We had a fantastic response to our recent webinar on sexual harassment and the Employment Rights Act, with hundreds of questions from employers, HR teams, compliance professionals and managers preparing for the October 2026 changes.
Many of the questions focused on the same practical challenge: what does it actually mean to take “all reasonable steps” to prevent sexual harassment, and how can an organisation show that it has done enough?
During the webinar, we covered the legal changes, risk assessments, third-party harassment, training, reporting routes, manager responsibilities and evidence. But there were far more questions than we could answer live.
So we have pulled together the key questions from the session and answered them here. There are a lot, so you might find this more of a useful resource to do CNTRL+F and search for the keywords you are most interested in. Ultimately, the focus is practical: what employers should be thinking about now, how to approach the new standard, and how to build a defensible, risk-based sexual harassment prevention programme ahead of October 2026.
You can also listen again to the webinar or send to a colleague.
Does “all reasonable steps” mean employers must check every employee’s criminal record for sexual offence history?
No. The duty to take all reasonable steps does not create a blanket obligation to carry out criminal record checks on all employees. In many cases, that would be disproportionate, and for higher-level checks it may not be legally available unless the role is eligible.
Criminal record checks should be considered on a role-by-role basis. They may be necessary or appropriate for roles involving children, vulnerable adults, regulated activity, safeguarding responsibilities, or other high-risk work. For ordinary office roles, a blanket criminal record screening programme is unlikely to be required simply because of the sexual harassment prevention duty.
Employers also need to be careful about data protection, rehabilitation of offenders rules, and fairness. Criminal record data is sensitive, and employers should only collect it where they have a lawful and proportionate reason to do so.
So the safer answer is this: criminal record checks can be part of a wider control framework for particular roles, but they are not a universal requirement. The core obligation remains to assess the actual harassment risks in the organisation and put proportionate controls in place.
If we run events, should we add signage asking for responsible behaviour from third parties?
Yes, signage can be a useful reasonable step, especially at events where staff interact with guests, delegates, clients, contractors or members of the public.
It should be framed as a clear behavioural standard, not just a generic wellbeing message. For example, it can say that staff and attendees must be treated with respect, harassment will not be tolerated, and concerns can be reported to a named person, helpdesk or event team.
Signage will not be enough on its own. It should sit alongside other controls, such as event joining instructions, conduct wording in invitations, staff briefings, manager escalation routes, alcohol risk management, and a process for removing or challenging someone who behaves inappropriately.
The main value of signage is that it makes expectations visible to third parties and supports staff if they need to report or escalate poor behaviour.
How do you address a concern if it is reported anonymously?
Anonymous reports should still be taken seriously. The employer should record the concern, assess the information available, and consider whether there is an immediate safety risk, a pattern of behaviour, or enough detail to take further action.
The limitation is that you may not be able to speak directly to the person who raised it, clarify details, or understand what outcome they want. If the reporting system allows two-way anonymous communication, the employer should use that to ask careful follow-up questions and explain what may happen next.
If there is enough information, the employer can investigate or take proportionate action. If there is not enough information for a formal investigation, the report can still justify other steps, such as monitoring, reminding staff of expected standards, reviewing supervision, checking previous concerns, or strengthening controls in a particular team or location.
The key point is that anonymity should not be treated as a reason to do nothing. It may limit what can be done, but the employer still needs to make a reasoned, documented decision and consider whether there is a wider workplace risk.
Do we need a separate sexual harassment risk assessment for every site, or can we do divisional assessments?
You do not necessarily need a completely separate risk assessment for every individual site, but the assessment must be specific enough to reflect the real risks in each working environment.
A divisional approach can be sensible. For example, one assessment for care, one for education and one for corporate teams may work if those divisions have distinct risk profiles and the assessment properly considers the different people, places and activities involved.
However, you should still check whether particular sites have additional local risks. Children’s homes, schools and central offices are likely to have very different exposures, including safeguarding considerations, third-party contact, lone working, parents or visitors, shift work, pupils, residents, contractors and office-based interactions.
A good approach is to use a consistent central framework, then add divisional or site-specific sections where the risks differ. The key is that the organisation can show it has looked at the actual environment, not just produced a generic group-wide document.
What if the incident happens outside working hours at a social event the company did not organise?
It does not automatically fall outside the employer’s responsibility. The question is whether there is a sufficient connection with work.
If it is a purely private social event, organised independently, not encouraged by the employer, not linked to work and not involving work-related power dynamics, the employer may have less direct responsibility. However, if the people involved are colleagues, the conduct affects the workplace, there is a senior-junior relationship, the event follows on from a work event, or the issue creates an ongoing risk at work, the employer may still need to act.
The practical response should be to assess the connection with work and the current workplace risk. That may include supporting the person affected, considering whether the employees need to be separated, preserving relevant evidence, preventing retaliation, and deciding whether an internal investigation or disciplinary process is appropriate.
So the same rules do not apply automatically to every private social situation. But employers should not dismiss a concern simply because it happened outside working hours. If the conduct has a work connection or workplace consequences, it should be handled seriously and proportionately.
