Get started

Harassment Duties Under the Employment Rights Act — The 'All Reasonable Steps' Standard

guide 9 min read Updated 2026-03-23

Harassment Duties Under the Employment Rights Act — The ‘All Reasonable Steps’ Standard

In October 2026, the harassment landscape shifts. The Employment Rights Act introduces an “all reasonable steps” employer harassment prevention duty — a move away from the current reactive standard (handling complaints when they arrive) toward a proactive standard (preventing harassment before it happens). This isn’t a small tweak. It’s a fundamental change in employer liability.

Currently, employer harassment liability is complaint-driven. Someone experiences harassment, reports it, and the employer’s duty is to handle the complaint fairly. October 2026 adds a second layer: employers must take “all reasonable steps” to prevent harassment happening in the first place. You can’t just wait for a complaint. You have to demonstrate you’ve actively worked to create an environment where harassment is less likely to occur.

This matters because the “all reasonable steps” standard is hard to defend if you haven’t documented what you’ve done. “We have a good culture” doesn’t qualify. A harassment policy you’ve never shown staff doesn’t qualify. Training you’ve never recorded doesn’t qualify. Evidence — documented policies, training records, risk assessments, monitoring — qualifies.

This guide walks through what the duty actually requires, how it differs from current practice, and what you need to do to demonstrate compliance.

Why This Matters

Harassment claims are expensive. A successful claim can result in compensation for injury to feelings (Vento bands: lower £1,100–£11,200, middle £11,200–£33,700, upper £33,700–£56,200 as of April 2025, uprated annually) plus lost earnings if the employee was forced out. The median harassment claim costs around £15,000–£20,000 in compensation alone, plus legal fees.

But the bigger issue is employer liability for third-party harassment — harassment by customers, suppliers, or others outside the employment relationship. The current law makes this hard to defend. From October 2026, it becomes even harder unless you can show you took “all reasonable steps” to prevent it.

What’s a “reasonable step” in this context?

  • A harassment policy that staff know about
  • Staff training on what constitutes harassment and how to report it
  • A risk assessment identifying types of harassment relevant to your workplace
  • Clear reporting mechanisms
  • Regular monitoring to check if the policy is working
  • Action taken if problems emerge

You need all of these, documented, to claim you’ve taken “all reasonable steps.”

Smaller workplaces are particularly exposed. You don’t have the structural separation of a big organization with HR departments and formal channels. Harassment in a small team can destroy the whole dynamic. But that same smallness means documentation becomes even more important — you can’t claim “we have a no-harassment culture” without showing evidence.

What Changes from October 2026

Before October 2026: Employer harassment liability is complaint-driven. Someone experiences harassment (by a colleague, customer, or third party), reports it, and the employer’s duty is to investigate and respond fairly. If you handle the complaint well, you’ve met your obligation.

From October 2026: The “all reasonable steps” duty runs parallel to complaint handling. You still have to handle complaints well. But you also have to demonstrate you took preventive steps before any complaint arrived. If you haven’t taken those steps, you’re liable even if a complaint is handled perfectly.

The practical difference: harassment liability moves from “reactive” to “proactive + reactive.” A business with no harassment policy, no training, and no risk assessment loses the “all reasonable steps” defence even if it responds well to a complaint. A business with a policy, training, and documented risk assessment has a defence.

What “All Reasonable Steps” Requires

There’s no statutory checklist of what “all reasonable steps” means. The standard is fact-specific — what’s reasonable depends on your business. But the case law framework and regulatory guidance point to five core elements:

1. A documented harassment policy.

Your policy should:

  • Define harassment clearly. Examples: unwanted conduct related to a protected characteristic (age, disability, gender, gender reassignment, marriage/civil partnership, pregnancy/maternity, race, religion/belief, sex, sexual orientation); conduct of a sexual nature; or any other unwanted conduct that violates dignity or creates an intimidating, hostile, degrading, offensive environment.
  • Include third-party harassment (customers, suppliers, contractors). You’re liable for customer harassment if you don’t take reasonable steps to prevent or respond to it.
  • State the employer’s zero-tolerance approach.
  • Be accessible to all staff in plain language.
  • Be dated and reviewed regularly (you should review at least annually, more if circumstances change).

Most SME harassment policies are one page and reactive (“here’s how to report harassment”). They should be 2–3 pages and balanced (“here’s how we prevent it, here’s how to report it, here’s what happens next”).

2. Staff training.

Training should:

  • Be mandatory for all staff, not optional.
  • Cover what constitutes harassment (examples help more than definitions).
  • Explain how to report (multiple channels — line manager, alternative contact, external helpline if available).
  • Explain what happens after a report (investigation process, timeframe, confidentiality).
  • Be documented. You record dates, attendees, and content covered.
  • Be refreshed regularly. Annual refresher or whenever policy changes.

Training for managers should be more detailed: how to spot harassment, how to handle a report, how to investigate, what records to keep.

3. A risk assessment for harassment.

This is often overlooked, but it’s critical evidence of “all reasonable steps.”

Your risk assessment should:

  • Identify types of harassment most likely in your workplace. (A customer-facing retail business faces different harassment risks than an office-based professional services firm.)
  • Consider sector, location, lone working, shift patterns, use of agency workers, high staff turnover, anything relevant.
  • Map where harassment is most likely to occur (certain roles, certain times, certain interactions).
  • Identify preventive measures for each risk.

A risk assessment doesn’t have to be lengthy. One page per identified risk is enough. But you need it documented.

