Understanding the Protect Duty
The long awaited government response to the Martyn’s Law (UK Protect Duty) consultation was published on 10 January, the same day that the government’s representative from the Homeland Security Group (formerly the Office for Security and Counter Terrorism) gave their final evidence to the Manchester Arena Inquiry. The ensuing, ferocious, questioning of Mr Shaun Hipgrave perhaps summarised how many felt about the government document.
It wasn’t a response, it was an analysis and we are all generally none the wiser about the government’s policy direction on Martyn’s Law.
However, understanding what the Martyn’s Law campaign originally asked of government, and what has subsequently come to light from the Manchester Inquiry, I think it is possible to give an informed view of how it might develop and what might be slowing things down.
Section 1 - Who or where should legislation apply?
The good news is that a majority of respondents agreed with the need for the law and none other than the Right Honourable Priti Patel, Home Secretary, has provided a ministerial statement giving an absolute commitment to bringing the proposed law before Parliament. The down side is that a government mired in many other challenges, hasn’t been able to give a timeline for when this might happen. An optimist won’t be troubled by this, but a pessimist might see the turbulent political landscape creating potential for further delay or de-prioritisation. I’m somewhere in there being an optimistic pragmatist. It could happen, but hopefully it won’t.
The majority (seven out of 10) agreed, or strongly agreed, with the principle of the legislation being applied to publicly accessible locations (PAL). Helpfully, the government’s document provided a definition:
A publicly accessible location is defined as any place to which the public or any section of the public has access, on payment or otherwise, as of right or by virtue of express or implied permission. For clarity, public places/venues are permanent buildings (e.g., entertainment and sports venues) or temporary event locations (such as outdoor festivals) where there is a defined boundary and open access to the public. The document makes a distinction between places and spaces, and I hypothesise that this distinction will enable a desegregation of spaces from places in legislative terms. In other words, I sense that spaces, per-se, will not be included in the act, unless they become a temporary event location, or are in some other way boundaried.
The single most significant feature that defined which places should be included in the legislation appears to be capacity, followed by a range of other criteria including: risk based assessment; geography; type of events; and average (rather than maximum) capacity. Most people agreed the capacity threshold should be 100 or more, but where there were other suggestions, the mean equalled 303 persons. It is worth stating that those of us who continue to campaign for Martyn’s Law, would like to see all PAL’s, regardless of capacity, subject to the law, albeit proportionately so.
Another important application proposed was that the law should apply to all companies with 250 or more employees. There were several suggested exemptions, notably within the faith sector, but these didn’t appear to have substance attached to them that would differentiate them from many others who could potentially claim exemption. Interestingly, the faith sector has benefited from government funding to help protect places of worship from terrorism and it would seem contradictory to now suggest that they are not at risk.
When it came to accountability, most respondents believed that the owners and operators of PALs should be accountable to the law and this suggests to me the possibility of an accountable persons within a company needing to be identified as they are for health and safety or fiduciary matters.
What will be interesting is how security and stewarding providers take forward discussions about whether compliance with the law can be migrated to contractors, who might be delivering security on behalf of an owner or operator. The challenge that I see here is that if the owner or operator is accountable for the security plan, they need to provision it properly. What happens if a contractor defaults on the plan, or disagrees that their client is contracting sufficient resources for it to be delivered properly?
I think the security industry as a whole now has an opportunity to come together and reconfigure themselves with a code of practice that stops the race to the bottom line, and requires clients to commission the right number of resources, with the right level of skills and at a fair price. Could a protect duty be the spark that ignites reform of the security industry, and the professionalisation of its workers?
What should the requirements be?
The Martyn’s Law campaign group asked for the following: owners and operators engage their staff in freely available CT training; owners and operators undertake vulnerability risk assessments; where proportionate to do so, risks are mitigated; and owners and operators have a CT plan.
The starting point of CT security should be a threat assessment followed by an assessment how vulnerable your place or space is to that threat. There was a split response (50-50) as to whether respondents undertook CT risk assessments, it seems to me that given this level of compliance already, that legislation would sensibly include this need. The reality is that without a risk assessment, the rest of the law is pointless. The Manchester Arena Inquiry generated a monitored recommendation relating to government driving forward consistent risk model and I therefore conclude that a requirement to undertake assessments will be within the law.
One of the challenges for government will be how to legislate the concept of proportionality. In some areas, there is useful guidance. An example of this is CPNI’s guidance on Hostile Vehicle Mitigation (HVM) which introduces a sliding-scale of effectiveness (and by default cost), and has allowed owners and operators to make more informed choices about how to reduce vulnerability from such threats. However, not all threats are so easily proportioned and therefore I’m far from convinced that mitigating risks can be universally legislated for, except in the high value end of operations, where it is right and proper to protect the thousands of people who attend some places. There is another element to this though which is whether failure to mitigate risk exposes you to the, potentially, even costlier spectre of public liability. If saving people’s lives is not motivation enough, costly publicly liability pay outs should encourage good behaviour among owners and operators. We know the human cost of missed opportunities at Manchester and those involved in the management of Manchester Arena, may yet find out what the final financial cost will be.
