Hybrid Working – What Are The Employment And Digital Pitfalls?

James Tumbridge and Paul Strelitz

Workplace attendance and hybrid working has many opinions, and no consensus. The purpose of this short article is to highlight (i) the importance of its consideration by almost all employers; (ii) the legal framework within which it operates; and (iii) important legal considerations outside of 'pure' employment law matters, such as your data and cyber security.

Before the COVID pandemic, policy-based homeworking or hybrid working for an organisation was largely the product of a few select employers either wishing to widen the recruitable talent pool or who were more readily affected by external disruption (be that weather or transport strikes all the way up to critical functions that needed to be disruptor-proof). Those that sought to work regularly away from an office also had to have the IT set up to enable it, but advances in remote working technology have made it far easier than it once was. It will not have escaped the notice of any reader that the position on the amount of hybrid working since 2020 is very different.

According to Fortune and NewtonX's poll; 63% of high growth companies are working hybrid, with many preferring working remotely with flexible onsite workdays. Accenture published a report with similar findings, based on a global survey of more than 9,000 workers across industries, where they report that 83% of respondents said a hybrid model is 'optimal'. In 2024 the City of London published the findings of their staff survey with 77% responding negatively to being required to attend more than 3 days a week in an office.

The challenge presented on this issue notably spans across sectors. In London some public sector organisations have now mandated attendance and others range from 1-3 days' mandatory attendance a week. Although it is perhaps of note that no London Borough requires more than 3 days in the office at present with 47% of them having no attendance requirement at all and 84% have attendance requirements of less than 3 days a week. The private sector sees a similar range of attendance requirements: Starling Bank, Deloitte, Unilever and Nat West are reported to have no mandated attendance in office, Google and Tesco require 3 days attendance per week with Goldman Sachs and Barclays requiring 5 days' attendance in office per week. According to a September 2023 report by Ipsos, Karian and Box, 3 days of office based work per week is now considered optimal.

Clearly workers like a mix of office and non-office based time, but does it work for your business? It certainly isn't all positives, as we will discuss below from a cyber security point of view, but we will also offer views on why more office based days are hard to enforce if an employee requests flexible working.

Non-employment law aspects to consider

Typical concerns with hybrid working relate to the challenges of building and maintaining relationships between staff, the loss of collaboration and the sparking of new ideas and the challenges of training junior staff. Hybrid working also requires good technology enablement and issues with your IT will greatly inhibit work. The hybrid model's reliance on remote access also significantly heightens security risks, and data breaches are more likely with dispersed access points, indeed your IT security is only as good as the home set ups.

One of the greatest risks to business is their cyber security. Historically the conversations on this focused on; data breaches, like the loss of customer banking information. Whilst that risk remains, we are also seeing growth in disruption of service attacks on businesses, often against businesses that thought they had minimal data risks. For example; a food wholesaler, where they have limited personal data, but their inventory data as to what is in the warehouse is key. If the ability to ask your system what stock you have is lost, that is very painful, and now cyber-attacks are often of that nature. Interfering with your business and demanding a payment to restore access to your systems. This coupled with the embarrassment and damage to reputation of a cyber-attack that stops your business functioning, or the exposure of data onto the web, is a concern no one should ignore in today's inter-connected digital world.

Regrettably once you have remote workers your cyber security arrangements and digital compliance are often only as good as a person's home set up and their memory of how to treat data. Working remotely changes your risk profile and there are several different types of data breaches and cyber-attacks that might affect you. We profile common issues in this article, that you should consider. In order to address them and de-risk, you may need a combination of legal advice and policy/contracts alongside improved IT systems.