Do you need a standalone sexual harassment policy, or can it be part of a broader anti-bullying and harassment policy?
The law does not prescribe one exact policy format. So in principle, sexual harassment can be covered within a broader anti-bullying, dignity at work or anti-harassment policy.
However, the sexual harassment section needs to be clear, specific and substantial. It should not be buried in a general policy or dealt with in a few generic lines. It should explain what sexual harassment means, give practical examples, set out reporting routes, cover victimisation and confidentiality, explain how concerns will be handled, and address third-party harassment by clients, customers, contractors or members of the public.
From a compliance perspective, a standalone sexual harassment policy is often the stronger approach because it is easier to communicate, easier to train on, and easier to evidence if challenged. But the real test is whether employees can understand the standards, know how to report concerns, and whether the employer can show it has taken the issue seriously in practice.
Does the new law apply to employees who work outside the UK?
The Employment Rights Act and Equality Act framework is Great Britain law, so it does not automatically apply to every person working overseas simply because the employer has a UK connection.
However, employees working outside the UK may still be covered where their employment has a sufficiently strong connection with Great Britain. Relevant factors can include where the employee is based, whether the overseas work is temporary or permanent, where the employer is based, who manages the employee, what contract applies, where they are paid, and whether they normally work in Great Britain but travel overseas for work.
Employers also need to consider the local law of the country where the person is working. In many cases, both local employment law and GB compliance standards may be relevant.
Employers should not exclude overseas staff from sexual harassment prevention measures. If employees travel abroad, work at overseas client sites, attend international conferences, or work remotely from another country, those situations should be included in the risk assessment. The employer should apply clear standards, reporting routes, manager guidance and third-party controls, while taking local legal advice where needed.
When might a sexual harassment or sexual assault case go to tribunal, and what evidence can support an internal investigation?
A case may go to an employment tribunal if the person believes their employer has breached employment or equality law, for example by failing to prevent sexual harassment, failing to respond properly to a complaint, victimising them for raising it, or dismissing or treating them unfairly afterwards.
A tribunal is different from a criminal court. Sexual assault may be a criminal offence, and that is a matter for the police and criminal justice system. But the same incident may also form the basis of an employment tribunal claim if it happened in a work context and the employer’s response is being challenged.
For an internal investigation, useful evidence can include contemporaneous notes of what happened, dates, times, locations, names of witnesses, messages, emails, screenshots, call logs, social media messages, meeting notes, reports already made to managers or HR, and any relevant CCTV or access records. The person should keep evidence safely and avoid deleting anything relevant.
Employers should also preserve evidence once a concern is raised. That means securing relevant messages, emails, CCTV, witness accounts and investigation notes, while handling everything confidentially and in line with data protection requirements.
The key point is that a person does not need a perfect evidence file before raising a concern. The employer still has a duty to take the complaint seriously, investigate fairly and decide what action is appropriate based on the evidence available.
If an employee raises a sexual harassment complaint, is it a grievance or whistleblowing?
It can be either, or both. The employee does not have to use the right label for the employer to handle it properly.
A grievance is usually a complaint about how the employee has been treated and what they want the employer to do about it. A whistleblowing disclosure is about reporting wrongdoing, and from 6 April 2026 sexual harassment can be a qualifying disclosure for whistleblowing purposes where the legal tests are met.
So the employer should look at the substance of what has been raised, not just the heading on the email or form. If the employee is complaining about sexual harassment they experienced, it may be handled under the grievance or harassment procedure. If they are raising wider concerns, such as a senior person harassing staff, a pattern of behaviour, cover-up, unsafe reporting routes or risk to others, it may also need to be treated as a whistleblowing disclosure.
The safest approach is to triage it at the outset: acknowledge the concern, clarify what outcome the employee is seeking, explain the process being followed, consider whether whistleblowing protections may apply, and make sure there is no retaliation or detriment. Even where the organisation handles it through the grievance process, it should not ignore the possibility that whistleblowing protection is also engaged.
Does the Employment Rights Act apply only to sexual harassment, or to all forms of harassment?
It depends which obligation we mean.
The proactive duty to take “all reasonable steps” is specifically about preventing sexual harassment. So that part of the Employment Rights Act is not a general duty to prevent every form of harassment across all protected characteristics.
However, the third-party harassment provisions are broader. From 1 October 2026, employers can be liable where an employee is harassed by a third party, such as a client, customer, contractor or service user, and the employer failed to take all reasonable steps to prevent it. That third-party harassment liability is not limited to sexual harassment. It can apply to harassment related to other protected characteristics as well.
So if you are designing compliance controls, you need to separate the two points. Your sexual harassment prevention programme must meet the all reasonable steps standard. But where staff face third-party contact, your risk assessment and controls should also consider wider harassment risks, including race, disability, religion, sex, sexual orientation, age and other protected characteristics.
What happens if both parties claim sexual harassment against each other?
The employer should not assume the complaints cancel each other out, or that one must automatically be false. Each allegation should be treated seriously, assessed on its own facts, and handled through a fair and impartial process.
