Policy paper

Terrorism (Protection of Premises) Bill: Enhanced duty requirements factsheet

Published 12 September 2024

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/terrorism-protection-of-premises-bill-2024-factsheets/terrorism-protection-of-premises-bill-enhanced-duty-requirements-factsheet

This factsheet explains the requirements for persons responsible for enhanced duty premises and events under the Terrorism (Protection of Premises) Bill. Further information on which premises or events may be subject to enhanced duty requirements can be found in the scope (premises) factsheet and scope (events) factsheet. Enhanced duty premises and events are also referred to as the “enhanced tier”.

As with the standard duty, enhanced duty requirements are designed to ensure that responsible persons for qualifying premises and events are prepared to take, what the government considers, appropriate actions in the event of an attack. As enhanced duty premises and events will reasonably be expected to host greater numbers of individuals, the impact of a successful attack is likely to be more significant; and so responsible persons will also be required to put in place reasonably practicable public protection measures. These measures aim to reduce vulnerabilities and therefore provide better protection from acts of terrorism.

The enhanced duty requirements are:

1. Notification

The responsible person for enhanced duty premises and events will be required to notify the Security Industry Authority (SIA) when they become responsible for the premises or event. They must also notify the SIA if they cease to be responsible.

Regulations will set out the required time for notifying the SIA, and what information must be provided about the responsible person and the premises or event, such as the number of individuals the premises or event can reasonably expect to be present and contact information relating to the responsible person.

2. Designated senior individual

Where the responsible person for an enhanced duty premises or event is not an individual, they must appoint a designated senior individual (DSI). The DSI must be someone who has responsibility for managing the affairs of the responsible person as a whole, such as a director or partner, rather than a lower-level employee.

The primary function of the DSI is to ensure that the responsible person complies with the relevant legislative requirements with a wider objective of ensuring senior management are engaged in decision-making. The DSI may delegate actions that relate to the requirements but cannot delegate their overall responsibility.

The DSI will not be held accountable for an organisation’s failure to meet requirements where they have done everything within their capability to ensure the organisation complies with requirements. Senior officers (including the DSI) may be liable to prosecution under the bill if their organisation commits an offence and it is proved that the offence was committed with their consent, connivance or occurred as a result of their neglect.

3. Public protection procedures and measures

Public protection procedures

The responsible person for enhanced duty premises and events will be required to ensure that, so far as is reasonably practicable, appropriate public protection procedures are in place at the premises or event.

Public protection procedures are procedures of a type set out in the bill that may be expected to reduce the risk of physical harm to individuals in the event that an act of terrorism occurs at the premises or the event, or in their immediate vicinity. They are procedures to be followed by people working at the premises or event where they suspect an act of terrorism is occurring, or is about to occur, at the premises, the event or in the immediate vicinity.

The four types of procedures that must be put in place, as appropriate and reasonably practicable, are: 

Evacuation The process of getting people safely out of the premises or event
Invacuation The process of bringing people safely into, or to safe parts within, the premises or event.
Lockdown The process of securing the premises or event to ensure that the entry of any attacker is restricted or prevented e.g. locking doors, closing shutters or using barriers.
Communication The process of alerting people on the premises or event to move them away from any danger.

When considering the procedures in place, the responsible person will need to consider what is appropriate and reasonably practicable for their premises. This will involve consideration of matters such as the nature of the premises and resources available.

As part of ensuring that public protection procedures are in place, people working at the premises must be made aware of the procedures so that they are ready to put them into practice. For example, it would not be sufficient to have in place an evacuation procedure if no one working on the premises understood how to follow it.

Public protection measures

The requirements of the enhanced duty are designed to ensure that responsible persons for qualifying premises and events deliver appropriate mitigations to provide greater protection against acts of terrorism. For the purpose of this bill, such mitigations are known as public protection measures.

To be effective, the responsible person should ensure that the public protection measures that they put in place are tailored to their particular premises or event. This includes how they operate, their resources and the types of acts of terrorism that could occur there. It will be imperative to consider the effect of all measures when integrated together, to form an accurate understanding of how their vulnerabilities will be reduced in order to mitigate the impact of a terrorist attack, should one occur.    

The delivery of these measures will vary between different types of qualifying premises and events and may be implemented through people (e.g. training), processes (e.g. a bag search policy) or physical measures (e.g. CCTV). The measures will also need to be delivered holistically, for example, installing CCTV would not address a vulnerability if it were not operated by people who have appropriate awareness of relevant threats. The four types of measures that must be put in place, as appropriate and reasonably practicable, are: 

Measures in relation to monitoring the premises or event, and their immediate vicinity:

  • Monitoring measures focus on identifying and reporting signs of suspicious activities, behaviours, items or other potential indicators of a potential or actual terrorist attack at a premises or event, and their immediate vicinity, to protect members of the public. Examples of such measures range from circulating awareness-raising material to those working at the premises or event, to comprehensive security systems and control rooms at the higher end of the scale.

