UK Remote Working Policy Template

What is a UK remote working policy?

Quick answer. A UK remote working policy is the framework governing how flexible, hybrid, and remote work arrangements are requested, granted, and operated securely. Required indirectly by the Flexible Working Act 2023 (day-one right), explicitly by ISO 27001 Annex A.6.7, and aligned with UK GDPR Article 32 obligations on personal data handling at home.

The remote working policy operates as a hybrid HR/security document — unusual among UK policies. The HR side handles the statutory flexible-working right introduced by the 2023 amendments to the Employment Rights Act 1996, which made the right available from day one of employment (previously after 26 weeks) and increased the maximum number of requests per year from one to two. Employers must respond to requests within two months and can only refuse on one of eight statutory grounds. The security side handles endpoint controls, network expectations, physical security at home, and data handling — all the operational consequences of personal data being processed outside the office. Both halves of the policy must be present for it to work; a policy that addresses only flexible-working requests is HR-complete but security-incomplete, and vice versa.

Who needs a UK remote working policy?

Quick answer. Every UK employer with remote, hybrid, or flexible workers — which post-2020 means almost every UK SME above 10 employees. Particularly critical for: ISO 27001 candidates (auditor checks A.6.7 evidence), regulated firms (FCA SYSC 4 requires home-working controls), employers with EU-resident remote workers (cross-border tax + employment implications), and any employer wanting to handle flexible-working requests defensibly under the new Act.

The Flexible Working Act 2023 made the policy effectively mandatory for any UK employer. The new day-one right means a flexible-working request can land in week 1 of employment; without a documented procedure to handle it, employers face procedural-fairness challenges. ACAS publishes a Code of Practice on flexible working requests that tribunals consider when ruling on disputes. Beyond the HR side, ISO 27001-pursuing organisations face explicit Annex A.6.7 evidence requirements at audit. FCA SYSC 4 requires regulated firms to maintain controls over remote-working arrangements that handle client data. Cross-border remote workers (UK employee living in EU, or vice versa) add tax-residency and posted-worker complications that the policy must reference even if it doesn't solve. The single biggest gap we see is policies that handle one half (HR or security) but not both.

What must a UK remote working policy include?

Quick answer. Eight clauses: scope and eligibility (which roles, contract types, locations are covered), the flexible working request process per Flexible Working Act 2023, security baseline (encryption, MFA, antivirus, network expectations), data handling rules (no public Wi-Fi for personal data, no sensitive data on personal devices), expense reimbursement and HMRC tax position, working time and rest break compliance, performance management approach for remote staff, and termination/leaver procedures (device return, account revocation).

• Scope and eligibility — which roles, contract types, and locations are covered — description with citation.
• Flexible working request process per Flexible Working Act 2023 — day-1 right, 2-month decision window, 8 statutory grounds for refusal — description with citation.
• Security baseline — encryption, MFA, antivirus, OS update window, network expectations (per ISO 27001 A.6.7) — description with citation.
• Data handling rules — no public Wi-Fi for personal data, no sensitive data on personal devices, clear-screen at home — description with citation.
• Expense reimbursement and HMRC tax position (homeworking allowance, equipment provision) — description with citation.
• Working time and rest break compliance — Working Time Regulations 1998 applies regardless of location — description with citation.
• Performance management approach — output-based measurement, regular check-ins, no covert monitoring — description with citation.
• Termination and leaver procedures — device return, account revocation, data deletion certification — description with citation.

How does this map to UK hr regulation?

Quick answer. The policy bridges three regulatory regimes: Flexible Working Act 2023 + ACAS Code of Practice for the HR side; ISO 27001 Annex A.6.7 for security; UK GDPR Article 32 for data protection during home working. FCA SYSC 4 adds sector-specific controls for regulated firms.

The policy must satisfy all three regimes simultaneously, which means HR and IT/security must collaborate on drafting. The most common drafting mistake is treating it as either an HR document (covers requests but ignores endpoints) or a security document (covers endpoints but ignores statutory request rights). When drafted well, the policy provides a single reference for: an employee asking how to request hybrid working (HR side); a manager deciding whether to grant the request (HR statutory grounds); the IT team setting up the laptop (security baseline); the auditor checking A.6.7 evidence (both sides). Cross-reference: this policy works alongside the information security policy, the access control policy (covered inside the information security policy), and the disciplinary policy (for handling breaches of remote-working rules).

Related UK hr resources

Frequently asked questions