AI Summarize

Share

Remote work is becoming increasingly common, and takes place both within one country as well as across borders. It can be flexible for employees, and helps employers to find talent further afield.

However, remote work also creates privacy and security challenges, as well as questions around which labour, health and safety, or employment laws apply. It's important to ensure that you have a remote work policy that is legally compliant, clear, informative, and agreed to by your employees.

This article will cover what remote work policies are, their benefits and risks, how privacy laws affect remote work policies, how employment laws should be considered, and what your remote work policy should cover to stay compliant.

Let's begin.


What are Remote Work Policies?

A remote work policy is a type of legal or formal document that explains the rules for when your employees work remotely. This type of policy would cover which of your employees are allowed to work remotely, on what days (e.g. how many days per week), during which times, security and privacy issues, as well as computer equipment use or protocols.

If you allow your employees to work remotely, you need to make sure your remote work policy is clear, easy to understand and implement, consistent with other policies, and legally compliant. In particular, privacy and security measures need to be considered carefully, as the impacts can be big if there are compliance problems.

What are the Benefits of Remote Work Policies?

Despite some of the challenges with setting up a remote work policy, remote work can have a number of benefits, including flexibility, remote worker and talent acquisition, cost savings, and increased productivity.

For example, if you have a remote work policy, you can find employees in other countries, your employees can save time on commuting, and flexibility can help you to attract a wider range of workers who could help your business to succeed.

A good remote work policy makes sure that any remote workers you have know what is required of them, and ensures that privacy and security compliance issues don't arise. A clear policy is one way that you can educate your employees about regulatory and compliance rules they have to follow.

What are the Risks of Remote Work Policies?

Having a remote work policy also comes with some risks. Most risks relate to security and privacy issues, as well as legal issues around which jurisdiction covers employment, tax, and health and safety laws.

If remote workers are in another jurisdiction, you may need to apply the laws of another country or state to ensure their employment rights are upheld.

In addition, employee devices at home, such as personal computers and cellphones, or the use of work computers on private home networks, can introduce security issues and more vulnerability to attacks.

Privacy issues can also arise when employees have access to the personal information of clients or customers, from home devices. Considering the privacy issues, labour law issues, and the compliance risks of remote work policies are important first steps when drafting one.

Let's take a look at compliance issues now.

How Do Privacy Laws Affect Remote Work Policies?

Privacy laws around the world regulate how personal data should be collected, processed, transferred, shared, and stored.

This includes the General Data Protection Regulation (GDPR) in Europe, the UK General Data Protection Regulation (UK GDPR) in the UK, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) in the US, and many others.

These laws vary in their specifics, but compliance obligations for remote workers will arise in most privacy laws, whether relating to the use of customer or client information from home settings, or the collection of private employee data during their work.

GDPR

The General Data Protection Regulation (GDPR) is one of the world's strictest privacy laws. If you are collecting or processing the data of people in the EU, you'll need to comply.

Article 32 of the GDPR requires you to keep data secure in a number of ways that will affect how you implement your remote work policy.

In particular, it requires that you implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk" of data processing. In the section below you can see some of the specifics:

GDPR Article 32: Technical and organisational measures are required

This means, when you are collecting the personal data of someone, you need to protect it with technical measures as well as other measures, such as policies and organisational practices. These include:

  • Using pseudonymisation and encryption
  • Ensuring ongoing confidentiality, integrity, availability and resilience of systems
  • The ability to restore the availability and access to personal data if an incident happens
  • Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures

In addition, the GDPR requires you to keep records of data processing activities, and you may need to appoint a Data Protection Officer (DPO) depending on your business. This would be the case, for example, if your business deals with large amounts of sensitive data, such as health data. For these scenarios, you should consider whether remote work is an appropriate choice for your employees.

UK GDPR

The UK GDPR is the UK's implementation of the EU law. It contains national-level requirements that show how the GDPR works in practice.

For example, the GDPR requires you to carry out Data Protection Impact Assessments (DPIAs) to determine the risk of processing. Under the UK GDPR, a failure to carry out a DPIA when necessary, can result in a fine of up to £8.7 million, or 2% global annual turnover.

Below you can see information from the ICO about DPIAs, and the additional wording about technical and organisational measures, like in the GDPR:

UK ICO: Why DPIA are important

When you set up a remote work policy you may need to carry out a DPIA process to help you determine the risks of having one, as your employees could be processing sensitive data on unsecured home networks.

These types of requirements are contained in national implementations of the GDPR, and are enforced by Data Protection Authorities such as the UK Information Commissioner's Office.

CCPA and CPRA

In the US, there is no Federal level privacy law. Instead, state laws govern how personal data is dealt with. In California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are laws that apply if you are collecting the information of California residents.

These laws contain rules on data minimization (collecting only what is necessary), as well as requirements to inform customers on the information collected, purposes of collection, the sharing or sale of data, the length of time personal information will be kept, and so on.

