For over a decade, employers have had no direct statutory liability when customers, clients or contractors harass their staff. The Employment Rights Act 2025 changes that — and the obligations it creates are more demanding than the law it replaces.
| AT A GLANCE | |
| Legislation | Employment Rights Act 2025, amending the Equality Act 2010 |
| What changes | Positive duty on employers to prevent third-party harassment — all protected characteristics |
| Previous position | Third-party employer liability repealed by the Enterprise and Regulatory Reform Act 2013 |
| The standard | Employer must take “all reasonable steps” to prevent harassment by third parties |
| Enforcement | Employment tribunal claims; EHRC enforcement. |
| Who is affected | All employers — no minimum headcount threshold |
Why This Matters: A Law Returning With Greater Force
In October 2013, the Coalition Government repealed a provision of the Equality Act 2010 that held employers responsible when third parties harassed their employees. Section 40 of the Equality Act — which imposed liability after a pattern of at least three separate incidents — was removed by the Enterprise and Regulatory Reform Act 2013. With it went any direct statutory route for workers who were harassed by customers, clients, patients or members of the public.
The practical consequences were significant. Workers in customer-facing roles — retail assistants, hospitality staff, healthcare workers, social workers, teachers — were left without a clear statutory remedy unless the harassment crossed into criminal conduct or could be framed as a health and safety failure. Employers, meanwhile, could point to the absence of a specific legal requirement as a reason to deprioritise prevention.
That position is now ending. The Employment Rights Act 2025 reintroduces employer liability for third-party harassment in a substantially more demanding form than the regime it replaces. There is no three-incident threshold. The duty is positive and preventive. It applies across all nine protected characteristics under the Equality Act 2010 — not just sex. And it sits alongside the duty (concerning prevention of sexual harassment) already introduced by the Worker Protection (Amendment of Equality Act 2010) Act 2023, which has been in force since 26 October 2024.
Employers who have not yet addressed third-party harassment risk are operating in territory that will, when commencement takes effect, expose them to direct legal liability.
What the Employment Rights Act 2025 Actually Says
The ERA 2025 amends the Equality Act 2010 to reimpose employer liability for third-party harassment and to create a positive preventive duty. The key elements are as follows.
Reinstatement of employer liability
An employer will be liable where a third party harasses an employee in the course of their employment and the employer has failed to take all reasonable steps to prevent the harassment. This is a direct liability — the employer does not need to have been present or aware of the specific incident. Liability attaches to the systemic failure to prevent, not only to individual incidents.
The ‘all reasonable steps’ standard
The ERA 2025 provisions require employers to demonstrate they took all reasonable steps — mirroring the language used in the Worker Protection Act 2023 for the preventive duty in relation to sexual harassment. The distinction matters: ‘all reasonable steps’ sets a more demanding evidential bar than ‘reasonably practicable steps’.
Scope: all protected characteristics
Third-party harassment liability under the ERA 2025 applies across all nine protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation.
Relationship to the Worker Protection Act 2023
The WPA 2023, in force since 26 October 2024, imposed a positive duty to take reasonable steps to prevent sexual harassment — including by third parties. The ERA 2025 builds on this by extending the preventive duty beyond sexual harassment to all protected characteristics and creating a clearer statutory remedy. The two pieces of legislation are complementary. Compliance with one does not guarantee compliance with the other: employers who have addressed their WPA 2023 obligations must now extend that work across all protected grounds.
| There is no three-incident threshold. The duty is positive and preventive, and it applies to all nine protected characteristics. |
Who Is a ‘Third Party’?
The legislation does not limit its scope to customers and clients. A third party is any person who is not the employer or a fellow employee. In practice this covers a wide range of people that employees encounter in the course of their work:
- Customers, clients and service users — in any customer-facing environment, from retail to financial services
- Patients and their families — with particular relevance to health and social care settings
- Students and parents — in education contexts
- Contractors, consultants and agency workers not engaged as employees of the employer
- Delivery drivers, tradespeople and other visitors to the workplace
- Members of the public encountered in the course of work — housing officers, enforcement officers, outreach workers
- Online interlocutors — individuals who contact employees via work channels, email, or professional social media
The breadth of this definition is significant. Employers in every sector will have exposure, though the nature of the risk will differ sharply between, say, a professional services firm and a busy retail environment. The obligation is to think carefully about the specific third parties your employees encounter — and to address the risks that arise from each category.
