Running an IT or programming business means employing people who spend long hours at screens, often working remotely or in shifting teams. The duties in this guide apply to running the business and employing people, whatever services you provide. Display screen equipment assessments, mental health and wellbeing, and lone-working arrangements are the particular workplace risks in this sector. If you also provide a relevant digital service — an online marketplace, online search engine or cloud computing service — above the NIS threshold, you must comply with the Network and Information Systems Regulations 2018.

Health and safety law here is largely reserved. The Health and Safety Executive (HSE) is the regulator in Great Britain and the Health and Safety Executive for Northern Ireland (HSENI) in Northern Ireland; the underlying duties are equivalent across the UK. Work through the sections below in order.

A. Meet your general health and safety duty

The Health and Safety at Work etc. Act 1974 is the foundation. You must ensure, so far as is reasonably practicable, the health, safety and welfare of your employees and of anyone else affected by your work. In an IT business that means risk-assessing display screen equipment workstations, managing stress and mental health, and — if your people work from home or client sites — putting lone-working arrangements in place. If you have five or more employees, you must record your risk assessments in writing.

Health and Safety at Work etc. Act 1974 (HASAWA)

The Health and Safety at Work etc. Act 1974 - primary UK workplace health and safety legislation establishing employer and employee duties. Pure data reference.

The Health and Safety at Work etc. Act 1974 (HASAWA 1974) is the primary legislation governing workplace health and safety in the United Kingdom. It establishes the legal framework for protecting the health, safety and welfare of people at work and those affected by work activities.

Legal status: Primary legislation - principal UK health and safety statute
Royal Assent: 31 July 1974
Came into force: 1 April 1975 (in stages)
Geographic scope: Great Britain (separate legislation applies in Northern Ireland)
Applies to: All employers, employees, self-employed persons, and those who control work premises
Primary duty (Section 2): Employers must ensure, so far as is reasonably practicable, the health, safety and welfare at work of all employees
Duty to non-employees (Section 3): Employers must protect persons not in their employment (contractors, visitors, public) who may be affected by work activities
Employee duties (Sections 7-8): Employees must take reasonable care for their own health and safety and that of others, cooperate with employers, and not misuse safety equipment
Enforcement authority: Health and Safety Executive (HSE) and local authorities
Maximum penalties (post-2008 amendments): Unlimited fines in Crown Court; imprisonment up to 2 years for individuals; up to 6 months and/or £20,000 fine in Magistrates' Court
Referenced by regulators: Cited in 31 regulatory documents in the ORDS (Office for Regulatory Delivery and Simplification) dataset
Secondary regulations: Enables creation of health and safety regulations (e.g. Management of Health and Safety at Work Regulations 1999, COSHH, Manual Handling)

Reasonably practicable: The Act uses the term "so far as is reasonably practicable" throughout. This means employers must balance the level of risk against the time, trouble and cost of controlling it. However, the law is weighted in favour of health and safety - employers must demonstrate that control measures would be grossly disproportionate to the risk before they can be considered not reasonably practicable.

Self-employed persons: The Act also places duties on self-employed persons to protect their own health and safety and that of others who may be affected by their work activities.

Health and Safety at Work etc. Act 1974 (legislation.gov.uk)

HSE - Health and Safety at Work etc. Act 1974 guidance

B. Manage fire safety

Even in a low-risk office environment, you must carry out a fire risk assessment and maintain fire-safety arrangements. The responsible person — usually you as the employer or premises occupier — must identify fire hazards, assess the risk, and put measures in place to reduce it. The duty is devolved: the Regulatory Reform (Fire Safety) Order 2005 in England and Wales; the Fire (Scotland) Act 2005 and Fire Safety (Scotland) Regulations 2006 in Scotland; and the Fire and Rescue Services (Northern Ireland) Order 2006 in Northern Ireland.

Regulatory Reform (Fire Safety) Order 2005

The 'responsible person' (employer, owner or occupier) must carry out a fire risk assessment for any non-domestic premises and implement appropriate fire safety measures. This applies to all hospitality premises including hotels, restaurants, pubs and nightclubs.

Who is the responsible person?

The responsible person is the employer, owner, landlord, occupier, or anyone with control of the premises. In hospitality, this is typically the business owner or manager.

