Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Remote and hybrid work are now a normal part of running a small business in the UK. Whether you have a fully remote team or the occasional “WFH Wednesday”, a clear work from home policy helps everyone understand how work gets done, what’s expected, and how you’ll meet your legal obligations.
In this guide, we’ll break down what a work from home policy should include, the UK legal requirements you need to cover, and practical steps to roll it out across your business. With some upfront planning, you’ll keep your team productive and protect the business as you grow.
What Is A Work From Home Policy?
A work from home policy (sometimes called a remote work policy) sets the rules, standards and processes for staff working away from your premises. It usually sits alongside your core HR policies or Workplace Policy, and it should apply whether people are at home full time, part time, or ad hoc.
At a minimum, it explains:
- Who can work from home, when and how often (eligibility and approval processes)
- Hours of work, availability expectations and how to record time
- Health and safety responsibilities for both the business and staff
- IT, cybersecurity and confidentiality rules for remote environments
- Equipment, costs, and who pays for what
- Performance, communication and supervision arrangements
- Data protection and acceptable monitoring (if any)
Think of it as your “playbook” for remote work. It gives managers a consistent framework to make decisions and gives employees clarity about how to comply day to day.
Do UK Employers Need A Work From Home Policy?
Strictly speaking, UK law doesn’t mandate a work from home policy. But if your team works remotely in any capacity, having one is very strongly recommended. Here’s why:
- It reduces risk. You’ll set out health and safety standards for home workstations, cybersecurity protocols, and limits around monitoring to avoid legal pitfalls.
- It avoids disputes. When rules are clear (e.g., who buys equipment, how to request WFH, response times), you’re less likely to face grievance or performance issues later.
- It supports compliance. A policy helps you meet duties under employment law, data protection, and the Working Time Regulations.
- It keeps things fair. A consistent process for approving (or refusing) WFH requests helps ensure equal treatment across the business.
Most small employers choose to keep their work from home rules within a single, well-structured policy and signpost to other documents, like your Staff Handbook, IT/security policy, and contracts. That way, your team has one source of truth while you keep the more detailed standards in their own documents.
What To Include In Your Work From Home Policy
Below are the key sections we recommend for UK SMEs. The exact content should fit your industry, risk profile and ways of working, so treat this as a starter list rather than a one-size-fits-all template.
1) Eligibility, Requests And Manager Approvals
Set out who can work from home (role types, probation status, performance thresholds), plus how to request arrangements. Be clear on:
- Types of arrangements: occasional, hybrid, or fully remote
- How to apply: form or email, timeframes, required info
- Decision criteria: business needs, role requirements, security, client service
- Trial periods and review points
- How changes are made (e.g., reverting to office if performance or business needs change)
2) Working Hours, Breaks And Availability
Remote work shouldn’t blur legal working time limits. Cover core hours, flexibility, how to record time, and breaks. Make it explicit that staff must comply with the Working Time Regulations and any agreed patterns in their contract. If you allow flexible hours, explain expectations for response times and meeting attendance.
3) Home Workstation And Health & Safety
Employers still owe health and safety duties to remote workers. Your policy should require employees to maintain a suitable workstation, follow guidance on posture and breaks, and report issues. Include:
- Self-assessment checklist for Display Screen Equipment (DSE)
- Guidance on a safe setup (chair, screen height, cables, lighting)
- How to report accidents or near misses at home
- Expectations for keeping the environment free of hazards (especially if children or visitors are present)
If your team uses their own devices at home, set minimum security standards and direct them to your IT and BYOD rules (more on that below).
4) Equipment, Expenses And Insurance
Clarify what the business provides (laptop, peripherals, software) and what remains the employee’s responsibility. Explain:
- Who owns company equipment and return obligations
- Approval process for purchasing equipment
- What expenses you’ll reimburse (e.g., peripherals) and what you don’t (e.g., home broadband)
- Whether employees need to tell their home insurer about business equipment at the property
5) Data Protection, Confidentiality And Cybersecurity
Remote work increases the risk of data breaches and accidental disclosures. Your policy should require secure connections, strong passwords, updates/patching, and private spaces for calls. It should align with your wider Data Protection documents and any non-disclosure obligations in your contracts.
If staff use their own devices, consider a separate BYOD section that references your mobile/IT policy and practical rules around access controls and device hygiene. Our guidance on BYOD covers common GDPR pitfalls to avoid.
6) Communication, Collaboration And Performance
Spell out the communication channels you expect (project tools, video, phone), how you’ll track deliverables, and how often managers will check in. It’s helpful to include:
- Weekly or fortnightly one-to-ones for outcomes and wellbeing
- Team cadence for stand-ups and progress reviews
- How performance concerns will be managed and documented
When expectations are documented upfront, it’s far easier to address issues fairly and consistently later on.
7) Information Security And Acceptable Use
Link your WFH policy to your IT acceptable use rules: multi-factor authentication, approved apps, storage locations (no personal clouds), and what to do if a laptop is lost or compromised. If you’re rolling out new tools, you may also want an internal AI Use Policy so staff know what’s acceptable when using AI tools with client or personal data.
8) Monitoring And Privacy
If you use any monitoring tools, outline what you monitor, why, and how you’ll respect privacy. Common examples include log-in records, call metadata and device management software. Make sure any monitoring is proportionate, transparent and necessary, and that it’s covered by your privacy and data protection documentation. Our overview of lawful monitoring at work can help you sense-check your approach.
