Duty of Care UK: Smarter HR Compliance in 2026

Most HR leaders dealing with duty of care for the first time aren’t struggling with the principle. They know they must protect people. The problem is operational. One employee flags stress in a one-to-one, another needs a home workstation review, a manager reports a near-miss, and someone in HR still has to prove what was done, when, by whom, and whether it was reviewed.

That is where good intentions usually fail. Not because the organisation lacks concern, but because the evidence sits in inboxes, spreadsheets, shared drives, paper forms, and manager memory.

In UK organisations, duty of care is no longer something you can treat as a general culture statement. It has to be translated into repeatable processes, documented decisions, and auditable records. If you run Microsoft 365 and Dynamics 365, that translation can happen inside systems your teams already use, rather than through disconnected tools that create more risk than they remove.

Beyond the Buzzword: What Duty of Care Means in 2026

Duty of care has become a catch-all phrase, and that creates problems. When a term means everything, teams often reduce it to almost nothing. They file it under wellbeing, health and safety, or employee relations, then assume someone else owns it.

In practice, duty of care means taking reasonable, documented steps to protect employees’ health, safety, and welfare in the actual conditions they work in. That includes the obvious issues, such as physical hazards and training gaps. It also includes less visible issues, such as work-related stress, remote working risks, and known individual vulnerabilities.

Why the old approach breaks down

Most mid-market firms still manage this with a patchwork of:

  • Email trails that don’t show a complete decision history
  • Spreadsheets that go out of date the moment a manager forgets to update one
  • Separate forms for incidents, absence, occupational health, and adjustments
  • Policy documents that describe a process but don’t enforce it

That setup creates two failures at once. The first is operational failure, because actions slip through the gaps. The second is evidential failure, because the business can’t clearly show that it identified the risk, acted proportionately, and followed up.

Practical rule: If your organisation can’t show the workflow, it will struggle to show the duty was met.

The better approach is to treat duty of care as a business process, not just a legal concept. Risk identification, reporting, escalation, intervention, review, and retention all need owners, triggers, and records.

Why this is also a people strategy

Handled properly, duty of care isn’t just defensive compliance. It helps organisations build trust and productivity because employees can see that concerns are taken seriously, managers know what to do next, and HR isn’t relying on ad hoc judgement every time a case appears.

What works is consistency. Employees don’t expect perfection. They expect a sensible response, timely communication, and evidence that the employer acted.

What doesn’t work is broad language about wellbeing with no operational backbone. A policy that says managers should “check in regularly” is not a process. A process needs a trigger, a task, a due date, a review point, and somewhere reliable for the record to live.

The Legal Foundations of Employer Duty of Care in the UK

The legal position matters because it defines what HR and operational systems must support. In the UK, the core issue is not whether employers should care. It is that they have enforceable obligations and need evidence of compliance.

The main statutory pillar is the Health and Safety at Work etc. Act 1974. Under section 2, UK employers have a legally enforceable obligation to ensure, “so far as is reasonably practicable”, the health, safety and welfare of their employees. The Management of Health and Safety at Work Regulations 1999 build on that duty by requiring suitable and sufficient risk assessments, with the significant findings recorded where five or more people are employed and reviewed whenever circumstances change. The compliance burden is therefore not just action, but documented action, as outlined in Croner’s summary of employers’ duty of care.

Statutory duty means records, not just policy

Many organisations underestimate the problem. They have a health and safety policy and perhaps a set of templates, but the law drives toward a demonstrable audit trail.

That means your organisation should be able to show:

  • What risks were identified for a role, task, location, or person
  • What controls were put in place such as PPE, process changes, training, or supervision
  • Who reviewed the position and when
  • What changed afterwards including follow-up actions, corrections, and reassessments

If those records are partial or scattered, legal exposure increases. This is one reason practical guidance on preventing HR lawsuits often comes back to consistency and documentation rather than policy wording alone.

Common law adds another layer

Statute is only one side of the picture. UK common law also shapes employer duty through the employment relationship itself. You can think of this as the structural frame of a house. The policy documents are fixtures and fittings, but the frame is already there whether you mention it or not.

