Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Remote and hybrid work are here to stay for many Australian businesses. Whether your team works from home a few days a week or you operate fully remote, a clear work from home policy is now essential for setting expectations, meeting legal obligations, and keeping your people safe and productive.
A well-drafted policy doesn’t just help staff understand what’s expected - it also protects your business if a question or dispute arises later. From work hours and WHS checks to data security and equipment, the right policy brings structure to flexible work without losing flexibility.
In this guide, we’ll walk through what to include, how to stay compliant under Australian law, and the documents that should sit alongside your policy. By the end, you’ll have a practical checklist you can put into action right away.
What Is A Work From Home Policy?
A work from home policy (sometimes called a WFH or flexible work policy) explains the rules, processes and responsibilities for employees who perform work away from your usual workplace - typically from their home.
It should outline who’s eligible, how to request or approve arrangements, when employees need to be available, and what happens with things like equipment, expenses, data security, and health and safety. In short, it documents how your business will make remote work fair, consistent and compliant.
Why Should Employers Have A Work From Home Policy?
Managing remote work informally can quickly lead to confusion or risk. A written policy gives everyone clarity and helps you meet your obligations as an employer.
- Clarity for everyone: Staff know how to request WFH, their work hours and availability, the tools to use, and how performance will be reviewed.
- Legal compliance: A policy helps you address workplace health and safety duties, Fair Work requirements and privacy/security expectations.
- Consistency and fairness: Clear criteria reduce the risk of ad hoc decisions, favouritism or discrimination claims.
- Risk management: You can set standards for home office safety, data security and company equipment to reduce avoidable incidents.
Even if remote work is occasional, documenting how it’s done will save time, reduce misunderstandings and protect your business in the long run.
How Do I Create A Legally Compliant Work From Home Policy?
Every workplace is different, so resist the temptation to copy a generic template without tailoring it. Start by mapping your operational needs, then build a policy around Australia’s legal framework and your internal processes.
Step 1: Understand Your Legal Obligations In Australia
Several legal areas are relevant when staff work from home. At a minimum, consider:
- Work health and safety (WHS): Under state and territory WHS laws, you must do what’s reasonably practicable to ensure the health and safety of workers - even when the “workplace” is a home office. This usually includes risk assessments, ergonomic guidance, incident reporting and consultation with workers about safety.
- Fair Work Act 2009 (Cth): Employees may have the right to request flexible work arrangements in certain circumstances. Ordinary hours, breaks, overtime and record-keeping obligations continue to apply when staff work remotely, just as they do in the office.
- Privacy and data protection: The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) apply to APP entities (for example, most businesses with an annual turnover of $3 million or more, and some smaller businesses based on what they do). Many small businesses under $3 million are exempt, but there are important exceptions (e.g. health service providers, businesses that “trade in” personal information, or those handling tax file numbers). Even if you’re exempt, strong privacy and security practices remain essential and may be required by contracts with clients or suppliers.
- Employment contracts and awards: Your policy should support - not contradict - your Employment Contract, any enterprise agreement and the relevant modern award (if any). If shiftwork or overtime applies, clarify how it works when staff are at home.
Keep in mind there are also state and territory rules in areas like workplace surveillance (e.g. prior notice requirements) that may affect how you monitor work devices or communications. If in doubt, get advice before implementing monitoring or tracking tools.
Step 2: Decide What Your Policy Will Cover
Strong WFH policies answer the questions staff and managers ask most often. Consider including:
- Eligibility and scope: Which roles can work from home? Are there probation or performance criteria? Is the arrangement ad hoc, hybrid or fully remote?
- Request and approval process: How to apply, who approves, what factors you’ll consider (e.g. role requirements, customer needs, WHS suitability), and how long approvals last.
- Work hours and availability: Standard hours, core hours, breaks and expectations about responsiveness. Clarify how overtime is approved and recorded.
- Communication and collaboration: Which channels to use (e.g. email, Teams/Slack, phone), meeting etiquette (camera on/off), and expected check-ins with managers.
- Health, safety and incident reporting: How employees should set up a safe workspace, what checklists they must complete, and how to report hazards, injuries or near misses.
