This is the 4th in a series of interim reports on the replies from NHS Trusts to security related FOI requests

To review the previous report Click Here

The focus of this report is the responses received to question 4 – Are Security training deficiencies recorded on the NHS Trust’s Risk Register?


On 26th July 2021 AEGIS Protective Services sent security related Freedom of Information (FOI) requests to 194 NHS Trusts in England.

The Freedom of Information Requests asked:

  1. Does the NHS Trust contract a private security company to provide Security Officers to work onsite, or employ an ‘in house’ team of Security Officers, or both?
  2. Please provide a copy of the most recent ‘training needs analysis’ conducted at the Trust for a Security Officer role or, explain why there isn’t one.
  3. Do Security Officers have autonomy to remove people from the Trust’s premises i.e. without seeking advice from clinical staff as to whether or not the person to be removed requires medical advice, treatment or care?
  4. Are Security Officer training deficiencies that are known to exist listed on the NHS Trust’s Risk Register?

This 4th Interim report addresses the responses received to Question 4 above.

Interim Report #4 – The Risk Register

Our Question 4 asked: “Are Security Officer training deficiencies that are known to exist listed on the NHS Trust’s Risk Register?”

A Risk Register is a risk management tool used to record known risks to an organisation.

Each risk identified should be recorded with:

  • a description of the risk
  • the potential impact should it occur
  • the existing controls for the risk
  • an assessment of the likelihood of the risk happening (i.e. with the existing controls)

The risk would be categorised as: low, medium, high or very high risk and prioritised accordingly.

So, where a training deficiency exists (or should reasonably be known to exist) which presents a serious threat of harm to anyone (or the organisation), it should be recorded on the organisation’s Risk Register.

For example, no training in Self-Harm Awareness for Security Officers deployed in an hospital. Or, no training in Clinically Related Challenging Behaviour, or no training in how to recognise characteristic signs, traits and symptoms of people who have mental ill health and learning difficulties.

Below are examples of the FOI responses to Question 4

“Any training gaps will be notified to the Health/Safety and Risk Management team for updating onto the Trusts Risk Register, entries are subject to a scoring matrix and if thresholds are met, this is flagged to Executive Directors for information and remedial action.”

We currently do not have any deficiencies in training needs at the Trust. However where we do have an issue and it could impact of security services, or could have reputational issues, we would escalate this through via the Trust risk register process.”

“Training for NHS processes are provided by the Business Security Unit – all other procedures by regular G4S toolbox talks to staff. There are no known training deficiencies.

“As part of our PFI contract the training of security staff is regularly monitored, at the last audit no deficiencies were identified.”

“No deficiencies in officer training are noted in the Serco Security Training Matrix. There are also no training deficiencies within the Trust, therefore, there is no record of this on the Trust‘s Risk Register.”

“The Trust does not hold this information and it is therefore not disclosable.”

“Information not held by the Trust as Security Contract is outsourced and the company is not subject to FOI requests.”

“Training deficiencies are not listed on the Trust’s Risk register as this is not managed directly by the Trust but rather by the service provider.”

“Not Applicable.” (x9)

“None known.” (x12)

“None currently known.” (x3)

“We do not have a training deficiencies risk on the Trust’s risk register.”

“There are currently no training deficiencies listed on the risk register.”

“Private security firm procured on quality and cost.”

“No just local.”

“Not at this time, no.”

“No known deficiencies in training at this current time.”

“From a Risk Register perspective, there are no specific risks related to deficiencies in training for the Security Officers.”

“Training is the responsibility of the service provider and is monitored as part of the PFI contract agreement to ensure training is up-to-date and relevant.”

The Trust expects security guards to be adequately trained and meet the requirements of the SIA. We do not believe there is a legal training requirement, but the compliance with standards of behaviour and conduct are expected, and the SIA is a robust regulator (using a framework of guidelines and rules). Any security provider in breach of those rules is not able to be accredited by the SIA. This issue is dealt with in the contractual terms and SIA accreditation.”

“Security officers training is a continuous ongoing process where training needs are reviewed and actioned i.e. Maybo Training, Conflict Resolution and SIA licensing.”

“Security Officers are not permitted to operate alone on site without undertaking their relevant training which includes conflict management and physical intervention training and full site familiarisation. They are shadowed by a fully trained officer until they are signed off as competent.”

“The contract is monitored monthly, and any gaps are addressed in those meetings. Therefore training is not something that escalates to risk registers.”

“Any risk associated with the security officers competencies would be raised with the security provider in the first instance and if not addressed, recorded on the Trust’s risk register.”

If there were training deficiencies, then it would be identified and if the risk was deemed to fit the criteria would be placed on the department’s Risk Register.”