9) Security Incidents, Breaches And Reporting
Explain how staff should report suspected phishing, data loss or device theft, who to contact, and the steps the business will take. Speed matters: fast reporting can significantly reduce harm and help you meet any legal notification timelines.
Legal Must-Haves Under UK Law
A good policy is only one part of compliance. You also need to make sure your day-to-day remote practices meet your legal duties. Here are the key UK laws and obligations to consider.
Employment Law And Contracts
Your contracts should set out the main place of work, permitted flexibility, hours of work, confidentiality, and equipment rules. If you’re introducing hybrid or remote arrangements, check whether you need to vary contracts or issue a side letter. Keep your policy consistent with contracts and your Staff Handbook.
Employees also have the right to request flexible working (subject to eligibility rules). Your policy should include a fair, consistent process for considering such requests, with decisions based on legitimate business reasons.
Health And Safety For Remote Workers
Under UK health and safety law, you owe a duty of care to employees working from home. In practical terms, that means conducting risk assessments appropriate to the role (for example, DSE assessments for desk-based workers), providing guidance on safe setups, and having procedures for reporting incidents. Ensure managers know how to support staff who report pain, stress or other concerns.
Working Time, Rest And Breaks
Remote work doesn’t remove your obligations around working time and rest. Staff should take daily and weekly rest periods, and statutory breaks still apply. Reinforce these obligations in your policy, require accurate time recording, and train managers not to contact staff out of hours except in genuine emergencies. You can also point staff to your guidance on breaks and rest periods through the Working Time Regulations.
Data Protection And GDPR
If employees access or process personal data from home, you’re still responsible for compliance with the UK GDPR and Data Protection Act 2018. In practice, that means applying appropriate technical and organisational measures: secure devices, encrypted storage, restricted access, and training. Align your WFH rules with your privacy notices, data retention and incident response processes within your core Data Protection documentation.
Monitoring, Privacy And Proportionality
Any monitoring of remote workers must be transparent, proportionate and necessary for a legitimate purpose. Avoid invasive tools (like constant webcam surveillance) unless you can justify them and have assessed less intrusive alternatives. Be clear in your policy about what you monitor and why, and update your records of processing activities accordingly. Our article on employee monitoring sets out what employers can and can’t do.
BYOD And Device Management
Bring Your Own Device (BYOD) can be convenient, but it’s also a top source of data risk. If you allow BYOD, set mandatory requirements for device encryption, MDM installation, patching, and immediate reporting if a device is lost. Build these requirements into your policy and point to your separate BYOD rules. If you’re weighing up options, our guide to BYOD highlights the GDPR traps to avoid.
Rolling Out And Enforcing Your Work From Home Policy
Even the best policy only works if people read it, understand it, and managers apply it consistently. Here’s a simple roll-out plan you can adapt.
1) Map Your Risks And Tailor The Draft
Start by mapping how your team works today: who’s remote, what systems they use, what data they handle, and where things have gone wrong before (e.g., missed deadlines, data sprawl, poor workstation setups). Use that to tailor the sections above. Keep the document practical and avoid jargon; people will use it if it feels helpful in the real world.
2) Align With Your Other Policies And Contracts
Check your WFH policy is consistent with contracts, disciplinary and grievance procedures, IT/security rules, privacy/data policies, and your Workplace Policy. If you’re introducing new tools (like AI assistants), decide if those rules belong in your WFH policy or a standalone AI Use Policy that you can update as the tech evolves.
3) Train Managers First
Managers need to know how to approve requests, support safe work, and address performance concerns remotely. Run a short manager briefing covering:
- Approval criteria and fair decision-making
- How to run check-ins and measure outcomes
- What to do if performance slips (and how to document it)
- When to escalate health and safety or mental health concerns
- How to handle data/security incidents quickly
4) Communicate Clearly To Staff
Share the policy, highlight the key points, and explain how it affects day-to-day work. Ask staff to sign an acknowledgement and complete any required self-assessments (e.g., DSE). Provide quick-reference guides or FAQs for common scenarios, like how to request ad hoc WFH, how to expense a chair, and what to do if your broadband goes down.
5) Keep It Under Review
Set a review date (for example every 6–12 months) and track any incidents or feedback so you can improve the policy. Remote work practices evolve quickly; regular reviews keep you compliant and make life easier for managers and staff alike.
Practical Do’s And Don’ts
- Do use simple, plain-English rules that managers can apply consistently.
- Do align your WFH policy with your data protection and IT security documents.
- Do require accurate time recording and reinforce rest breaks and limits.
- Don’t rely on generic templates; tailor to your industry, systems and risks.
- Don’t introduce monitoring without a lawful basis, clear transparency, and safeguards.
- Don’t forget to plan for equipment returns and offboarding for remote leavers.
Key Takeaways
- A work from home policy is your playbook for remote and hybrid work: it sets expectations, supports fairness and helps you meet your legal duties.
- Cover the essentials: eligibility and approvals, hours and availability, health and safety, equipment and expenses, data protection, communication, performance, and monitoring/privacy.
- Keep your policy aligned with contracts, your core Workplace Policy, your Staff Handbook, and your Data Protection framework.
- Ensure compliance with the UK GDPR and Data Protection Act 2018, health and safety duties, and the Working Time Regulations around hours and breaks.
- If you allow personal devices, set clear BYOD rules; our BYOD guidance flags common GDPR risks when staff use their own phones and laptops.
- Roll out your policy with manager training, staff briefings and regular reviews so it remains practical and effective as your business grows.
If you’d like help drafting a tailored work from home policy, or aligning it with your contracts, IT and privacy documents, our team can help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


