Can My Employer Spy on Me at Work?
In August 2023, the story of a New South Wales woman who worked from home and was fired from her job of 18 years made media headlines and triggered debate about the use of surveillance in the workplace.
Suzie Cheiko was terminated from her consultancy position after her employer implemented mouse tracking and keystroke logging onto her work computer, before providing her with a report which showed she was not working in accordance with her employment obligations – and was consistently absent from her computer for long periods of time.
The Fair Work Commission ultimately rejected Ms Cheiko’s claim for unfair dismissal after finding her employer, Insurance Australia Group, had a “valid reason of misconduct” as evidenced by the fact she had on occasion missed deadlines and been absent and uncontactable.
The Commission did not agree with Ms Cheiko that her dismissal was unreasonable because her employer had used the tracking technology as a means of implementing a “premeditated plan to remove her from the business… due to her mental health issues”.
However, it should be noted the decision does not mean the implementation of surveillance technology onto Ms Cheiko’s work computer was lawful; only that the termination of her employment was not unlawful under unfair dismissal laws.
Workplace surveillance is on the rise
That said, the proliferation of technology has contributed to a rise in unfair dismissal claims and complaints to the Fair Work Ombudsman, some of which have resulted from unlawful surveillance.
Employment lawyers are therefore encouraging employers to ensure they understand the rules that apply and the rights of employees before implementing ‘big brother’ measures.
Video surveillance, computer, phone and email monitoring, social media monitoring and GPS tracking are just some of the ways that employers are keeping an eye on their employees.
There are a number of reasons that an employer might do this – to track productivity, prevent theft, ensure cyber security; the list goes on.
Working from home
And since the pandemic, when a lot of people went home to work and a good number of them stayed there, subsequently renegotiating permanent work from home or hybrid positions – employers have raised concerns that some employees may not be fulfilling their employment responsibilities.
According to some statistics the number of employers now actively using surveillance to check up on employees has doubled in recent years.
But – is it legal for your employer to check up on you using technology and other surveillance tools? The answer is yes, it is legal, provided certain rules are followed. And it is important to add that failing to comply with those rules can amount to an offence under the law.
The Workplace Surveillance Act
In New South Wales, the Workplace Surveillance Act 2005 is the primary piece of legislation that, as the name suggests, regulates surveillance in the workplace – including the use of photographic, video and voice call recording, as well as computer monitoring and location tracking.
Under these laws, companies which intend to monitor employees must notify the workforce at least 14 days prior to doing so.
The laws make a very clear distinction between ‘overt’ surveillance (plainly apparent surveillance) and ‘covert’ surveillance (secret, hidden).
Covert surveillance is strictly prohibited except in circumstances where the surveillance is authorised by a covert surveillance authority, which typically occurs if an employee is suspected of being involved in illegal activity.
Sections 10 to 22 of the Act set out the specific obligations placed on employers regarding the surveillance of employees, and prescribes a number of offences for contravening the rules.
Here’s a rundown of the rules.
To whom do the provisions of the Act apply?
Section 9 of the Act sets out that the provisions that follow apply “to the surveillance of an employee carried out or caused to be carried out by the employee’s employer while the employee is at work for the employer.”
What is the requirement for notice?
Section 10 of the Act set out the requirements placed on employers regarding giving notice to employees about proposed surveillance.
These provisions are:
(1) Surveillance of an employee must not commence without prior notice in writing to the employee.
(2) The notice must be given at least 14 days before the surveillance commences. An employee may agree to a lesser period of notice.
(3) If surveillance of employees at work for an employer has already commenced when an employee is first employed, or is due to commence less than 14 days after an employee is first employed, the notice to that employee must be given before the employee starts work.
(4) The notice must indicate:
(a) the kind of surveillance to be carried out (camera, computer or tracking), and
(b) how the surveillance will be carried out, and
(c) when the surveillance will start, and
(d) whether the surveillance will be continuous or intermittent, and
(e) whether the surveillance will be for a specified limited period or ongoing.
(5) Notice by email constitutes notice in writing for the purposes of this section.
(6) Notice to an employee is not required under this section in the case of camera surveillance at a workplace of the employer that is not a usual workplace of the employee.
Additional requirements for camera surveillance
Section 11 of the Act provides that camera surveillance of an employee must not be carried out unless:
(a) cameras used for the surveillance (or camera casings or other equipment that would generally indicate the presence of a camera) are clearly visible in the place where the surveillance is taking place, and
(b) signs notifying people that they may be under surveillance in that place are clearly visible at each entrance to that place.
Additional requirements for computer surveillance
Section 12 of the Act states that computer surveillance of an employee must not be carried out unless:
(a) the surveillance is carried out in accordance with a policy of the employer on computer surveillance of employees at work, and
(b) the employee has been notified in advance of that policy in such a way that it is reasonable to assume that the employee is aware of and understands the policy.
