Working from Home Policy (Hong Kong)

A Working from Home Policy in Hong Kong sets out the standards and procedures the organisation expects its people to follow.

Hong Kong employers experienced significant growth in remote and hybrid working arrangements from 2020 onwards, and many have since adopted permanent hybrid models. A written Working from Home Policy is the foundation of a compliant hybrid working programme. Without a written policy, hybrid arrangements are legally ambiguous — employees may claim that informal WFH practices have crystallised into contractual entitlements, and the employer cannot demonstrate compliance with data security and OSH obligations if the Office of the Privacy Commissioner for Personal Data (PCPD) or the Labour Department investigates.

Under the Personal Data (Privacy) Ordinance (Cap. 486), the employer's duties as a data user under the six Data Protection Principles (DPPs) continue in full regardless of where employees perform their work. Data Protection Principle 4 under Schedule 1 of Cap. 486 (Data Security) requires the employer to take all practicable steps to protect personal data — of clients, customers, and colleagues — against unauthorised or accidental access, processing, erasure, loss, or use. When employees work from home, this obligation requires secure VPN connections for accessing company systems, encrypted and password-protected devices, prohibition on using personal email accounts for work data, and proper handling and destruction of physical documents containing personal data. The Office of the Privacy Commissioner for Personal Data (PCPD) has published specific guidance on data security in remote working environments that employers should incorporate into their policy.

Under the Occupational Safety and Health Ordinance (Cap. 509), Section 6 imposes a general duty on every employer to protect, as far as reasonably practicable, the safety and health at work of all its employees — and this duty extends to work performed at home. The Labour Department has acknowledged enforcement challenges in private homes, but employers who provide a home workstation self-assessment checklist, ergonomic equipment guidance, Display Screen Equipment (DSE) advice, and regular health and safety training demonstrate reasonable compliance. Section 4 of the Employees' Compensation Ordinance (Cap. 282) requires employers to maintain compensation insurance covering employees — this coverage extends to injuries sustained while working from home if they arise out of and in the course of employment. The Employment Ordinance (Cap. 57) governs the employment relationship, and Section 32 of Cap. 57 sets out the requirement to give reasonable notice before materially varying employment terms.

Employer monitoring of home-working employees — through IT system access logs, email monitoring, productivity software, or video calls — is subject to restrictions under Cap. 486. All monitoring activities must be disclosed to employees in advance under Data Protection Principle 1 of Schedule 1 of Cap. 486, and the extent of monitoring must be proportionate to the legitimate business purpose. Covert monitoring of home-working employees is particularly difficult to justify. The PCPD's guidance on employee monitoring applies equally in remote working contexts, and the policy must address monitoring transparently. The Inland Revenue Department (IRD) administers the salaries tax framework under the Inland Revenue Ordinance (Cap. 112), and any home office expense allowance paid by the employer may have tax implications for employees. Download this Working from Home Policy template free on forms-legal.com in PDF or Word format.

A Working from Home Policy (Hong Kong) is needed when a company formally adopts or expands remote or hybrid working arrangements for its employees. Several circumstances require this document to properly manage legal obligations and operational expectations.

Companies introducing hybrid working arrangements for the first time — designating certain days as work-from-home days across all or selected teams — need a written policy to define eligibility criteria, the maximum number of approved WFH days per week or month, core hours during which employees must be reachable, and the manager approval process. Without a written policy, hybrid arrangements create inconsistency between departments and legitimate employee claims that the informal WFH practice has crystallised into a contractual entitlement that cannot be withdrawn without consent.

Companies that already have informal WFH arrangements — employees working from home by verbal agreement without any formal framework — should formalise the position with a written policy immediately. Informal arrangements do not reduce legal risk under the Personal Data (Privacy) Ordinance (Cap. 486) or the Occupational Safety and Health Ordinance (Cap. 509); they simply mean the employer has failed to document how it is managing those risks and cannot demonstrate compliance if the PCPD or the Labour Department conducts an investigation.

