NHS Security Management is the subject discussed in this update post by Jim O’Dwyer, Senior Consultant at AEGIS Protective Services…

NHS Protect (originally the NHS Counter Fraud and Security Management Service), the body with overall responsibility for policy and operational matters relating to the prevention, detection and investigation of crime against the NHS, has been subjected to a review of its functions and services.

The ‘review’ concluded that, as a result of work already carried out by NHS Protect, boards of local NHS organisations should possess the knowledge and capacity required to deal with the crime threats they face and so NHS Protect should no longer continue to provide these services.

The reviewers also felt that if NHS Protect did continue to provide the services there would be a risk that NHS boards would not properly take ‘ownership’ of local anti-crime risks. (The comment is a clear indication that NHS England wishes to devolve responsibility and accountability for NHS security management down to individual health bodies and as far away as possible from the centre.)

An outcome of the review has been that, on 1st April 2017, NHS Protect’s security management functions were effectively decommissioned, although it will continue to lead on tackling fraud, bribery and corruption within the health service in England, under a new title: “NHS Counter Fraud Authority (NHSCFA).”

The decision to disband NHS Protect’s Security Management functions is difficult to reconcile and it conflicts directly with NHS Protect’s own statement that: “In order for it to be effective, work to tackle crime against the NHS really needs to be nationally led and co-ordinated.”

It’s also fair to say that the suddenness with which this has all happened, coupled with a lack of any meaningful prior consultation with NHS Trusts, has come as a bit of a shock to many NHS Security professionals. It has also generated uncertainty about how security will now be managed across the NHS.


A ‘Security Management’ template to work to

Prior to abdicating responsibility for NHS security management matters, NHS Protect produced a set of Security Management Standards and Security Management Guidance which NHS service providers are required to comply with. This requirement is incorporated into the NHS Standard Contract. Service Condition 24.1 (Page 19) requires all providers to put in place and maintain appropriate counter fraud and security management arrangements, having regard to NHS Protect’s Security Management Standards.

Self-Review Assessment

NHS Protect’s Security Management Standards require health bodies to complete a Self-Review process, using a prescribed format. The Self-Review process involves comparison of performance against the required standards and allocation of a RAG rating (Red, Amber, Green) for key aspects, as well as an overall RAG level. It also entails production of a summary of the security management work conducted over the previous financial year and creation of a Security Management Work Plan for the future.

Inspection & Enforcement

Health bodies may (or may not) be selected for inspection and assessment of their security management arrangements at any time during the year.

Service Condition 24.3 of the NHS Standard Contract requires providers to permit a person duly authorised to act on behalf of NHS Protect or on behalf of any commissioner to review the security management arrangements; and Service Condition 24.4 requires the provider to implement any reasonable modifications/improvements found necessary.

Note: Prior to April 2017, inspections and assessments were conducted by NHS Protect’s Quality and Compliance team.

It is currently uncertain who, or what organisation, will now be responsible for enforcing the requirements, assessing the suitability of the existing security management arrangements and deciding whether or not improvements are needed. However, it seems more likely than not that it will be the Care Quality Commission (CQC). This is because CQC already assesses health bodies against the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (Part 3) (as amended), including Regulation 18 staffing levels, competencies and training (page 74).


Standard 1.4 – Strategic Governance – (page 21) requires health bodies to report annually to their executive board, or equivalent body, on how they have met the Security Management Standards and their local priorities as identified in their Security Management Work Plan. This requirement is intended to enable health bodies (and individuals with responsibility) to be held to account for any shortcomings.

Some of the security management standards need amending

The almost indecent haste which has accompanied the dissolution of NHS Protect’s security management role has left a need to update and amend some of the Security Management Standards.

For example, Standard 1.2 Strategic Governance (page 17). Currently, to fully meet this standard, organisations must:

  • Employ or contract one or more security specialists trained and approved by NHS Protect and accredited by the Professional Accreditation Board.
  • Ensure that the nominated security specialist(s) attend all necessary training courses and undertake Continuous Professional Development (no CPD scheme or schedule is specified).
  • Ensure the security specialist(s) are involved in NHS Protect security management activities, including attendance at Regional Forums.

A problem here is that NHS Protect no longer provides the ‘approved and accredited’ training for security management specialists and although a new Security Professional Accreditation Board (SPAB) has been established to oversee delivery of the Accredited Security Management Specialist (ASMS) course by external training companies (e.g. Amber Conflict Training), the training is not yet accessible.

