Consultation on Regulations and Guidance to be Made Under Part 1 of the Civil Contingencies Act 2004

CONSULTATION ON REGULATIONS AND GUIDANCE TO BE MADE UNDER PART 1 OF THE CIVIL CONTINGENCIES ACT 2004

DRAFT REGULATORY GUIDANCE
Civil Contingencies Act 2004
Contingency Planning (Scotland) Regulations 2005

Chapter 1 - INTRODUCTION
Chapter 2 - CO-OPERATION
Chapter 3 - RISK ASSESSMENT
Chapter 4 - BUSINESS CONTINUITY AND EMERGENCY PLANNING
Chapter 5 - COMMUNICATING WITH THE PUBLIC
Chapter 6 - PROMOTION OF BUSINESS CONTINUITY MANAGEMENT BY LOCAL AUTHORITIES
Chapter 7 - INFORMATION SHARING
Chapter 8 - AUDIT AND MONITORING

CHAPTER 1 INTRODUCTION

Summary

This document forms one part of Scottish guidance to support civil protection in the 21st century.
Some issues underpin the main duties under the Act. They relate to the:
- Definition of emergency
- Responders' functions
- The links between duties
- The role of the lead responder

How to use this guidance

1.1 This part of the Scottish Guidance ¹ accompanies Part 1 of the Civil Contingencies Act 2004 ("the Act"), and its supporting Contingency Planning (Scotland) Regulations 2005 ("the Regulations"). The purpose of the Act, Regulations and Scottish Guidance is to provide a framework for Scotland's contribution to UK civil protection in the 21st century.

1.2 This part of the guidance applies in Scotland. Separate legislation with supporting guidance recognises local conditions in England, Wales and Northern Ireland.

1.3 The Scottish Guidance will support individuals and organisations with a role to play in civil protection. This part of the Scottish Guidance, in particular, will advise those organisations subject to duties under the Act.

1.4 This part of the guidance is divided into chapters. Each chapter describes the chief obligations imposed by the Act on Category 1 or Category 2 responders by reference to particular duties. Guidance on how the duties may be performed is outlined in Part 3 of the Scottish Guidance. Part 3 will provide examples of good practice and commend a range of options that can support local arrangements.

What the Act requires

1.5 The Act is enabling legislation. The main impact of Part 1 of the Act is delivered through the Regulations that define, in greater detail, the extent and manner in which the main duties are to be performed. The Act and Regulations are supported by this part of the Scottish Guidance, which is formal guidance to which the organisations covered by the Act must have regard ².

1.6 All the duties specified in Part 1 of the Act rely on the definition of "emergency" ³.

The definition of "emergency"

1.7 "Emergency" is defined in Part 1 of the Act as "An event or situation which threatens serious damage to human welfare in a place in the UK, the environment of a place in the UK, or the security of the UK or of a place in the UK".

1.8 The definition of "emergency" is concerned with consequences, rather than its cause or source. Therefore, an emergency inside or outside the UK is covered by the definition provided it has consequences inside the UK.

1.9 An emergency is considered to have consequences inside the UK ⁴ if the serious damage is within the territorial sea of the UK. The territorial sea is the area of sea 12 nautical miles from the coastline.

1.10 A place in the UK may be anything from a small village or a town square, to a large city.

1.11 Determination of when an emergency has occurred, or is likely to occur, is addressed in three ways The Act provides:

a definition of "damage";
a test for determining when an emergency would require the exercise of a local responder's functions;

and

a standard procedure, outlined in Regulations, for making the decision to implement a business continuity plan or an emergency plan.

Damage

1.12 The definition spells out the nature of damage ⁵ in each of three categories - human welfare, the environment and security.

Serious damage which tests the responder

1.13 Damage must be serious to constitute an emergency. There is no definition of "serious" in the Act. The Act states that Category 1 responders must apply their duties only if:

the consequences of an emergency would constitute a threat of serious damage to a place in the UK

and

a considerable test for that organisation's ability to perform its functions.

1.14 In this way, the Act narrows the class of emergencies, to which the duties apply, to those which test the responder. An event threatening to cause serious damage to a place in the UK would not constitute an emergency under the Act if it failed to engage one of the Category 1 responder's functions to a considerable extent. In effect, responders themselves determine what is serious, firstly, in the light of their functions and secondly, their ability to deal with the damage.

1.15 The two cases where an emergency is deemed to require the delivery of a Category 1 responder's functions under the Act are:

in relation to business continuity ⁶:

where the emergency would be likely to seriously obstruct its ability to perform its functions; and

in relation to emergency planning ⁷:

where the Category 1 responder would consider it necessary or desirable to act to prevent, reduce, control, or mitigate its effects, or take other action, and would be unable to act without changing the deployment of its resources or acquiring additional resources.

Procedure for determining when an emergency has occurred

1.16 A procedure for determining when an emergency has occurred must be written into business continuity and emergency plans ⁸. The procedure must identify the person who will make the judgement, how they will be advised and whom they must inform.

The importance of responders' functions

1.17 The Act requires local responders to take up their civil protection duties by reference to their functions ⁹. Functions are defined as "any power or duty whether conferred by virtue of an enactment or otherwise. ¹⁰" The reference covers statutory powers and duties, as well as common law powers.

1.18 The local responder's functions are called into play when an emergency occurs or is likely to occur.

1.19 A main purpose of the legislation is to require Category 1 responders to prepare to perform their functions as far as necessary or desirable to respond to an emergency ¹¹.

The role of Category 1 and Category 2 responders

1.20 Category 1 responders are listed in Schedules 1 and 2 of the Act. They are the main organisations involved in most emergencies at the local level.

1.21 Category 2 responders are listed in Schedules 3 and 4 of the Act. They are likely to be heavily involved in particular types of emergencies. They are generally subject to regulatory regimes that require them to plan for emergencies and therefore their duties under the Act are limited.

1.22 The Act brings both Categories of responder under its framework to ensure greater consistency and co-operation at the local level. The Regulations acknowledge the differences between responders in Scotland and other parts of the UK.

The links between the duties

1.23 The main civil protection duties fall on the Category 1 responders as follows:

risk assessment;
planning to continue to perform functions -business continuity management (BCM);
emergency planning;

and

maintaining public awareness and arrangements to warn, inform and advise the public.

Figure 1 shows how the elements of the Act fit together.

1.24 A fifth duty applies to local authorities alone,

the promotion of BCM for the commercial and voluntary sector.

1.25 Two further duties are prescribed in the Regulations:

co-operation and

information sharing.

These two duties will strengthen the partnership arrangements at local-level.

Figure 1 How the seven elements of the Act fit together

1.26 Risk assessment provides the foundation for other duties. Emergency planning is supported by BCM planning and is determined by risk assessment. Its purpose is to ensure that Category 1 responders can perform their functions effectively in an emergency. It supports public awareness work and shapes arrangements for warning and informing the public. Local responders must co-operate and share information in fulfilling these duties.

1.27 Promotion of Business Continuity Management by the local authority, for the local business and voluntary community, is likely to be linked to emergency plans and draws on risk assessments. It is also supported by co-operation and information sharing with partners.

The Lead Responder Principle

1.28 The main duties of the Act fall equally on all Category 1 responders. Consequently, there is a risk that Category 1 responders may duplicate each other when, for example, carrying out their duty of risk assessment or providing warnings when an emergency occurs.

1.29 This is particularly important in relation to communicating with the public. It would not be sensible for a number of responders each to be publishing similar information for the same members of the public. It might be unsafe if several organisations were to issue public warnings about an emergency in an uncoordinated fashion. To address this difficulty specific regulations have been drawn up. These regulations are described in Chapter 7 consistent with the principles outlined below.

1.30 There is a further potential difficulty regarding ineffective use of resources where several responders each have a common duty such as assessing risk. Regulations address these matters by permitting Category 1 responders to identify one of their number as lead responder ¹².

1.31 The lead responder is the Category 1 responder that agrees to take lead responsibility for performing a given duty in relation to a given emergency, or an emergency of a particular kind, in its Police area. The other Category 1 responders that are parties to the decision are referred to as non-lead Category 1 responders.

1.32 Regulations outline the requirements on a lead Category 1 responder. It must:

take the lead responsibility in its Police area.
consult the non-lead Category 1 responders in performance of the duty.
keep the non-lead Category 1 responders informed about how it is fulfilling the duty and,
as far as reasonably practicable, obtain approval from the non-lead Category 1 responders for the way they are performing the duty.

1.33 Regulations also specify the role of the non-lead Category 1 responders ¹³. They must:

co-operate with the lead Category 1 responder in performance of the duty;
provide information to the lead Category 1 responder which will assist in performance of the duty;

and

assist the lead responder in any exercises or training in connection with the duty.

1.34 However, the non-lead Category 1 responders do not themselves need to perform the duty to an extent that would unnecessarily duplicate what the lead Category 1 responder is doing ¹⁴.

1.35 A decision by the local Category 1 responders, with similar duties, not to co-operate to identify a lead responder in relation to a particular duty leaves them equally responsible for the performance of that duty. Agreement between them to allocate the responsibility between them under the lead responder principle will ensure proper co-ordination of risk assessment and multi-agency emergency planning and, under separate regulations, communication with the public.

1.36 To accept lead responsibility does not mean accepting sole responsibility. For example, the lead responder co-ordinates other responders delivery of duties to warn and inform the public.

1.37 Lead responder in terms of particular activity in preparation and response should not be confused with the leadership of the Strategic Co-ordinating Group nor the change in leadership as a response to an emergency develops. See Chapter 2 of this Part of the Scottish Guidance.

Cross-border co-operation

1.38 It is commonplace, as a sensible element of civil protection work, for individual organisations to plan to work with neighbouring authorities, should that be required to respond effectively to an emergency. The Regulations permit this to happen between authorities in Scotland and England and Northern Ireland, thus ensuring that planning can be joined up in border areas ¹⁵.

Other statutory regimes in the field of civil protection

1.39 A particular set of risks is excluded from consideration under the legislation ¹⁶. These risks, and the planning arrangements which address them, are subject to the Control of Major Accident Hazards (COMAH) Regulations 1999, the Pipeline Safety Regulations 1996 or the Radiation (Emergency Preparedness and Public Information) (REPPIR) Regulations 2001. By excluding them the Act ensures that there is no conflict or duplication between the two sets of requirements.

1.40 Potential difficulties that may be caused by a separation between the two regimes, the one supported by the Act, the other by the Health and Safety Executive, is addressed by the inclusion of the Health and Safety Executive as a Category 2 responder.