- Equipment and expenses: What the business provides (e.g. laptop, chair, peripherals), acceptable use rules, responsibility for maintenance, and if/when you reimburse expenses such as internet or phone.
- Data security and confidentiality: Access controls, password standards, multi-factor authentication, secure Wi‑Fi use, rules for printing at home, and restrictions on personal devices or shared household computers.
- Performance and output: How performance will be measured, what visibility managers need (without over-surveillance), and how underperformance will be addressed.
- Leave and unplanned changes: What to do if the home setup becomes unsafe or unavailable, and how sick leave, carer’s leave or emergencies are handled on WFH days.
- Review and return to office: When arrangements will be reviewed, notice periods for changes, and how to manage a temporary or permanent return to the office if required.
Step 3: Draft, Communicate And Review Your Policy
Once you’ve defined the scope, draft the policy in plain English and align it with your existing policies and contracts. If you already have a general Workplace Policy framework or staff handbook, ensure everything fits together logically.
Before rollout, consult with managers and seek feedback from staff where appropriate. Then communicate the policy clearly, offer training for managers, and store it somewhere easy to find - for example, inside your Staff Handbook. Schedule regular reviews (at least annually) and whenever there are changes to your operations, technology or the law.
What Documents Support A Work From Home Policy?
Your WFH policy is just one piece of your compliance stack. Most businesses will also need a set of supporting documents to manage risk in a remote or hybrid environment:
- Employment Contract: Confirms the terms and conditions of employment, and can refer to your WFH policy if it’s part of the role. Ensure your Employment Contract aligns with working hours, location and overtime rules for remote work.
- Privacy Policy: Explains how you collect, use and store personal information, including when staff are working remotely. Many businesses will require a Privacy Policy due to the nature of their activities or contractual commitments, even if the small business exemption might otherwise apply.
- Information Security Policy: Sets standards for passwords, access, encryption, remote access and device management. A clear Information Security Policy is essential where staff access systems off-site.
- Data Breach Response Plan: Details how you’ll respond to security incidents or potential privacy breaches. A documented Data Breach Response Plan helps you act quickly and meet notification duties if the Notifiable Data Breaches scheme applies to you.
- Acceptable Use Rules: This may be part of your IT policy or WFH policy, covering acceptable use of company equipment and systems, personal device restrictions and secure handling of information.
- Safety Checklists and Procedures: A home office self-assessment, hazard reporting and incident forms to help you meet WHS duties consistently across your teams.
- Staff Handbook: Brings all core policies together in one place, making it easier for people to follow them as they move between home and office. Consider compiling your policies into a coherent Staff Handbook.
Depending on your industry, you may also need specialist policies (for example, health data handling or sector‑specific security controls). If clients impose security standards, bake those requirements into your policies and onboarding.
Common Legal Issues And How To Avoid Them
Remote work doesn’t remove your obligations - it changes how you meet them. Here are common pitfalls and practical ways to stay on track.
1) WHS Gaps At The Home Office
Risk: If you don’t consider the home as a workplace, you can miss hazards like poor ergonomics, trip risks, or psychosocial hazards such as isolation and unreasonable workloads.
What to do: Require a home office self‑assessment, provide ergonomic guidance, and set a simple incident reporting process. Encourage regular breaks and discussion about workload and wellbeing as part of your ongoing duty of care.
2) Unclear Hours, Overtime And Record-Keeping
Risk: Without clarity on hours, core availability and overtime approvals, you can run into underpayment risks or burnout from after-hours emails.
What to do: Define standard hours, core hours (if any), break times and how to request or approve overtime. Ensure accurate timekeeping for award-covered staff. Reinforce that employees should not work additional hours unless approved and reasonable.
3) Weak Data Security And Confidentiality
Risk: Remote access can expose your systems to insecure Wi‑Fi, shared household devices, or careless printing and disposal practices.
What to do: Roll out multi-factor authentication, secure VPNs, device encryption and clear rules against using personal devices without approval. Your Information Security Policy and WFH policy should work together to set minimum standards for remote access, storage and sharing.
4) Assuming The Privacy Act Doesn’t Apply
Risk: Some small businesses are exempt from the APPs, but many are not - and certain activities (like providing health services or trading in personal information) remove the exemption. Client contracts often impose privacy obligations regardless.