In practice, the employer should identify the issues clearly, decide whether the complaints should be investigated together or separately, preserve relevant evidence, speak to both parties and any witnesses, and make findings based on the evidence available. It may also be necessary to put temporary measures in place, such as separating the employees, changing reporting lines or limiting contact while the matter is reviewed.
The employer should also be alert to victimisation or retaliation. A counter-allegation may be genuine, but it could also be used to intimidate or undermine someone who has raised a concern. That should not be assumed either way; it should be tested carefully through the investigation.
The key is neutrality, documentation and proportionality. Both parties should be treated fairly, both should be protected from retaliation, and the employer should reach evidence-based conclusions rather than trying to resolve the matter informally because it is complicated.
If we train on sexual harassment, do we also need wider harassment training for third-party harassment?
Training on sexual harassment is a key reasonable step for the specific preventative duty on sexual harassment. However, third-party harassment is broader. From October 2026, employers can be liable for harassment by clients, customers, suppliers or other third parties, and that liability is not limited to sexual harassment.
So if employees face third-party contact, the training and controls should reflect the actual risks. For example, customer-facing staff may need guidance not only on sexual harassment by customers, but also on harassment related to race, disability, religion, age, sexual orientation or other protected characteristics.
That does not mean every employer must run a long separate course on every form of harassment. But if the risk assessment shows that staff are exposed to third-party harassment more broadly, the employer should address that risk through proportionate training, clear reporting routes, escalation procedures, customer or client standards, and manager guidance.
So the answer is not that lack of general harassment training automatically means you have failed. The risk is that if broader third-party harassment is foreseeable and your programme only covers sexual harassment, there may be a gap in your “all reasonable steps” defence.
What is the difference between sexual harassment and sexual assault, and does an employer have to report a crime to the police?
Sexual harassment is primarily an employment and equality law concept. Under the Equality Act, it means unwanted conduct of a sexual nature which has the purpose or effect of violating someone’s dignity, or creating an intimidating, hostile, degrading, humiliating or offensive environment. It can include comments, messages, images, gestures, unwanted attention or physical behaviour.
Sexual assault is a criminal offence. In England and Wales, it generally involves intentional sexual touching without consent and without a reasonable belief in consent. Scotland has its own sexual offences legislation, so the exact criminal definition depends on jurisdiction.
The two can overlap. A sexual assault at work may also be sexual harassment for employment law purposes, but the employer should treat the potential criminal element separately and carefully.
If someone says they have been sexually assaulted or raped at work, Acas says the employer should talk to them about whether they intend to report it to the police, encourage them to report it without pressure, and support them if they choose to do so. If they decide not to report it, the employer should generally respect that decision.
That said, there may be situations where the employer needs to take further advice or act without the individual’s agreement, for example where there is an immediate safety risk, a safeguarding concern involving a child or vulnerable adult, a continuing risk to others, or another legal or regulatory reporting obligation. In an emergency or where someone is in immediate danger, the police should be contacted.
The employer may also still need to take internal steps, even if the matter is or may become a police matter. That could include safeguarding the person affected, separating employees where proportionate, preserving evidence, preventing retaliation, and deciding whether an internal investigation can proceed without prejudicing any criminal process. The key is to support the individual, respect their wishes where possible, and get legal or safeguarding advice in serious cases.
Could reasonable steps include CCTV in public spaces such as lifts or workplace gyms?
Yes, CCTV could be a reasonable control in some settings, but it should not be treated as an automatic answer. The employer would need to show that CCTV is necessary, proportionate and linked to a real risk identified in the sexual harassment risk assessment.
For example, CCTV in reception areas, corridors, lifts, car parks or other shared spaces may be easier to justify where there are safety, security or harassment risks. A gym may be more sensitive because people have a higher expectation of privacy, so the employer would need to think carefully about where cameras are placed and why. CCTV in toilets, showers or changing areas would be very difficult to justify and should generally be avoided.
If CCTV is used, the employer also needs to comply with data protection requirements. That means having a lawful basis, clear signage, a CCTV policy or privacy notice, limited access to footage, appropriate retention periods, and a documented assessment of privacy impact.
So the answer is yes, CCTV can form part of the control framework, but only where it is risk-based, proportionate and privacy-compliant. It should sit alongside other controls such as reporting routes, supervision, staff communications, manager escalation and clear behavioural standards.
What responsibility do employers have for contractors working on their premises?
Contractors should be treated as part of the organisation’s third-party risk assessment. That does not automatically mean you must train every contractor in the same way as your own employees, but you do need proportionate controls.
At a minimum, contractors working on site should be made aware of your standards of behaviour, reporting routes and the fact that harassment will not be tolerated. For higher-risk or regular contractors who are there for extended periods of time, it may also be reasonable to check what training and policies their employer has in place, include harassment expectations in contracts or site rules, and make clear how concerns will be escalated between organisations.
The practical point is that an employer cannot ignore contractors simply because they are not employees. If they are working on your premises and interacting with your staff, the risk is foreseeable and should be managed.
Is standard staff training enough for line managers?
Usually, no. All staff should understand what sexual harassment is, how to report it, and what standards of behaviour are expected. Line managers need an additional layer because they are often the first people employees speak to when something has gone wrong.
