As reported in the May edition of Professional Security Magazine, in April the Home Office brought out statutory guidance to explain Martyn’s Law in detail. How fully does a security manager have to read it – can you get away with knowing the gist of it?! In a word, no, says Stewart Brown of consultancy Surelock International, who returns to these pages to take us through the Terrorism (Protection of Premises) Act 2025.
All owners-operators of premises and events organisers in scope of this Act need to be aware of their legal responsibilities under the Act and security professionals need to fully understand the Act and statutory guidance documents to be able to give best advice and advise properly, how to comply with this new legislation. Solicitors, the Security Industry Authority (SIA) and the courts will eventually challenge the wording and interpretation of the Act to great costs. These documents need to be understood now. I expect the SIA are working to a six month before timescale as getting requirements explained & documented will take about that time, so by October 2026 will probably be a date that owners-operators of premises and events organisers should have responded (or started work) to the Act’s requirements.
Statutory guidance
It is a fair document (it is the first of its kind) but unfortunately does not define or explain the title word ‘terrorism’, which would have been helpful and relevant. I know various countries and academics have struggled with this and appear to have different versions, but a simple phrase like “any potential act that creates or intimates fear or terror to or on the general public” may have sufficed. Also in Chapter 3: Glossary of terms, they have not mentioned or defined ‘Protection of Premises’ or given any indication of what they mean by that phrase, which are two major omissions as these two points are what the Act is all about, whereby they have explained other words ‘appropriate’ and ‘reasonably practicable’ in detail, among others. With regards to the requirements detailed and ‘terms used’, they have highlighted in bold the words, MUST, SHOULD and COULD with the following explanations:
MUST – A legal requirement in the Act;
SHOULD – Not an express requirement in the Act but strongly recommended and encouraged good practice; and
COULD – Not a legal requirement but an optional suggestion or example.
On initial reading of the 129 pages (nine chapters) then the additional three supplementary documents, there is a fair amount of duplication of words and phrases that owners/operators of premises and event organisers have to try and work out what is relevant and intended, but I have broken down that there appears to be in total 124 actual requirements, that I take the SIA will follow and enforce during their investigative and regulatory approach role. Simplified (I think) there are the use of the words: must 55 times, should 91 times and could 50 times, and in some requirements there is more than one of these words used in the actual requirement paragraph, phrase or details. Seventy-two requirements affect all the standard and enhanced tier premises and events; 74 requirements that affect standard tTier premises; 118 that affect enhanced tier premises and 122 requirements that affect events.
Responsible person
Chapter 3: Glossary of terms, does explain the following words or phrases: ‘appropriate’ means ‘suitable’ (but this would be subjective to a view). ‘Immediate vicinity’: an area close to the premises. No fixed distance is associated with this term (they should have given some indication of distance or explained what they consider ‘immediate’). ‘Reasonably practicable’ means ‘proportionate’ – the responsible person should weigh what can be done to achieve the objectives of procedures or measures, balanced against the cost, time and difficulty of implementation (again, a subjective view). ‘Responsible person or responsible persons’ – this is the individual, organisation or company with control of the qualifying premises or with control of the premises at which the qualifying event is taking place, for the purpose of the event (this person is therefore legally responsible for all aspects of the Act). ‘Senior individual’: where the responsible person for enhanced tier premises or a qualifying event is an organisation or company, a ‘senior individual’ must be designated to ensure compliance with the Act. That is someone who is involved in the management or control of the responsible person (this does not negate the responsible person from the legal requirements of the Act).
The glossary does detail the public protection procedures (paragraphs 7.33 to 7.49) of ‘evacuation’, ‘invacuation’, ‘lockdown’ and ‘communication’ briefly, but does not mention or explain the public protection measures of ‘monitoring’, ‘movement control’, ‘physical security’ and ‘security of information’ until page 92, and pages 96 to 113, which really does not clearly assist the responsible person or anyone else trying to advise on how to protect premises or events effectively.
The stated four procedures are not too difficult to identify and comply with (after a lot of research and understanding), but the stated four measures of: monitoring, movement control, physical security and security of information are phrases that need to be explained in detail and guidance given to understand what the SIA may need to be covered to achieve effective compliance with the Act.
Compliance document
The statutory guidance (paragraphs 8.56 to 8.67) states the responsible person for enhanced tier premises or qualifying events must document their compliance with the Act, using statements and assessment, then calling it a ‘compliance document’, which the SIA ‘statutory operational guidance’ also refers to. This guidance uses the word ‘statements’ that are required to set out public protection procedures and measures, but the SIA refer to compliance documents and do not refer to ‘statements’ or ‘assessments’ in any of their guidance, which causes confusion.