1. Risk Based on End User Access Points – With a traditional in office system, you have limited places an attack could occur via the internet connection, but with a dispersed work force each remote worker's home is a potential point of attack. You need to think about the apportionment of liability and risk between the business and the worker, and ask who is responsible for what aspect of the cyber-security system? The dispersed work force means more endpoint devices, networking connections and software to secure. You therefore need to think about what software security you have in place, can you improve the security of your business and its data? Don't forget that remote work increases the chance that employees use unsecured networks, such as public Wi-Fi, and home networks are also vulnerable to attacks.
2. Line Management and Oversight – Do you have any ability to monitor what your employees are doing when working remotely? Are they using your devices or their own? What settings do you have to monitor what software is downloaded, and what data is being shared? There are many software solutions to monitor or prevent downloading to devices, so you should consider what is the right approach for your business. The 2024 Work Trend Index from Microsoft and LinkedIn which surveyed 31,000 people across 31 countries, suggests your staff might be using AI whether you asked them to or not. Apparently 75-78% of staff are bringing their own use of AI into their work. The worrying thing is that 89% of respondents said they would work around cyber security settings to use AI/meet a business demand. Data loss due to remote work is a real problem, and people sometimes pay less attention to their organisations policies when away from the collective work environment of an office. There are also non-technical issues, if your worker shares their home with others. Do you know what jobs the co-habitees have, could they see something they should not on a screen while your worker is online? If you are in a regulated business, ask yourself, what is the regulatory expectation and the precautions/risk analysis you should take?
3. Personal Data and Digital Regulation -Remote workers can access and share data in ways that might breach data protection laws, and contractual obligations. You need to be asking yourself key questions when you allow flexible/hybrid working: Have you considered if you gave contractual promises not to process data somewhere where your employee is now based? Have you promised a certain minimum level of security that home working cannot meet?
4. Vulnerable hardware – You should ask yourself if your employee is taking suitable precautions with the physical devices they use for their work. Are they locking down their device when not in use? Do the devices have password protections, can you remotely monitor the device location? What if they are burgled and the device is stolen, is the data on the local device at risk? Adequate protection of laptops and smartphones, plus suitable insurance not only for the device but the cyber risk all need to be considered.
5. How secure is your document sharing and video conference? Cyber attackers can exploit the increased use of video conferencing and platforms designed to share and edit documents. If the access to a meeting or documents goes undetected on Zoom and other platforms to obtain information to use to their advantage. You can reduce your risk with contracts, liability apportionment, insurance and enhanced IT security – but you need to decide what suits your business and its risks. Once you take all these points into consideration, you need to think about whether you are able to comply with your contractual obligations, and the law covering; Data Protection (GDPR), e-privacy and communications (PECR) and coming laws and regulation following the development of things like the AI Convention/Treaty and the EU AI Act. Digital compliance is growing, and you need to consider what risks you have and how hybrid working impacts them.

Employment law considerations

There was a time when the decision on whether a person could work on a hybrid basis was purely for the employer, but in the UK that is no longer true. The legal framework in the UK today has evolved into what is called 'flexible working.' Prior to 2002 there was no right for an employee to request flexible working, but it arrived with the Employment Act 2002, which amended the Employment Rights Act 1996, with the employer having a stronger say than the employee on whether it would happen. Today the range of requests has expanded so that an employee can request shorter hours, flexible days and home working. The balance has also shifted further in favour of the requesting party with employers only being permitted to refuse a request on limited statutory grounds where they can show reasonableness.

The statutory provisions on flexible working predominately are in Part VIIIA of the Employment Rights Act 1996 and the Flexible Working Regulations 2014 as modified. From April 6^th 2024 employees' rights (these provisions do not apply to self-employed contractors, consultants or agency workers unless they are returning from parental leave) have enhanced, so that they may make a request from day one of their employment for any reason to be a flexi-worker if it relates to (i) a change in their hours; (ii) a change to the times when they are required to work; or (iii) a change in their place of work including their home. To the astute, those three anodyne categories cover an almost unlimited raft of ways that flexi-working could be sought in addition to the obvious change in the working day; annualised hours, staggered hours, homeworking, hybrid working, rostering, self-rostering, shift working and so on. The employee can also request these changes either permanently or for a defined period. In fact, it is very difficult to think of a form of flexible working request which, if made properly by an employee (be in writing, dated, stating that it is made under the statutory procedure, specifying the change they seek and recording any prior flexi-working requests), would not trigger the employer's legal obligations to deal with it.

So, if such a request is made, what then must the employer do? The employer has two months in which to consult with the employee and reach a decision having considered the request, and a refusal must be reasonable and on one or more of 8 grounds:

1. The burden of additional costs
2. Detrimental effect on the ability to meet customer demand
3. Inability to reorganise work among existing staff
4. Inability to recruit additional staff
5. Detrimental impact on quality
6. Detrimental impact on performance
7. Insufficiency of work during periods employees proposes to work
8. Planned structure changes

An employee has the right to complain to and Employment Tribunal if the employer fails to deal with the request reasonably, fails to inform them of a decision within two months, fails to rely on the incorrect statutory ground or bases the decision on incorrect facts. However, it may be of some comfort to know that a tribunal's role when such a complaint is presented is limited to reviewing the procedure followed, considering whether the request was taken seriously and considering whether the correct facts were used by the employer in reaching its conclusions. It is no part of a tribunal's role to question the commercial rationale or the business reasons behind an employer's refusal.