That training should cover how to receive a disclosure, what to record, when to escalate, the limits of confidentiality, how to avoid victimisation, how to preserve evidence, and how to support the employee without prejudging the outcome.
It does not always need to be a long separate course, and what is reasonable will depend on the organisation and the manager’s role. But if managers supervise people, handle concerns, manage third-party contact, or are involved in investigations, standard awareness training alone is unlikely to be enough.
What obligations apply in co-working spaces where people from different organisations work together?
In shared or collaborative working spaces, each employer remains responsible for protecting its own staff. The fact that the risk comes from people employed by another organisation does not mean it can be ignored. It should be treated as a third-party harassment risk.
The reasonable steps will depend on the level of control and the nature of the arrangement. For occasional contact, it may be enough to make behavioural expectations clear and ensure staff know how to report concerns. For regular shared working, employers should consider stronger controls, such as shared site rules, contractual wording, induction materials, named escalation contacts, and an agreed process for handling complaints between organisations.
The important point is coordination. If multiple organisations are sharing a workspace, there should be clarity on expected standards, reporting routes, who investigates what, and how immediate safeguarding steps will be taken. Employers do not have to control every person in the building, but they do need to show they recognised the risk and put proportionate arrangements in place.
How should all reasonable steps apply to social events that take place out of office hours?
Work-related social events should be included in the employer’s sexual harassment risk assessment, even if they take place outside normal working hours or away from the office. If the event is organised, funded, encouraged or connected to work, the employer should assume that workplace conduct standards still apply.
That does not mean employers have to stop social events or remove all risk. It means they should take proportionate steps based on the event. That may include reminding staff beforehand about expected behaviour, making clear that harassment will not be tolerated, managing alcohol-related risks, ensuring managers understand their responsibilities, considering travel or late-night arrangements, and making sure people know how to report concerns after the event.
The key point is foreseeing risk. Social events, alcohol, senior-junior dynamics, travel, hotels and after-parties can all increase risk. If those risks are foreseeable, they should be planned for and documented as part of the employer’s wider approach to all reasonable steps.
What specific steps could be taken in a male-dominated construction business?
A construction business should start with a site-specific risk assessment. The risks may include isolated areas of the site, welfare facilities, travel to and from site, overnight work, subcontractor interaction, agency workers, apprentices, and a culture where inappropriate comments are dismissed as “banter”. It is also important to recognise that just because a business or specific site is primarily dominated by one sex does not mean sexual harassment cannot happen or is less likely. Unwanted conduct of a sexual nature can also take place between members of the same sex.
Reasonable steps could include clear site rules, induction messages for employees and subcontractors, supervisor training, visible reporting routes, and a clear escalation process if behaviour crosses the line. Contracts and site agreements should also make clear that harassment by subcontractors, clients or visitors will not be tolerated.
The key point is that training needs to be practical for the environment. A generic office-based module may not be enough. Workers and supervisors need examples that reflect site life, power dynamics, contractor relationships and the realities of operational work.
Is once-a-year sexual harassment training enough?
Annual training may be enough for some lower-risk employees, but it should not be treated as automatically sufficient. The right frequency depends on the organisation’s risk assessment, the nature of the work, the workforce, and whether there have been incidents, complaints or changes in the business.
For higher-risk roles, such as managers, customer-facing staff, lone workers, night workers, apprentices or employees attending work events and business travel, more regular or more targeted training may be reasonable. That could include refresher modules, toolbox talks, manager briefings, scenario-based sessions or reminders before higher-risk events.
The important point is that training should be current, relevant and effective. Employers should be able to show not just that training happened once a year, but that it matched the risks in the organisation and was updated when needed.
What extra mechanisms should be considered when staff work directly with people with disabilities or people with mental health challenges?
Employers should include this in their risk assessment, but with care. The starting point should not be an assumption that disabled people or people with mental health conditions are inherently a risk. The assessment should focus on the actual work being done, the setting, the level of one-to-one contact, communication needs, safeguarding issues, and whether staff may be exposed to inappropriate behaviour from service users, patients, clients or members of the public.
Reasonable controls might include clearer behavioural expectations, staff training on boundaries and de-escalation, accessible reporting routes, lone-working procedures, buddy systems, escalation plans, safeguarding referral routes, and guidance on when to involve managers, carers, clinicians or other responsible professionals.
The employer should also consider reasonable adjustments and communication needs on both sides. A disability or mental health issue does not mean harassment has to be tolerated, but the response may need to be proportionate, sensitive and informed by safeguarding, professional standards, health and safety considerations.
How should employers define and assess what counts as sexual harassment?
Start with the legal definition. Sexual harassment is unwanted conduct of a sexual nature which has the purpose or effect of violating someone’s dignity, or creating an intimidating, hostile, degrading, humiliating or offensive environment for them.
In practice, employers should explain this through clear examples in policies and training. That should include comments, messages, images, jokes, gestures, unwanted attention, inappropriate questions, physical conduct, online behaviour and conduct at work-related events.