CHAPTER 2 CO-OPERATION

Summary

Category 1 and Category 2 responders must co-operate locally.
Local co-operation takes two forms. Responders must co-operate individually with other responders and jointly through a Strategic Co-ordinating Group.
The Strategic Co-ordinating Group involves all local responders. The Group has a role in both preparation and response to emergencies. All local responders must be effectively represented at meetings of the Strategic Co-ordinating Group. Category 2 responders have the right to attend if desired and must attend if requested. Responders not covered by the Act have a role in the Groups' activities.
Each Strategic Co-ordinating Group should agree its remit and nominate a Chair and Secretary. It must meet at least twice a year.
Local responders may co-operate with others outside their local resilience area.

Other forms of co-operation are permitted. They include entering into protocols agreeing arrangements for discharge of functions and nominating "lead responders" to act on behalf of others.

Co-operation

2.1 Co-operation involves Category 1 and Category 2 local responders working together to address the full range of civil protection duties across their organisational boundaries. Co-operation may take place within a multi-agency setting or directly between two or more local responders.

2.2 Co-operation under the Act is not meant to replace the normal interaction between responders. It is expected that organisations not specifically captured by the Act, for example, the voluntary sector, the Armed Forces or businesses, will be fully involved with local responders dependent on local circumstances.

2.3 It is intended that the Act will reinforce partnership working at all levels. The focus for local partnerships will be the Strategic Co-ordinating Groups (SCG) established in each Police area. All Category 1 and 2 responders will be members of the SCG ¹⁷.

Direct co-operation by local responders

2.4 Co-operation must take place between Category 1 and Category 2 responders ¹⁸. The relationships are clearly defined. Category 1 responders must co-operate with each other in connection with the performance of their duties, such as the development of risk assessments and plans. They should also be involved with activities to maintain and improve local arrangements, such as training and exercising.

2.5 Category 2 responders must co-operate with Category 1 responders, but not to the extent that the demands of the Category 1 responders effectively place a Category 1 responsibility on them "by the back door". For example, if the Category 2 organisation has not undertaken a risk assessment in relation to a particular hazard, it cannot be compelled to do so by a Category 1 organisation seeking information or co-operation.

2.6 Category 1 and Category 2 responders will also be expected to co-operate outside their local resilience area including cross border co-operation ¹⁹. The relationships are clearly defined.

2.7 Many Category 2 responders have pre-existing requirements on them under other legislation (including, for example, their licence conditions from the regulator, or by direction of a Minister) to assess risk and to prepare planning arrangements. Under the Act they may expect co-operation in undertaking these activities from Category 1 and Category 2 responders.

Multi-agency co-operation - the Strategic Co-ordinating Group (SCG)

2.8 The principal local forum for multi-agency co-operation is the Strategic Co-ordinating Group ²⁰. A SCG must be established in each Police area. The SCG is the place in which the formal duty to co-operate in a single forum is met by all Category 1 and Category 2 responders. It is not a statutory body as such, nor does it have powers to direct its members. It is intended to be the focal point for local resilience building and for preparation and response to emergencies.

2.9 The SCG should ensure the effective delivery of those duties under the Act that need to be developed in a multi-agency environment through:

acting as the focus for the development of civil protection in its area
acting as the focus for response to local emergencies and external emergencies affecting the Police area
adopting a systematic, planned and co-ordinated approach to risk management
producing a Community Risk Register for its Police area
addressing the risks identified in accordance with its members' functions
making arrangements for the effective management of response to emergencies in its area including:
preparing an integrated emergency management framework for response to any emergency affecting its area
publishing information about identified risks and the joint arrangements to deal with their consequences
maintaining arrangements to raise awareness, warn and inform the public regarding local risk
supporting their local authorities in advising and assisting business and voluntary organisation on business continuity management
establishing an annual programme for maintenance and development of local arrangements
when necessary, implementing arrangements for a co-ordinated and managed response
acting as a conduit for information flow between local responders and central government in both preparation and response, review, training and exercising
considering central government policy initiatives in the area of civil protection
reviewing lessons learned from incidents and exercises, local, Scottish, UK and international
co-ordinating multi-agency exercises and training
encouraging close working across organisations which have an important role in civil protection but are not Category 1 or 2 responders, according to local circumstances

2.10 The SCG should agree its membership and role. Model terms of reference for a Strategic Co-ordinating Group are attached at Annex 1.

2.11 The SCG is intended as a key element of the Scottish multi-level planning and response framework (as set out in Section 1 of the Scottish Guidance). It also reflects a key principle of UK civil protection arrangements that the initial response to most emergencies is delivered at the local level.

2.12 Because of its importance, the SCG should only attract the most senior level of representation, those on whom the ultimate responsibility for meeting their organisation's obligations falls. Because its focus is strategic, the SCG should meet relatively infrequently and the business of meetings should be thoroughly prepared so that the time of Chief Officers is used well. The SCG may establish subordinate groups to undertake tasks on its behalf.

2.13 In the absence of a Chief Officer Category 1 and Category 2 responders must be effectively represented at SCG meetings ²¹. That means that local responders need to be represented by individuals who have the right combination of seniority and expertise to be able to speak with authority on behalf of their organisations.

2.14 Responders from one particular sector of Category 1 or 2 (local authorities, health services, utilities, etc.) may choose to be represented if they are not able to attend all meetings ^. It is particularly important that representatives do represent their sector and are responsive to the views of responders in their sector. There are a number of tests which can be applied to judge the effectiveness of sectoral representation. An effective representative organisation:

has the authorisation of the other local members of its sector to represent them
is aware of the proceedings of any SCG subgroups and is ready to take forward issues raised by local members of the sector in the subgroups
is able to explain current structures, policies, priorities and events in civil protection affecting its sector
ensures that the local members of its sector it represents are kept fully informed of issues discussed and are invited to submit their comments, or to attend particular SCG meetings as appropriate.

2.15 All local responders should take part in the work of any sub-groups as necessary. Membership of sub-groups should be opened to all local responders, as appropriate. Representation at this level is also permitted.

2.16 The SCG is required to meet at least twice a year ²². These meetings should be held on a regular cycle. Meetings could be held more frequently if the SCG agreed that was necessary. Special meetings of the Group may be necessary if an emergency was likely to occur or had occurred.

2.17 SCG meetings should have a clear agenda and papers should be circulated sufficiently in advance of routine meetings to allow appropriate preparation. A clear record of meetings should be kept and circulated promptly.

2.18 Regardless of the way in which organisations are represented at SCG meetings, all papers should be circulated to all local responders ²³.

Leadership of the Strategic Co-ordinating Group

2.19 Two aspects of leadership should be considered by the SCG. Chairing of its meetings and the administration of its activity.

2.20 The task of chairing the routine meetings of the SCG does not necessarily need to fall to a particular Category 1 responder. The choice of Chair is a matter for local determination.

2.21 The task of chairing meetings of the SCG called in response to an emergency should be determined by the nature of the emergency and arrangements made locally. In many emergencies the Chief Constable will chair the initial meetings of the Group. Local arrangements should accommodate the need for flexibility in responding to a range of emergencies and the choice of Chair would reflect the effects of the particular emergency. For example, in the case of a health emergency the chairmanship of meetings may fall to the Health Service.

2.22 The administrative support role for the SCG is crucial in ensuring that it performs effectively. This role is one that can fall to any of the member bodies in order to:

manage the business of the SCG
fix the date and times of its meetings
agree agenda with SCG members
organise the production of papers and presentations that the SCG deem to be necessary
brief the Chair
take the minutes of meetings
disseminate papers before and after meetings
ensure that the business and meetings of any sub-groups are effectively administered
act in support of the SCG's activity in emergency response

2.23 The task of providing administrative support for the SCG may fall to a single organisation, or, given the range of joint activity of the local responders, to several working together through a joint secretariat. The secretary should:

be able to take on the job on a permanent basis
be of a level of seniority and competence to support the Chair
have the dedicated support of an administrative team within their organisation or from SCG partners
be competent to co-ordinate, or to support, staff of other organisations with specialist skills and manage the wider range of activity of the SCG in meeting its members obligations under the Act
be adequately resourced

2.24 The Chair and Secretary of the SCG must be formally agreed and contact details made known to all partners.

The role of Category 2 organisations

2.25 Category 2 responders have a narrower range of obligations under the Act. Category 1 responders need to develop effective relationships with Category 2 responders and address issues in which Category 2 responders are expert. However, there is a need to avoid unnecessary engagement of Category 2 responders in the generality of civil protection work.

2.26 In return, Category 2 bodies should co-operate in a way which is consistent with the obligations set out in the Regulations. They must respond to reasonable requests ²⁴, and they must adhere to the principles of effective representation ²⁵.

2.27 Category 2 responders will not be obliged to attend all SCG meetings. Instead, attendance will be determined on the basis of two complementary principles - the right to attend and the right to invite. In either case the principles of effective representation apply.

2.28 Under the right to attend, Category 2 bodies will be able to send representatives to any meeting of the SCG as they deem necessary ²⁶. Category 2 responders will make that decision on the basis of the proposed agenda for the SCG meeting.

2.29 Under the right to invite, Category 1 responders can require the attendance of any Category 2 responder at the SCG where it is deemed that attendance is necessary ²⁷.

The role of other responders not covered by the Act

2.30 The Armed Forces do not play a permanent role in local civil protection. Nevertheless, experience has shown the value of armed forces support in the event of emergencies. It is important that the Armed Forces are considered as members of the SCG, albeit that attendance at all meetings is not formally required.

2.31 The Scottish Executive Civil Contingencies Division will endeavour to attend all SCG meetings and when required convey the SCGs' views to the Scottish Executive. It will act as the first point of contact for communications between the SCG, other parts of the Scottish Executive and central government.

2.32 The Voluntary Sector has shown itself to possess skills, resources and commitment in preparation and response to emergencies in Scotland. It is not appropriate for the voluntary sector to be given formal duties under the Act. However, local responders have developed strong partnership working with local voluntary organisations and involved them in local arrangements at all stages in development and maintenance. Category 1 responders must have regard to their activity in preparing for response to emergencies ²⁸.

Sub-groups

2.33 There will be a need for work to take place outside the normal meetings of the SCG. For example, that work will include:

progressing the SCG's agreed work programme
regular maintenance of joint arrangements:
- Risk assessment and management
- Managing the Integrated Emergency Management process
- Reviewing capabilities
- Joint training and exercising
- Continuous improvement and monitoring standards
developing arrangements with particular sectors of the local community
developing subordinate arrangements where the size of the Police area or number of local responders suggests that effectiveness would be enhanced
specialist activity such as chemical incidents, coastal pollution, personal support, media, CBRN
ad hoc "task and finish" groups to develop particular projects

2.34 The SCG may establish groups to take forward these and other tasks. Most SCG's have established Working Groups to take forward matters of general interest and manage projects.