4. Clear reporting mechanisms.

Staff need to know how to report harassment. Options include:

  • Direct line manager (if the harassment isn’t from the line manager)
  • Alternative manager or senior staff member
  • HR contact (if you have one)
  • Anonymous helpline or feedback service (if you use one)
  • External advisor (e.g., ACAS helpline — free)

Make sure reporting channels are communicated. Include them in the policy, in the handbook, in manager training, and in any harassment awareness materials.

5. Monitoring and action.

You should:

  • Keep records of all harassment complaints or concerns raised (even informal ones).
  • Investigate promptly and thoroughly.
  • Take action if harassment is confirmed (whether from colleagues or third parties).
  • Follow up with the affected person to check the harassment has stopped.
  • Review the policy, training, and risk assessment annually — or sooner if patterns emerge.

Documentation is key here. Keep a record of what happened, what was investigated, what was found, and what action was taken. These records are your evidence of “all reasonable steps.”

How to Check It Worked

After you’ve implemented these five elements, verify:

Policy:

  • Harassment policy is written, dated, and accessible to all staff
  • Policy defines harassment clearly with examples
  • Policy includes third-party harassment
  • Policy is in your employee handbook or accessible via shared folder/intranet

Training:

  • All staff have received harassment prevention training
  • Training was documented — dates, attendees, content covered
  • Managers have received more detailed training on handling reports
  • Training is planned to be refreshed at least annually

Risk Assessment:

  • You’ve identified harassment types most likely in your workplace
  • Risk assessment is documented and dated
  • Preventive measures are mapped for each identified risk

Reporting Mechanisms:

  • Multiple reporting channels are identified and documented
  • Reporting channels are communicated to all staff
  • At least one reporting channel is outside normal line management (if line manager is source of harassment)

Monitoring and Records:

  • A log of harassment complaints or concerns is maintained
  • Investigations are documented with findings and actions
  • Follow-up with affected persons is recorded
  • Records are kept confidential and secure
  • Policy and risk assessment are reviewed at least annually

If you can tick all of these, you have evidence of “all reasonable steps.” If you can’t, you have gaps to close before October 2026.

Common Implementation Mistakes

“We have a policy, so we’re covered.” Policy alone isn’t “all reasonable steps.” You also need training, risk assessment, clear reporting channels, and documented monitoring. All five elements together = all reasonable steps.

“We trained staff once, so we’re covered.” Training needs to be refreshed regularly and properly documented. A one-off training session that nobody can prove happened doesn’t count.

“We don’t need a formal risk assessment.” You do. It’s the bridge between “we have a policy” and “we’ve thought about where harassment is most likely and taken steps to prevent it.” Without it, the other elements look like box-ticking.

“We don’t include customer harassment in our policy.” You must. Employer liability for third-party harassment applies. If a customer harasses your staff and you’ve done nothing to prevent or respond to it, you’re liable.

“We don’t keep records of harassment complaints.” You must. Records demonstrate monitoring and action. No records = no evidence of “all reasonable steps.”

Sector-Specific Considerations

Hospitality and retail: High-turnover, customer-facing roles face the highest harassment risk — from customers, from shift patterns that create tension, from tipping disputes or service complaints. Your risk assessment should specifically identify customer harassment as a high risk and map preventive measures (staff support, clear escalation paths, backing staff in customer disputes, etc.).

Professional services and office-based: Lower turnover and more formal structures mean different risks. Harassment from colleagues is more relevant than customer harassment. Your risk assessment should consider hierarchy (harassment from senior to junior), isolated roles (lone workers), and any specific workplace dynamics.

Care and support services: Residents or service users may engage in harassment. Staff turnover is high. Your risk assessment needs to identify both client-related harassment and colleague-related harassment in a high-stress environment. Training needs to include how to handle harassment from vulnerable people appropriately.

What’s Next

October 2026 is Phase 2 of the four-phase cascade. Before October, Phase 1 (April 2026) will have already landed — day-one rights, SSP changes, statutory probation framework. The harassment duty arrives on top of that, along with extended tribunal time limits (three to six months). This combination — new duty + longer claims window — substantially increases both compliance and risk exposure.

Start on this now. Don’t wait until October. A well-documented harassment prevention programme takes time to build evidence for (training records, risk assessment, monitoring records). October will arrive faster than you expect.

For a full employment compliance assessment covering all four phases, including phase-by-phase action plans, Bartram HR screens your current position and delivers a prioritised roadmap. To stay informed about employment law changes and other regulatory updates, subscribe to our fortnightly newsletter.

And if harassment emerges as a pattern in your business — multiple complaints, specific roles affected, systemic issues — that’s the time to involve external support. ACAS offers free advice; a solicitor can help with specific cases. But prevention through policy, training, and documented monitoring is your best defence.

Free newsletter

Get insights like this fortnightly

UK compliance rules are changing fast. Our newsletter covers what changed, what's coming, and what it means for your business.

Subscribe →

Free, fortnightly, no spam. Unsubscribe any time.

Want to check your compliance?

Find out where you stand — and get a prioritised action plan.

Screen your HR compliance →

More from this hub

Day-One Employment Rights — What Changes in April 2026

From April 2026, key employment rights apply from day one. Here's what day-one rights mean for UK employers, what's actually changing, and what stays the same.

Read article →

Employment Compliance for Hospitality and Retail — Zero-Hours, Tips, and Day-One Rights

The Employment Rights Act 2025 reshapes hospitality and retail. Here's what changes for zero-hours, tips, day-one rights, and what your sector needs to do.

Read article →

How to Prepare for the Fair Work Agency

The Fair Work Agency launches in April 2026 with powers to investigate employers proactively. Here's what it does, what it can check, and how to prepare.

Read article →