Measures in relation to controlling the movement of individuals into, out of and within the premises or event:

  • Movement measures focus on employing appropriate deterrents and mitigations to reduce vulnerabilities to attacks and to protect members of the public entering, within and exiting the premises or event. Examples of such measures range from policies and processes for observing suspicious bags, searching and screening individuals, locks and barriers or CCTV.

Measures in relation to the physical safety and security of the premises or event:

  • Physical safety and security measures focus on the strengthening of premises and events structures to prevent certain attack methodologies from occurring and/or to mitigate their impacts. Examples of such measures range from stand-off zones (a designated area to place distance between one location and another), safety glass or Hostile Vehicle Mitigation.

Measures in relation to the security of information which may assist in the planning, preparation or execution of acts of terrorism:

  • This focuses on understanding the sensitivities of information, particularly what is appropriate to share, where and who with. It may include key information about the premises or event, operating environment, design or usage that could reveal vulnerabilities. An example of this measure is ensuring that sensitive information such as floor plans are held securely, and access is restricted to relevant individuals.

The government will provide comprehensive guidance for enhanced duty premises and events to support the understanding, development and implementation of reasonably practicable public protection procedures and measures.

Types of acts of terrorism

To develop reasonably practicable public protection procedures and measures, the responsible person for enhanced duty premises and events will need to consider the different attack types that could take place at their location and therefore the measures that they need to put in place to reduce vulnerabilities and the harm caused by particular methodologies.

The government will provide comprehensive guidance for enhanced duty premises and events to further understand relevant types of terrorist attack methodologies.

Reasonably practicable

Reasonably practicable is a concept found in other regimes, such as Fire Safety and Health and Safety. In determining what is reasonably practicable, the responsible person will need to take into account their particular circumstances and the circumstances of the premises. Matters that may be relevant to this question include the nature of the premises, as well as the resources available to the responsible person.

The particular procedures and measures put in place at one location may not be appropriate and reasonably practicable at another. For example, procedures and measures will differ at a cinema that can reasonably expect to have no more than 1,000 people on the premises at any one time from a stadium that can seat 20,000 people.

Procedures and measures should be tailored to the specific circumstances of the premises or event. For example:

A 1,200-capacity theatre may take forward the following activities in relation to implementing their public protection procedures and measures:

  • Developing and implementing plans for public protection procedures and ensuring that they are routinely rehearsed

  • Ensuring that induction and probation periods for new staff include awareness training packages for all those working at the theatre in roles relating to safety, security and counter-terrorism

  • Developing policies for perimeter and entry checks as well as queue management and ticket checks

  • Using internal radio systems and mobiles for communication between relevant individuals working at the theatre

  • Introducing interim tabletop activities and walk-through scenarios that are designed and led by designated individuals

  • Employing a mixture of salaried and contracted door staff to sufficiently protect ingress and egress areas

  • Developing policies for suspicious or restricted items including bag checks and storage

  • Having effective CCTV with an adequately staffed monitoring and control room

This list is non-exhaustive and subject to change over time.

Effective procedures and measures

The procedures and measures should be effectively communicated to all those who need to be aware of them in order to deliver an effective response to a suspected incident. This may include employees, volunteers and contractors as well as those hiring premises. 

How staff are made aware of the public protection procedures and measures will depend on the particular circumstances of the premises (including the nature of their use and types of people working there) and the responsible person’s resources. For example, the responsible person may require relevant employees to attend instructional training.

4. Documenting compliance

Responsible persons for enhanced duty premises and events are required to record the following information to form a tailored document:

  • the public protection procedures that they have in place, and/or will put in place, to remedy or mitigate relevant risks
  • the public protection measures that they have in place, and/or will put in place, to remedy or mitigate relevant vulnerabilities or risks
  • reasoning as to how those public protection procedures and measures reduce the vulnerabilities and/or risk, were a terrorist attack to occur

The document should focus on the totality of the procedures and measures in place and contain the necessary detail to enable the SIA to make an initial evaluation of compliance. This might form part of a remote assessment or support an on-site inspection and it is therefore critical that the SIA can develop a clear understanding of the vulnerabilities of the premises or event to the different attack methodologies.

The document should be provided to the SIA as soon as reasonably practicable after it is prepared and resent within 30 days of any revision.

Back to top