Under the CCPA/CPRA, you must also "implement reasonable security procedures and practices appropriate to the nature of the personal information" that you are collecting. This is stated in 1798.100 (e) of the CCPA below:

US CCPA or CPRA: Reasonable security procedures

There are a number of steps you can take, and requirements that you need to include in your remote work policy, to ensure that "reasonable security procedures and practices" are carried out. These steps will be similar to what is required for "appropriate technical and organisational measures" under the GDPR.

Cross-Border Challenges

When working with employees remotely, you could run into issues with cross-border data transfers. For example, if you are a company based in the EU but you have employees in the US, you will need to consider data transfer restrictions or rules in the GDPR.

For example, for EU-US transfers, such as to US-based employees or services, you'll need to use Standard Contractual Clauses (SCCs). For other countries, you also need to check whether there are any adequacy decisions that have been made. Adequacy decisions are made by the European Commission, and determine whether another country has sufficient privacy and security protections in place for personal data.

When transferring data through remote work practices, you also need to make sure that security measures such as encryption are applied.

Be careful when using remote work tools such as Zoom, Slack, or Google Workspace, as these tools can be considered as transferring data through the use of their servers.

Cross-border issues with remote work can also lead to conflicts in privacy laws that apply.

Now we'll take a brief look at labour laws that are also relevant to remote work policies, and what factors you need to consider if you have remote employees.

What Labour Laws Are Relevant to Remote Work Policies?

In addition to privacy laws, you also need to consider labour laws. Remote workers across jurisdictions can trigger local employment, tax, and IP compliance issues.

You also need to consider wage and hour laws for remote workers, including their ability to take breaks. Health and safety issues can also arise with remote work, such as work injuries caused by a poor ergonomic set up.

In the United States, laws like the Fair Labor Standards Act (FLSA) can apply, as well as state laws like the Industrial Welfare Commission (IWC) Wage Orders and the California Labor Code. In the EU you'll need to consider laws like the Working Time Directive, which sets out appropriate working conditions.

Tax and Employment Laws

If you employ remote workers in other jurisdictions, you need to be careful that you don't accidentally establish a "permanent" establishment in that jurisdiction. This happens when you have employees in a particular country, and the government considers you subject to the local tax and employment laws.

You need to consider what jurisdiction applies to your remote workers, in terms of where they are taxed and what employment laws apply to them.

In the EU, for instance, the Posted Workers Directive sets out that employees in other EU countries are subject to the country's laws where they are employed, not where they are based. However, the Posted Workers Directive also sets out that employees can instead rely on the employment laws of the host country if they are "more favourable", as you can see below:

Posted Workers Directive: Labour Laws based on Employer Country

In the US, each state has different employment and tax laws. You'll need to consider which state's laws apply to your employees, whether that's the state you are based in, or where your employees are.

Now let's take a look at other kinds of labour laws.

Health and Safety Laws

Health and safety laws are also very important for remote workers. Crucially, allowing remote work does not remove your responsibility to ensure a safe working environment, even if your employees are at home.

For example, the European Framework Agreement on Telework sets out that the "employer is responsible for the health and safety at work of his/her employees, irrespective of where this work is performed", as you can see below:

European Framework Agreement on Telework: Employer is responsible for health and safety of workers

Part of these requirements for remote workers mean ensuring that employees have ergonomic set ups for desks and chairs, appropriate screen distance, and back and wrist support.

Hour and Wage Laws

In addition, hour and wage laws from your own country or the country of your remote workers may apply. These laws relate to things like working hours, overtime, permitted or mandatory breaks, and pay entitlements.

For instance, in the US, the Fair Labor Standards Act (FLSA) requires that employees be paid at least minimum wage and receive overtime pay for hours worked over 40 hours per week. These work hours have to be tracked accurately, even if employees are working from home.

Another example is the IWC Wage Orders in California, which set out rules around meals, rest times, and additional requirements. Remote employees are also entitled to the protections the IWC Wage Orders provide. For example, you can see below the requirements for rest breaks:

IWC Wage Orders: California Rest Periods

For tracking these breaks for remote workers, you can use time-tracking technologies and other approaches to ensure that your employees work an appropriate number of hours, and take necessary breaks.

In the section below we'll go through what topics you need to cover in your remote work policy to comply with privacy and labour laws, as well as other sections that you should include in your policy.

What Should Your Remote Work Policy Cover?

Your remote work policy should cover a number of key sections to make sure that the policy is clear, effective, and compliant. The sections you need to include are:

  • Eligibility for remote work
  • Workspace and equipment requirements
  • Security and privacy measures
  • Performance metrics
  • Non-compliance

You also need to make sure that you get clear agreement to your remote work policy, ideally with a signed document from your employees. This helps to make sure that they are aware of expectations, and are more likely to comply.

Let's take a look at the content now.