The important point is that intent is not the only issue. Someone may say they meant it as a joke, but the question is also how the conduct affected the person experiencing it, and whether it was reasonable for it to have that effect in the circumstances.
Employers should therefore train managers and staff to recognise both obvious and less obvious forms of sexual harassment, and to escalate concerns rather than dismissing them as banter, misunderstanding or personality conflict.
What practical steps can employers take to reduce third-party harassment risks during business travel and meetings abroad?
Business travel and overseas meetings should be included in the sexual harassment risk assessment, especially where employees are meeting clients, suppliers, partners or other third parties away from the normal workplace.
Practical controls could include pre-travel guidance, clear behavioural expectations for employees and third parties, a code of conduct for meetings or events, named contacts for escalation, check-in arrangements, safe travel and accommodation planning, and guidance on alcohol, socialising and late-night meetings. Where appropriate, employers can also include conduct expectations in invitations, agendas, supplier terms or client communications.
For higher-risk travel, it may be reasonable to avoid lone meetings, arrange buddy systems, ensure staff have access to support while abroad, and agree in advance what should happen if a client, guest or other third party behaves inappropriately. That might include ending the meeting, removing the employee from the situation, changing the account contact, or escalating the issue to the other organisation.
The employer will not control every aspect of an overseas environment, and local laws may also be relevant. The key compliance point is to show that the risk was foreseeable, assessed and managed through proportionate controls before the travel or meeting took place.
If “all reasonable steps” is subjective, how can employers know they are doing enough?
There is no single universal checklist that guarantees compliance. The standard is contextual, so what is reasonable will depend on the employer’s size, sector, resources, working environment and risk profile.
The best way to manage that uncertainty is to take a structured approach: assess the risks, decide what controls are proportionate, implement them, document the reasons for those decisions, and keep the position under review. Existing Acas and EHRC guidance are also important benchmarks, even while further guidance and regulations develop.
Do we need to risk assess guests invited to meetings and conferences, and do we have the same responsibility for them as we do for staff?
Not in exactly the same way. Your primary employment law duty is to protect your own employees and workers. However, invited guests, speakers, clients, delegates and conference attendees should be treated as a third-party harassment risk where they interact with your staff.
That does not mean individually risk assessing every guest as a matter of routine. Usually, the focus should be on the event, the setting and the type of interaction. For example, consider whether there will be alcohol, evening networking, one-to-one meetings, travel, senior-junior dynamics, overnight stays or previous concerns about particular attendees.
Reasonable controls could include event conduct expectations, wording in invitations or joining instructions, a named contact for concerns, briefing staff and hosts, clear escalation arrangements, and the ability to remove or challenge a guest if necessary.
So the responsibility is not identical to the responsibility owed to employees, but employers should still plan for the risk. If guests are invited into a work-related setting, and staff are exposed to them as part of their work, that risk is foreseeable and should be managed. Probably the best step is to have a clear reporting route if there was an incident, and enable someone who may feel uncomfortable in a one to one situation to have an additional colleague present.
What should employers consider when protecting a dispersed workforce?
For a dispersed workforce, the risk assessment should look beyond the main office. Employers need to consider home working, regional sites, client premises, travel, lone working, digital communication, team messaging platforms, online meetings and work-related social events.
The main risk is that misconduct or warning signs may be less visible. Managers may not see changes in behaviour, exclusion, inappropriate messages, or problems developing in isolated teams. That means reporting routes, manager check-ins and staff communications become especially important.
Reasonable steps could include clear guidance on online conduct, reminders that harassment rules apply in digital spaces, accessible reporting channels, regular manager contact, training tailored to remote and travelling staff, and specific controls for client visits or lone working.
The key point is that dispersed work should not mean dispersed responsibility. Employers still need to understand where their people are working, who they are interacting with, and how concerns will be raised and acted on.
How can employers encourage people to report sexual harassment without fearing job loss, retaliation or being seen as “having it in” for someone?
The starting point is trust. Employers need to make clear, repeatedly and in practical terms, that reporting sexual harassment is encouraged, that victimisation or retaliation will not be tolerated, and that concerns raised in good faith will be taken seriously.
That has to be backed up by process. Staff should have more than one reporting route, including options outside the line manager chain, and managers should be trained to receive concerns calmly, record them properly and escalate them without judgment.
Confidentiality should be explained honestly. Employers should not promise absolute confidentiality, because some issues may need to be investigated or escalated, but they can commit to handling information sensitively and only sharing it with those who need to know.
The biggest confidence-builder is consistency. If people see concerns dismissed, delayed or turned against the person who reported them, they will not trust the system. If they see fair handling, protection from retaliation and appropriate action, reporting becomes much safer in practice.
Is there a time limit for raising historic sexual harassment concerns?
Internally, there should not be an arbitrary cut-off. If someone raises a historic concern, the employer should still take it seriously, record it, assess whether there is any current risk, and decide what proportionate action is possible.
That does not mean every old allegation can be investigated in the same way as a recent incident. Evidence may be harder to obtain, witnesses may have left, and memories may have faded. But historic does not mean irrelevant, especially if there is a pattern, a continuing risk, or the same person is still in the organisation.