Other aspects of co-operation under the Act

There are additional elements of co-operation that support duties under the Act.

2.35 Cross border co-operation²⁹ - Where necessary, regulations allow for cross border co-operation between Scottish local responders and their counterparts in other parts of the UK. Category 1 responders can seek co-operation and Category 1 and 2 responders may co-operate. This will be of interest in co-operation with responders, such as the HSE and Maritime and Coastguard Agency that have remits that cover the UK. Co-operation between different administrations will be helpful for those who share a border.

2.36 Joint discharge of functions³⁰ - A Category 1 responder may make arrangements with another responder for the joint performance of a duty, or for a duty to be performed on its behalf. This discretion is not allowed for duties outlined in Section 2(1) (c).

2.37 Nomination of a lead responder³¹ - Where civil protection duties fall locally on more than one Category 1 responder they may agree that one shall take the lead role or perform a duty on behalf of the other responders. Local responders may consider identifying a lead responder for particular duties, except those duties relating to continuing to perform its functions or warning and informing the public. See Chapters 4 and 7 of this guidance. The roles of the lead responder and the non-lead responders are clearly defined.

ANNEX 1 - Model Terms of Reference for the Strategic Co-ordinating Group

Aim

The [area] Strategic Co-ordinating Group aims to ensure effective management of multi-agency response to emergencies which may have a significant impact in [area]. It will do this by promoting sound partnership working, developing a unified emergency management framework for [area] and ensuring that all partners are prepared for joint response to any emergency at any time.

Objectives

The Strategic Co-ordinating Group's objectives are:

to establish a meaningful partnership dedicated to promoting effective management of emergency response.
to establish an integrated emergency management framework for preparation and response.
to verify that all responders' arrangements to perform their functions support and complement their partners' in response to emergency and are integrated with the Strategic Co-ordinating Group's arrangements.
to agree strategy and policy relating to [area]'s preparedness and response to emergencies.
to provide clear direction and leadership in developing, maintaining and constantly improving local emergency arrangements.
to measure assessed risks against local arrangements for response remedying any shortcomings identified, as necessary.
to ensure that all individuals with a part to play in response to emergency are aware of local arrangements and have trained and exercised in them before an emergency occurs.
to act as a focal point for local civil protection activity and maintain effective working relationships with central government and neighbouring Strategic

Co-ordinating Groups

to ensure that appropriate resources are made available to meet these objectives.

CHAPTER 3 RISK ASSESSMENT

Summary

Risk assessment provides the foundation for the Civil Protection duty.
Under the Act, local Category 1 responders are required to undertake risk assessments for events or situations which may constitute an "emergency"
The duty to assess risk locally falls on each Category 1 responder in accordance with its functions - but they must co-operate with each other within the Strategic Co-ordinating Group to compile a Community Risk Register.

The Community Risk Register collates the collective views on risks within a local area. It helps to prioritise risks and identify those which require risk treatment.

Risk Assessment

3.1 Risk assessment is both an integral component of risk management and the first step in the emergency planning process. The Civil Contingencies Act places a risk assessment duty on all Category 1 responders ³².

3.2 A fundamental principle of emergency planning is to address common consequences rather than different causes. The regulations require Category 1 responders to produce generic arrangements to perform their functions in a variety of circumstances. However, in order to ensure that generic plans can cope, it is essential that they are underpinned by risk assessment that evaluates hazards and threats according to their associated consequences. If generic arrangements cannot cope specific arrangements may need to be made.

3.3 The purpose of the risk assessment duty is to:

ensure that local responders have an accurate understanding of the risks that they face so that their planning has a sound foundation and is proportionate to the risks.
enable local responders to assess the adequacy of their planning and capabilities, and allow any shortcomings to be addressed.
facilitate co-ordinated local preparation based on consistent planning assumptions.
enable local responders to describe the emergency planning context for the public and officials.
inform and reflect Scottish and UK risk assessments that support emergency planning and capability development.
provide a rational basis for the prioritisation of objectives, work programmes and the allocation of resources.

3.6 The risk assessment duty is concerned with "hazards" and "threats" that might give rise to an emergency within or affecting a geographical area for which each local responder is responsible ³³. "Hazards" is the term used here to describe natural or non malicious risks and "threats" are malicious events. In this context, an emergency is a threat or a hazard to human welfare, the environment, or the security of a community that meets either of the following criteria:

The threat or hazard is of a sufficient scale and nature to seriously obstruct a Category 1 responder in the performance of its functions.
The threat or hazard requires the local responder to exercise its functions and undertake a special mobilisation.

3.7 Risk assessment will be conducted at the local, Scottish and UK levels. At UK level the Civil Contingencies Secretariat will co-ordinate risk assessment as part of the process that underpins the UK Capabilities Programme. That work will comprise the assessment of the likelihood and impacts of malicious threats and non-malicious hazards. The Scottish Emergency Co-ordinating Committee (SECC) will consider hazard assessment for Scotland.

3.8 Strategic Co-ordinating Groups will assist the SECC in the Scottish risk management process by providing Community Risk Registers that can, in turn, be collated for Scotland.

3.9 The Act imposes a duty on each Category 1 responder to assess risk. However, it is recognised that requiring each local responder to assess risk in isolation would lead to a wasteful duplication of resources. In a majority of cases a particular responder, or specialist body (e.g. Food Standards Agency), will be best placed to assess the likelihood of a particular emergency occurring on behalf of all local responders in an area.

3.10 In light of this, the Regulations enable the risk assessment duty to be exercised in different ways. Regulations permit responders to assess risk jointly. For example, a number of responders co-operating as a sub-group of the Strategic Co-ordinating Group might collectively assess the risk of a particular emergency occurring.

3.11 Alternatively Category 1 responders may, by agreement, delegate their function to another Category 1 responder. This model is particularly appropriate in the risk assessment context where responders may delegate the duty of assessing the likelihood of a particular emergency to the organisation that is best placed to perform the assessment. However, each responder must assess the challenge, for its functions, posed by the particular risk and treat it appropriately.

3.12 In addition, a responder may engage a third party (for example, an external consultant) to provide it with advice that relates to the likelihood of a particular emergency occurring. The responder may then rely on this advice in making its own risk assessment.

3.13 However, local responders may feel that they might be beneficial to develop a deeper understanding of the risk if they undertook assessments themselves. They may find it helpful to engage with stakeholders who may have interest in particular risks. The in depth knowledge gained may also assist when communicating risk to the public.

3.14 A Scottish Minister may issue a risk assessment to local responders ³⁴. The Minister may require local responders to adopt the risk assessment as their own. In general, this approach will be used for risks associated with malicious threats. Alternatively, the Minister may require local responders to "have regard" to the assessment.

In such cases, local responders must take the Ministerial assessment into account, but if there are particular reasons to depart from that assessment (because of peculiar local features or circumstances not taken into account), a responder may do so. This is the vehicle that will be used for risk assessments that apply to the local level but for which the likelihood assessment is best performed UK or Scottish levels.

3.15 Local risk assessment must be based on a sound process using the available evidence and judgement. It is important that the process involves all Category 1 and Category 2 responders and other local bodies that can make a positive contribution. Scottish and UK organisations will be expected to contribute where appropriate. Guidance on undertaking risk assessment is set out in Part 3 of the Scottish Guidance.

3.16 There will be benefits for local responders in Scotland in having a standardised risk management approach. Common risk assessment processes are currently being implemented at UK and Scottish levels and the Scottish Guidance referred to above has been written with these in mind. By applying an approach that is consistent at all levels it will be possible to:

understand and monitor the Scottish and UK exposure to risk.
compare the exposure of local areas and local responders to different types of risks.
facilitate regional aggregation of local risk assessments in support of Scottish and UK planning.
ensure that plans and capabilities - at all levels - are commensurate with the risks.

3.17 By establishing a consistent approach it will be possible for government to provide much greater support to the local risk assessment process. Central government departments or their agencies will be best placed to assess the likelihood (although not the impact) of many local threats and hazards. Since these departments and agencies contribute to an annual risk assessment process at the UK level, it would be most efficient for them to provide local assessments at the same time. The guidance in Part 3 will enable the local responder's risk assessment to interface with the Scottish and UK processes.

3.18 The UK and Scottish risk assessments will be performed in the first quarter of each calendar year. It is at these times of year when the Scottish Emergency Co-ordinating Committee (SECC) is most likely to request information about local risk assessments. When the local risk assessment process is in place it will be a relatively straightforward matter for local responders to respond to these requests and thereby influence strategies related to contingency planning at Scottish and UK levels.

3.19 In conducting their risk assessments local responders are required to co-operate with other local responders through the Strategic Coordinating Group, supported by other stakeholders as necessary ³⁵. In undertaking risk assessment it is important that they review the process by which risks will be evaluated and prioritised. They should also describe the characteristics of the local resilience area stating the current situation, emerging trends, and future prospects.

3.20 Category 1 responders must take into account the local context and individually:

identify hazards and threats that present significant risks over the next five years that are likely to require a special mobilisation.
Consider hazards and threats identified by central government.

3.21 They must then co-operate within the Strategic Co-ordinating Groups to:

collate and organise the hazards and threats identified for the local resilience area.
assess the likelihood and scale of the risk (through the appropriate responder).
undertake an assessment of the consequences of the risk and their impact.
prioritise and consider the treatment of the risks with regard to capabilities, generic and specific planning.
complete a Community Risk Register
publish all, or part, of the Community Risk Register (see below)

3.22 Category 1 responders must inform each other of their own risk assessments, but not insofar as sensitive information is compromised or its confidentiality is impaired ³⁶. See also Chapter 7.

3.23 The Community Risk Register will identify the hazard/threat, its scale, its effects, arrangements and plans in place to deal with the effects, steps that need to be taken to manage the risk and its place in local priorities.

3.24 In performing its duties to assess risks in its area a Category 1 responder should have regard to any relevant Community Risk Register ³⁷. It may be necessary to consider risks from outside the Police area that could impact upon its geographical area - for example, a chemical plant in a neighbouring Police area.

3.25 The Act does not require local responders to take action to reduce the likelihood of threats and hazards. Local responders may decide to do this as part of their treatment of assessed risks but the Act only requires that emergency plans are maintained that will deal with an emergency caused by the risk.

3.26 The Act requires risks to be assessed from time to time ³⁸. There must be a full and formal review of all risks on a three yearly cycle. However, local risks should be monitored continuously. When information suggests a potential change in risk assessment, for example, because of changes in the environment in which it is placed or due to lessons identified during an emergency or exercise, a risk assessment must be performed and the Community Risk Register updated accordingly. This may require special meetings of the Strategic Co-ordinating Group. Nonetheless, risk assessments must be a standing item on the agenda of the Strategic Co-ordinating Group. The Community Risk Register will also need to be updated periodically to reflect changes in the response capability.