| Sector spotlight: where third-party harassment risk is elevated |
| Retail and hospitality: customer-facing staff are at elevated risk, particularly in licensed premises or high-footfall environments where the employer has limited ability to control the conduct of those who enter. |
| Health and social care: staff working alone with patients, in residential settings, or in community care face significant exposure. Regulated employers should note the interaction with care quality and safe working standards. |
| Transport: drivers, conductors and customer service staff encounter large volumes of the public, often with limited ability to disengage from an escalating situation. |
| Education: teachers and support staff face harassment from students, parents, and members of the public in community-facing settings. The power dynamics involved require particular attention. |
| Financial and professional services: advisory staff handling complaints, debt recovery, or enforcement are routinely subjected to abusive conduct. Remote and telephone-based working adds a specific dimension to the risk. |
The Employer’s New Duty: What ‘All Reasonable Steps’ Means in Practice
The phrase ‘all reasonable steps’ imports a proportionality principle: what is reasonable will likely depend on the circumstances, such as the size and resources of the employer, the nature of the business, and the known risks faced by employees. A sole trader is likely to be not expected to implement the same framework as a national retailer with 50,000 employees. But every employer is expected to do something — and to be able to demonstrate what they have done is all the reasonable steps in their scenario.
The EHRC’s approach to the equivalent standard under the WPA 2023 provides useful guidance on the types of steps likely to be regarded as reasonable. Transposing that guidance to the third-party context, employers should treat the following as core components of their response:
Risk assessment
Identify the third parties your employees encounter, the environments in which they work, and the specific nature of the harassment risk. A risk assessment that expressly addresses third-party harassment — rather than being buried in a general health and safety review — will be an important piece of evidence if a claim is brought.
Policy and Contracts
An anti-harassment policy that expressly covers third-party conduct — defining what it is, how it should be reported, and what the employer will do in response — is a fundamental starting point. A policy that addresses only colleague-to-colleague harassment will not satisfy the new duty. The policy must be current, communicated, and enforced.
Training
Employees need to know what third-party harassment looks like, that they are entitled to be protected from it, and how to report it. Managers need to understand their obligations when incidents are reported to them. Generic harassment awareness training that does not address the third-party context is unlikely to be sufficient.
Operational safeguards
Depending on the sector and the risks identified, this may include physical measures such as CCTV, panic buttons, or two-person working policies; operational procedures such as protocols for handling abusive contacts and scripts for disengaging from escalating situations; or contractual provisions with clients or customers or suppliers including zero-tolerance clauses and rights to exclude perpetrators or terminate for abusive conduct.
Response procedures
When third-party harassment is reported, employers must have a clear process for investigating it, supporting the employee, and acting against the third party where appropriate. This includes mechanisms for excluding customers, terminating client contracts, reporting criminal conduct to the police, and supporting employees through any subsequent process.
Monitoring and review
Reasonable steps are not a one-time exercise. Employers should monitor reports, review incidents, assess whether their steps are working, and update their approach. A risk assessment conducted on day one but never reviewed will provide thin evidential cover in litigation three years later. Context changes, work and duties change, and with it comes a need to update risk assessments and review measures.
Enforcement, Compensation and EHRC Powers
Where an employer fails to take all reasonable steps to prevent third-party harassment and an employee suffers harassment by a third party as a result, the employee may bring a claim in the Employment Tribunal. There is no minimum service requirement. ACAS early conciliation remains a precondition to issuing proceedings.
What a tribunal can award
Compensation for harassment claims is uncapped. Awards typically comprise:
- Injury to feelings — assessed by reference to the Vento bands (currently: lower band £1,200 to £12,100 (less serious cases); a middle band of £12,100 to £36,400 (cases that do not merit an award in the upper band); and an upper band of £36,400 to £60,700 (the most serious cases), with the most exceptional cases capable of exceeding £60,700. These figures dating to March 2025 will be updated again shortly for 2026.
- Personal injury — where the harassment has caused identifiable psychiatric harm, with medical evidence.
- Aggravated damages — where the employer’s conduct has been high-handed, malicious or oppressive
EHRC enforcement
The EHRC retains its powers to investigate employers, issue unlawful act notices, and enter into legally binding agreements where it identifies systemic failures to comply with equality law. The ERA 2025 provisions, sitting within the Equality Act 2010 framework, fall squarely within scope. Employers in high-risk sectors should expect the EHRC to focus particular attention on third-party harassment compliance as the new provisions bed in — as it has already indicated it will do in the context of the WPA 2023 sexual harassment duty.