The employment relationship carries obligations around safe systems of work, a safe working environment, and competent people management. That is why duty of care isn’t something an employer can contract away through wording in a handbook or contract schedule.

For HR leaders, the practical point is simple. The law expects more than a folder of documents. It expects systems and behaviours that can be evidenced.

A useful benchmark for that wider operational view sits in this DynamicsHub article on human resources compliance, especially where compliance moves from document control into live workflow.

The safest organisations are rarely the ones with the most policies. They are usually the ones that can show those policies actually triggered action.

What reasonably practicable looks like in real life

“Reasonably practicable” doesn’t mean doing everything possible regardless of context. It means taking proportionate steps in light of the risk, the role, and what the employer knows.

That is an important distinction. Employers don’t need a perfect crystal ball. They do need a defensible process for spotting foreseeable issues, acting on them, and revisiting them when circumstances change.

The Expanding Scope of Modern Employer Responsibility

The biggest mistake I see is assuming duty of care still sits mainly in the traditional health and safety box. It doesn’t. Physical safety remains essential, but modern employer responsibility now reaches into mental health, hybrid work, individual vulnerabilities, and the handling of sensitive employee data.

UK common law makes that expansion impossible to ignore. It extends employer duty of care to mental health and psychiatric illness caused by work-related stress, and it requires employers to respond to known vulnerabilities. It also creates an implied term in every employment relationship that can’t be written away, as explained by the CIPD’s health and safety guidance.

The duty is individual, not generic

Standardised programmes fail in a recognisable way: a business has an employee wellbeing policy, stress awareness training, and an EAP, yet still mishandles a case because nobody acted on what was already known about a particular person.

Examples include:

  • A manager knows an employee has been struggling with workload and does nothing beyond informal sympathy
  • HR receives medical information but doesn’t connect it to working pattern adjustments
  • A remote worker reports pain, fatigue, or isolation, but the issue stays in a line manager’s notes
  • A phased return is agreed verbally, then lost because there is no central record or review date

The legal and practical point is the same. Duty of care becomes sharper when the employer knows, or should know, about a specific risk affecting a specific employee.

Hybrid work widened the risk surface

Hybrid work changed more than location. It changed visibility. Managers now have fewer informal signals, and HR teams often learn about problems later than they would in a fully office-based environment.

That creates several categories of risk:

Risk area | What often goes wrong | Better control
Home ergonomics | Self-assessments are sent once and forgotten | Trigger reassessment when role or home setup changes
Work-related stress | Long-hours culture stays hidden in calendars and Teams activity | Review work patterns and intervene early
Isolation | Regular meetings happen, but meaningful welfare checks do not | Log structured wellbeing conversations
Adjustments | Informal arrangements are made but not tracked | Record agreed support, owner, and review date

For organisations reviewing responsibilities in this area, this DynamicsHub guide to health and safety employees responsibilities is useful because it reinforces that employee and employer duties must connect, not sit in separate policy silos.

Employers get into difficulty when they treat stress, ergonomics, absence, and performance as separate stories when they are often the same story viewed from different systems.

Mental health evidence needs process, not sentiment

Many businesses now speak comfortably about mental health. Far fewer have a reliable method for documenting when an issue was raised, who reviewed it, what support was offered, and whether the intervention changed anything.

What works:

  • Capability reviews tied to actual job demands
  • Reasonable adjustment records with review dates
  • Escalation routes when a manager notices stress indicators
  • Consultation logs showing the employee was heard and the employer responded

What doesn’t work:

  • One-off wellbeing campaigns
  • Manager discretion with no prompts
  • Confidential notes stored privately
  • Generic policies with no case workflow

The scope has expanded because work has expanded. The law now meets people where they work, not where the office floorplan says they should be.

Building Your Framework with Practical HR Policies

A workable duty of care framework starts before technology. Software can automate, route, remind, and report, but it can’t rescue vague policy design. If the rules are unclear, the workflow will only automate confusion faster.