3.27 Each responder must publish all, or part, of its risk assessments ³⁹. It may do this (by agreement with its Strategic Co-ordinating Group partners) by publishing all or part of the Community Risk Register. Alternatively, it may publish all or part of an individual risk assessment it has carried out. It may also fulfil the duty by publishing all or part of a plan, where the part published includes a summary of the risk assessment on which the plan is based. See also Chapter 6 of this Part of the Scottish Guidance.

3.28 When publishing their risk assessments, Category 1 responders must have regard to the need to avoid alarming the public unnecessarily ⁴⁰. It must also take into account the needs of vulnerable people and those whose first language is not English ⁴¹. See Chapter 5 regarding Communicating with the Public.

3.29 In fulfilling the Act's requirements each Category 1 responder should have an auditable process in place regarding its individual risk assessment, the development of a Community Risk Register, the actions it has taken to treat risks identified and, where necessary, the publication of its assessments or the Community Risk Register ⁴².

CHAPTER 4 BUSINESS CONTINUITY AND EMERGENCY PLANNING

Summary

The purpose of emergency planning is to ensure the effective management of response to emergencies.
Emergency planning is at the heart of the civil protection duty on Category 1 responders at the local level.
Emergency planning covers both plan preparation and plan maintenance.
Emergency plans must be developed in accordance with a risk assessment and the responder's functions.
Emergency plans must be supported by business continuity plans.
Generic plans are required. Specific plans are permitted, but not required.
Category 1 responders must consider the benefits of developing Multi-agency plans.
Category 2 responders, voluntary organisations and others involved with the Strategic
Co-ordinating Group should be included at all stages of planning arrangements.
Plans should have particular regard to the needs of vulnerable people.

Training and exercising is a formal requirement of emergency plans.

Planning for response to emergencies

4.1 The purpose of emergency planning is to prepare for the effective management of response to emergencies. Preparation for emergency response lies at the heart of the Civil Contingencies Act provisions.

4.2 The objectives of emergency response are:

to preserve life, property and the environment
to reduce to a minimum the harmful effects of the emergency
to bring about a swift return to normal life
to maintain normal services at an appropriate level.

To meet these objectives the Act lays a duty to plan for emergencies on Category 1 responders.

4.3 The basis for planning and response will be Integrated Emergency Management (IEM). Under the principles of IEM preparation and response to emergency should concentrate on the effects of the emergency rather than its cause and, wherever possible, should be planned and undertaken as an extension of normal day to day functions of local responders. An underlying aim of the process will be to develop flexible arrangements which will enable agencies to deal with any crisis whether foreseen or unforeseen.

4.4 Emergency plans do not necessarily need to be single documents that describe, in detail, response to particular emergencies. They can also be based on discrete arrangements that fit within an agreed co-ordinating management structure. However, they must be auditable and demonstrate the ability of the Category 1 responder to perform its duties under the Act ⁴³.

The Duty to plan for emergencies

4.5 The Act lays two duties on Category 1 responders related to planning for emergencies:

Category 1 responders must maintain plans for the purpose of ensuring that, so far as is reasonably practicable, if an emergency occurs it is able to continue to perform its functions ⁴⁴, and
Category 1 responders must maintain plans for the purpose of ensuring that if an emergency occurs or is likely to occur, it is able to perform its functions, as necessary or desirable ⁴⁵, for the purpose of:
Preventing the emergency
Reducing, controlling or mitigating its effects, or
Taking other action in connection with it.

4.6 A duty to maintain arrangements to warn and provide information for the public is dealt with under Chapter 5 of the Regulations.

4.7 Each Category 1 responder's plans should be integrated with their organisation's internal management arrangements and should be aligned with the management structure for response established by each Strategic Co-ordinating Group.

4.8 For a plan to be valid, it must be accepted as the stated policy of the organisation or organisations, for which it has been produced. For this to happen, the key decision makers in an organisation should have an awareness of the plan and acknowledge ownership.

4.9 The duty to maintain plans for response to emergencies is determined by the definition of emergency in the Act and the risk assessment carried out under Part 3 of the regulations ⁴⁶. The duty applies only to those events or situations that threaten serious damage to human welfare, the environment or national security that cannot be dealt with by normal operating procedures and resources.

4.10 The duty to plan and co-operate rests with Category 1 and 2 responders but all organisations with a potential part to play should be involved in planning, whenever possible. It would be ineffective if organisations such as the Armed Forces, Scottish Executive, voluntary organisations and local businesses were not involved in local emergency planning where it affected their business.

Risk Assessment

4.11 The duties to plan for response to emergencies require the development of plans to address the risks assessed under the Regulations and the responder's functions, its powers or duties as outlined in Chapter 1.

4.12 Each Category 1 responder must have regard to any relevant risk assessment it has carried out. This will include the Community Risk Register ⁴⁷.

4.13 In preparing its plans a Category 1 responder should consider the capabilities required to deal with the risks. As part of the risk management process lack of capability may require risk treatment. However, under the terms of the Act, the sole risk treatment activity which must be taken is to develop emergency plans where these are necessary or desirable ⁴⁸.

Planning to continue to perform functions (Business Continuity Management)

4.14 The Act requires Category 1 responders to maintain plans (business continuity plans) to ensure that they can continue to perform their functions in the event of an emergency to ensure that:

Category 1 responders can mobilise the functions they need to perform to deal with the emergency,
the impact of the emergency on the responder's day-to-day activity is kept to a minimum,
vital services for the community can be maintained at an appropriate level.

4.15 This duty applies to each Category 1 responder and cannot be performed jointly with another responder or delegated to another responder ⁴⁹. The ability to perform functions and support emergency response should be owned corporately and plans should be supported by senior managers.

4.16 Business Continuity Management (BCM) is a flexible management framework designed to help organisations to continue operating in the face of a wide range of different types of disruptions. It can assist in dealing with a range of disruptions from "normal" internal business crises to the major emergencies caused by external events.

4.17 However, the BCM duty is determined by the definition of emergency in the Act and requires planning for a much narrower range of disruptive challenges. While the legal definition of the duty focuses on the most challenging situations, it is likely that the arrangements made will enhance responders' resilience to a much wider range of day-to-day interruptions.

4.18 The BCM duty is qualified. It requires Category 1 responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency "so far as is reasonably practicable". There are three aspects to this qualification:

A Category 1 responder is not expected to continue all of its functions in the event of an emergency. However, it must ensure that it can perform critical functions. Which of its functions is critical is a matter that can only be determined by its senior management in the light of the circumstances of an emergency. Whilst many front line services may be considered critical for the community, they may only function effectively if supported by core business functions (administration, finance, management) that in themselves may then become critical.
In the event of an emergency all functions need not continue at normal levels. Some critical functions may need to be scaled up, whilst some non-critical functions may be scaled down or suspended. Arrangements made under the duty provide an opportunity to address this matter and provide the community with prior information regarding service provision at times of crisis.
The Category 1 responder may need to establish the level of protection afforded to its functions in the light of a cost/benefit decision. It is the role of the responder's senior management to make this decision in the light of resource availability and risk appetite.

4.19 In preparing its plans to continue to perform its functions the Category 1 responder must have regard to the arrangements made to perform them in response to an emergency and to the framework for response established by the Strategic Co-ordinating Group in its Police area.

Planning to respond to emergency

4.20 Category 1 responders must maintain plans for the purpose of ensuring that if an emergency occurs or is likely to occur, it is able to perform its functions, as necessary or desirable, for the purpose of:

preventing the emergency
reducing, controlling or mitigating its effects, or
taking other action in connection with it ⁵⁰.

4.21 The first element of the duty deals with the short time before an emergency occurs, when it might be avoided by prompt or decisive action. Plans should ensure that if an emergency is likely to occur the Category 1 responder can perform its functions to prevent the emergency.

4.22 Prevention, in this context, means carrying out functions in such a way as to prevent an emergency which is about to occur or reduce its impact. Emergencies should be "nipped in the bud" in the way that fire fighters stop a fire from spreading, highways authorities close a road or a bridge in the face of imminent collapse, the emergency services mobilise on New Year's Eve in readiness to deal with incidents and health services take action to immunise against the spread of disease.

4.23 The Act does not impose a duty on a Category 1 responder to prevent all emergencies nor does it require it to undertake remedial works which might prevent a possible emergency at some future date. Such actions may be desirable and they may be a logical outcome of the risk assessment process at the risk treatment stage but they are not required by the Act.

4.24 The second element deals with mitigating, controlling or reducing the effects of an emergency. Prompt remedial action will reduce the impact of an emergency. Effective management of response will mitigate its effects and support quality decision making regarding the controlling of its effects.

4.25 Plans must therefore enable rapid mobilisation and management of resources. They must be flexible and adaptable to the circumstances of an emergency. They should enhance the functional response to an emergency from the earliest stages of its development to the long term rehabilitation and recovery of the affected communities.

4.26 Plans must also address the third element of the duty, enabling responders to take other action in connection with an emergency. The effects of emergencies are not all predictable. The immediate effects are obvious and will be identified through the risk assessment process. However, secondary and longer term effects are largely determined by the circumstances of an emergency and matters such as the timing, location, season and the community affected. These things may require a responder to take action by performing its functions in innovative and unforeseen ways.

4.27 Some subordinate arrangements and procedures that support emergency plans might not be captured by the earlier requirements. By including a third duty to maintain plans for taking other action in connection with an emergency the Act ensures that there can be no doubt that these types of secondary arrangements and supportive procedure are required by statute.

4.28 Subordinate arrangements required in support of plans and necessary to ensure effective and sustained response may include, for example, emergency control centres, internal communications, contractual arrangements with third parties, information management systems or stress management for staff.

Plan Maintenance

4.29 Under the Act plan maintenance procedures must ensure that plans are kept up to date.

4.30 Plans must be reviewed and amended, as necessary, in the light of changes in the environment in which the plan is set. For example, these may include new risks ⁵¹, roles and responsibilities, lessons learned from emergencies or exercises, changes in the organisation, personnel, legislation or regulation.

4.31 Any modification of plans and arrangements must be supported by complementary procedures to ensure that documentation is current, personnel are made aware of changes and, when necessary, that exercises and training are carried out ⁵².

Generic and specific plans

4.32 The risk assessment process will identify many hazards and threats. It would not be sensible to require Category 1 responders to prepare a specific plan for each possible event. Therefore, regulations distinguish between a generic plan which relates to any emergency and plans which relate to a particular emergency or a particular kind of emergency.