For tribunal claims, strict legal time limits apply. In most sexual harassment cases, the current time limit is usually three months less one day from the most recent act complained of, subject to Acas early conciliation and the tribunal’s discretion to extend time where it considers it just and equitable. This is expanding to six months under the Employment Rights Act. Employers should therefore avoid giving definitive limitation advice and should encourage individuals to seek advice promptly if they are considering a claim.
Is what counts as reasonable different for small non-profits?
Yes, proportionality matters. A small non-profit will not usually be expected to have the same systems, budget or HR infrastructure as a large employer. Size, resources, sector and risk profile are all relevant when deciding what is reasonable.
However, being small or non-profit does not remove the duty. Small organisations still need to take reasonable steps to prevent sexual harassment, including having clear standards of behaviour, reporting routes, appropriate training or briefing, and a way to respond to concerns.
The risk profile may also be higher in some non-profits, for example where staff work with volunteers, service users, beneficiaries, donors, trustees or members of the public. So the main thing to consider is “what risks exist in the way we work, and what proportionate steps can we take to manage them?”
How should employers adapt their approach for an exclusively male factory floor?
An exclusively male workforce should not be treated as low risk. Sexual harassment can happen between men and should be treated just as seriously as harassment between men and women. In a single-sex environment, the risk may also be easier to minimise or dismiss as banter, initiation, joking, horseplay or part of the workplace culture.
The starting point should be a risk assessment that reflects the actual working environment. That might include shift patterns, changing areas, isolated parts of the site, supervisor-worker power dynamics, agency workers, apprentices, subcontractors, and the way people communicate on the factory floor or in messaging groups.
Practical steps could include clear examples in training of male-to-male sexual harassment, supervisor briefings, visible reporting routes, and a clear message that humiliating, sexualised or intimidating behaviour is not acceptable regardless of the sex of the people involved.
The key point is that a male-only workplace still needs a serious prevention strategy. Employers should not assume sexual harassment risk only exists where men and women work together.
How can we best communicate to clients and contractors that we are taking all reasonable steps to prevent sexual harassment?
The safest approach is to communicate clear standards, rather than simply declaring that you have taken “all reasonable steps.” Clients and contractors should understand what behaviour is expected, what is not acceptable, and what will happen if concerns are raised.
That can be done through contract clauses, supplier codes of conduct, visitor rules, event joining instructions, onboarding materials, site inductions and clear notices in public-facing environments. The wording should make clear that harassment of staff will not be tolerated, that concerns can be reported, and that the organisation may take action such as raising the issue with the client or contractor, removing someone from site, changing working arrangements, or ending access to services or premises where appropriate.
For regular clients or contractors, it is also sensible to have named escalation contacts on both sides and an agreed process for handling concerns. The aim is to show that third-party harassment has been anticipated, communicated and built into the way the relationship is managed.
How does the law apply to a charity with fewer than 50 employees, and does responsibility extend to volunteers?
The duty applies to small charities as well as larger employers. There is no exemption just because an organisation has fewer than 50 employees. However, what is reasonable will be proportionate to the charity’s size, resources, structure and risk profile.
A small charity may not need the same systems as a large employer, but it should still have clear standards of behaviour, reporting routes, appropriate training or briefing, and a process for responding to concerns.
Volunteers need careful treatment. Pure volunteers may not always have the same employment law status as employees or workers, so their individual legal rights may differ. However, from a risk management perspective they should still be included in the charity’s approach. Volunteers may interact with employees, service users, beneficiaries, trustees, donors and members of the public. They may be affected by harassment, witness it, or be the source of risk themselves.
So the safest approach is to include volunteers in the policy, induction, reporting routes and behavioural standards. Even where the strict legal duty is framed around employees and workers, a charity should not leave volunteers outside the prevention framework.
Should an employee be automatically dismissed if they admit to sexual harassment?
Not automatically. Sexual harassment may amount to gross misconduct, and dismissal may be appropriate in serious cases. However, the employer still needs to follow a fair process, consider the facts, assess seriousness, and give the employee an opportunity to respond before deciding on the outcome.
Relevant factors may include what was admitted, the nature of the conduct, the impact on the complainant, whether there was a power imbalance, whether there was repetition, whether the conduct was deliberate, and whether there are any mitigating circumstances. The employer should also consider its own disciplinary policy and how similar cases have been handled.
Employers should be careful to avoid being overzealous. A rushed dismissal without proper investigation or process can create its own tribunal risk, including unfair dismissal risk. The correct approach is firm, fair and proportionate: take the matter seriously, protect those affected, investigate properly, and decide on an outcome that is justified by the evidence and seriousness of the conduct.
What is necessary for a small company with fewer than 10 employees?
Small employers are still covered by the duty. There is no exemption because the business has fewer than 10 employees. However, what is reasonable will be proportionate to the size, resources and risk profile of the organisation.
For a very small company, the essentials are likely to include a clear sexual harassment policy or written standard, basic but effective training or briefing for all staff, a named route for raising concerns, a process for responding to complaints, and a simple risk assessment that identifies where problems could arise.