Note: If you have a query about ASMS training courses, contact Karen Nixon at the University of Portsmouth (telephone: +44 (0)23 9284 5219, email: karen.nixon@port.ac.uk).

An additional difficulty with Standard 1.2 is that NHS Protect is no longer tasked to provide Regional Forums. Previously, NHS Protect employed Area Security Management Specialists (ASMS) to manage and provide operational support to the network of Local Security Management Specialists. Regional Forums were held quarterly and provided the opportunity to identify and share best practice. They also helped to ensure that operational work informed and drove the revision and refinement of national policy, systems and procedures. It is vital to the continuing development and improvement of security management in the NHS that Local Security Management Specialists are facilitated to network and liaise together.

Another standard that needs amending is Standard 3.4 Prevent and Deter – (Page 8), which requires health bodies to distribute national and regional NHS Protect Alerts to relevant staff and take action to raise awareness of security risks and incidents in a way that is controlled, monitored, reviewed and evaluated. Since it is no longer part of NHS Protect’s remit to distribute national and regional Alerts, health bodies can’t currently comply with this standard either. The importance to health bodies of the national and regional Alerts cannot be overstated and it is essential to security in the NHS that they continue to be published in some form.

Legal Protection Unit disbanded

The Legal Protection Unit (LPU), set up to increase the prosecution rate of individuals who assault staff and professionals working in the NHS, has been disbanded.

The LPU was introduced in December 2003 following disclosure that, whilst there had been some 116,000 ‘assaults’ on NHS Staff in 2002/3, there had been only 51 prosecutions! This statistic flew directly in the face of the key objective of the Zero Tolerance Campaign, i.e. deterring assaults on NHS Staff through threat of criminal prosecution and conviction.

The first private prosecution instigated by the LPU resulted in a successful prosecution on the 9th November 2005. The offender, Jason Butcher, who had assaulted a Community Nurse from Burnley, was sentenced to a two-year Conditional Discharge and ordered to pay compensation and costs.

Note: The private prosecution referred to above was jointly funded by the NHS SMS and Burnley and Rossendale PCT.

Subsequently, more prosecutions ensued. During 2004/05 there were 759 prosecutions, i.e. a fifteen-fold increase on the previous year; and in 2015/16, there were 1,740 Criminal Sanctions* applied and, in addition, 1,588 Civil and Administrative Sanctions**.

*Criminal Sanctions include but are not limited to: Cautions & Conditional Cautions, Community Rehabilitation or Punishment Orders, Conditional Discharges, Fines, Fixed Penalty Notices, Imprisonment (including suspended sentences) and Restorative Justice.

**Civil and Administrative Sanctions include but are not limited to: Acceptable Behaviour Agreements, Banning from Premises, Harassment Warning Issued, Injunction, Use of CJIA Powers.

In the process of trying to prosecute as many people who assault NHS Staff as possible, NHS Protect entered into concordats (agreements) with other authorities like the police and the Crown Prosecution Service.

For example:

  • The national partnership protocol between the NHS and police for managing crime in mental health settings. This protocol provides a consistent and effective approach for the NHS and police when managing risk, investigating crime and submitting a case to the Crown Prosecution Service (CPS) to consider prosecuting suspects who commit crime against NHS staff in mental health settings.
  • The Joint Working Agreement between the Association of Chief Police Officers, the Crown Prosecution Service and NHS Protect. Its purpose was to put in place a broad framework to assist local units of the three national organisations in setting up closer working arrangements to reduce the problem of violence and anti-social behaviour affecting the NHS.

About 80% of physical assaults in healthcare settings involve ‘medical factors’, i.e. where the perpetrator didn’t know what they were doing or, due to mental ill health, medical illness, severe learning disabilities or treatment administered, didn’t know that what they were doing was wrong. Medical factors can mean that an ‘offender’ is unlikely to be held criminally responsible for their actions by a court and so prosecuting them is not likely to result in a conviction. Whilst medical factors do not preclude prosecution, the reality is that such cases are not usually proceeded with by the Crown Prosecution Service and, if they are prosecuted (by the CPS or privately), sentences following convictions are inevitably anything but draconian (e.g. Conditional Discharge; MHA Section 37 Hospital Order; MHA Section 41 Restriction Order, etc.) and fines minimal. So, certainly not the kind of sentences that would seriously deter other assaults.

In the prevailing circumstances, especially given the expense of taking out private prosecutions, it’s easy to see why the LPU has been considered not to be cost effective and disbanded.