Eligibility for Remote Work

First, your remote work policy needs to cover eligibility for remote work. This section should cover who is allowed to work remotely, and any conditions, such as set working hours or days. This section should also specify if remote working is always allowed, hybrid only, or a rare occurrence.

Here's one example from the Hunt Electric Corporation:

Hunt Electric Corporation Work Policy: Employees Work Hours

In this example you can see that only certain employees are eligible for remote work, and that the work hours for all employees must be between 6am and 6pm.

Here's another example from the town of Southborough:

Southborough Work Policy: Conditions for remote work

Here you can see that there is a difference between occasional remote work, and routine remote work. Most companies have different policies and approaches for occasional instances and permanent remote conditions.

Consider what is appropriate for your business, and make sure that your policy outlines the conditions clearly for each.

Workspace and Equipment Requirements

Your remote work policy also needs to set out any requirements that you have for workspaces or equipment. This should cover whether equipment is provided by your business, or whether the employee should use their own device. If they should use their own device, you also need to set up a Bring Your Own Device (BYOD) policy.

Here's an example from the Minnesota State Government about equipment:

Minnesota State Government Work Policy: Equipment and Materials

You can see that there are policies that apply to both agency-provided equipment, and employee-owned equipment. Here's another example from the Toronto City Government that outlines the workspace requirements:

Toronto City Government Work Policy: Workspace Requirements

In this example you can see that health and safety considerations are also important. When workers are working remotely, you need to make sure they know how to set up a safe and appropriate workspace.

Security and Privacy Compliance Measures

In addition, security and privacy compliance measures are particularly important.

To comply with relevant laws such as the GDPR or CCPA/CPRA when allowing remote work practices, you need to create data security processes such as encryption, the use of virtual private networks (VPNs), secure storage, access controls, consent management, auditing and system testing, as well as incident and breach response processes.

You also need to ensure that all remote devices are required to use encryption. First, the hard drives of Android, iOS, macOS, and Windows devices can all be encrypted. In addition, saved files e.g. through Microsoft Word, can also be encrypted. Employees should use firewalls, password management, and proxy servers when necessary.

Here's an example from the Toronto City Government:

Toronto City Government Work Policy: Employees data security requirements

In this example you can see that employees are required to maintain data security practices, not share information outside of the company, and only use approved applications and tools. Information must also be secured, protected, and managed in line with privacy guidelines. Breaches also must be immediately reported.

Here's another example from Climate Explorers:

Climate Explores Work Policy: Security of Data and GDPR principles when working remotely

In this example you can see other security and privacy practices, such as taking into account GDPR principles, locking devices, using encryption, protecting passwords, PINs, and keys, safeguarding company information, and understanding digital risks.

Here's another example from the University of North Carolina at Pembroke:

University of North Carolina Pembroke Work Policy: Data Security for Employees

In this example note in section 6.3 that employees have to complete a remote work module that educates them about security policies, data handling, and information security. Approaches like this, such as educating your employees, make sure that they are well-informed about what is expected of them and how to carry it out.

The University of North Carolina at Pembroke also provides a separate remote work plan and agreement, in which employees have to agree that they have read and understood the remote work policy.

University of North Carolina Pembroke Work Policy: Remote Work Plan

You can see that the agreement is required to be signed and dated. This is another measure that you can take to ensure compliance, and make sure that employees are aware that their obligations should be taken seriously.

Performance Metrics

Your policy also needs to cover performance metrics, or issues that could arise in relation to performance and remote work. This could be, for example, specifying if you have core hours during which employees should be available for messages or calls.

Here's an example from Hubspot:

Hubspot Work Policy: Responsiveness

Here you can see, for example, that responsiveness is required during working hours, which are set at 6am to 9pm. There are separate rules for phone and video calls, as well as Slack messages. For remote employees, make sure performance expectations and behaviour expectations are clear, so you don't run into employment disputes or issues.

Non-Compliance

Finally, your remote work policy also needs to cover the consequences for non-compliance. It should also outline what happens if permission for remote work practices is withdrawn.

Here's an example from Hubspot:

Hubspot Work Policy: Termination of Remote Privileges

You can see that if remote working agreements will be terminated, in this case 30 days notice will be provided. In addition, non-compliance with the remote work policy is potential grounds for the termination of employment. Here's another example from the Toronto City Government, which takes a similar approach:

Toronto City Government Work Policy: Provision for Non-Compliance with Policy

If your policy outlines the consequences for termination, and sets strict penalties such as termination as a possible result of non-compliance, employees know that the details of the policy are important.

Summary

A good remote work policy is an important part of managing your employees, particularly in relation to labour laws, privacy and security compliance issues. Your policy needs to outline eligibility, equipment rules, health and safety issues, performance metrics, non-compliance consequences, and most importantly, privacy and security considerations.

Stay aware of any changes to privacy or labour laws that could affect your policy, and make sure you get clear agreement from your employees before they begin remote work.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy