undertake a school shooting.
Again, not an Islamist or far-right or nationalist agenda that would neatly fit into terrorism, but it is very clearly terror of a sort. And I think that's the key thing. Southport is a very clear example because that type of operation, that dance class, wouldn't fit within the requirements of the legislation.
However, if that is a target, which it is now proven to be, then there's a moral obligation. There's a duty of care for even these smaller-size social clubs, healthcare assets and operations to take the risk seriously.
And then the more extreme events with hospitals: we've had Liverpool Women's Hospital being targeted in November 2021. We've had what was called the Leeds bomb plot. But again, at the hospital in Leeds, the attacker was actually proven to be a terrorist.
He also had mental health issues, turned up with a gun and a bomb and was eventually talked out of attacking it over three hours. Actually, it's quite a long process. But it proves that these are targets sadly, and it doesn't have to meet that really high-profile mass casualty threshold.
By introducing preventative procedures and also the measures, you can help resolve a whole host of different types of security risks and ensure better resiliency, better preparedness, more defendable reputation and legal liability from that.
But, on the face of it, it really shows duty of care and takes that moral responsibility for what is sadly evolving, and I don't want to overdo it, really, but an increasing risk in different ways, OK.
I'm not going to say the frequency and the volume of these things is dramatically increasing, but it's much more complicated because you are seeing different modus operandi, different threat actors now. And previously, let's say the last 20 to 25 years, it was much easier to identify who would be a threat to you. And that's really broadening out now.
RACHEL PHILLIPS: And I think that's really interesting and the motivation, as you say, is irrelevant in many ways. And I think also when you think about the type of service user within the sector, that can in itself cause, as has been highlighted, those that are having mental health crises and things.
So while the legislation rightly, I guess, places strong emphasis on safeguarding service users, patients, and the wider public, how important is it also to consider the well-being of staff, and particularly the mental health impact on teams following such incidents?
PATRICK ROGERS: Yeah, I mean, obviously very, very important. I think sometimes it's easy to be a little lackadaisical in that sense because really quite often it's focused on patrons and others. And there's very much a mentality of "it will never be us". But, as we've discussed, it very obviously can be, in a whole host of different places.
But taking the mental health side and the support to staff is very serious and actually we've done quite a lot of work with clients where it's not even a real event, if that makes sense. So someone's had a fight, someone says it's an attack, someone's pulled a knife or whatever it is, but they actually may not solve.
But if you go into lockdown and you're hiding and you're waiting for the police to turn up or another member of staff eventually hours later to say it was a false alarm or you can come out now. We've worked with clients where they've lived through an active shooter event that never actually happened, but they went into lockdown, they hid for four hours.
So their minds, they've lived that experience. So they're actually traumatised by something that didn't happen, which is quite a complex thing for an organisation to manage really. So, it's very clearly something that's quite complex and certainly needs support from the mental health side of things.
And that's either immediately after trauma, but you have secondary third experiences of these things so people can be traumatised because they knew the person or people who were impacted by it. You have those who witnessed it, you have those who were targets and victims of it and you have those who then potentially had to clean up the scenario.
So it's very, very complicated. And, I mean, the bottom line is they're not normal experiences. So it's something that is triggering, does create post-traumatic distress and therefore, organisations really need to take it very seriously because that's how the crisis can exacerbate considerably more if you're not addressing these sorts of underlying issues, and over time, of course.
RACHEL PHILLIPS: Thank you Patrick. Where can the health and social care providers get more information on the act and also any supporting materials? You touched upon that being worked on at the moment to help them with future compliance with this act.
PATRICK ROGERS: Yeah. So it's been a long-established but very little known website, which was created by the counter-terror police and the Home Office called ProtectUK and that's a really, really good repository for security and materials of all sorts.
So yes, there's plenty that's relevant to Martyn's Law, but also just more broadly, things like, how do you conduct security risk assessments? There are templates and guidance on how you introduce different procedures. Things around hostile vehicle mitigation that are quite technical things that you may need to be aware of, but also, crucially, training and awareness programmes as well.
So publicly available, all free. It's all there at your fingertips, but not many people know about it, unless you do this for a day job. And I think that's a part of the process that the Home Office are going to go through now, which is really raising that profile.
And there'll be plenty of resources there that are very specific to Martyn's Law and compliance with that. But, as I mentioned, the SIA are in the process of developing that and providing, in some cases, clearer guidance.
In others, more templates and things that will help organisations of all shapes and sizes who will fall under the requirements of the legislation, make sure that they're compliant as they move forward.
So, ProtectUK is a good place to start. Then there's the Home Office itself, and the website for the legislation, the government legislative website. If you look into the act, there's a series of fact sheets as well attached to it. They're literally there to help people identify, does it apply to them? How can they be compliant, etc.? Even simple things like tools to help you identify occupancy, because it's not always clear, right?
You may sometimes be over 200 people. If you are sometimes over 200 people, then you will qualify for the act but if you can't identify that, it becomes more difficult. So, there are things like that and tools that you can help to do it.
And then, obviously, folks like ourselves, not just Willis; there's a lot of commentary now from professionals in the industry who are publicly helping people identify where they can be compliant and get the resources they need. And in two years' time, hopefully, make this something that's not too much of a burden and quite a straightforward process to follow.
RACHEL PHILLIPS: Thank you Patrick, and thank you so much for walking us through what is, I'm sure, a complex piece of legislation, and actually helping us understand it in a very practical way. I guess one key takeaway for me is that aside from the impending regulatory requirements and legislation, in the current security risk environment, there's already, as you've touched upon, a moral corporate responsibility to protect staff, as well as the general public, as reasonably as is practicable. And therefore, health and social care providers of all sizes can and should seek to immediately review and potentially enhance their protective security and preparedness.
And as you mentioned, there's a range of resources already available to assist you, including on the ProtectUK website, but much that will be forthcoming over the next 12 to 24 months. So, Patrick, it's been a pleasure chatting with you today on WTW's The Anatomy of Risk. Thank you very much.
PATRICK ROGERS: It's been a pleasure. Thank you.
RACHEL PHILLIPS: Thank you for listening to this podcast from Willis at WTW Business.
SPEAKER 2: The information in this podcast is believed to be accurate at the date of publication. This information may have subsequently changed or have been superseded, and should not be relied upon to be accurate or suitable after this date.
This podcast offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. It is not intended to be, and nor should it be used to replace specific advice relating to individual situations and we do not offer and this should not be seen as legal, accounting, or tax advice.
If you intend to take any action or make any decision on the basis of the content of this publication, you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third-party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of Willis Towers Watson. For further authorization and regulatory details about our Willis Towers Watson legal entities operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.