4.33 Generic plans enable a responder to perform its functions in relation to a wide range of possible emergencies. Each Category 1 responder must maintain a generic plan ⁵³.

4.34 The Strategic Co-ordinating Group will produce an integrated emergency response framework for any emergency in its Police area. This will formalise the strategic, tactical and operational arrangements currently in place. The generic arrangements of Category 1 responders must have regard to the framework and should support the combined response it establishes.

4.35 A specific plan is one that relates to a particular emergency, or a particular kind of emergency. Specific plans are detailed arrangements designed to address any special needs of particular emergencies. The special needs may relate to a variety of matters including processes and procedures, management arrangements, public safety, specialist plant and equipment or establishing specialist teams. It is expected that specific plans will build upon but not duplicate generic plans. The Category 1 responder must decide whether the risk assessment makes a specific plan necessary or desirable ⁵⁴.

Multi-agency plans

4.36 A multi-agency plan may be maintained by more than one Category 1 responder acting jointly. Multi-agency plans are developed when partners agree that a successful combined response would be aided by joint arrangements.

4.37 Category 1 responders must, together, consider whether it would be appropriate to maintain multi-agency plans in performing functions or duties in relation to an emergency or a particular kind of emergency ⁵⁵.

4.38 As noted above, Strategic Co-ordinating Groups will establish a framework for combined response that should be supported by the generic arrangements of Category 1 responders. Category 1 responders must consider whether it would be beneficial to build that local framework into a generic multi-agency plan for its Police area, or for discrete parts of a large area. Such plans would describe the management structures and co-ordination of a combined response and supporting arrangements such as establishment of strategic or tactical centres. The arrangements would build on the functional response of Category 1 and 2 responders and form the basis of multi-agency response for any event including those for which specific plans are required.

4.39 Consideration must also be given to preparing multi-agency specific plans for a particular emergency or type of emergency.

4.40 Category 1 responders may perform their duty to maintain an emergency plan by way of a multi-agency specific plan.

Voluntary organisations

4.41 In performing its duties to plan for emergencies each Category 1 responder must have regard to the activities of voluntary organisations that are relevant in response to an emergency ⁵⁶. Relevant activities are those employed in preventing, reducing, controlling or mitigating the effects or taking other action in connection with an emergency, regardless of any other activity of the voluntary organisation.

4.42 It is expected that the voluntary sector will be involved in all aspects of emergency planning insofar as they wish to be involved. There is no duty on the voluntary sector to assess risk, co-operate, share information or maintain plans.

Procedure for determining whether an emergency has occurred

4.43 Any emergency plan maintained by a Category 1 responder must include a procedure for determining whether an emergency has occurred that makes it necessary or desirable for it to perform its functions ⁵⁷. The responder's senior management should be involved in the procedure.

4.44 The procedure must ⁵⁸:

identify the person who should formally determine whether an emergency has occurred. This is likely to be a Chief Officer or Chief Executive.
specify the procedure which that person should adopt in taking that decision. This will usually involve consultation with specialist personnel experienced in emergency management and/or responsible for the functions affected by the emergency,
specify the persons who should be consulted about the decision. The procedure should ensure that the Chief Officer or Chief Executive is able to contact named individuals or their deputies at any time,
specify the persons who should be informed about the decision. This procedure relates to key personnel and not to every individual or organisation with a part to play. Effective use of cascade systems should enhance the effectiveness of informing individuals and organisations.

4.45 In the case of generic plans the procedure should be sufficiently flexible and adaptable to meet the needs of a range of emergencies by consideration of their consequences.

Training and exercising

4.46 Every plan and arrangement made must include provision for carrying out exercises and for the training of staff and other persons considered necessary for their implementation ⁵⁹. Plans and arrangements must, therefore, contain a policy statement and schedule regarding the nature of the training and exercising, the timing of events and the people for whom they are intended.

4.47 Training should ensure that relevant people are prepared to respond to emergency. People should be aware of the plan's objectives, their roles and the part they play in the plan. Training should raise awareness about emergency response and promote confidence in the plans and the ability of individuals to carry them out successfully. Generally, plans should aim to place individuals in positions where they perform their normal functions. Additional training may be required to equip people to perform their functions under special arrangements if required by the plan.

4.48 Training should extend beyond those employed by the Category 1 responder and include opportunities for others, such as contractors and the staff of voluntary organisations who would be involved in support of the plan to participate.

4.49 People taking part in exercises should be trained beforehand, so that they know what is expected of them and can contribute.

4.50 Exercises should ensure that the emergency plans are current, valid and effective. The nature and timing of exercises should form a programme that will ensure that plans are current and fit for their purpose at all times.

4.51 Every plan must be exercised at least once in every three years. Exercises to test discrete parts of plans will meet requirements but the effectiveness of all parts must be demonstrated at least once in every three years. It will not be necessary to duplicate exercising of elements of a generic plan if they contribute to specific plans. However, it will be expected that Category 1 responders will be able to demonstrate that the integration of generic and specific plans has been exercised and is effective. Exercises must include procedures for evaluation, identifying lessons, establishing improvement programmes (if necessary), monitoring progress on actions taken and reporting results to senior management.

4.52 The outcomes of all exercises will be reported to the Strategic Co-ordinating Group.

4.53 The requirements of the Act in regard to exercising and training apply to Category 1 responders, but Category 2 organisations are obliged to co-operate with them in the delivery of their civil protection duties. In seeking co-operation from Category 2 bodies in their exercise programmes, Category 1 responders should ensure that their requests are reasonable and do not overburden them.

4.54 In the event that a lead responder's arrangements require exercising or training to comply with a duty, Category 1 responders must assist. ⁶⁰

Plan revision

4.55 Category 1 responders must consider whether a new risk assessment issued by Scottish Ministers makes it necessary or expedient to add to or modify their business continuity or emergency response plans, in addition to the general requirement to maintain plans ⁶¹.

Vulnerable people

4.56 Regulations identify various categories of people who are considered to be vulnerable in the context of an emergency. Category 1 responders must have regard to the particular needs of vulnerable individuals when maintaining their emergency plans ⁶².

4.57 The duty relates to people who are present or resident in the area in which the Category 1 responder operates and the responder knows, or has reason to know, that they are vulnerable. The effect of this regulation is to require Category 1 responders to have regard in their emergency plans to means of obtaining information, as necessary and desirable, about vulnerable people, which is contained in records held by local authorities, health services, utility companies and other bodies such as residential homes, day centres and voluntary organisations.

4.58 Vulnerable people are defined in Regulations as those:

under the age of 16. Particular attention should be paid therefore to schools, nurseries, child care centres and medical facilities for children.
inhibited in physical movement, whether by reason of age, illness (including mental illness), disability, pregnancy or other reason. Attention should be paid to identifying those residents in specialist accommodation and the community recorded on lists held by health services, local authorities and other organisations.
deaf, blind and visually impaired or hearing impaired. The means of accessing these people too during an emergency, or when one is likely, should be recorded in plans.

Existing Emergency Planning Duties

4.59 Three pieces of legislation which pre-date the Act were introduced separately under legislation operated by the Health and Safety Executive. Regulations made by HSE relate to major accident hazards at industrial establishments (Control of Major Accident Hazards), to fuel pipelines (Pipeline Safety) and to radiation hazards (Radiation (Emergency Preparedness and Public Information)).

4.60 The HSE regulations, listed above, have established multi-agency emergency planning regimes in co-operation with the operators of businesses, which are specific, well-defined and more prescriptive than the emergency planning requirements contained in the Act. To avoid duplication the Regulations under the Act do not require Category 1 responders to perform a duty in relation to any emergency which is within the meaning of major accidents and radiation emergencies under HSE's regulations ⁶³.

Delegation of duty under section 2(1) (c)

4.61 The duty to make plans to continue to perform functions should an emergency occur must be performed by each Category 1 responder alone and may not be delegated or performed jointly with another responder ⁶⁴.

CHAPTER 5 COMMUNICATING WITH THE PUBLIC

Summary

Communicating with the public about emergencies is a key part of local civil protection.

The Act requires Category 1 responders:

to increase public awareness by publishing risk assessments and emergency plans;
make arrangements to warn and inform the public when an emergency happens; and
make arrangements to provide information about the progress of an emergency and advice on actions to take.

In addition, the Regulations require:

consideration to be given to the needs of vulnerable members of the community;
care to be taken to avoid alarming the public unnecessarily;
the protection of information which is sensitive in terms of security, public safety, commercial confidentiality or personal data protection;

All Category 1 organisations have responsibilities for communicating with the public;

All Category 1 responders must agree which of them will take the lead in delivering messages about particular types of emergency;

In some instances, Category 2 responders, such as utilities, and organisations outside the Act, including the Meteorological Office, will have a prime role in communicating with the public;

Communicating with the public

5.1 Two aspects of planning for emergencies are of such importance that they have been identified specifically in the Act. The first is that the public should be made aware of the risks of emergencies in order that they may know what to do before they occur ⁶⁵. The second is that people should be warned at the time of an emergency and provided with information and advice, as necessary, as it progresses ⁶⁶.

5.2 The duties to publish plans and assessments and to maintain plans to warn, inform and advise the public, require Category 1 responders to avoid alarming the public unnecessarily and meet the particular needs of vulnerable people.

Alarming the public unnecessarily

5.3 When performing its duties to communicate with the public the Regulations require Category 1 responders to have regard to the need not to alarm the public unnecessarily ⁶⁷. Comprehensive guidance is available to inform responders on how best to communicate risk without causing disproportionate concern and they should become familiar with its recommendations ⁶⁸. The principle expectations relate to openness, transparency and engagement with the public that is proportional to the level of protection required.

Having regard to the needs of vulnerable persons

5.4 The Regulations also require that Category 1 responders have regard to the particular needs of vulnerable members of the community ⁶⁹. Vulnerable persons must be present or resident in the area and the Category 1 responder knows, or has reason to know, that they are vulnerable. Those present may include vulnerable people employed in or visiting the area.

5.5 People become vulnerable if they are not able to receive or understand published documents, warning messages or information and advice. Therefore, the Regulations highlight those people as needing special consideration. They may include people from ethnic minorities for whom English is not their first language, people not able to see written material, hear broadcast announcements or understand them by virtue of other impairments.

5.6 There will be evident needs in some areas which have, for example, a high proportion of elderly residents who may welcome the option of a large print version of a document, or where there may be significant numbers who speak a minority language. Where vulnerable people are in the care of institutions such as schools or old people's homes, the most effective delivery of information will be through their management which must be made aware of the details of local plans as they affect their own arrangements.

5.7 The most effective communications route may be a leaflet expressed in very simple English, illustrated with pictures and symbols, which includes a request that the reader should share the information with family, friends and neighbours who are not able to read or understand it themselves. It should be clear that options to receive the information in a form designed to meet particular needs will be available, if necessary, on request.