The strongest frameworks are usually boring in the best possible way. They define responsibility clearly, tell managers what to do next, and remove guesswork from routine situations.

The core policies every organisation should tighten

Start with the documents and procedures that carry the greatest day-to-day load.

  • Risk assessment policy
    This should cover physical, ergonomic, and psychosocial risk. It needs ownership, approval routes, review cycles, and clear triggers for reassessment.

  • Incident and near-miss reporting procedure
    If staff only report serious incidents, the organisation loses the warning signs that would have prevented them. Near-miss reporting needs to be easy, blame-free, and followed by visible action.

  • Wellbeing and stress management procedure
    This should define warning signs, manager responsibilities, escalation paths, support options, and when HR or occupational health must become involved.

  • Reasonable adjustments process
    Many firms have good intentions here but poor administration. The process should show who requests, who approves, what is implemented, and when it is reviewed.

  • Remote and hybrid working safety procedure
    Home workstation checks, communication expectations, equipment provision, lone working considerations, and review triggers all need to be explicit.

What a policy must do in practice

A policy isn’t just a statement of values. It should answer operational questions fast.

Ask whether each policy tells managers:

  1. When to act
  2. What form or record to use
  3. Who must be told
  4. What deadline applies
  5. How follow-up is checked

If it doesn’t, it is likely guidance rather than a process.

Field lesson: The best policy wording in the world won’t help when a line manager is under pressure and needs a clear next step in under a minute.

Build the manual before the dashboard

Many organisations jump too early into reporting. They ask for dashboards before they have stable underlying processes. That usually produces attractive charts with unreliable data.

A better sequence is:

  • Define the event
    What counts as a concern, incident, stress flag, or adjustment request?

  • Define the owner
    Which role acts first, and which role reviews?

  • Define the evidence
    What records must exist at each stage?

  • Define the review point
    When is the case reassessed, and by whom?

  • Define retention
    How long is the information kept and under what access controls?

A practical policy checklist

Use this as a quick test of whether your framework can support duty of care properly.

  • Documented triggers for risk assessment, reassessment, and escalation
  • Named accountabilities across HR, line management, operations, and health and safety
  • Consistent forms rather than multiple local versions
  • Review dates embedded into every intervention
  • Employee consultation records where concerns are raised or support is agreed
  • Training records showing managers know how to use the process
  • Business continuity links so emergency processes align with people data

A framework like this gives technology something useful to automate. Without it, the system ends up mirroring the same disorder that existed on paper.

Automating Duty of Care with Dynamics 365 and the Power Platform

Once the policy framework is sound, the Microsoft stack becomes very effective for turning it into controlled execution. Many organisations gain their biggest improvement from this, not because the technology is flashy, but because it removes inconsistency.

A recurring challenge for UK mid-market firms is connecting duty of care with the controls that already live in Dynamics 365, such as Right to Work checks and GDPR-aware record handling. Published guidance also points to a significant burden of work-related ill health and musculoskeletal problems linked to poor home ergonomics, and to a gap in platform-specific automation for hybrid setups in Dynamics 365 environments, as discussed in this Saferedge overview of duty of care risk considerations.

Use Dataverse as the system of record

If duty of care data lives in email, SharePoint folders, and manager spreadsheets, you don’t have a system. You have fragments.

Dataverse gives you a structured data model for:

  • employee records
  • risk assessments
  • incidents and near-misses
  • reasonable adjustments
  • case notes
  • training completion
  • review schedules
  • workflow status

That matters because duty of care often involves cross-functional facts. A manager may report a wellbeing concern, HR may coordinate adjustments, IT may provide equipment, and health and safety may review the risk. Dataverse allows those threads to sit against one governed record structure rather than becoming four disconnected admin trails.

Power Apps should make reporting easier than avoidance

The best digital forms are short, role-aware, and easy to complete on a phone or laptop. Power Apps is ideal for this because you can create specific interfaces for different users.