Following a data security incident arising from remote working — such as an employee leaving a work laptop containing client personal data on public transport, or a phishing attack succeeding because an employee was using an unsecured home Wi-Fi network — a Working from Home Policy update is typically required as part of the PCPD investigation response, data breach notification process, or insurance claim documentation. The PCPD's enforcement notices following data breach investigations frequently require organisations to implement or update remote working data security policies.

Companies expanding their workforce internationally — hiring remote employees in other jurisdictions while maintaining a Hong Kong headquarters — need a WFH policy that addresses cross-border data transfer implications under Cap. 486, as personal data processed by remote workers abroad may engage additional requirements.

Companies that provide employees with company-owned laptops, mobile phones, monitors, or other devices for home use must address the ownership, acceptable use, data security obligations, and return of those devices in a written policy. The policy provides the contractual basis for requiring return of all equipment on termination of employment, and for monitoring usage of company-issued devices. Without a written policy, device ownership disputes and data security liability are significantly harder to manage.

The policy should be issued to all employees who work from home, signed as an acknowledgement of their legal and operational obligations, and incorporated by reference into the employment contract or the company's staff handbook. Annual reissuance with updated signatures is recommended to maintain the policy's currency and enforceability.

A well-drafted Working from Home Policy for Hong Kong employers should include the following elements to address legal obligations and operational requirements.

Eligibility and approval: Which roles and employees are eligible for WFH arrangements, the maximum number of WFH days per week or month, the approval process (line manager and HR sign-off), and the grounds on which WFH approval may be withdrawn — for example, performance issues, data security concerns, or business requirements.

Core hours and availability: The hours during which WFH employees must be available for meetings and communications, and the standards for response times. Core hours should reflect the employer's operational needs and should not effectively require employees to work more than their contracted hours.

Equipment and technical requirements: What equipment the employer provides (laptop, monitor, keyboard, mouse, VPN token), what the employee must provide (adequate home broadband, a private workspace), and the employer's acceptable use and return policy for company-issued equipment. Equipment provided for home use remains company property and must comply with the IT security policy.

Data security obligations: Specific requirements reflecting the employer's duties as a data user under PDPO (Cap. 486) — mandatory use of VPN when accessing company systems, prohibition on using personal email for work data, secure storage and destruction of physical documents, and prohibition on accessing company data on personal devices unless authorised. Reference to DPP 4 (Data Security) and the PCPD's remote working guidance.

Health and safety: Reference to the employer's obligation under Cap. 509 and the requirement for employees to complete a home workstation self-assessment checklist. Guidance on ergonomic workstation setup, screen time breaks, and reporting of home-working injuries. Confirmation that employees' compensation insurance under Cap. 282 extends to home working injuries.

Expense reimbursement: Whether the employer pays a monthly home office allowance, reimburses specific documented expenses, or provides no additional payment. Tax treatment under IRD salaries tax rules should be noted.

Monitoring: Disclosure of any monitoring activities — IT system access logs, email monitoring, productivity software — as required for PDPO compliance. The policy should specify the purpose and scope of monitoring. Download this Working from Home Policy template on forms-legal.com in PDF or Word format.

Termination of WFH arrangements: The policy must address how and when WFH arrangements may be withdrawn — for example, if the employee's performance deteriorates, if a data security breach occurs, if the nature of the role changes, or if the business requires full-time office attendance. The Employment Ordinance (Cap. 57) requires reasonable notice before materially changing employment terms; if WFH has become a contractual entitlement, the employer may need the employee's written consent or to provide contractual notice before withdrawing the arrangement. The policy should clarify whether WFH is a discretionary privilege revocable at management's discretion or a contractual benefit requiring mutual agreement to change.

Policy acknowledgement and compliance: Every employee covered by the policy should sign and return an acknowledgement form confirming they have read, understood, and agree to comply with the policy. The acknowledgement is particularly important for the data security and OSH provisions — it creates a documented record of the employer's notification obligation under Data Protection Principle 1 of Cap. 486 and confirms the employee's awareness of their obligations under Cap. 509. Policy updates should be accompanied by a new acknowledgement. The employer's HR records should contain a copy of each employee's signed acknowledgement.