Legally Required HR Policies in the UK (ACAS Guidance)

If you’re hiring your first employee (or even your fifth), it’s completely normal to wonder what HR paperwork you actually need - and what’s just “nice to have”.

From an employer’s perspective, getting this right isn’t just about ticking boxes. The right policies help you manage people issues consistently, reduce the risk of disputes, and show you’re taking your legal duties seriously.

This guide breaks down what people usually mean when they search for HR policies required by law in the UK and ACAS guidance: which documents are genuinely required in certain situations, what ACAS expects you to follow in practice, and how to implement policies in a way that protects your business.

What Does “Required By Law” Mean For HR Policies In The UK?

Let’s clear up a common misconception: in the UK, there isn’t a single “master list” of HR policies that every employer must have in writing from day one.

Instead, your obligations come from a mix of:

• Statutes and regulations (for example health and safety law, data protection law, equality law)
• ACAS guidance and the ACAS Code of Practice (especially for discipline and grievances)
• Your contractual documents (employment contracts and any policies they incorporate)
• Industry-specific rules (for regulated sectors, safeguarding contexts, etc.)

So when small businesses ask “what HR policies are required by law?”, what they usually mean is:

• What do I need to operate legally and safely?
• What will I be expected to have if something goes wrong (for example, a grievance or dismissal)?
• What will an employment tribunal expect a reasonable employer to have done?

ACAS is especially important here. Even where a written policy isn’t strictly mandatory, ACAS guidance often sets the benchmark for what a fair and reasonable employer should do - and that can be crucial if you ever need to defend a decision.

The Core HR Policies Most Small UK Employers Need (And How ACAS Fits In)

Below are the HR policies that commonly come up as “required” (either because the law requires them in certain circumstances, or because ACAS-aligned processes are essential for managing risk).

1) Disciplinary And Grievance Procedures (ACAS Code)

If you’re dealing with misconduct, performance concerns, workplace conflict, or an employee complaint, you’ll almost always rely on your disciplinary and grievance procedures.

Strictly speaking, you don’t always have to have these procedures set out as standalone “policies” to employ someone. But in practice, if you discipline or dismiss someone, you should follow a fair process consistent with the ACAS Code of Practice on Disciplinary and Grievance Procedures.

From a small business owner’s perspective, this matters because:

• A fair process helps you make better decisions (and document them).
• If a dispute escalates, you’re far better positioned to show you acted reasonably.
• Failing to follow the ACAS Code can affect compensation in tribunal cases (for example, uplift/reduction in awards in relevant scenarios).

In practical terms, your disciplinary/grievance policy should cover:

• How issues are raised and investigated
• Informal steps vs formal steps
• Disciplinary meetings and the employee’s right to be accompanied
• Warnings and outcomes
• How appeals work
• Grievance handling steps and timescales

These processes are usually included in an Staff Handbook so your team has one clear “source of truth”.

2) Health And Safety Policy (Required If You Have 5+ Employees)

Health and safety is one of the clearest examples of a policy that can be legally required in writing.

If you employ five or more employees, you generally need a written health and safety policy setting out your general approach and how you manage health and safety in your business.

Even if you have fewer than five employees, you still have health and safety duties - and having a written policy (plus risk assessments and procedures) is often a smart way to evidence that you’re taking those duties seriously.

Your health and safety policy might cover things like:

• Responsibilities (who does what)
• Risk assessments and reporting hazards
• Accident reporting and first aid
• Workstation safety (especially for desk-based teams)
• Fire safety and emergency procedures
• Training and supervision

If you use any workplace monitoring tools (including CCTV), health and safety often overlaps with privacy and data protection. If this is relevant, it’s worth checking whether CCTV at work is being used in a lawful and proportionate way.

3) Data Protection And Privacy Documentation (UK GDPR)

As soon as you employ staff, you’re handling personal data - names, addresses, payroll information, performance notes, absence records, and potentially sensitive data (like health information).

Under the UK GDPR and Data Protection Act 2018, you must handle personal data lawfully, fairly, and transparently. In practice, many businesses use privacy notices and internal procedures to help meet these obligations - but what you must have will depend on your processing activities.

For many small businesses, this often includes:

• A staff privacy notice (explaining what employee data you collect, why, who you share it with, and how long you keep it)
• Internal rules/processes for handling HR data securely (access controls, retention, and deletion)
• Policies for secure use of systems, devices, and passwords

If you need a starting point for your external-facing documents, a Privacy Policy is often relevant - but don’t forget employee-facing privacy information and internal practices may also be needed depending on how your business operates.

4) IT, Email And Internet Use Rules (Acceptable Use)

Small businesses often give employees access to:

• Customer databases and CRMs
• Company email and shared drives
• Messaging platforms (like Teams/Slack)
• Social media accounts
• AI tools and third-party software

You’re not automatically “required by law” to have an IT acceptable use policy in every situation - but without one, it’s much harder to manage:

• Confidentiality risks
• Cybersecurity and data breaches
• Misuse of work systems during work hours
• Monitoring (and doing it lawfully)

This is where an Acceptable Use Policy can be a practical foundation, especially when paired with clear privacy messaging for staff about what is and isn’t monitored.

5) Equal Opportunities / Anti-Discrimination Policy (Strongly Expected)

Discrimination law in the UK (mainly the Equality Act 2010) applies whether or not you have a written policy.

That said, having a clear equal opportunities (or dignity at work / anti-harassment) policy is one of the easiest ways to:

• Set expectations for behaviour early
• Train managers consistently
• Give you a structured way to respond to complaints

For small businesses, this is particularly important because people issues tend to feel more personal in a smaller team - and without clear rules, it’s easier for decisions to look inconsistent.