A strong setup usually includes:

  • Employee self-service forms for workstation checks, incident reporting, or adjustment requests
  • Manager forms for stress concerns, return-to-work reviews, and risk sign-off
  • HR case forms for intervention tracking and review notes
  • Health and safety forms for hazard control plans and reassessments

The key design principle is low friction. If reporting an issue takes too long, staff won’t do it. If the form is short and routes automatically, reporting increases and data quality improves.

Power Automate is where compliance becomes routine

This is the layer that turns a recorded concern into action.

Examples of useful flows include:

Trigger | Automated action | Compliance benefit
New incident logged | Notify manager and HR, create investigation task | Immediate escalation with audit trail
Homeworking risk flagged | Assign reassessment and track due date | Prevents issues being parked indefinitely
Adjustment agreed | Notify relevant owner and schedule review | Keeps support active and visible
Training overdue | Remind employee and line manager | Reduces drift in mandatory compliance tasks

This is the benefit of workflow. It reduces dependence on memory, goodwill, and inbox discipline.

A compliant process is usually just a well-timed sequence of prompts, approvals, and recorded actions.

Power BI should support judgement, not surveillance

Duty of care data is sensitive. Dashboards must help leaders spot patterns without turning wellbeing management into intrusive monitoring.

That means Power BI is most useful when it surfaces:

  • anonymised wellbeing trends
  • overdue risk reviews
  • incident categories
  • training completion status
  • outstanding actions by business area
  • return-to-work follow-up rates

It is less useful when it tries to infer too much from individual activity patterns without context. That is where HR teams can drift into over-monitoring and create fresh employee relations issues.

For firms standardising their platform approach, this DynamicsHub article on Dynamics 365 HR is a practical starting point for understanding how core HR records and process automation fit together inside the Microsoft ecosystem.

UK-specific controls matter

In real projects, UK compliance almost always requires more than generic HR workflow. You need to think about:

  • Right to Work checks linked to employee lifecycle events
  • GDPR-aligned retention rules for sensitive case records, applied by the system rather than by team convention
  • Role-based security, using Dataverse security roles and column-level security so managers only see cases for their own reports and sensitive fields such as medical detail are restricted to HR
  • Microsoft Entra ID for authentication, with multi-factor authentication and Conditional Access enforced on the HR apps
  • Teams and Outlook integration so tasks and approvals appear where people already work

Native Microsoft architecture helps. When the process sits inside the same tenant and governance model as the rest of your business systems, compliance is easier to manage and evidence.

Your Step-by-Step Implementation Guide

Most organisations don’t need a grand transformation programme to improve duty of care. They need an ordered sequence, sensible scope, and clear ownership. Start with one business-wide model, then refine.

Step one: review your current gaps

Before you configure anything, examine how the organisation currently handles risk, reporting, and follow-up.

Look for practical weaknesses such as:

  • concerns raised informally but never logged
  • inconsistent versions of assessment forms
  • no central record of reasonable adjustments
  • unclear ownership of review dates
  • retention practices that vary by team

This stage is not glamorous, but it reveals where legal risk sits. In most cases, the issue isn’t absence of policy. It is inconsistency between policy and practice.

Step two: map the workflow before the technology

Draw the lifecycle of a real case. Start with a trigger and finish with closure and review.

For example:

  1. employee raises concern
  2. manager records issue
  3. HR reviews and triages
  4. action is assigned
  5. support is implemented
  6. review date is scheduled
  7. case outcome is recorded

Do this for several scenarios, not just one. Stress concerns, ergonomic issues, incidents, and return-to-work cases often need slightly different paths.

Step three: configure for evidence, not just convenience

At configuration stage, many teams focus on what is easiest to enter. That matters, but evidence quality matters more. If you are on Dataverse, switch on auditing for the case tables and the columns that carry decisions; it must be enabled at environment and table level, and it only captures changes made after it is turned on, so a case logged before that point has no change history.