A number of examples are given and figures (charts, lists and columns) with relevant information that assists the various chapters in the statutory guidance, which references and supports the relevant sections of the actual Act, but working out the various requirements needed to establish and identify terrorist assessments (potential threats-actions) and actual protection of premises aspects (for enhanced tier premises and qualifying events) is very difficult to work out and record, to comply with the Act. I fully understand that all this process is new for owners-operators of premises and events organisers but still a large number of unidentified matters will have to be considered by the premises-events to satisfy the SIA that compliance is there for the safety of the public.
Now the Statutory Guidance (paragraph 6.7) actually states “It is not mandatory to use third-party products or services to comply with the Act’s requirements. However, the responsible person may contract relevant services to assist in meeting their obligations under the Act if they consider necessary, helpful or appropriate (for example, a security provider, contractor and/or consultant who can advise on vulnerabilities, and appropriate public protection procedures or measures). The responsible person remains liable for ensuring that premises or events are compliant with the Act and should therefore be satisfied that any support provided by providers, contractors or consultants is suitable to meet their requirements, properly resourced and effectively delivered”. This now identifies to owners-operators and events organisers that they can obtain specialist advice from the UK security industry (consultants etc) if lacking experience and knowledge in interpreting and dealing with all (or any) aspects of Martyn’s Law.
Operational guidance
The Statutory Operational Guidance by the SIA under section 12 of the Act, mainly relates to its role, regulatory functions, investigatory powers and enforcement which will evolve over time, after April 2027 and is still in the draft stage. Although it clearly identifies the compliance process, including notification, information-gathering and inspection, investigation, interviews, risk assessments and serving relevant notices during the compliance process. The SIA are already engaging staff, inspectors and management to deal with their requirements under the Act and have new offices in Manchester, although these guidance documents reveal that the majority of contact will be done through an online portal for correspondence and notices rather than telephone or face to face.
SIA powers
The SIA have the powers to seek information from the responsible person or other party, by (1) information request, (2) statutory information notice, (3) interview notice, or (4) inspection of premises (with or without a warrant).
There are three types of statutory civil notices: compliance notices, restriction notices and penalty notices that they will serve on the responsible person for enhanced tier premises or qualifying events. Compliance notices are the process that the SIA will use to advise and probably support those in preparing and submitting compliance documents. SIA enforcement regime will follow with restriction notices (stop premises-events from operating?) then pursue with penalty notices (to punish non-compliance). The responsible person for enhanced tier premises or large events, has to notify (register themselves) to the SIA and then provide compliance documents regarding the operational use of their premises or events before allowing members of the public to attend the venue.
The SIA under Section 1.2 of their statutory Ooperational guidance document, fifth paragraph states: “The SIA publishes guidance and tools to support those in scope of the Act to comply, as set out in section 3 of this guidance. The SIA does not usually provide tailored regulatory advice on compliance to those in scope, except where it has identified a specific compliance issue”. To explain in simple terms, they do not provide site (premises or events) specific advice, unless they are dealing with the responsible person regarding a compliance matter or issue that has been identified by them.
Summary
To briefly summarise, the detailed Statutory Guidance document has 120-plus requirements (MUST, SHOULD &and COULD) for owner-operators and events organisers (‘responsible person’ position) that it is expected that the SIA will use to ascertain compliance under the Act. Any guidance/advice that the Home Office have stated in this document will have to be considered or implemented; if not, the responsible person will have to detail and justify why they cannot action or comply with the provisions of the Act.
As a consultant to clients I take it that any information (requirements) from this Statutory Guidance document provided by the Home Office under the Act, will need to be thought of, acknowledged, considered and explained by owners-operators or event organisers, then documented to enable them to comply with Martyn’s Law Act.
All owners-operators of premises and events organisers that fall into the scope of this Act, they will need to fully understand these requirements to satisfy the SIA that they are compliant in keeping members of the public safe on their premises or an event run by them.
There is a great amount of work still to be done, before April 2027 when this Act comes into force, which we at Surelock International Limited are ready and can assist with. We have adapted our security consultancy services and current security survey-audit process on all premises/events in the scope of this Act to comply with this new legislation and therefore be in a position to provide ‘Compliance documentation’ for owners-operators &and events organisers to assist them in complying with this law.
Photo by Mark Rowe: Home Office, Horseferry Road, Westminster.
