What changed in October 2024

The Worker Protection (Amendment of Equality Act 2010) Act 2023 received Royal Assent in October 2023 and came into force exactly one year later. It introduced a new section — s.40A of the Equality Act 2010 — that fundamentally shifts how employers must think about sexual harassment at work.

Before this change, the legal framework was essentially reactive. An employer could be vicariously liable if one of their employees harassed another, but the focus was on what the employer did or failed to do after a complaint was raised. The new duty is different in kind: it is preventative. Employers must now take reasonable steps to prevent sexual harassment from happening in the first place. The obligation exists whether or not any harassment has occurred, and whether or not any complaint has been made.

This is a meaningful shift, not a technicality. It means that waiting for a complaint before acting — the default posture of many organisations — is no longer sufficient. The law now expects employers to assess risk, train people, and put systems in place before incidents arise.

25%: The maximum uplift on compensation awards where an employer is found to have failed their prevention duty under s.40A Equality Act 2010

The 25% uplift: understanding the financial exposure

The financial stakes attached to this duty are significant. Where an Employment Tribunal upholds a sexual harassment claim and also finds that the employer failed to take reasonable steps to prevent the harassment, the Tribunal has the power to increase the compensation award by up to 25%. That uplift is applied to the entire harassment award, not to a capped portion of it.

Important: Sexual harassment compensation in Employment Tribunals is uncapped. It includes an injury to feelings award, potential loss of earnings, and in some cases psychiatric injury damages. A 25% uplift on a substantial award can represent tens of thousands of pounds of additional liability — on top of the base award, legal costs, and any EHRC enforcement action running in parallel.

It is also worth noting that the uplift is discretionary but the duty is not. Even where no harassment claim is brought, the EHRC can investigate an organisation's compliance with the prevention duty and take enforcement action independently. The two risks — Tribunal liability and EHRC enforcement — are entirely separate.

What 'reasonable steps' actually means

The EHRC published a statutory Code of Practice in October 2024 to accompany the Act. The Code does not create new legal obligations beyond those in the Act itself, but a Tribunal must take it into account when considering whether an employer has taken reasonable steps. Practically speaking, that means departing from the Code's guidance without a good reason is a significant legal risk.

The Code sets out a risk-based approach and identifies eight areas employers should consider. None of these are box-ticking exercises — the Code is explicit that a policy alone is not sufficient. What matters is whether the employer can demonstrate that they assessed risk in their specific workplace and took action proportionate to what they found.

  1. Develop a robust anti-harassment policy. This must be specific to sexual harassment — a general dignity at work policy does not satisfy the duty. The policy should name the duty, describe what sexual harassment is (including third-party harassment), set out the reporting process, and be reviewed regularly.
  2. Engage with your workforce on risk. This means genuinely consulting workers — not just sending out a survey. Speak to trade unions or staff networks if they exist. Ask people about the environments and situations where they feel at risk. The answers will often surprise you.
  3. Assess and take steps to reduce risk in your specific workplace. A law firm, a retail store, a hospital ward, and a construction site all have different risk profiles. A generic risk assessment copied from a template is unlikely to satisfy this requirement. The Code specifically asks employers to consider working patterns, client interaction, use of alcohol, lone working, and power dynamics.
  4. Consider third-party harassment. The Act explicitly extends the preventative duty to harassment by people outside the organisation — see below.
  5. Report and investigate concerns transparently. Reporting mechanisms must be genuinely safe and accessible. This means anonymous reporting options where possible, multiple channels (not just line manager escalation), and an investigation process that is timely, independent, and communicated clearly to the people involved.
  6. Train your managers. Managers need specific training on how to receive a report, how to respond to a disclosure, and what the escalation process looks like. They also need to understand their own role in creating the conditions where harassment either happens or doesn't.
  7. Train all workers. All staff need to understand what sexual harassment is, what to do if they experience or witness it, and that the organisation takes this seriously. Training should be current, scenario-based, and not a one-off event from three years ago.
  8. Monitor and evaluate your approach. The duty is ongoing, not a one-time exercise. Employers should track reporting rates, training completion, investigation outcomes, and exit interview themes, and use that data to improve their approach over time.

Third-party harassment: the new frontier

One of the most significant practical changes introduced by the Act is the explicit inclusion of harassment by third parties. For the first time, employers have a clear statutory duty to protect their workers from harassment by people they do not employ — clients, customers, contractors, service users, members of the public.

The sectors where this bites hardest are those with the highest levels of client or customer-facing work. In hospitality and retail, staff regularly face harassment from customers with limited ability to remove themselves from the situation. In client-facing professional services — law, accountancy, recruitment — junior employees may feel unable to challenge the behaviour of valuable clients. In healthcare, staff have long faced harassment from patients and their families in circumstances where the power dynamics are complex and removal is rarely straightforward.

What the duty requires in these contexts is not that you prevent all third-party harassment — that would be impossible. It requires that you take reasonable steps to reduce the risk: briefing staff on what third-party harassment is and that they are protected from it, establishing clear protocols for reporting it and escalating it, ensuring managers know how to respond when it is reported, and being willing to challenge or exit relationships with clients or contractors who engage in it.

A note on client relationships: Some employers are genuinely reluctant to challenge high-value clients whose behaviour crosses the line. This reluctance is understandable commercially, but it is legally and reputationally costly. An employer who knowingly tolerates a client harassing their staff, and does nothing, is likely to struggle to demonstrate 'reasonable steps' before a Tribunal.

EHRC enforcement: the other risk

The EHRC's enforcement powers in relation to the prevention duty are broad and do not depend on an individual bringing a claim. The EHRC can investigate organisations on its own initiative, including where it has received intelligence from workers, trade unions, or media reports. If it finds non-compliance, it can issue an unlawful act notice, enter into a binding agreement with the employer requiring specific steps, and — if that agreement is breached or not entered into — apply to the courts for an injunction.

EHRC investigations are time-consuming, resource-intensive, and public. They carry significant reputational risk even where they do not result in formal findings. The EHRC has already signalled that it intends to use these powers actively in relation to the Worker Protection Act, and early enforcement action will be watched closely by employment lawyers and HR professionals across the sector.

It bears repeating: an organisation could face an EHRC investigation and one or more individual Employment Tribunal claims simultaneously, arising from the same set of facts. These are not mutually exclusive risks.


What to do right now: a practical checklist

If your organisation has not yet taken structured action in response to the Worker Protection Act, the following steps represent the minimum required to begin building a defensible position.

Culture is the floor, not the ceiling

It is worth being direct about something the Act and the Code both gesture towards but do not spell out: legal compliance is a minimum, not an achievement. An organisation that has a properly drafted policy, up-to-date training, and a functioning reporting process has met its legal obligations. It has not necessarily created a workplace where people feel safe.

The organisations that are genuinely protected — from Tribunal claims, from EHRC enforcement, and from the talent, reputational, and cultural damage that harassment causes — are those where people feel that if they raise a concern, it will be taken seriously and handled well. That is not primarily a legal question. It is a question of how managers behave on a day-to-day basis, how leadership responds when difficult situations arise, and whether the organisational culture makes it easier or harder to speak up.

The Worker Protection Act has raised the legal floor. What you do above it is the real measure of where your organisation stands.