Generally, investment in security seemed to be quite low and many will see the protect duty as an opportunity to engage better with their corporate finance controllers and insurers will see it as an opportunity to demand compliance with risk mitigation.
The value of information, and using it to enhance security, was seen as important in respect of protecting public spaces. Training, awareness, campaigns and guidance were all seen as providing value. Within this grouping was the inclusion of ‘tools’ something that needs further consideration. I’m confident that the new law will include the need to engage with training and guidance, an important element of the campaigns call to government. Not only is it easily enacted (and already available), but government, policing, and the private sector, have been investing in Protect UK, which will soon become the centralised library of authoritative information, called for during the Manchester Arena Inquiry.
There is a great emphasis within the report on engagement with existing statutory bodies, such as local authorities and emergency services, in the protection of public spaces, rather than places. It’s not clear to me why these questions were focussed on spaces and not places. I hypothesise that given most spaces are likely to be controlled in some way by statutory regulations that the government might perceive there is sufficient regulation already in existence to ensure effective oversight of their security. Another hypothesis might also be that engagement is seen as sufficiently important as to make it a legal requirement to do so, especially for those places that are linked to spaces.
I think it is certain that places will be required to undertake CT risk assessments, not least of all as this has strong correlation with Part 1 of the Manchester Arena Inquiry’s monitored recommendations. Of course, once you have a risk assessment, that identifies risks, you are then likely to have liabilities under existing laws and TORTS and I wonder therefore whether the government will need to mandate risk mitigations.
I sense that the application of the duty to spaces will be too difficult to achieve in the same way as places, but a general duty of collaboration and/or consultation on security issues might be applicable. However, this could also be expanded into applying a legal requirement for local resilience forums to consider the risk of terrorism, something that is currently only discretionary.
The argument about cost will endure and I would certainly encourage a counter narrative regarding the cost of not doing something.
Section 3 - How should compliance work?
Views were sought on what an inspectorate might deliver and how it might enforce the law. It appears that most of the responses were tactical, with the highest number of respondents suggesting that the main compliance measure should be training. Other responses included spot checks, annual visits and self-assessment. It is clear from the brevity of this section that inspection and compliance are presenting government with some difficult questions.
There was a mixed response about using civil fines as a sanction for non-compliance with a majority being against this however, a significantly larger group of respondents proposed alternative or additional views. This included a qualified use of fines and education as an alternative to enforcement. There seemed to be little support for criminal prosecution, although it was mentioned by some.
I think it is unlikely that the government will build a new inspectorate. If this legislation is to be created this year, there is neither time nor money to create a new inspectorate and you cannot establish a new law without some sense of how it will be enforced. I therefore believe that enforcement will be pursued through self-certification and/or voluntary compliance, in most cases. Given the focus on existing statutory bodies in section 2, I also hypothesise that they will be used as part of the legislative mechanism, with some already having powers to bring criminal prosecutions (licensing law being the obvious example). It is possible that as the law matures, other inspection regimes will evolve, the HSE wasn’t created in a day.
Section 4 - How should government best support and work with partners?
The government clearly sees itself as being responsible for providing authoritative advice and guidance. This is their most important role. Most respondents seem to agree, with 74 per cent proposing the use of a digital service to deliver this. Interestingly, there is some cross-over with section 3, with 61 per cent asking for the government to define what ‘reasonably practicable’ will mean in terms of compliance. While the government acknowledge this feedback, such definitions are usually defined by legal precedent (case law) and so it will be interesting to see where they draw their position from. Helpfully, the government, with policing and the private company Pool Reinsurance Ltd have been building the digital platform for the last 12 months, and it is expected to be launched imminently.
Furthermore, 55 per cent of respondents stated that they currently engage with government/police-provided advice and guidance which is demonstrable of the value such authoritative voices are seen as giving. Other respondents suggested that information should be sector-specific as well as seeking validation of who provides expertise. It is within this context that the government discusses the possibility of licensing security consultants.
Among the other responsibilities that it was suggested government should have, was the funding of mitigations where there was perceived to be a sector-specific cost impact. There is a precedent for this with the places of worship fund.
There is a lot in this section, but most of it seems to validate the simple concept of the digital service and provides helpful feedback on how that is likely to be most effective.
One of the final questions sought feedback on how the provision of high-quality advice could be guaranteed. This led to significant commentary regarding the regulation and accreditation of security consultants. It is unclear what the government’s intentions are and the scope to which this might be applied. There is no such thing as a universal security consultant, and many operate in fields for which there is not accredited training.
I believe that the government is likely to satisfy itself by ensuring that the digital service is up and running in time for the launch of the law and it is of a standard that means people will engage with it voluntarily, and not just because of a legal compulsion. While there is a project already underway to look at the accreditation and skills of CTSA’s there is great risk in assuming that the protect duty is best served by this skill set. The Manchester Arena Inquiry highlighted the limitations of CTSA’s, and they are not CT generalists. I would argue that seeking to replicate their accreditation within the private sector, is more likely to increase costs and the use of costly physical measures, rather than other strategies.
Written by Nick Aldworth. Nick campaigned alongside Figen Murray for the introduction of the UK Protect duty and was the author of the original proposal submitted to government for consideration.
He is director of Risk to Resolution Ltd.