The business should also keep records. That might include the risk assessment, notes of training or briefings, policy communications, and any action taken if a concern is raised.
A small employer does not need a large-company HR system, but it does need to show that it understood the risk, communicated expectations clearly, gave people a safe way to report concerns, and acted promptly if something went wrong.
How should employers train and implement this with a workforce that is 100% remote?
A fully remote workforce still needs a sexual harassment prevention programme. The risk may look different from an office environment, but it does not disappear. In remote teams, harassment may happen through messaging platforms, emails, video calls, social media, online meetings, informal chat channels, virtual socials, or one-to-one digital communication.
The risk assessment should therefore focus on how people actually interact. That includes Teams or Slack messages, private chats, late-night communication, screen-sharing, online comments, exclusion from digital spaces, remote supervision, and any client or third-party contact.
Training s should include examples of remote and digital harassment, explain expected standards of online behaviour, and make clear that workplace rules apply even when people are working from home.
Managers also need specific guidance. In remote teams, warning signs can be harder to spot, so managers should understand how to receive disclosures, hold regular check-ins, escalate concerns, preserve digital evidence, and avoid dismissing issues as informal online banter.
The key point is that remote working changes the risk profile. It does not reduce the employer’s responsibility to assess the risk, communicate standards, provide reporting routes, train staff and act when concerns are raised.
In large public sector organisations, what is considered reasonable in terms of cost, training and communications?
For a large public sector organisation, the expectation will usually be higher than for a small employer. Reasonableness is still proportionate, but size, resources, workforce complexity and public-facing responsibilities all matter.
That does not mean unlimited spending or training everyone constantly. It means the organisation should be able to justify that its approach matches its risk profile. A large organisation would usually be expected to have documented risk assessments, clear policies, accessible reporting routes, regular staff training, manager-specific training, communications campaigns, and controls for third-party risks involving service users, contractors or the public.
Cost is relevant, but it is unlikely to be a complete answer if a reasonable and practical control was available. The better approach is to record why certain measures were chosen, why others were not proportionate, and how the organisation keeps the position under review.
For public sector bodies, visibility and consistency are especially important. Staff, managers, contractors, service users and the public should understand the expected standards of behaviour and how concerns can be raised.
Does training need to be solely about sexual harassment, or can it cover wider harassment and bullying?
It can be part of wider harassment, bullying or equality training, but sexual harassment must be covered clearly and specifically. Employers should not assume that a general respect-at-work module is enough if it only touches briefly on sexual harassment.
Training should explain what sexual harassment means, give practical examples, cover reporting routes, explain bystander responsibilities, and make clear how managers should respond to concerns. It should also reflect the organisation’s own risks, including third-party harassment, social events, online conduct, lone working or customer-facing roles where relevant.
So wider training can be useful, but the sexual harassment element needs to be visible, substantive and evidenced. If challenged, the employer should be able to show that staff and managers were trained properly on sexual harassment prevention, not just on workplace behaviour in general.
What is the best way to deliver training if people are not signing up to in-person sessions?
Online training can be an effective and defensible option, especially if it is delivered through an LMS. The important point is that the training is relevant, completed, understood and recorded.
An LMS gives you a clear evidence trail. You can show who was assigned the training, who completed it, when they completed it, whether reminders were sent, and whether there were knowledge checks or assessment results. That data can be very useful if you later need to demonstrate that training was actually delivered across the workforce.
The key is not the format alone. It is whether the training reaches the right people, reflects the risks in the organisation, and gives the employer evidence that staff and managers were trained properly.
Where is the line between reasonable and unreasonable?
There is no fixed line that applies to every organisation. Reasonableness depends on your risk profile, your sector, your size, your resources and the nature of the work being carried out.
The practical test is whether there was a further step available that the employer could reasonably have been expected to take. If the answer is yes, and that step was not taken, that is where the risk begins.
So organisations need to make their own assessment, but they should not treat that as a purely internal judgment.
They need to be able to explain why a control was adopted, why another control was not proportionate or practical, and how that decision was reviewed. The more foreseeable the risk, the harder it will be to argue that doing nothing, or doing only the basics, was reasonable.
How do you balance complainants not wanting to proceed with a formal process, but multiple pieces of evidence?
This is a difficult but common situation. The starting point is to respect the individual’s wishes and not force them into a formal process if they do not want that. At the same time, the employer cannot simply ignore credible information, especially if there may be a continuing risk to that person or to others.
The right approach is to record what has been disclosed, confirm what the individual does and does not want to happen, explain the limits of confidentiality, and then carry out a proportionate risk assessment.
If there are multiple pieces of evidence, previous concerns, witnesses, messages, or a pattern involving the same person, the organisation may need to take action even without a formal grievance.
That action does not always mean launching a full disciplinary process immediately. It may mean closer monitoring, separating individuals, seeking specialist advice, or commissioning an independent investigation if the risk is serious. The important point is that the employer makes a reasoned, documented decision, supports the person who raised the concern, and does not allow informal status to become an excuse for inaction.
What reasonable steps can employers put in place to prevent harassment by clients, customers and other third parties?