What is not so easy to determine is the effect on the ‘concordats’ of NHS Protect relinquishing responsibility for leading security management across the NHS in England and how any future concordat (or amendments to existing agreements) will be accomplished.

National Physical Assault Statistics

Prior to 2003, no organisation had a national overview of security in the NHS and it was difficult to ascertain the extent of physical assaults against NHS staff. The establishment of legally based definitions of assault (physical and non-physical), coupled with a requirement for all health bodies to report annually on the number of assaults on staff, changed this and made it possible to identify the true nature and scale of the problem at a national level.

The recent changes to NHS Protect’s remit mean it will no longer be responsible for collating and publishing national physical assault statistics.

The Security Incident Reporting System (SIRS) is no longer accessible to users and data collection through SIRS has now ceased.

However, health bodies and those providing services under the NHS Standard Contract are still required to comply with a specified data collection process, so as to be able to provide an accurate year-end figure for the number of physical assaults against staff in their own organisation. This requirement will enable compilation (and publication) of national physical assault statistics, but whether or not the practice of reporting national physical assault statistics will continue is in doubt.

Note: If national physical assault statistics are no longer published, interested parties will still be able to ‘guesstimate’ from the annual National Survey of NHS Staff.

An error doesn’t become a mistake until you refuse to correct it

Whilst it may have made sense to someone at some time, it has been a serious error of judgement by NHS England to totally abandon central control of security management in the NHS.

I can only conceive that it was a decision based on an investment/performance assessment by officials who were probably unaware of and have overlooked the overall benefits to the NHS of having an effective, centrally directed, security management strategy and who were maybe just looking for ways of reducing NHS expenditure.

Whilst it may not be glaringly obvious to the uninformed, a security management strategy that just involves ticking the boxes of a static, generic ‘template’ is unlikely to be successful in achieving its goals. This is because, as experience shows, security management capabilities and competencies need to continually improve and evolve in order to counter an ever-widening range of security risks.

To be effective and take advantage of its scale and diversity, security management work across the NHS really needs to be co-ordinated, directed and supported from the centre, intelligence-led and evidence based. Any professionally qualified security consultant would be able to confirm this.

Yes, there may have been aspects of NHS Protect’s work that were not as cost effective as might have been hoped and some would say a “waste of taxpayers’ money”. But, if that was the case, why not just ‘amputate’ those parts and keep the essentials?

NHS Protect were responsible for installing highly trained security managers in all health bodies across the NHS in England. It was probably the most challenging task on their list and accomplishing it no mean feat! It surely can’t be right to now just leave these security professionals to their own devices, to get by as best they can. Well, can it?

On the 10 February 2017, an NHS Protect spokesperson said in a statement to the BBC: “Work continues on the potential of identifying who might be best placed to take the lead on guiding this (security management) work, if it is felt appropriate that another body should take it forward”.

Well, it absolutely is ‘appropriate’ that work to improve security in the NHS continues and it would be a big mistake if it didn’t.

Essential work must continue

As highlighted earlier in this report, it is essential that communication, information sharing and networking between Local Security Management Specialists continues and improves. It’s fundamental to the early recognition of emerging problems and identification and dissemination of best practice.

It is also crucial that the practice of publishing National and Regional Alerts continues.

The National Association for Healthcare Security (NAHS) is an obvious choice to ‘inherit the mantle’ from NHS Protect and fulfil these ‘necessary’ functions.

However, to have any chance of delivering real success, the NAHS will need to be appropriately funded. But, it wouldn’t need to cost anywhere near the hundreds of £millions that was invested in the CFSMS and on funding NHS Protect’s activities.

A budget of only £10 million per annum would probably be more than ample.

Up to half of that budget would enable appropriate allowances for travelling, refreshments and overnight accommodation expenses to be paid to LSMS attending the Regional Forums and Annual Conferences and ensure attendance is as free to the LSMS (and NHS Trusts) as possible.

The only other thing NHS England would need to do is ‘mandate’ health bodies to not only encourage and facilitate, but also ensure, that their LSMS attend and are able to participate in Regional LSMS Meetings and National Annual Conferences.

It is something that needs to be done and it’s a price worth paying, because the predictable alternative is a return to the ‘bad old days’ of NHS Security Managers being isolated in their ‘silos’, wrestling with the difficulty of writing security policy documents from scratch and struggling to get the attention of the board, then either having requests for resources beaten down to the lowest possible level or their recommendations just completely dismissed out of hand.

No-one wants that again. Do they?

Jim O’Dwyer
Senior Consultant
AEGIS Protective Services