An equal opportunities policy often covers:

• Non-discrimination principles in recruitment, promotion, and pay
• Harassment and bullying definitions and examples
• How complaints are raised and handled (usually linked to grievance steps)
• Consequences for breaches

6) Written Employment Terms (Not A “Policy”, But Essential)

While not technically an HR “policy”, the single most important legal document for any employer is your employment documentation.

In the UK, employees and workers are entitled to written information about their terms (often referred to as the written statement of employment particulars), and most businesses do this through a properly drafted contract plus supporting policies.

From a risk perspective, your Employment Contract should do heavy lifting on issues like:

• Pay, hours, and job role
• Holiday entitlement (and how it’s booked)
• Sick pay rules (statutory and any enhanced company sick pay)
• Notice and termination
• Confidentiality and IP
• Whether policies form part of the contract or are non-contractual

This is also where you can reference your handbook and key policies so they’re clearly linked to the employment relationship (without accidentally making everything contractually binding).

HR Policies You’re Not Strictly Required To Have (But ACAS-Relevant And Worth It)

Once you’ve covered the basics above, the next step is building a policy set that matches how your business actually runs.

Here are policies that aren’t always “mandatory”, but are commonly expected in practice (especially if you want to reduce disputes and manage staff fairly).

Sickness Absence Policy

Absence can be one of the biggest pressure points for small teams. A sickness policy helps you manage things consistently and avoid awkward, ad-hoc decision making.

It can cover:

• How staff report sickness and when
• Evidence requirements (self-certification vs fit notes)
• Return-to-work discussions
• Trigger points for absence review meetings
• How long-term sickness is managed

Performance Management Policy

ACAS-aligned performance management is about giving people a genuine opportunity to improve - while still protecting your ability to run the business.

This is where having a clear process (and documenting it) really helps, particularly if you ever need to move toward a capability dismissal.

Flexible Working Policy

Flexible working requests are now a standard part of modern employment. Even when you can’t approve every request, a consistent policy helps you handle requests fairly, document reasons, and keep the relationship constructive.

Family Leave Policies (Maternity, Paternity, Adoption, Shared Parental Leave)

You don’t want to be figuring these out on the fly. Even a short, clear policy can help you manage leave requests, pay entitlements, and “keeping in touch” arrangements.

Whistleblowing Policy

Whistleblowing protections exist regardless of whether you have a policy. But having a whistleblowing process can make it far easier for you to:

• Encourage staff to raise serious concerns internally first
• Investigate issues appropriately
• Demonstrate you’ve taken concerns seriously and acted lawfully

For some regulated industries, whistleblowing policies can be particularly important.

How To Set Up Your HR Policies So They Actually Protect Your Business

Having policies “in a folder somewhere” isn’t the goal.

The goal is to set your team up with clear rules that you can actually rely on when you need to make decisions - especially tough ones.

1) Put Policies In The Right Place (Usually A Staff Handbook)

Most small businesses keep policies in a staff handbook because it:

• keeps everything consistent and easy to find
• supports onboarding (new starters know the rules from day one)
• reduces disputes caused by miscommunication

If you’re growing, it’s usually better to build a handbook early rather than bolting policies on later. A Staff Handbook can also be updated over time as your business changes.

2) Decide What’s Contractual (And What Isn’t)

This is a big one.

If you make every policy “contractual” by accident, you can end up stuck with processes you can’t change easily - even if they stop working for your business.

Many employers choose to:

• keep core terms (pay, hours, notice, confidentiality) contractual in the employment contract
• keep most policies non-contractual, so you can update them reasonably as you grow

This is a drafting detail, but it can make a massive difference later.

3) Train Your Managers (Even If “Manager” Means You)

In small businesses, the “HR department” is often the founder, the operations lead, or a senior employee who’s wearing multiple hats.

Make sure whoever is responsible for people management understands:

• how to run a fair investigation
• how to document meetings and decisions
• when to escalate to formal steps
• when to get professional advice

If you also want consistency across the team, a tailored Workplace Policy framework can make expectations clearer (and much easier to enforce).

4) Keep Records (Because Memory Isn’t Evidence)

Good records are one of the simplest ways to protect your business.

That might include:

• signed employment contracts
• acknowledgements of key policies
• notes of return-to-work meetings
• grievance/disciplinary meeting notes
• performance objectives and progress reviews

This isn’t about creating bureaucracy - it’s about being able to show that you acted fairly and consistently if your decision is challenged later.

5) Review Policies As You Grow

A policy set that works for a 2-person startup often won’t work the same way when you have 10 staff, shift work, remote workers, or managers running teams.

A good rhythm for many small businesses is:

• reviewing policies annually, and
• reviewing again after any major change (new systems, restructures, new services, new workplace risks)

Key Takeaways

• There isn’t one universal checklist of HR policies required by law in the UK, but there are core areas where policies and processes are practically essential for small employers.
• ACAS guidance (especially the ACAS Code for disciplinary and grievance procedures) is a key benchmark for fairness - and it matters most when you’re dealing with disputes or dismissal risk.
• If you have 5+ employees, you’ll generally need a written health and safety policy, and you should still manage health and safety properly even under that threshold.
• Data protection obligations apply as soon as you handle employee personal data, but the exact documentation you need will depend on your processing activities. Clear privacy information and sensible internal practices help reduce risk.
• Your employment paperwork matters as much as your policies - a well-drafted employment contract and a consistent handbook can prevent costly misunderstandings later.
• Policies only protect you if they’re implemented properly: keep them accessible, train managers, document key decisions, and review them as your business changes.

If you’d like help putting together HR policies that fit your business (and align with ACAS expectations), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.