Reasonable steps will depend on the nature of the business and the type of third-party contact involved. The starting point is to identify where employees are exposed to clients, customers, patients, service users, suppliers, contractors or members of the public, and then put controls around those situations.
In practice, that can include clear policy wording that harassment by third parties will not be tolerated, visible communications to clients or customers, contractual clauses with clients and suppliers, and a clear escalation route when a third party behaves inappropriately.
For public-facing or higher-risk roles, the steps may need to be more operational. That could include lone-working procedures, buddy systems, security arrangements, alarms, better lighting or layout, or clear authority for managers to warn, remove or ban customers where necessary.
The important point is that employers should not treat third-party harassment as unpredictable simply because the harasser is outside the organisation. If third-party contact is part of the work, the risk is foreseeable, and the employer needs to show that it planned for it.
What evidence should an employer keep to show it has taken all reasonable steps?
Training records are important, but they are only one part of the evidence. An employer should be able to show the full chain of prevention: what risks were identified, what decisions were made, what controls were put in place, who was trained, how reporting routes were communicated, and how concerns were handled.
In practice, that means keeping copies of documents like risk assessments, action plans, policy updates, training records, manager guidance, staff communications, investigation records and things like that. The point is to show a logical, active and documented process. A tribunal or regulator will want to see whether the employer understood the risk, acted on it, checked whether the controls were working, and improved the system where needed.
How do you challenge senior leaders without creating defensiveness, and what works beyond training to sustain behaviour change?
The most effective approach is to frame this as governance, risk and culture, rather than as a personal criticism of individual leaders. Senior leaders should understand that their behaviour sets the standard for the organisation, and that silence, inconsistency or informal tolerance of inappropriate conduct can undermine the whole prevention programme.
A useful way to approach this is through evidence: risk assessment findings, staff survey data, reporting trends, exit interview themes, case studies and tribunal risk. That makes the conversation less subjective and more focused on what the organisation needs to control.
Beyond training, behaviour change needs reinforcement. That can include leadership commitments, manager expectations, regular communications, clear consequences for misconduct, bystander intervention, anonymous reporting routes, culture surveys, and reviewing how concerns are handled in practice.
The key point is consistency. If senior leaders attend training but their conduct, decisions or tolerance of poor behaviour contradict the message, the programme will not be credible. Sustainable change comes from repeated signals that respectful behaviour is expected, monitored and enforced at every level.
How should employers deal with reluctant witnesses or cases where there is no concrete evidence?
Employers should not assume that a concern cannot be taken forward simply because a witness is reluctant or there is no single piece of decisive evidence. Workplace investigations often involve partial evidence, conflicting accounts and people who feel nervous about getting involved.
The first step is to handle witnesses carefully. Explain why their evidence may be important, reassure them that victimisation will not be tolerated, and make clear that information will be handled sensitively. At the same time, avoid pressuring them or promising complete confidentiality if the matter may need to be investigated.
Where there is no concrete evidence, the employer should still assess all available information: accounts from the complainant and respondent, witness evidence, messages, emails, CCTV where relevant, previous concerns, patterns of behaviour, and any surrounding circumstances. The decision should be based on the evidence available and the civil standard of the balance of probabilities.
If the evidence is not strong enough to make a finding, that should be recorded clearly. It does not mean the employer should do nothing. It may still be appropriate to remind teams of expected standards, monitor the situation, separate individuals where proportionate, offer support, or review whether wider controls need strengthening.
The key is to run a fair, documented and proportionate process, while protecting the complainant, witnesses and the integrity of the investigation.
Beyond policies and mandatory training, what evidence would an Employment Tribunal expect to see?
A tribunal is likely to look for evidence that the employer’s approach was active, risk-based and implemented in practice, not just written down.
That could include a sexual harassment risk assessment, records of how risks were identified, an action plan showing what controls were put in place, evidence of staff communications, manager-specific guidance, reporting routes, investigation procedures, and records showing how concerns were handled.
Where relevant, the employer should also be able to show that it considered higher-risk areas such as social events, business travel, online communications, lone working, customer-facing roles and third-party harassment.
The most important evidence is the logic connecting the risk to the action taken. If an employer can show that it identified foreseeable risks, took proportionate steps to address them, reviewed its approach after incidents or changes, and kept records of that process, it will be in a much stronger position than an employer relying only on a policy and annual training record.
Does “all reasonable steps” apply to harassment across all protected characteristics, or only sexual harassment?
For the preventative duty, the “all reasonable steps” requirement is specifically about preventing sexual harassment. It is not a general proactive duty to prevent harassment across every protected characteristic. Sexual harassment is specific and defined in law.
However, the third-party harassment change is broader. From October 2026, employers will be liable where a third party harasses an employee in the course of employment, unless the employer has taken all reasonable steps to prevent it. That applies to all forms of harassment covered by section 26 of the Equality Act, including harassment related to age, disability, gender reassignment, race, religion or belief, sex and sexual orientation.
So the short answer is: the new proactive prevention duty is focused on sexual harassment, but the new third-party harassment liability is broader and can involver protected characteristics.
You can also listen again to the webinar or send to a colleague.