Fire risk assessment

The responsible person must carry out and regularly review a fire risk assessment covering:

Identification of fire hazards (ignition sources, fuel, oxygen)
Identification of people at risk (employees, customers, vulnerable persons)
Evaluation and reduction of risks
Recording findings and fire safety plan (if 5+ employees)
Regular review and updates

Fire safety measures

Based on the risk assessment, implement appropriate measures including:

Fire detection and warning systems (smoke alarms, fire alarm panels)
Fire-fighting equipment (extinguishers, fire blankets)
Emergency escape routes and lighting
Fire safety signs and notices
Fire doors kept clear and free to close
Staff training on fire procedures
Emergency evacuation plan and drills

Fire Safety Act 2021 (from January 2022)

For buildings containing two or more sets of domestic premises (e.g. hotels, aparthotels), the responsible person must now assess fire risks in external walls, entrance doors to flats, and windows.

Step 1: Appoint a competent person to conduct fire risk assessment (may be yourself if trained)
Step 2: Complete fire risk assessment identifying hazards and persons at risk
Step 3: Implement control measures to reduce fire risk
Step 4: Ensure fire detection systems are installed and maintained
Step 5: Provide adequate fire-fighting equipment (extinguishers) and arrange annual servicing
Step 6: Establish clear evacuation routes with emergency lighting and signage
Step 7: Designate assembly point and ensure staff know evacuation procedures
Step 8: Train all staff on fire safety procedures during induction
Step 9: Conduct regular fire drills (at least annually)
Step 10: Record fire risk assessment findings if you employ 5 or more people
Step 11: Review fire risk assessment annually or after significant changes

Fire safety risk assessment guidance

C. Hold employers' liability insurance

As soon as you employ anyone, you must hold employers' liability compulsory insurance — normally at least £5 million of cover — and display or make available the certificate. This is a legal requirement across Great Britain, with an equivalent duty in Northern Ireland.

Employers' Liability Insurance Requirements

Legally required insurance for businesses that employ staff

Legal requirement: LEGALLY REQUIRED if you employ anyone (even part-time or family members working for you)
Minimum cover: £5 million minimum (most policies provide £10 million)
Penalty for non-compliance: £2,500 fine per day without insurance, plus £1,000 fine for not displaying certificate
What it covers: Compensation claims from employees injured or made ill at work
Exemption: Close family businesses may be exempt

Employers' Liability Insurance

D. Meet your equality duties

As an employer you must not discriminate against, harass or victimise people because of a protected characteristic. In Great Britain this is governed by the Equality Act 2010; in Northern Ireland separate equality legislation applies, enforced by the Equality Commission for Northern Ireland.

E. Handle personal data lawfully

IT and programming businesses routinely process personal data — about your own staff, and often about your clients' customers and users too. You must comply with the UK GDPR and the Data Protection Act 2018, and in most cases pay the data protection fee to the Information Commissioner's Office (ICO). If you process personal data on behalf of clients, you are a data processor and must meet the specific processor obligations under the UK GDPR. This applies UK-wide.

UK GDPR lawful bases for processing personal data

The 6 (now 7) lawful bases under UK GDPR Article 6 for processing personal data.

Under UK GDPR Article 6, you must have a valid lawful basis to process personal data. You cannot process personal data without identifying at least one lawful basis that applies to each processing activity.

1. Consent (Article 6(1)(a)): The individual has given clear, specific, informed consent for you to process their personal data for a specific purpose
2. Contract (Article 6(1)(b)): Processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering a contract
3. Legal obligation (Article 6(1)(c)): Processing is necessary to comply with a common law or statutory obligation under UK law
4. Vital interests (Article 6(1)(d)): Processing is necessary to protect someone's life
5. Public task (Article 6(1)(e)): Processing is necessary for performing a task in the public interest or for official functions that have a clear basis in law
6. Legitimate interests (Article 6(1)(f)): Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's interests, rights, or freedoms

Consent requirements: Must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.

Legitimate interests: Requires a documented Legitimate Interest Assessment (LIA) balancing test. Not available to public authorities for their core tasks.

7. Recognised legitimate interests (NEW - from June 2025): Processing necessary for certain pre-approved purposes without requiring a balancing test (Data Use and Access Act 2025)
Recognised purposes include: National/public security, defence, emergencies, crime prevention/detection, safeguarding vulnerable individuals
Effective date: 19 June 2025

Note: Direct marketing and intra-group data sharing still require a Legitimate Interest Assessment even under recognised legitimate interests.

