Duty of Care in Executive Protection — Legal Obligations & Best Practices
Published 7 April 2026 · 9 min read
Duty of care is a concept that underpins every aspect of executive protection work. It is the legal and ethical obligation to take reasonable steps to prevent foreseeable harm — and in the security industry, where the entire purpose of the engagement is to protect people, the standard is especially high. For security companies and individual operators working in Australia, understanding duty of care is not just good practice; it is a legal requirement with serious consequences for failure. This article examines what duty of care means in the context of executive protection, the Australian legal framework that governs it, and the practical steps that operators and companies can take to meet their obligations.
What Is Duty of Care in EP
At its core, duty of care is a legal principle derived from common law that requires a person or organisation to act with reasonable care toward others who could foreseeably be affected by their actions or omissions. In the context of executive protection, this duty runs in multiple directions simultaneously.
The most obvious duty is to the principal — the person being protected. When a security company accepts a contract to provide executive protection, it assumes a duty to take all reasonable steps to keep the principal safe from foreseeable threats. This includes conducting proper threat assessments, deploying suitably qualified and licensed operators, planning for contingencies, and responding appropriately to emerging risks.
However, the duty extends further. Security companies owe a duty of care to their own operators — ensuring they are not placed in unreasonably dangerous situations without adequate training, equipment, and support. They owe a duty to third parties — members of the public who might be affected by the actions of protection teams. And in some circumstances, they may owe a duty to the client organisation (which may be distinct from the principal) to provide accurate risk assessments and honest advice, even when that advice is not what the client wants to hear.
The standard against which duty of care is measured is that of the reasonable professional. Courts do not expect perfection — security incidents can occur even when every reasonable precaution has been taken. What the law requires is that the security provider acted as a competent professional in the same field would have acted given the same circumstances. This makes the practices and standards of the industry — including frameworks established by bodies such as ASIAL — directly relevant to legal assessments of whether duty of care was met.
Legal Framework in Australia
In Australia, duty of care in the security industry is governed by an overlapping framework of common law, statute, and regulation. Understanding this framework is essential for any company or operator providing executive protection services.
Common law negligence. The foundational legal principle comes from the common law of negligence, established in the landmark case of Donoghue v Stevenson (1932) and extensively developed by Australian courts. To succeed in a negligence claim against a security provider, a plaintiff must establish that the provider owed a duty of care, that the provider breached that duty by failing to meet the standard of a reasonable professional, that the breach caused the plaintiff's loss, and that the loss was not too remote. In the executive protection context, the existence of a contractual relationship (the protection engagement) makes establishing the duty straightforward — the critical question is typically whether the standard of care was met.
State and territory Security Industry Acts. Each Australian state and territory has its own legislation governing the security industry. In New South Wales, the Security Industry Act 1997 and its associated regulations set out licensing requirements, conduct standards, and enforcement mechanisms. Victoria's Private Security Act 2004, Queensland's Security Providers Act 1993, and equivalent legislation in other jurisdictions impose similar obligations. These Acts require that security providers hold appropriate licences, that operators meet minimum training standards (including the Certificate II or III in Security Operations), and that companies maintain proper records. Failure to comply is not merely a regulatory infraction — it can be cited as evidence of a breach of duty of care in civil proceedings.
Work Health and Safety (WHS) legislation. The Work Health and Safety Act 2011, adopted in most Australian jurisdictions, imposes a primary duty of care on persons conducting a business or undertaking (PCBUs) to ensure, so far as is reasonably practicable, the health and safety of workers. For security companies, this means conducting risk assessments for missions, providing appropriate personal protective equipment, ensuring adequate training, and implementing safe systems of work. The WHS framework is particularly relevant to executive protection because of the inherently elevated risk profile of the work.
Privacy Act 1988. Executive protection involves collecting, storing, and using significant amounts of personal information about principals, their families, and potential threat actors. The Australian Privacy Principles (APPs) under the Privacy Act 1988 require organisations to handle this information responsibly. A data breach involving sensitive protection-related information could constitute both a privacy violation and a breach of the duty of care owed to the principal.
Consumer law. The Australian Consumer Law, found in Schedule 2 of the Competition and Consumer Act 2010, prohibits misleading or deceptive conduct and requires that services be provided with due care and skill. A security company that represents capabilities it does not possess or provides services below a reasonable professional standard may face claims under both consumer law and negligence.
Operator Responsibilities
While the security company bears the primary organisational duty of care, individual operators have their own legal and professional responsibilities that cannot be delegated.
Maintaining current licensing. Every operator engaged in security work in Australia must hold a valid licence issued by the relevant state or territory authority. Operating without a licence — or with an expired or incorrect class of licence — is a criminal offence and an automatic breach of duty of care. Operators are personally responsible for ensuring their licence remains current, including meeting any continuing professional development requirements.
Operating within scope of competence. An operator who accepts an assignment for which they lack the necessary skills or experience may be personally liable if their incompetence contributes to a failure to protect. The duty of care requires operators to be honest about their capabilities and to decline assignments that exceed their competence. This is particularly relevant in executive protection, where assignments can range from straightforward residential security to complex international travel details requiring advanced skills in counter-surveillance, medical response, and diplomatic protocols.
Following established protocols. When a security company has established standard operating procedures (SOPs) for executive protection operations, operators have a duty to follow them unless circumstances make adherence unreasonable. Deviating from SOPs without justification — such as skipping advance work to save time or failing to conduct vehicle checks — can constitute a breach of duty.
Reporting and escalation. Operators have a responsibility to report incidents, near-misses, and emerging risks to their chain of command. Failing to report a credible threat because it seems minor, or neglecting to document an incident because it was resolved without injury, undermines the organisation's ability to manage risk and may constitute a breach of the operator's individual duty of care.
Use of force. Australian law permits the use of reasonable force in certain circumstances, including self-defence and the defence of others. However, the threshold is strictly defined. An operator who uses excessive force — even in a genuine attempt to protect the principal — may face criminal charges and civil liability. Training in the legal boundaries of force, and the ability to make sound judgements under pressure, is a critical component of the operator's duty of care.
Documentation and Record-Keeping
If duty of care is the obligation to act reasonably, documentation is the evidence that you did. In the executive protection industry, thorough record-keeping serves both operational and legal purposes, and it is one of the areas where many security companies fall short.
Risk assessments. Every executive protection engagement should begin with a documented risk assessment. This assessment should identify the threats relevant to the principal, evaluate their likelihood and potential impact, and describe the countermeasures to be implemented. The assessment should be reviewed and updated whenever the threat landscape changes — for example, when the principal's travel itinerary changes or when new intelligence emerges. A documented risk assessment demonstrates that the company applied a systematic, professional approach to identifying and mitigating risks.
Mission planning documents. Advance reports, route plans, contingency plans, and communication protocols should all be documented and retained. These records show that the security team prepared thoroughly for each engagement and considered the foreseeable risks. In the event of a legal claim, the absence of planning documentation can be as damaging as the absence of the planning itself.
Operator credentials and training records. Companies must maintain current records of every operator's licences, qualifications, training history, and competency assessments. These records demonstrate that the company deployed appropriately qualified personnel — a fundamental element of meeting the duty of care. Records should include not only the qualifications held but evidence of verification (for example, confirmation that a licence was checked against the relevant state database before deployment).
Incident reports. Every incident — regardless of severity — should be documented in a standardised format. Reports should capture the facts of what occurred, the actions taken in response, the outcome, and any recommendations for preventing recurrence. Incident reports are critical evidence in legal proceedings and regulatory inquiries, and they also feed into the continuous improvement of the organisation's protective practices.
Communication logs. Records of communications during operations — including radio logs, message transcripts, and check-in records — provide a timeline of events and decisions that can be invaluable in reconstructing what happened during an incident. Digital platforms that automatically log communications provide a more reliable record than handwritten notes compiled after the fact.
How Technology Supports Duty of Care
Meeting the duty of care in executive protection has always required discipline and professionalism. What has changed in recent years is the availability of technology that makes meeting that standard more achievable and more demonstrable.
Purpose-built security operations platforms like EP-CP address many of the documentation and compliance challenges that security companies face. By centralising mission planning, operator credential management, real-time communication, and incident reporting in a single platform, EP-CP creates an automatic, time-stamped record of the actions that constitute duty of care compliance.
Consider licence verification. Rather than relying on operators to self-report their licence status, a platform can track licence expiry dates and alert operations managers before a deployment would involve an unlicensed operator. This automated check — documented in the system's audit log — provides evidence that the company took reasonable steps to ensure compliance with state licensing requirements.
Real-time communication tools integrated into an operations platform create automatic logs of team communications during missions. These logs eliminate the need for manual record-keeping during high-pressure situations and provide a reliable timeline if events need to be reconstructed later.
Digital incident reporting — with structured fields, mandatory data capture, and automatic timestamps — ensures that reports are complete and contemporaneous. Paper-based or email-based reporting, by contrast, often results in incomplete records filed hours or days after the event.
For security companies operating across multiple Australian states, a centralised platform also simplifies the challenge of managing different regulatory requirements. Licence classes, training requirements, and reporting obligations vary by jurisdiction, and a platform that tracks these variations reduces the risk of inadvertent non-compliance.
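The licence pre-check described above, and the per-jurisdiction matching that multi-state operation requires, sketched as an added example (this is illustrative code, not EP-CP's own implementation). The jurisdiction codes, the "close-protection" class label, and the 30-day verification age and 14-day warning window are constructed assumptions, not real licence classes or statutory values.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Licence:
    jurisdiction: str            # issuing state/territory, e.g. "NSW", "VIC", "QLD"
    licence_class: str           # placeholder label only, not a real licence class code
    expiry: date
    verified_on: Optional[date]  # when last checked against the issuing authority's register

@dataclass(frozen=True)
class Deployment:
    jurisdiction: str
    required_class: str
    start: date
    end: date

def check_licence(licences, dep, today, max_verify_age=30, warn_days=14):
    """Return (blocking, warnings) for one operator against one deployment.
    An empty blocking list means the operator may be rostered."""
    blocking, warnings = [], []
    matches = [l for l in licences
               if l.jurisdiction == dep.jurisdiction and l.licence_class == dep.required_class]
    if not matches:
        blocking.append(f"no {dep.required_class} licence held for {dep.jurisdiction}")
        return blocking, warnings
    lic = max(matches, key=lambda l: l.expiry)  # the longest-running matching licence counts
    if lic.expiry < dep.start:
        blocking.append(f"licence expired {lic.expiry}, before the deployment starts")
    elif lic.expiry < dep.end:
        blocking.append(f"licence expires {lic.expiry}, during the deployment")
    elif (lic.expiry - dep.end).days <= warn_days:
        warnings.append(f"licence expires {lic.expiry}, within {warn_days} days of deployment end")
    if lic.verified_on is None or (today - lic.verified_on).days > max_verify_age:
        blocking.append(f"licence not verified against the {dep.jurisdiction} register in the last {max_verify_age} days")
    return blocking, warnings

def precheck(operator, licences, dep, today, audit_log):
    """Run the check and append a time-stamped audit entry; returns True when cleared."""
    blocking, warnings = check_licence(licences, dep, today)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),  # contemporaneous record of the check
        "operator": operator, "jurisdiction": dep.jurisdiction,
        "required_class": dep.required_class, "deployment_start": dep.start.isoformat(),
        "result": "blocked" if blocking else "cleared",
        "blocking": blocking, "warnings": warnings,
    })
    return not blocking
```

The audit entry is appended whether the operator is cleared or blocked, so the log evidences that the check was run, not only that it passed.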
Technology does not replace professional judgement — an operator still needs to make sound decisions under pressure, and a platform cannot substitute for thorough training and experience. But technology can ensure that the administrative and documentation foundations of duty of care are met consistently, reducing the risk of gaps that could become liabilities.
The security industry in Australia is moving toward greater accountability and transparency. Regulators expect higher standards of documentation. Clients demand evidence of compliance. Insurers require proof of risk management practices. In this environment, the companies that invest in systems and processes to support their duty of care obligations are the ones that will sustain their licences, their reputations, and their businesses.
About EP-CP
EP-CP (Executive Protection & Close Protection) is Australia's command platform for security operations.