New draft UK legislation will impose a legal duty on those responsible for public spaces to assess the risks of terrorist attack and to take steps to mitigate the risk and potential harm to the public. The 2017 bombing of the Manchester Arena was the catalyst for these proposals, which have been named after Martyn Hett, one of 22 people killed in the incident. This article examines the key aspects of the Bill, its potential impact on risk management issues and a possible time frame for the proposals to come into force.
The draft Bill in summary
This is a substantial piece of legislation. A key measure is the imposition on people responsible for publicly accessible locations of a new duty to assess the risk of terrorist incidents and to take appropriate mitigating steps. Commonly known as the “protect duty” – the duty is not universal and will apply only to those places with a capacity of greater than 100 people – “qualifying spaces”. Above this threshold, a “standard duty” will apply to places with capacity between 100 and 799, with an “enhanced duty” applying where the capacity runs to 800 or more. This “enhanced duty” will also apply to temporary events that exceed the 800 people threshold.
In broad terms, the scheme set out in the new Bill is as follows.
The “standard duty” will require the responsible person to:
- Register qualifying places with the regulator;
- Undertake a standard terrorism evaluation at least every year;
- Provide terrorism protection training to relevant workers.
The “enhanced duty” will additionally require the responsible person to:
- Undertake a specific terrorism risk assessment at least every year, which must
- consider the risks of terrorist attack, and keep this under review;
- ensure that all such reasonably practicable security measures are put in place to reduce to reduce the risk of attack and the risk of harm in the event of attack;
- Prepare and submit a security plan to the regulator;
- Nominate a designated senior officer to the regulator (a director or manager in the case of a company.
The Bill provides powers for various regulations to be made to set out the detail of these requirements for the thousands of organisations in scope – the material released by the Home Office suggests that around 300,000 locations will be subject to the new duty.
On compliance and enforcement, the Bill gives the regulator powers to issue contravention and restriction notices, as wells as powers to issue significant fixed or daily penalties in the event of failure to comply.
Upper limits of the penalty regime:
|Standard duty||Enhanced duty|
|Fixed penalty||· Up to £10,000||· Up to the greater of either
– £18 million, or
– 5% of worldwide revenue
|Daily penalty||· Up to £500||· Up to 1% of the fixed penalty|
The Bill does not specify one critical aspect: the identity of the regulator who oversees compliance with the duty and engagement with duty holders, including a potentially extensive inspection regime. Instead, it provides that the regulator will be the Secretary of State – in effect, creating a new function within the Home Office – if no other existing public body is designated in regulations.
Given that the overall framework of the new duty borrows from fields such as health and safety, security, disaster planning, licensing, construction and planning, and the environment, it may be that one or more regulators in those sectors emerge as candidates here, subject to resourcing issues and operational capacity in those sectors and in the Home Office itself.
Approaches to risk management
An important consequence of the Bill will be that terrorism risk assessments, mitigation plans and monitoring activity are likely to come together under the operational focus of the “designated senior officer”. Although organisations controlling publicly accessible places may already be carrying out tasks and activities required by the new duty, those may well be taking place in discrete parts of the business (such as in those fields mentioned above). The new duty does seem to point strongly to these activities being brought together so that appropriate material and information can be centrally collated and supplied to the regulator for compliance and monitoring purposes.
On liabilities, the Bill is very clear in not providing for a new type of claim in the event of non-compliance with the principal duty or contravention of regulatory notices: “Nothing in this Act confers a right of action in any civil proceedings in respect of any contravention or a requirement imposed on any person by or under this Act.”
Nevertheless, the same clause then adds that that is “without prejudice to any right of action which exists apart from the provisions of this Act.” When the Act is in force, there will be the potential for liability claims – as indeed there is already – in the event of an attack at a qualifying place. What will be new and uncertain is the extent to which a failure to comply with the new duty might go towards evidence of breach of other duties (whether at common law or statue such as the Occupiers Liability Acts) and/or causation in civil claims made against the dutyholder(s) after such an attack.
At standard duty level, it seems highly likely that parts of the insurance market will develop solutions to help businesses, individually or in trade groupings, access information and online resources that will assist with compliance. Such services may well spin out of existing property and liability risk management services. Meeting the enhanced duty seems much more likely to require bespoke approaches tailored to the particular risks and mitigation plans identified for specific qualifying places, and the ways in which they are used by the business and accessed by the public. Broker and / or insurer-led risk management / monitoring services look likely to have a greater role at this higher level of the duty.
Compliance will, inevitably come at a cost. The Home Office published an initial impact assessment (IA) alongside the Bill that provides detailed estimates of adaptation, set up and ongoing costs. Using a present value (PV) calculation, the IA estimates that “the total set-up cost of Martyn’s Law is between £268m and £1.3bn, with a central estimate of £625m (PV) [and that] the total ongoing cost … is between £850m and £5bn, with a central estimate of £2.1 billion (PV).”
Next steps for the draft Bill?
The Home Affairs Select Committee will conduct pre-legislative scrutiny of these proposals. The overall timetable is not clear, but this stage – which could include stakeholders submitting written evidence as well as oral hearings in Committee – might take place in the next few months before the summer recess. Any resulting report from the HASC would then go to the Home Office and could lead to a revised Bill (and a revised impact assessment) being published and beginning its formal legislative stages in Parliament in the autumn. If that were to happen, Martyn’s law may be in place during the second half of 2024.
Contributed by Alastair Kinley, head of policy development, Clyde & Co