What to do: Assess whether you’re an APP entity, and implement privacy practices appropriate to your risk profile. A practical Privacy Policy and staff training on secure handling of personal information are smart moves even if you’re technically exempt.
5) Over-Surveillance Without Notice
Risk: Monitoring tools can help manage remote performance and security, but state or territory workplace surveillance laws may require prior written notice or consent (for example, in NSW and the ACT), and overly intrusive monitoring can damage trust.
What to do: Be transparent about what you monitor and why, give required notices, and limit monitoring to what’s reasonably necessary for safety, compliance and performance.
6) Policies That Don’t Match Contracts (Or Reality)
Risk: If your policy conflicts with the Employment Contract or the relevant award, or you don’t follow your own procedures, you increase the risk of disputes.
What to do: Make sure your policies align with your contracts and that managers apply them consistently. Train leaders on how to approve requests, manage workloads and document decisions.
What Should I Include In The Policy? (A Practical Checklist)
Use this checklist to shape a policy that’s clear, fair and aligned with Australian law. Tailor each point to your business and workforce.
- Purpose and scope: Why the policy exists, who it covers, and how it applies to hybrid or full-time remote roles.
- Eligibility criteria: Role types, performance expectations, and any exclusion periods (e.g. during probation).
- Application and approval: Forms to complete, assessment criteria, decision-maker, review dates and renewal process.
- Work location and setup: Suitable workspace requirements, WHS self-assessment, and a process for addressing hazards.
- Work hours and breaks: Standard hours, core hours, breaks, overtime approvals and timekeeping.
- Communication expectations: Tools to use, meeting etiquette, and response expectations (while avoiding unreasonable after-hours contact).
- Security and confidentiality: Device standards, MFA/VPN, secure Wi‑Fi, storage and disposal, printing restrictions, and rules for personal devices.
- Equipment and expenses: What the business supplies, what’s BYO, care and return of equipment, and reimbursable costs (if any).
- Performance and conduct: Output measures, support, feedback and how any underperformance will be handled.
- Leave and availability: How to report illness, emergencies or caring responsibilities on WFH days.
- Monitoring and privacy: Any workplace surveillance, notice requirements, and reference to your privacy and IT policies.
- Review and changes: When arrangements are reviewed and how you’ll give notice of changes or a return to office.
- Reference documents: Cross-refer to your Privacy Policy, Information Security Policy, Data Breach Response Plan and Staff Handbook so staff can find the details easily.
It’s also helpful to embed short, practical tools alongside your policy - for example, a home office setup checklist, incident form, and a one-page summary for managers.
Best Practices For Rolling Out Your WFH Policy
- Lead with safety: Provide ergonomic guidance and encourage proactive reporting of hazards or injuries - whether at home or on-site.
- Train your managers: Give leaders practical scripts and templates for approving requests, checking workloads and documenting decisions fairly.
- Standardise your tools: Choose core communication and collaboration tools so teams don’t splinter across platforms.
- Keep security simple: Use strong default settings (MFA on by default, device encryption, automatic screen locks) so compliance is easy for staff.
- Prepare for incidents: Test your Data Breach Response Plan and rehearse who does what if a laptop is lost or an account is compromised.
- Review regularly: Revisit your policy at least annually or when your operations, systems or laws change, and version-control updates in your Staff Handbook.
Key Takeaways
- A work from home policy makes flexible work clear, fair and compliant - covering eligibility, approvals, hours, safety, equipment and security.
- Your WHS duties apply at the home office too, so include risk assessments, ergonomic guidance and simple incident reporting.
- Fair Work obligations still apply remotely: set clear hours and overtime approvals, and keep accurate records.
- Privacy law applies to APP entities and some small businesses (depending on activities); in any case, practical safeguards like a Privacy Policy and Information Security Policy are essential.
- Align your policy with contracts and supporting documents, including your Employment Contract and Data Breach Response Plan.
- Communicate the policy, train managers and review it regularly so it keeps pace with your business and the law.
If you’d like a consultation on creating or updating your work from home policy, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.