Publication of plans and assessments

5.8 The duties to assess risks and to maintain plans are followed by a further duty on Category 1 responders to arrange for the publication of all or part of risk assessments and plans they have made, where publication is necessary or desirable to prevent, reduce, control, mitigate or take other action in connection with an emergency.

5.9 Category 1 responders do not necessarily have to publish documents themselves but that they must arrange for their publication.

5.10 The duty is not to arrange to publish the whole of a risk assessment or a complete plan but only those parts which it is necessary or desirable to publish. What is necessary or desirable is determined by whether publication will assist in dealing with an emergency. It is assumed that if the public is better informed and educated about the risks and the actions to be taken in the event of an emergency their resilience and the effectiveness of emergency response will be improved.

5.11 Available information should be identified clearly in the Category 1 responder's Freedom of Information Publication Scheme and should be easily obtained by those who are interested.

Sensitive information

5.12 Where risk assessments or plans contain sensitive information only edited or summary versions should be published, as necessary or desirable, as outlined above. More information on the use of sensitive information is contained in Chapter 7 of this Part of the guidance.

Maintenance of arrangements to warn, inform and advise the public

5.13 Category 1 responders are required to maintain arrangements to warn the public if an emergency is likely to occur or has occurred. In addition to warning they must also have arrangements to provide information and advice for the public before, during and after an emergency.

5.14 The Act does not place a duty on Category 1 responders to warn but to maintain arrangements to warn. This allows the local responders themselves to take the decision about when to issue warnings. It is expected that the arrangements to warn will be utilised where an emergency has occurred that makes it necessary or desirable for the responder to take action.

Duty to have regard to emergency plans

5.15 Warning, informing and advising the public is not a stand-alone duty. A Category 1 responder in carrying out its duties to communicate with the public must have regard to its emergency plans ⁷⁰.

5.16 As with any other part of planning for response to an emergency, communication, either direct with the public, or through the media, should be fully integrated into the responder's emergency plans.

General and specific arrangements to warn, inform and provide advice

5.17 In regard to emergency planning the Regulations distinguish between generic and specific plans. Similarly, the Regulations recognise that arrangements to warn, inform and advise the public may also be generic or specific ⁷¹. Which arrangements are chosen will depend on the type of emergency being planned for and the particular circumstances in a locality. There would be benefit if specific plans for warning and informing the public were based on generic arrangements that established a basis for providing information regardless of the emergency. Generic arrangements for warning, informing and advising the public should be integrated with the generic plans outlined in Chapter 4 of this guidance.

Training and exercises

5.18 The maintenance of plans for warning, informing and advising the public must include provision for training and exercising in the same way as that required for emergency plans as described in Chapter 4 of this guidance ⁷².

Requirements related to identification of a lead responder

5.19 The duty to maintain arrangements to warn applies to all Category 1 organisations whose functions are likely seriously to be obstructed by an emergency or who consider it necessary or desirable to take action in relation to that emergency.

5.20 Confusion would be caused, however, if more than one Category 1 responder was to plan to warn the public about the same risk at the same time for the same extent. To avoid duplication, Category 1 responders whose functions are affected by an emergency must, by agreement, identify one of their number to take lead responsibility for maintaining arrangements to warn in regard to that particular emergency ⁷³.

5.21 If they are unable to reach agreement they are in breach of the Regulations. If agreement cannot be reached, each of them must maintain arrangements separately.

5.22 Regulations envisage three ways in which a lead responder for warning, informing and advising the public may be chosen ⁷⁴:

by identification before an emergency;
by adopting a procedure to be followed at the time of emergency; or
by adopting a procedure to be followed during an emergency, including the longer term recovery, as the functional response develops and the lead may change from one Category 1 responder to another.

5.23 Arrangements must record which of these options has been chosen in relation to the any emergency or to a particular emergency.

5.24 Arrangements must ensure that the responder organisation which has accepted the lead responsibility for warning, informing and advising the public ⁷⁵:

is able to contact the other Category 1 responders whose functions are relate to that emergency;
will inform those Category 1 responders of the actions it is taking at the time of an emergency; and
is able to collaborate with other Category responders in performing the duty.

5.25 The Regulations require the lead responder to collaborate with its partners in fulfilling its role ⁷⁶. There is no question of the lead responder assuming sole responsibility for carrying out the task. The Regulations place a reciprocal responsibility on non-lead Category 1 responders ⁷⁷. They must:

consult with the lead responder in relation to the arrangements on a regular basis; and
inform the lead responder of the actions which they are taking and proposing to take in relation to warning, informing and advising the public within the arrangements.

Advice provided by other responders and the Meteorological Office

5.26 Category 1 responders are not the only responders likely to be involved in arrangements to warn, inform and advise the public.

5.27 The Regulations recognise that some Category 2 responders, such as utilities, have a duty under their own regulatory regime to provide warning, information and advice in certain circumstances when their services are interrupted. Similarly, the Meteorological Office provides a warning service for severe weather emergencies. Accordingly, the Regulations require that Category 1 responders in performing their duty to warn, inform and advise ⁷⁸:

should have regard to these arrangements; and
need not duplicate them.

CHAPTER 6 PROMOTION OF BUSINESS CONTINUITY MANAGEMENT BY LOCAL AUTHORITIES

Summary

As "relevant responders" Scottish local authorities must provide business continuity management advice and assistance for those undertaking commercial activities and for voluntary organisations in their communities.

Local authorities:

must provide general BCM advice and assistance,
may provide specific advice and assistance to individual organisations;
may refer organisations to business continuity consultants.
may determine their voluntary sector audience, targeting effort where it will add most value,
may charge for the cost of providing advice and assistance.
must have regard to relevant Community Risk Registers in its BCM activity,
may enter into collaborative arrangements with other local responders to fulfil their duties.
must co-operate with other local authorities in its Police area, in performing BCM duties,
must have regard to BCM advice and assistance provided by other local responders in its Police area.

Business continuity management - Advice and assistance to business and voluntary organisations

6.1 The duty to give advice and assistance to business and voluntary organisations in relation to business continuity management (BCM) is an essential part of the Act ⁷⁹. It makes a contribution to building the UK's resilience to disruptive challenges. The duty falls on local authorities alone. Local authorities are "relevant responders" in Scotland ⁸⁰.

6.2 In the event of emergency local responders will give all the assistance they can but there is merit in ensuring that communities themselves are resilient. In particular it is important to ensure that the impact of an emergency on the continuity of commercial and voluntary organisations' functions is kept to a minimum. This should help reduce the economic and social impact of emergencies and may assist recovery by ensuring that others, who may have a part to play, are prepared.

6.3 The BCM duty is closely related to other duties in the Act and should not be seen as a stand-alone duty. Developing and exercising emergency plans may require close liaison with organisations that carry out commercial or voluntary activities.

There are clear synergies between this work and the duty to give BCM advice and assistance, in many ways it is a logical extension of the work.

6.4 There is also a strong relationship with the warning and informing duty that requires Category 1 responders to publish aspects of risk assessments and contingency plans and to maintain arrangements to issue advice, information and warnings in the event of an emergency. The duty to give BCM advice and assistance complements that work.

The nature and extent of the duty to promote business continuity management

6.5 Local authorities have the duty to provide advice and assistance to local businesses and voluntary organisations in connection with business continuity management.

6.6 BCM is a flexible framework designed to help organisations develop resilience to the full spectrum of events. However, the Act imposes a duty on local authorities to give advice and assistance to commercial and voluntary organisations on developing arrangements to deal with a much narrower range of events and situations that it defines as emergencies. The duty does not extend to the wider range of day-to-day events that can threaten an organisation.

6.7 A key objective of the BCM duty is to raise awareness of the practical emergency planning arrangements put in place by local responders for local commercial and voluntary organisations. Local authorities are particularly well placed to give advice and assistance in preparing for events or situations whose scale and impact require the implementation of emergency arrangements.

6.8 Local authorities must provide general advice for businesses in its area and may provide such advice for voluntary organisations as it deems appropriate ⁸¹.

6.9 Individual businesses and voluntary organisations might seek further specific advice in which case the local authority may provide that advice, or alternatively, refer the organisation making the request to a business continuity consultant.

6.10 The duty relates in part to commercial activities ⁸². "Commercial" is not a straightforward term to define. It should not be taken narrowly to mean only private sector businesses operating for a profit. Others, including charities, building societies and credit unions, carry out commercial activities, they operate as businesses, generate financial benefits and should be considered in performing the duty.

6.11 Providing business continuity advice to voluntary organisations ⁸³ will help build the resilience of the wider community. However, the voluntary sector is large and diverse and it is unrealistic to expect local authorities to provide advice and assistance for all organisations. When deciding how to prioritise when taking forward a programme for advice and assistance, local authorities may need to take decisions about which voluntary organisations to approach and where to target resources.

6.12 The local authority is permitted to determine its target audience within the voluntary sector ⁸⁴. In so doing, local authorities should have regard to a range of factors including the organisations:

role in relation to emergencies,
contribution to the effective functioning of the community,
economic importance and its
place of business.

6.13 The duty to provide BCM advice and assistance only applies for those who are "resident" or "present" in the local authority area. The duty extends to activities that operate in the area for a period of time without being resident, for example, music festivals or major construction projects.

General advice and assistance

6.14 Local authorities have a duty to provide general advice and assistance regarding the benefits of adopting BCM arrangements and to disseminate information to assist the business continuity planning process.

6.15 Whilst the Act imposes a duty on local authorities to offer advice and assistance it does not impose a corresponding obligation on the recipients to act upon it.

6.16 In complying with the duty, local authorities must demonstrate that they have taken reasonable steps to promote BCM advice in their areas. This will involve developing a strategy that:

identifies what organisations need to know
selects appropriate means of delivery and
targets its message at its audience.

Specific advice and assistance

6.17 Local authorities are permitted to provide specific advice and assistance on BCM for local organisations ⁸⁵. The Act does not oblige them to do so. A local authority can undertake the work itself if it feels it possesses the necessary experience and competence.

6.18 A Local authority could work with individual organisations to establish the nature of the risks they face and the steps they can take to manage them. This might include, for example:

assistance with risk assessment
provision of advice about Category 1 responders' response arrangements and
support in the development and validation of plans.

6.19 Alternatively, the local authority may refer individual organisations to BCM consultants which might be better placed to provide the advice and assistance required ⁸⁶. Experience has shown that businesses value the role that a local authority can play in acting as an 'honest broker' in this way. In referring organisations to BCM consultants the local authority must remain impartial and take steps to ensure that consultants are competent and experienced ⁸⁷.