Design the system so it captures:

  • who submitted the record
  • when it was submitted
  • who approved or reviewed it
  • what action was agreed
  • whether the employee was consulted
  • when the next review is due

Recent discussion around ACAS code updates in England suggests organisations may need evidence-based audits of right to disconnect policies, with potential fines for non-compliance. The practical balance is to use anonymised wellbeing reporting and controlled time-tracking evidence rather than intrusive individual surveillance, as outlined in this World Clinic discussion of duty of care developments.

That trade-off matters. You want enough evidence to show responsible management of work patterns, but not so much monitoring that the organisation creates new privacy and trust problems.

Good implementation draws a line between visibility and intrusion. Cross that line and the system starts undermining the culture it was meant to protect.

Step four: train managers on decisions, not screens

Manager training often fails because it focuses too heavily on button clicks. The system matters, but judgement matters first.

Train managers to recognise:

  • when a concern should be logged formally
  • what can remain informal and what cannot
  • when HR or health and safety must be involved
  • how to document support conversations correctly
  • why review dates are part of the duty, not admin overhead

Then show them the screen flow that supports those decisions.

Step five: launch with tight scope

Don’t launch everything at once. Begin with the highest-risk workflows.

A sensible first phase often includes:

First phase workflow | Reason to prioritise
Incident and near-miss reporting | High evidential value and clear process
Remote workstation assessments | Common hybrid risk with repeatable form logic
Stress and wellbeing escalations | Frequently handled inconsistently
Reasonable adjustment tracking | Critical for review discipline

Once those are stable, expand into broader employee relations and workforce planning processes.

Step six: review and refine quarterly

No implementation is finished on go-live. Review the live data and ask hard questions.

  • Are managers bypassing the workflow?
  • Are review dates being missed?
  • Are forms too long?
  • Are records too vague to be defensible?
  • Are dashboards helping leaders act, or just decorating meetings?

That is how the system matures. Not through abstract transformation language, but through repeated correction of where process and behaviour still diverge.

Future-Proofing Your Organisation Through Proactive Care

The organisations that handle duty of care well don’t treat it as a reactive compliance burden. They treat it as part of operational design. That difference matters because work will keep changing. Hybrid arrangements evolve, wellbeing expectations shift, and the boundary between HR, compliance, and technology keeps shrinking.

A proactive model gives you room to adapt. When risk assessments, interventions, review cycles, and evidence sit inside governed systems, the organisation can respond faster and with more confidence. That reduces legal exposure, but it also improves credibility with employees and managers.

Future-proofing also means recognising that duty of care and data governance now sit side by side. If you’re building more digital HR workflows, you also need to protect client data and employee information through sensible access controls, retention rules, and secure system design. Care without governance is incomplete. Governance without care is brittle.

The practical goal isn’t perfection. It is traceability, consistency, and proportionate action. When those three are in place, duty of care becomes manageable.


DynamicsHub helps UK organisations turn duty of care from fragmented admin into auditable, Microsoft-native HR processes. Experience HR transformation built around your business. Hubdrive’s HR Management for Microsoft Dynamics 365 is the premier hire-to-retire solution, more powerful, more flexible, and more future-ready than Microsoft Dynamics 365 HR. To discuss your requirements, contact DynamicsHub or phone 01522 508096 today.

Chris Pickles Director / Dynamics 365 and Power Platform Architect & Consultant
Chris Pickles is a Dynamics 365 specialist and digital transformation leader with a passion for turning complex business challenges into practical, high-impact solutions. As Founder of F1Group and DynamicsHub, he works with organisations across the UK and internationally to unlock the full potential of Dynamics 365 Customer Engagement, HR solutions, and the Microsoft Power Platform. With decades of experience in Microsoft technologies, Chris combines strategic thinking with hands-on delivery. He designs and implements systems that don’t just function well technically — they empower people, streamline processes, and drive measurable performance improvements. Known for his straightforward, people-first approach, Chris challenges conventional thinking and focuses on outcomes over features. Whether modernising customer engagement, transforming HR operations, or automating processes with Power Platform, his goal is simple: build solutions that create clarity, capability, and competitive advantage.

© 2026, DynamicsHub, All Rights Reserved