Guidance

Introduction: Crowded Places

Published 2 November 2020

This guidance was withdrawn on

For the latest, up to date versions of NaCTSO guidance, please visit www.protectuk.police.uk. This NaCTSO page is no longer updated.

1. Introduction

The threat we face from terrorism is significant. As we have seen in the UK and across Europe attacks can happen at any time and any place without warning. Understanding the threat we all face and of the ways we can mitigate it can help keep us safer. Everyone can play a role in this effort by taking steps to help boost their protective security whether that’s at work, at home or away; when travelling, when out and about or just simply when online. Having better security for all these areas makes it harder for terrorists to plan and carry out attacks. It also helps reduce the risk of other threats such as organised crime.

This document provides protective security advice in a number of sectors and scenarios. It has been developed through extensive research and analysis of previous incidents, and the assessment of current known threats. It covers the key forms of protective security: physical, personnel, cyber and personal, and helps give guidance on how different sectors can act to help make their business, institutions or organisations safer.

This guidance is primarily aimed at those in the security sector and those who own or run businesses, organisations, amenities or utilities. Some of the terminology may be unfamiliar to some readers. However, we hope the advice can also be of use to anyone who wishes to improve their own security. To deliver protective security effectively a security plan is essential along with a full risk assessment. It is important to identify an individual responsible for security and to identify what are the important assets, people, products, services, processes and information within your organisation. You can then begin to introduce mitigation to reduce vulnerabilities. A strong security culture must be supported and endorsed from a senior level.

1.1 Physical security

Effective physical security is best achieved by multi-layering different measures. An adversary will attempt to identify and exploit perceived weaknesses. The core principles for protecting an asset are Deter, Detect, Delay and initiate an effective response.

1.2 Personnel and People security

Personnel and people security requires the integration of physical, personnel, people and cyber security. To achieve effective personnel security a system of policies and procedures are required to reduce the risk of an organisation’s assets from being exploited. This guidance will signpost you towards the objective of vigilant staff and an effective security culture. Organisations should determine how to get the best from their staff in security matters and disrupting hostile reconnaissance and insider threats.

1.3 Cyber Security

The cyber threat as one of the most significant risks to UK interests. The National Cyber Security Centre role is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. They work together with UK organisations, businesses and individuals to provide authoritative and coherent cyber security advice and cyber incident management. They are able to provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future.

1.4 Personal Security

Our own security, and the safety of those close to us, is of utmost importance. The more you do to protect yourself, the safer you and your family will be. There are three key areas that can affect your safety. These are physical security, your situational awareness and online security. Exactly which security measures you adopt will depend on the extent, or level, of threat you are likely to encounter and vulnerabilities you have. This may be dependent upon your profession or role, a specific threat, the location you work and or your personal history. No-one has more responsibility for your personal security than you. With an evolving threat we must all consider our own personal security, particularly when in crowded places.

2. How to use this Guidance

The online Crowded Places guidance has been reviewed by protective security experts from the Centre for the Protection of National Infrastructure, the National Counter Terrorism Security Office and practitioners from a range of businesses, trade bodies and associations.

Whilst it can be read page by page, it has been designed for the user to jump to the page most relevant to their interest or enquiry, be that ‘Business Continuity’ or ‘Hostile Vehicle Mitigation.’

The guidance is divided into sections that discuss both types of terrorist attack and their effective mitigations. It is worth bearing in mind that a number of these attack-types can be carried out at varying times when a crowded site is in use. An attack can be perpetrated during the ingress or egress of crowds or during a specific event or during the ‘lifecycle’ of the use of a particular site (e.g. during a concert, or during the opening hours of a shopping centre). Some attacks (e.g. timed devices) may lead to ‘preparatory acts’ being carried out prior to the presence of any crowds.

We would caution against undue emphasis being placed on the timing of any particular attack and that the possibility of attacks taking place at different times is considered in the planning and preparation to mitigate attacks.

Essential mitigations against certain types of attack or indeed preparatory hostile reconnaissance, such as identifying and notifying supervisors or the police about suspicious behaviour are relevant mitigations against acts of terrorism throughout an event or the lifecycle of a site. Use should be made of examples in tabletop exercises and discussions in order for the operators of sites and relevant third party contractors (e.g. security staff, facilities management) to work through their processes and emergency procedures in a range of scenarios that consider different types of attack taking place at different times.

3. Law and liability

There are legal and commercial reasons why venues should plan to deter terrorist and criminal acts, or at least to minimise their impact. There is the potential of criminal prosecution and penalties under health and safety legislation for companies and individuals, particularly when statutory duties that have not been met. Where sectors are regulated it is important to liaise with the appropriate body.

3.1 The Health and Safety at Work Act 1974 and the Management of Health & Safety at Work Regulations. 1992 (updated 1999) outlines the responsibilities of an organisation:

  • The Health and Safety at Work Act 1974 and the regulations made under it, requires organisations who are duty holders to do what is reasonably practicable to ensure people’s health and safety. The Act sets out the general duties that employers have towards their employees whilst at work. The Act also requires employers and the self-employed to protect people other than those at work e.g. volunteer staff and spectators. These people should be protected from risks to their health and safety arising out of, or in connection with, an employer’s work activities

  • The Management of Health and Safety at Work Regulations 1999 (the Management Regulations) require organisations to assess and control risks to protect employees and others who may be effected their work activity. Where two or more employers share a workplace (whether on a temporary or a permanent basis) each employer shall have systems in place to co-operate and co-ordinate with the other employers concerned so far as is necessary to manage interfaces between activities and any shared risks.
  • Co-operate and co-ordinate safety arrangements between owners, managers, security staff, tenants and others involved on site, including the sharing of incident plans and working together in testing, auditing and improving planning and response. The commercial tensions which naturally arise between landlords and tenants, and between retail tenants who may well be in direct competition with each other, must be left aside entirely when planning protective security.
  • Ensure adequate training, information and equipment are provided to all staff, and especially to those involved directly on the safety and security side.
  • Put proper procedures and competent staff in place to deal with imminent and serious danger and response to terrorist incidents.

Go to the Health and Safety Executive website

4. Reputation

Reputation and goodwill are valuable, but prone to serious and permanent damage if it turns out that you gave a less than robust, responsible and professional priority to protecting people against attack. Being security minded and better prepared reassures your customers and staff that you are taking security issues seriously.

Further information

For specific advice relating to your venue contact the nationwide network of specialist police advisers known as Counter Terrorism Security Advisers (CTSAs) through your local police force. They are co-ordinated by the National Counter Terrorism Security Office (NaCTSO).

We welcome feedback from the public/business community using the gov.uk feedback process at the bottom of each page.

Go to the Emergency Planning College Website

Go to the Health and Safety Executive website

Go to the Occupiers’ Liability Act 1957