6.20 The Business Continuity Institute (BCI) provides a certification scheme for business continuity professionals. It publishes a list of consultants it deems to be experienced, qualified and competent in particular areas. BCI operates a code of practice for its members. The BCI and the Chartered Management Institute are useful sources of advice on commissioning consultants.

6.21 Whichever approach local authorities take, regarding provision of specific information and advice, they should consider developing a policy statement in order to manage the expectations of local organisations and to ensure consistency and fairness.

6.22 Local authorities should consider their professional liability in the specific advice and assistance it may offer or its part in referring organisations to a BCM consultant.

Co-operation and identification of a lead responder

6.23 The duty to promote BCM falls on all local authorities. They must co-operate with each other in their Police area in connection with performing their BCM duties ⁸⁸. The purpose of this requirement is to ensure that local authorities within a Police area deliver a coherent programme for providing advice and assistance for commercial and voluntary organisations in their communities.

6.24 Other Category 1 and Category 2 responders in a Police area must co-operate with local authorities in connection with performing their BCM duties ⁸⁹.

6.25 Co-operation may take place bilaterally or within a single forum perhaps through the auspices of the Strategic Co-ordinating Group.

6.26 There are a number of options open to local authorities in deciding how best to discharge their responsibility:

they may perform the duty themselves,
they may, by agreement, identify a lead responder from the local authorities within their Police area ⁹⁰,
they may make arrangements with another local authority for the joint performance of a duty, or for a duty to be performed on its behalf ⁹¹.

6.27 The permissive approach gives local authorities the flexibility to decide how to make the best use of the skills, expertise, networks and resources available in a Police area. Working collaboratively could help ensure that efforts are co-ordinated and that economies of scale are achieved. However, it remains the responsibility of each authority to ensure that its duties are fulfilled.

6.28 BCM promotion programmes should be driven by the needs of local organisations not local authorities' administrative boundaries. It is important to deliver co-ordinated messages with promotional or awareness-raising work across the Police area. Local authorities should consider the need to adopt a coherent approach in the provision of specific advice and assistance where this is requested.

6.29 Category 1 and Category 2 responders will also be expected to co-operate with Category 1 responders outside their Police area, and across UK administrative borders, in the performance of their duties to promote BCM ⁹².

Co-ordination with other local responders' business continuity work

6.30 The duty to promote BCM falls on local authorities but this does not mean that other local responders do not have an interest in the work.

6.31 A number of other local responders are also engaged in BCM promotion. For example, the police support the activity in relation to security issues, the Fire Service does so in relation to fire risks and the Maritime and Coastguard Agency in relation to safety at sea.

6.32 Local authorities must have regard to the business continuity activities undertaken by other local responders. In practice this means that local authorities are required to develop an awareness of the business continuity work of their partners and consider the implications for their own programmes. They should also consider how their programmes can complement other activity and take steps to avoid unnecessary duplication of activity.

Risk Assessment

6.33 In performing its duty the local authority must "have regard" to the Community Risk Register when developing a business continuity promotion programme ⁹³. It may also be necessary to consider risks outside the Police area that could impact upon businesses in a local authority area - for example, a chemical plant in a neighbouring Police area. Hence the Regulations require local authorities to have regard to "any relevant risk register".

Charging

6.34 The Regulations permit local authorities to charge for any advice and assistance provided by them but does not oblige them to do so ⁹⁴.

6.35 It is unlikely that local authorities will be able to charge for promotional materials or awareness-raising materials supplied for organisations at large. However, local authorities may wish to make a charge for a number of activities including:

attendance at local authority organised events,
membership of Business Continuity Forums,
provision of specific information (for example, aspects of risk assessments),
provision of advice on an ad hoc basis (for example, development or review of firms' own plans) and
provision of a professional BCM service.

6.36 Local authorities may only charge for BCM advice and assistance on a cost-recovery basis. They may charge for the full cost of all the resources used in carrying out activities for which a charge is to be made, and a reasonable share of any research or documentation that support the activity. The regulations do not permit local authorities to make a profit from the promotion of BCM.

6.37 Further guidance on charging policy can be found in the Scottish Executive's Public Finance Manual - Fees and Charges (see ww.scotland.gov.uk/library5/finance). However, local authorities should consider the impact of their charging policy on the adoption of their advice and assistance.

CHAPTER 7 INFORMATION SHARING

Summary

Information sharing is a crucial element of civil protection processes underpinning all forms of co-operation.

The initial presumption is that all information should be shared.
Some information should be controlled if its release would be counter-productive or damaging in some other way.
There are various types of information. Information may not be suitable for all audiences.
In most instances, information will pass freely between responders, as part of a more general process of dialogue and co-operation.
A formal request for information should state what is required and why it is required.
The information sharing obligation only applies to information the responder already has. It does not enable one responder to require another to create new information.
Some responders may have obligations under other legislation related to Freedom of Information and Environmental information.
Not all information can be shared.

Information sharing

7.1 Information is shared between Category 1 and Category 2 responders as they work together to perform their duties under the Act. Information sharing is a key element of civil protection work underpinning all forms of co-operation. It is essential to other duties under the Act, in particular risk assessment, business continuity management and emergency planning. It may be undertaken by the Strategic Co-ordinating Groups. It may involve direct contacts between responders where information held by one is needed to help another fulfil its civil protection duties.

7.2 The assumption that all information should be shared has to be balanced against the harm that may be caused to national security, public safety, commercial confidentiality or the rights of individuals. Similarly the use of information has to be considered with care to ensure that information given for one purpose is not misused or misinterpreted in its use for another reason. For example, comparing the radiation dose for emergency workers over a short period with that for a community at large over a long period.

7.3 In most instances, information will pass freely between responders, as part of a more general process of dialogue and co-operation. The overwhelming majority of information sharing should happen in this way. If this is not the case, it is probably evidence of a wider systemic failing in the way the Act is operating in the Police area in question.

What information can be shared?

7.4 Not all information can be shared, and Category 1 and Category 2 responders can claim exceptions in specified circumstances and thus not supply certain information. Exceptions relate to sensitive information only. Where the exceptions apply, a responder must not disclose the information.

7.5 Sensitive information ⁹⁵ means information which, if disclosed, would:

be contrary to the interests of national security
endanger public safety
harm legitimate business interests, or
contravene personal data protection principles.

7.6 Category 1 and Category 2 responders must reach a decision about whether the information they hold is sensitive. In considering the sensitivity of information the test is whether disclosure to the public would compromise the information, not whether disclosure to the requesting responder would do so.

7.7 The two exceptions are:

Exception where disclosure would prejudice sensitive information ⁹⁶.

A Category 1 and Category 2 responder must refuse to comply with an information request if the information is sensitive and if it has reasonable grounds to believe that complying with the request would compromise that information. If a Category 1 and Category 2 responder refuses to disclose information on this basis, it must give reasons for so doing, unless the information is sensitive by virtue of its impact on national security. A certificate signed by a Minister of the Crown, Scottish Minister, the Advocate General for Scotland or the Attorney General for Northern Ireland is conclusive evidence that information is sensitive for reasons of national security. The Minister can issue a certificate in relation to a class of information or a specific piece of information. However, it should be noted that absence of a certificate does not mean that the information cannot be sensitive on national security grounds.

Exception where information has been supplied by the security services ⁹⁷:

Where a responder receives an information request in relation to information which has been supplied directly or indirectly by the intelligence services (the Security Service, SIS, GCHQ or NCIS), the responder must not comply with the request unless the relevant intelligence service consents to the disclosure of the information. The intelligence service may impose conditions on its consent.

7.8 Where a request relates to information, part of which is sensitive and part of which is not, the exception only applies to the sensitive information. The application of an exception does not necessarily enable a Category 1 or Category 2 responder to refuse to share a piece of information in its entirety.

Requesting information

7.9 As stated above it is expected that most information will be shared through existing informal relationships and networks. However, there are still some instances in which the supply of information will be more controlled if informal processes fail.

7.10 Any Category 1 responder can request information from any other Category 1 or Category 2 responder for the purpose of fulfilling its duties under the Act 1 ⁹⁸.

7.11 Any Category 1 or Category 2 responder can request information from any other Category 1 or Category 2 responder for the purpose of performing its functions which relate to an emergency ⁹⁹.

7.12 Should a Category 1 or Category 2 responder receive a request for information it must comply with that request unless exceptions apply for sensitive information as outlined above ¹⁰⁰.

7.13 Should formal requests for information become necessary, there are a number of formal procedures that need to be followed. ¹⁰¹

Procedure for making a request for information

7.15 When seeking information a "requesting responder" will approach a "receiving responder."

7.16 A request for information should be made in writing. It must specify clearly either the information required or a description of the information requested. The request must include the reason the requesting responder needs the information (the performance of a particular duty or a function related to an emergency).

7.17 The request may specify a time limit for dealing with the request and the place at which the information should be provided. The requesting responder may also specify the form in which the information is to be supplied (for example, in paper form or on a computer disc). In each case the time allowed, and the place and form specified must be reasonable. For example, a request for details from an established emergency plan could be expected sooner than one which sought information not collated or subject to release only with the permission of a third party. Wherever possible the request should be discussed in advance between responders.

Procedure for dealing with a request for information

7.18 A valid request must be complied with unless one of the exceptions (set out above) applies. This is the case even where the information has been originally supplied in confidence, although the responder which receives the information is also likely to become subject to that duty of confidence. Where the responder is subject to restrictions on disclosure of information under other legislation or a contract, the other legislation or contract will have to be considered in light of the regulations. Which provision applies will depend on the particular terms of the other enactment or contract.

7.19 In considering whether the request is valid, a responder should consider if the procedural requirements have been satisfied and whether the reasons given by the requesting responder indicate the information is required in connection with the requesting responder's duties and functions.

7.20 The information must be provided within the time limit specified in the request. If no time limit is specified, the information must be provided in a reasonable period. The information must be supplied in the form and at the place specified by the request.

7.21 A request for information relates to information not documents. A responder which receives a request is not required to disclose all the documents which contain the information which has been requested. However, this will often be the easiest way to deal with a request for information.

Using non-sensitive information

7.22 The Act and Regulations do not impose any limits on the use of information obtained under the Act which is not sensitive. However, use of non-sensitive information may be limited by duties of confidence established by other legislation or by contract. Category 1 or Category 2 responders may also be subject to other statutory restrictions on disclosure.

7.23 Other than mentioned above there are unlikely to be any restrictions on the use to which a Category 1 or Category 2 responder can put non-sensitive information which it creates in the course of carrying on its duties under the Act. Responders should be mindful that information may be sensitive within different environments and whilst some information may be suitable for sharing among responders, it might not be suitable for the wider public. For example, there is a need to avoid alarming the public in the information made available under other duties.