ICO guide to lawful basis

F. NIS digital service provider duties

If you provide one of the relevant digital services — an online marketplace, an online search engine, or a cloud computing service — and you meet the threshold (headquartered or with a representative in the UK, and not a micro or small enterprise), the Network and Information Systems Regulations 2018 require you to take appropriate and proportionate technical and organisational measures to manage the risks to your network and information systems, and to report significant incidents to the Information Commissioner's Office (ICO) as the competent authority. This applies UK-wide.

Network and Information Systems Regulations 2018 (NIS)

The NIS Regulations require operators of essential services and relevant digital service providers to implement security measures and report significant cyber incidents. Tech businesses providing cloud computing, online marketplaces, or search engines may be in scope.

Who must comply

Operators of Essential Services (OES): Critical infrastructure in energy, transport, water, health, digital infrastructure.

Relevant Digital Service Providers (RDSP):

Online marketplaces (bringing together buyers and sellers)
Online search engines
Cloud computing services (IaaS, PaaS, SaaS)

Exemptions: Micro and small enterprises (fewer than 50 employees or turnover/balance sheet under €10m) are exempt from RDSP requirements.

Security requirements

You must:

Implement appropriate technical and organisational measures to manage security risks
Take measures to prevent and minimise impact of incidents
Follow NCSC guidance and industry best practices
Maintain business continuity plans

Incident reporting

Notify the relevant authority within 72 hours of becoming aware of an incident that has a significant impact on service continuity. Significant impacts include:

Service unavailable to substantial number of users
Data breach affecting user data
Financial loss or reputational damage

For RDSPs, report to ICO. For OES, report to sector-specific regulator.

NIS2 Directive (upcoming)

The EU's NIS2 Directive expands scope and requirements. UK implementation expected through the Cyber Security and Resilience Bill, expanding coverage to more digital services and managed service providers.

Step 1: Determine if your business qualifies as an RDSP (check service type and size exemptions)
Step 2: If in scope, designate a point of contact and notify the ICO of your RDSP status
Step 3: Implement NCSC Cyber Essentials controls as a baseline
Step 4: Conduct regular risk assessments of your systems and supply chain
Step 5: Establish incident detection and response procedures
Step 6: Create an incident reporting plan with ICO notification within 72 hours
Step 7: Document all security measures and maintain evidence of compliance
Step 8: Review third-party supplier security arrangements
Step 9: Monitor NCSC alerts and advisories

NIS Regulations guidance

1

1. Carry out your DSE and workplace risk assessments

Assess display screen equipment workstations, manage stress and mental health risks, and put lone-working arrangements in place for remote and client-site workers under HASAWA 1974.
2

2. Carry out your fire risk assessment

Identify fire hazards in your office or data centre, assess the risk, and put fire-safety measures in place under the regime for your nation.
3

3. Take out employers' liability insurance and register with the ICO

Arrange at least £5 million of cover before anyone starts work, and pay the data protection fee unless you are exempt.
4

4. Review your data processing arrangements

If you process personal data on behalf of clients, confirm you have data processing agreements in place and meet the UK GDPR processor obligations.
5

5. Check whether NIS applies to you

If you provide an online marketplace, search engine or cloud computing service and are not a micro or small enterprise, register with the ICO as a relevant digital service provider and put your NIS security measures in place.

What to do next

This spine covers the duties of running the business and employing people. Confirm you have covered everything with the IT and programming compliance checklist.

Official sources

Authoritative health and safety, data protection and NIS guidance.

Set up and run a safe IT and programming business

IT and programming business: compliance checklist

Software licensing compliance

E-commerce regulations for online selling

Protecting Your Software Intellectual Property

Set up and run a safe mineral products factory

A. Meet your general health and safety duty

B. Manage fire safety

C. Hold employers' liability insurance

D. Meet your equality duties

E. Handle personal data lawfully

F. NIS digital service provider duties

1. Carry out your DSE and workplace risk assessments

2. Carry out your fire risk assessment

3. Take out employers' liability insurance and register with the ICO

4. Review your data processing arrangements

5. Check whether NIS applies to you

What to do next

Official sources

Related guides in Digital & Technology

A. Meet your general health and safety duty

B. Manage fire safety

C. Hold employers' liability insurance

D. Meet your equality duties

E. Handle personal data lawfully

F. NIS digital service provider duties

1. Carry out your DSE and workplace risk assessments

2. Carry out your fire risk assessment

3. Take out employers' liability insurance and register with the ICO

4. Review your data processing arrangements

5. Check whether NIS applies to you

What to do next

Official sources