ACAS have also weighed in on the topic – and they considered its level of importance justified issuing a statutory code of practice; and this should be considered as important because pursuant to section 207 of the Trade Union and Labour Relations Consolidation Act 1992 tribunals must take it into account when considering a relevant complaint before it. If the conclusion is reached that an employer unreasonably failed to have regard to it, this could cause the tribunal to increase the award by 25% for that reason alone. The code suggests reasonableness on the part of the employer requires 'carefully assessing the effect of the requested change for both employer and employee such as potential benefits or other impacts of accepting or rejecting it.' The code also gives further guidance on what is expected from an employer including allowing the employee to be accompanied at a relevant meeting as well as clearly explaining the business reasons and any other information necessary for the employee to understand the refusal.

Enough of the refusals, though; what about if the request is granted?

Firstly, there is a legal obligation to issue a new section 4 statement of terms (an updated contract of employment would contain these) within one month of the changes coming into effect.

Secondly, it may be that other colleagues observe what has happened and an employer should be aware before granting such a request that it cannot later revoke it once the employee has settled into the new regime merely because it is concerned that it has opened the floodgates. Employers should therefore carefully consider this aspect when dealing with the flexi-request in the first place. One way of dealing with such requests where there is a concern as to feasibility would be to agree a trial period, that is no longer than is reasonably required, to see if the flexible working is mutually acceptable. There is nothing in the legislation that would prohibit this although it is the authors' view that if the trial period is then rejected a tribunal would probably still expect the normally required level of detail explaining why it was not being made permanent by the employer.

Thirdly, if the request permits home working or hybrid home working, the employer will then need to ensure that the workplace (which might be an employee's bedroom table) meets their physical requirements to avoid any subsequent personal injury complaints.

In addition to concerns about the level of productivity the employer should also concern itself with the opposite matter too, since an employee can opt out of the Working Time Regulations 1998 but cannot opt out of rest break entitlements. Concerningly (for employers) a failure to take reasonable steps to comply with the limits on working time or the record-keeping requirements will render the employer guilty of a criminal offence under regulation 29(1). So, the employer's obligations should be taken no less lightly merely because the employee's place of work is or includes their home rather than an office building.

Whether granted or not, no sensible employer should ignore the legally complex area (some might say minefield) of discrimination law. The reported decisions of the employment tribunals include plenty of material on the point including: Finding sex discrimination when a female employee's request for flexible working was rejected but was considered by the tribunal to be based on an outdated stereotypical attitude; and finding indirect sex discrimination when employees were required to return to office-based working as this would disproportionately affect female employees. The ambit of this article does not permit us to address the myriad of ways in which equal opportunities law touches upon flexi-working but it does however permit us to do two things. The first is to ensure that the knowledge that employers have is read-through to flexible working requests since there is no separate regime which governs them, and the Equality Act 2010 is just as important in their context. The second, is to pick out what we think are two careful steps that should be taken by an employer faced with a flexi-working request; starting with (i) identifying what protected characteristics might be engaged by the requested being made, granted or refused (where these need not only be those that belong to the requesting employee) any wise employer will look left and right to ensure that none are disregarded, since an employee need not assert such right in order to subsequently rely upon them; and then (ii) asking oneself at each stage of the process following a request being submitted; whether that conduct may disadvantage someone with a protected characteristic. Since the chances are, if it can be conceived of, then a later complaint to an Employment Tribunal based upon such a disadvantage should be considered a real risk.

Key Take Aways

You need to think through how to deal with flexible work requests and take advice if you are unsure how to legally deal with them to avoid the risk of employment claims against your business. You need to think about the commercial consequences from several angles, including cyber security, discrimination, business continuity, impact on the rest of your work force and productivity. Do keep in mind that you have legal and sometimes contractual obligations that may create issues when someone is remote working. You have responsibility for their work area set up, and cyber security and you need to consider how you will justify your decisions. Whatever your decision do review your software and IT security arrangements and consider if you have the right insurance in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.