7.24 Because there is no restriction on disclosure does not mean that responders will be obliged to disclose information. However, some responders may be under a legal obligation to disclose certain information. For example, the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 may require disclosure.

7.25 Members of the public may make requests under the Freedom of Information (Scotland) Act 2002 to see the Community Risk Register or any of the individual risk assessments. Individual responders which are presented with such requests will need to consider what can be released. The exemptions relating to national security and commercial sensitivity may be particularly relevant to these deliberations. Given the relatively short timeframe in which information must be provided, it would be helpful for local responders to consider in advance how such requests would be handled.

Using sensitive information

7.26 Sensitive information reasonably requested by a Category 1 or Category 2 responder to perform its functions which relate to an emergency, may only be used for the purpose of performing the function for which it was requested. The effect of this should limit the circulation of information within a responder's organisation. For example, information about the robustness of mobile 'phone coverage, legitimately obtained for use in developing emergency plans, should not be shared with those responsible for the contractual relationship with its mobile phone provider.

7.27 If a responder wishes to use sensitive information it has received by virtue of an information request under the Act for a different purpose, it must obtain the consent of the relevant person or organisation. The relevant person or organisation for different types of sensitive information is set out below ¹⁰².

Type of sensitive information

Person or organisation whose consent is needed

Relates to national security and supplied indirectly or directly by one of the intelligence services

Minister of the Crown OR the intelligence service which supplied the information

Relates to national security and not supplied indirectly or directly by one of the intelligence services

Minister of the Crown OR (a) if the information is contained in a document which has been created by a public authority, that authority; (b) in other cases, the organisation which supplied the information

Relates to public safety and supplied indirectly or directly by one of the intelligence services

Minister of the Crown OR the intelligence service which supplied the information

Relates to public safety and not supplied indirectly or directly by one of the intelligence services

Relates to the business or other affairs of a person where disclosure would harm the legitimate business interests of that person

The person to whom the information relates

Is personal data (within the meaning of the Data Protection Act 1998) where disclosure would contravene the data protection principles/section 10 of the Act.

The individual to whom the information relates

7.28 The use of sensitive information may be further restricted by duties of confidence, by other legislation or by contract.

7.29 Category 1 and Category 2 responders are prohibited from publishing or otherwise disclosing any sensitive information which they have received by virtue of the Act or which they created in the course of discharging their duties under the Act.

7.30 There are two exceptions to the prohibition on disclosure. Where the exceptions apply, the responder may disclose. However, unless the responder is subject to an obligation under the Act to disclose the information (for example the duty to publish risk assessments), it is not obliged to do so.

7.31 The two exceptions are:

Consent for the publication or disclosure is obtained) ¹⁰³.

Consent should be obtained from the person identified in the table above. The consent may be given subject to conditions.

The information is commercially sensitive or personal data and the public interest in disclosure outweighs the interests of the person ¹⁰⁴.

This exception does not apply if the information is sensitive by virtue of its national security or public safety implications. When relying on this exception, the responder must inform the person to whom the information relates of its intention to disclose the information and provide reasons why it is satisfied that the public interest in disclosure outweighs their personal interests.

7.32 The prohibition on disclosure applies when the Category 1 or Category 2 responder is discharging its duties under the Act or any other function that it has in relation to an emergency ¹⁰⁵. However, the restrictions on the use of information mean that in most cases sensitive information should not be used for other purposes. The prohibition does not apply where a Category 1 or Category 2 responder is dealing with an information request or contributing to the Community Risk Register (CRR). However, the Regulations covering those topics allow for the treatment of sensitive information if the information may be compromised or its confidentiality may be threatened.

7.33 The prohibition on disclosure will not apply where the Category 1 or Category 2 responder receives an information request under the Freedom of Information (Scotland) Act or the Data Protection Act. In such circumstances responders must consider the relevant legislation to determine whether or not the information should be released. Each case should be considered on its merits.

7.34 Under its duties related to risk assessments the Category 1 responder does not need to provide information for the Community Risk Register (CRR) where it considers that to do so would compromise or impair the confidentiality of the information. Note that there is no obligation under the Regulations to publish the CRR although publication by the Strategic Co-ordinating Group "as far as necessary or desirable" of the Register or parts of the Register would fulfil other duties. It is possible for a local responder to contribute a risk assessment to the CRR on condition that its risk assessment is not published.

Category 2 responders

7.35 It is important for Category 1 responders to be realistic about what information is requested from Category 2 bodies. Information sharing has the potential to be very burdensome if it is not handled responsibly.

7.36 Where possible, Category 1 responders should seek to channel requests through as small a number of routes as possible so as to avoid duplication of effort. For example, all local responders could channel requests through the Strategic Co-ordinating Group, or lead responder, and share the information.

7.37 Where sensitive information is held, many Category 2 responders are likely to rely on exceptions that relate to commercial confidentiality. This may reflect the status of some responders as private sector commercial organisations. In that regard considerations related to contract and confidentiality may also apply.

7.38 In return for responsible use of these powers to request information, Category 2 responders should ensure that they can deal with reasonable requests made by Category 1 responders.

Security of sensitive information

7.39 Category 1 and Category 2 responders must establish arrangements to ensure that sensitive information it obtains or creates under the Act is not compromised or its confidential nature impaired ¹⁰⁶.

7.40 The arrangements made must include:

security marking,
regulation of access to those performing duties or functions who need to have access to the information,
secure storage, and transfer arrangements, including electronic transfer.

Health and Safety at Work Act 1974

7.41 Restrictions on disclosure of information under Section 28(2) of the Health and Safety at Work Act do not apply to the disclosure of information by the Health and Safety Executive if the disclosure is made in connection with:

performance of a duty under section 2(1) or 4(1) of the Act,
a request under regulation 45
a request under regulation 44 in connection with functions of the Health and Safety Executive.

Other legislative requirements

7.42 Although there are many pieces of legislation which affect the use of information within individual sectors, there are three which have a wider-ranging impact and of which, as a consequence, responders should be aware. They are:

Freedom of Information (Scotland) Act 2002

The Freedom of Information (Scotland) Act 2002 provides individuals with the right to seek information from public bodies, subject to procedural requirements and particular exemptions. The rights of individuals to seek such information under the Freedom of Information Act must be considered by responders, alongside the duties under the Act and Regulations.

Further information is available through the Scottish Executive's website, at: http://www.scotland.gov.uk/Topics/Government/FOI

Environmental Impact (Scotland) Regulations 2004

The Environmental Impact (Scotland) Regulations 2004 provide for the freedom of access to information on the environment, subject to certain conditions, and must be taken into account when carrying out duties under the Act and Regulations.

Further information is available through the Scottish Executive's website, at http://www.scotland.gov.uk/library5/environment/aeig-00.asp

Data Protection Act 1998

The Data Protection Act 1988 provides certain rights to individuals to request information from public bodies about personal data held by them which relates to that individual. It also provides limits on the use or processing of such data by public authorities. The Data Protection Act must be considered in relation to the duties imposed under the Act and Regulations.

Guidance on the Data Protection Act can be found on the Information Commissioner's website at www.informationcommissioner.gov.uk

7.43 It is for each responder to make the final judgements about the detailed implications of each of these pieces of legislation and how they interface with the Act, as each takes precedence over the Act's information-sharing framework

CHAPTER 8 AUDIT AND MONITORING

Summary

Integrating civil protection as normal business of Category 1 and Category 2 responders will obviate the need for a new inspectorate.
Arrangements for monitoring through normal audit and inspection regimes will be developed with the assistance of stakeholders.
Self assessment and the role of managers will be key features of the monitoring regime.
Failure to perform a duty may lead to enforcement by the Court of Session.

Monitoring performance and audit

8.1 The Act introduces a series of duties for those engaged in civil protection work at the local level. These duties have been detailed in preceding chapters. Taken together, these duties provide a framework for civil protection.

8.2 The Act makes reference in Section 9 to monitoring by government. Scottish ministers may require Category 1 and Category 2 responders:

to provide information about action they have undertaken in complying with a duty; or
to explain why they have not taken action in complying with a duty.

8.3 Neither the UK Government nor the Scottish Executive is establishing a new, dedicated inspectorate for the purposes of monitoring the duties of the Civil Contingencies Act. The provisions of the Act are interwoven with corporate governance and, therefore, the creation of an independent body to consider enforcement risks the artificial separation of the duties from the wider context of corporate governance.

8.4 The Turnbull Report (1999) has set the agenda for good governance, and its principles have been widely adopted by industry and government alike. Turnbull focuses primarily on risk management as the key mechanism of internal control. Within this, emphasis is placed upon the vital role of management in implementing the risk-based approach. Turnbull advocates establishing a management framework which focuses on business objectives and specific outcomes.

8.5 This approach has ramifications for monitoring performance. Using a system of minimum standards has proved to be unnecessarily rigid and inadequate for measuring the performance of an organisation. Many audit and inspection bodies have adapted their monitoring processes to focus upon a more risk-based and strategic regulation approach.

8.6 Internal assessment can provide a useful indication of the performance of an organisation. The Turnbull Report highlights the role of self-assessment and the need for senior management to oversee the performance of the organisation. The importance of self-assessment is confirmed by the research of the Prime Minister's Office of Public Services Reform, which noted that inspectors and auditors should encourage self-assessment by managers.

The inspectors should challenge the outcomes of the managers' assessments and take them into account in the inspection process.

8.7 The Scottish Executive's position is also in line with the Public Service Reform Strategy which set four principles of reform. One of these was devolution and delegation to the front line, giving local leaders responsibility and accountability for delivery and the opportunity to develop services around the needs of local people.

8.8 The Scottish Executive will rely on current good practice in performance management and on established audit and regulatory bodies across the Category 1 and Category 2 responders to assess performance. The performance against duties will be measured for all functions.

8.9 Consideration will be given to the use of rigorous and regular self-assessment of performance and the part of the Strategic Co-ordinating Groups in the assessment. Stakeholders will be involved in the development of self assessment models.

8.10 Where the Scottish Executive has reason to require more information about compliance with duties and to seek an explanation for non-compliance, Scottish Ministers' have powers under the Act to require that responders provide information.

Enforcement

8.11 The Act enables Scottish ministers, Category 1 and Category 2 responders to take action in the Court of Session regarding a failure by a Category 1 or Category 2 responder to perform its duties under the Act ¹⁰⁷.

8.12 The failure to perform duties includes compliance with regulations and having regard to guidance issued by a Scottish minister.

8.13 The Court of Session may grant any remedy, or make any order, that it thinks appropriate.

Page updated: Thursday, May 25, 2006

Scottish Government