| Note on commencement |
| The third-party harassment provisions of the ERA 2025 require commencement by statutory instrument before they take legal effect. Not all provisions of the ERA 2025 commence simultaneously. Employers should monitor the Government’s commencement timetable closely and seek legal advice on the specific dates applicable to third-party harassment obligations. |
| This article reflects the provisions as enacted. It does not constitute legal advice. The EHRC is expected to publish updated guidance covering third-party obligations; employers should follow that guidance when it is issued. |
Key Dates and Implementation Timeline
| October 2013 | Section 40 Equality Act 2010 (third-party harassment liability) repealed by the Enterprise and Regulatory Reform Act 2013. Third-party statutory route removed. |
| 26 October 2024 | Worker Protection (Amendment of Equality Act 2010) Act 2023 comes into force. Positive duty to prevent sexual harassment — including by third parties — now applies to all employers. |
| 24 July 2025 | Employment Rights Act 2025 receives Royal Assent. |
| To be confirmed | Commencement of ERA 2025 third-party harassment provisions by statutory instrument. Phased implementation expected. Monitor Government announcements. |
| Ongoing | EHRC expected to publish updated Employer Code of Practice and technical guidance covering third-party obligations across all protected characteristics. |
| Now | Begin compliance preparation. Build your risk assessment, update policies, and brief managers. Acting before commencement is significantly less costly than acting after a claim. |
Ten Steps Every Employer Should Take Now
The following checklist reflects the minimum actions employers should consider in preparing for the ERA 2025 third-party harassment provisions. The appropriate steps for any given organisation will depend on its size, sector, and risk profile. Legal advice should be taken before treating this list as a complete compliance framework.
| EMPLOYER ACTION CHECKLIST | |
| 1 | Map your third-party landscape Identify every category of third party your employees encounter in the course of their work — customers, clients, patients, contractors, members of the public, online contacts. Be thorough. Risk you have not identified cannot be managed. |
| 2 | Conduct a dedicated risk assessment Carry out a third-party harassment risk assessment distinct from your general health and safety review. Document the risks identified, the environments involved, and your current controls. Date and sign it. An assessment records of past reports and incidents, complaints and claims, will enable an evidenced based approach, as well the use of employee surveys. Consider appointing a committee or individual to lead your organisation’s ongoing work to prevent harassment, assess risks and implement preventative steps. |
| 3 | Update your anti-harassment policy Review your existing policy and ensure it expressly addresses third-party conduct across all protected characteristics. A policy covering only colleague harassment will not satisfy the new duty. Ensure it is current and accessible. |
| 4 | Review your client and customer contracts Check whether your standard contracts include provisions permitting termination or exclusion for abusive or harassing conduct. Clauses setting out expectations of behaviour, training and compliance with legal obligations. Consider introducing them where they do not exist. |
| 5 | Update your training Revise your harassment training to include third-party scenarios relevant to your sector, and potentially different areas of your business / roles. Ensure managers understand their obligations when third-party harassment is reported to them. Record attendance and dates, and update employee training records. Build in refresher training. |
| 6 | Establish a clear reporting pathway Ensure employees know how to report third-party harassment, to whom, and what will happen when they do. Anonymous reporting should be considered for high-exposure environments. Test whether the route is genuinely accessible. |
| 7 | Create an operational response protocol Document the steps your business will take when a third-party harassment incident is reported: acknowledgement, investigation, support for the employee, action against the third party, and record-keeping. |
| 8 | Review physical and operational safeguards Assess whether your premises, staffing models and operational procedures adequately protect employees in practice. Lone working policies, CCTV coverage and communications protocols should be reviewed against the identified risks. |
| 9 | Monitor commencement and EHRC guidance Subscribe to EHRC and Government updates. The statutory Code of Practice will be the authoritative guide to what ‘all reasonable steps’ means in practice. Follow it when published. |
| 10 | Build and maintain your audit trail Your ability to defend a claim — or avoid EHRC enforcement — will depend on demonstrating what steps you took and when. Create a compliance record from now: dated documents, training logs, risk mitigation actions, incident reports, risk assessment reviews. |
In Summary
Third-party harassment is a compliance area that many employers have overlooked for over a decade. The absence of a specific statutory duty made it easy to treat as someone else’s problem — the police’s, or the individual manager’s, or the customer’s. The Employment Rights Act 2025 makes clear that it is the employer’s problem.
The duty it creates is positive and preventive: employers must act to prevent third-party harassment before it occurs, not just respond to it after the fact. The ‘all reasonable steps’ standard sets a demanding bar. And the compensation consequences of falling short — with a potential uncapped awards — provide a powerful financial incentive to take the obligation seriously.
The time to act is before commencement, not after a complaint has been received. Employers who begin building their compliance framework now — assessing their risks, updating their policies, training their managers, and strengthening their operational safeguards — will be in a substantially stronger position than those who wait.
| Need help preparing for the ERA 2025 changes? Our team can carry out a third-party harassment compliance review, update your policies, and help you design a training and reporting framework that meets the ‘all reasonable steps’ standard. We also deliver training for staff, with sector specific optionality. Contact us to arrange a confidential initial discussion. antiharassment.co.uk/contact |
Legal Disclaimer
The contents of this article are intended to be be for general information purposes only and do not amount to (nor are they intended to be) legal, tax or financial advice or a complete or authoritative statement of the law nor should they be treated as such. No warranty or promise is given, express or implied, as to accuracy of the information on this page and no liability is accepted for any error or omission. You should instruct a specialist employment solicitor to advise you on your particular situation and not act or rely on the information on this page.
