Third party harassment: Preparing for October 2026

From October 2026, employers will face a new statutory duty to protect workers from harassment carried out not only by colleagues, but also by third parties. That includes harassment perpetrated by customers, service users, contractors, and members of the public against employees.

In some ways, this duty is "new", but at its heart, it reintroduces a protection that previously existed until 2013, when it was repealed by the Conservative government. Its return reflects the government’s intention to strengthen workplace protections and increase accountability for employers in public-facing sectors.

Employers are already required to protect employees from harassment, but the new duty reaches wider and further. It requires employers to take “all reasonable steps” to prevent such harassment from occurring in the first place. That's quite the development. It means reactive steps (e.g., intervening positively and quickly after an incident) may no longer be sufficient to protect against claims. Employers will need to demonstrate proactive planning, risk assessment and preventative measures to prove that "all" reasonable steps have been taken.

We do not yet know exactly what will be required of employers, but we do know that the bar will be relatively high. There is a growing consensus about what this duty is likely to require. Detailed regulations and guidance are expected closer to implementation. However, employers should be planning now for a duty that is likely to include:

1. Conducting and updating risk assessments

Businesses in hospitality, retail, transport, healthcare and other public facing sectors which are more vulnerable to incidents of harassment by customers or service users, should examine the likelihood of third-party interaction causing risks to staff.

2. Reviewing and updating policies

Anti-harassment policies will need explicit references to third party conduct, including clear reporting routes, examples of prohibited behaviour, and reassurance that complaints will be taken seriously.

3. Staff training and awareness

Employees, especially those in customer-facing roles, should receive training on how to de-escalate situations, when to withdraw from unsafe interactions, and how to report concerns. Likewise, senior management and line management teams should know how and when to intervene in high-risk scenarios.

4. Setting boundaries with customers and clients

Employers may need to display signage, introduce behavioural policies for customers, or implement procedures such as “stop lists,” where service can be refused to individuals who pose repeated risks.

There will, of course, still be an expectation that employers take reasonable action after incidents take place. Reasonable action could include removing an abusive customer from premises, banning them, contacting the police where appropriate, or adjusting staffing arrangements to reduce the risk of recurrence. The expectation is that employers will need to show a tangible, systematic approach rather than ad hoc reactions to one-off events.

Public-facing businesses will need to act early to ensure they are ready for the new duty. Waiting for secondary legislation or detailed guidance may leave too little time to update training programmes, revise policies, engage with staff representatives and manage operational changes. This is not a tick-box exercise. The potential reputational and financial consequences of failing to comply could be significant, and some businesses will be required to fundamentally change their operating practices and culture, to ensure they meet the new duty.

By the end of this year, employers will be liable for harassment of their staff by the public if they have not taken all reasonable steps to stop it. If your business would like to know more about how it can prepare for this risk, and discuss how it can mitigate the impact of the new duty in advance of the October 2026 deadline, then please do get in touch.