“No deficiencies are detailed on the risk register, as all aspects of training covered. Should a deficiency be identified, training would be provided.”

“Security training is in line with the NHS Mandatory training matrix and audited on a monthly basis.”

“The Trust is not aware of any training deficiencies; all security staff are fully trained.”

“Not applicable – the Contract is for the supply of appropriate security.”

“If they are not SIA badged, they are not employed by the external company.”

“Reported as fully compliant.”

“No deficiencies are known to exist as all guards must be SIA trained and licensed to the appropriate standards for the job they have been asked to attend.”

“There are no known deficiencies as the training is dictated by the Contract Specification and therefore is mandatory.”

“Fully trained to SIA.”

“Due to the nature of the trust, training needs are not required; we do not have control of restraint security guards, or the need for.”

“There are references in the Security Department’s Risk Assessment that refer to having insufficient numbers of fully trained staff on duty to respond to routine, urgent and emergency security-related incidents in addition to business continuity and major incident plans.”

“If one is noted and deemed as a risk, yes. Currently none exist on the register.”

“They are addressed if and when they arise but would not keep as an ongoing risk once resolved and it would depend on which aspect of training the risk related to.”

“All training compliance is monitored and tracked, and any risks to compliance included in our service risk register. If there were significant risk to compliance then that would be escalated to the Trust’s overarching risk register, but that is not currently required.”

“All Security Officer training is kept up to date – there are no training deficiencies.”

“No, they are not as any training deficiencies are addressed on a 1:1 basis with the officer concerned.”

“There are no deficiencies as staff are fully trained and induction in place for new starters all officers are BTECH Level 2 in Control and Restraint and in the use of mechanical restraint. All mandatory training including Conflict Resolution is complete. All staff are subject to competency assessments over individual aspects of the role.”

“There are no current training deficiencies. We cannot say whether any such deficiencies could be listed at a future date, as this is entirely speculative and would depend on the circumstances.”

“Individual training gaps would be included on personal files. Wider issues would be recorded on Datix (risk register).”

“Staff training is mandatory and kept current via line management reporting. If there are training deficiencies these would be addressed and corrective actions taken to resolve this in a timely manner. Therefore these would not be placed onto the risk register.

“The only training requirement showing on the risk register is Lift release training which has recently been identified and is on the Risk Register.”


It is clear that many NHS Trusts mistakenly believe that SIA Licence-linked training is sufficient training for their Security Officers. It’s also clear that many NHS Trusts mistakenly believe that contracting in private security services transfers liability for adverse outcomes involving Security Officers directly to the security service provider company and so are content to implicitly trust the security service provider companies to provide ‘appropriate’ training for the Security Officers. (These issues were explored in FOI Interim Update #2.)

Some NHS Trusts provide training for their Security Officers in line with the (Statutory/Mandatory) NHS Core Skills Training Framework, supplemented with physical intervention and restraint training i.e. in addition to any SIA Licence-linked training.

Some NHS Trusts also train their Security Officers to be able to safely release passengers trapped in lifts.

More than a few NHS Trusts recognised that significant training deficiencies should be listed on the Risk Register. However, except for one Trust that had identified a lack of Lift release training as a risk to be recorded on the Risk Register, none had actually identified any such risks.

One reason for that could be failure to conduct a Training Needs Analysis (TNA) in the first place.

However, even so, if NHS Trusts are carrying out Post Incident Reviews following incidents that happen, then the results should surely highlight any need for ‘additional’ training. Shouldn’t it?

So, what does the failure to identify any ‘significant training deficiencies’ indicate about the quality of the Post Incident Reviews, (if they are being conducted) and the efficacy of the ‘robust, risk management systems’ in place?

What ‘extra’ training do NHS Security Officers need?

The AEGIS Healthcare Security Officer Training course was designed in collaboration with experts from the National Association for Healthcare Security and, in particular, Gary Ross, Security Ops Manager at Kings College Hospital NHS Trust. The training incorporates all the learning objectives set by the Security Industry Authority (SIA) for Security Guarding and is overlaid with additional ‘healthcare specific’ elements that have been identified as ‘necessary’ by a Training Needs Analysis, following a Risk Assessment of the role.

The Healthcare Security Officer ‘Top Up’ Training course is designed to supplement previous SIA Security Guard training and provides just the additional ‘healthcare specific’ training.

If you take a look at the Learning Outcomes for the ‘Top Up’ course, you’ll get an idea of the ‘extra’ training NHS Security Officers need (i.e. in addition to SIA Licence-linked training).

Click the button below to view/download the Learning Outcomes for the ‘Top Up’ course (.pdf)

Healthcare Security Officer ‘Top Up’ Training