Additional requirements for tracking surveillance
Section 13 of the Act provides that tracking surveillance of an employee that involves the tracking of a vehicle or other thing must not be carried out unless there is a notice clearly visible on the vehicle or other thing indicating that the vehicle or thing is the subject of tracking surveillance.
Exemption for certain surveillance by agreement
Section 14 of the Act provides an exemption for employees where the surveillance is by mutual agreement.
It states that surveillance of an employee is taken to comply with the requirements of this Part if the employee (or a body representing a substantial number of employees at the workplace) has agreed to the carrying out of surveillance at the premises or place where the surveillance is taking place for a purpose other than surveillance of employees and the surveillance is carried out in accordance with that agreement.
Prohibited surveillance
The sections that follow prescribe situations where surveillance of employees is prohibited.
Surveillance of change rooms and bathrooms prohibited
Section 15 of the Act sets provides that an employer must not carry out, or cause to be carried out, any surveillance of an employee of the employer in any change room, toilet facility or shower or other bathing facility at a workplace.
Contravening this provision is an offence, which carries a maximum penalty of 50 penalty units.
At the time of writing, one penalty unit is equivalent to $110, meaning the maximum fine for the offence is $5,500.
Prohibition on surveillance using work surveillance device while employee not at work
Section 16(1) provides that an employer must not carry out, or cause to be carried out, surveillance of an employee of the employer using a work surveillance device when the employee is not at work for the employer unless the surveillance is computer surveillance of the use by the employee of equipment or resources provided by or at the expense of the employer.
Again, the maximum penalty for breaching this rule is 50 penalty units.
What is a work surveillance device?
Subsection 2 defines a work surveillance device as a device used for surveillance of the employee when at work for the employer.
And subsection 3 makes clear the section does not apply to the carrying out, or causing to be carried out, of surveillance by an employer that is a law enforcement agency.
Restrictions on blocking emails or Internet access
Section 17 of the Act sets out the restrictions placed on employers who are considering blocking an employee’s access to digital communications and the internet generally.
The section provides that:
(1) An employer must not prevent, or cause to be prevented, delivery of an email sent to or by, or access to an Internet website by, an employee of the employer unless:
(a) the employer is acting in accordance with a policy on email and Internet access that has been notified in advance to the employee in such a way that it is reasonable to assume that the employee is aware of and understands the policy, and
(b) in addition, in the case of the preventing of delivery of an email, the employee is given notice (a prevented delivery notice) as soon as practicable by the employer, by email or otherwise, that delivery of the email has been prevented, unless this section provides that a prevented delivery notice is not required.
Contravening the above rules can result, once again, in a maximum fine equivalent to 50 penalty units.
The section proceeds to prescribe the following exceptions to prevented delivery notice requirements:
(2) An employee is not required to be given a prevented delivery notice for an email if delivery of the email was prevented in the belief that, or by the operation of a program intended to prevent the delivery of an email on the basis that:
(a) the email was a commercial electronic message within the meaning of the Spam Act 2003 of the Commonwealth, or
(b) the content of the email or any attachment to the email would or might have resulted in an unauthorised interference with, damage to or operation of a computer or computer network operated by the employer or of any program run by or data stored on such a computer or computer network, or
(c) the email or any attachment to the email would be regarded by reasonable persons as being, in all the circumstances, menacing, harassing or offensive.
(3) An employee is not required to be given a prevented delivery notice for an email sent by the employee if the employer was not aware (and could not reasonably be expected to be aware) of the identity of the employee who sent the email or that the email was sent by an employee.
(4) An employer’s policy on email and Internet access cannot provide for preventing delivery of an email or access to a website merely because:
(a) the email was sent by or on behalf of an industrial organisation of employees or an officer of such an organisation, or
(b) the website or email contains information relating to industrial matters (within the meaning of the Industrial Relations Act 1996).
Restrictions on use and disclosure of surveillance records—notified surveillance
The rules relating to the disclosure and use of surveillance records are contained in section 18, which states:
An employer who carries out or causes to be carried out the surveillance of an employee of the employer while the employee is at work for the employer, not being covert surveillance, must ensure that any surveillance record made as a result of that surveillance is not used or disclosed unless that use or disclosure is:
(a) use or disclosure for a legitimate purpose related to the employment of employees of the employer or the legitimate business activities or functions of the employer, or
(b) disclosure to a member or officer of a law enforcement agency for use in connection with the detection, investigation or prosecution of an offence, or
(c) use or disclosure for a purpose that is directly or indirectly related to the taking of civil or criminal proceedings, or
(d) use or disclosure that is reasonably believed to be necessary to avert an imminent threat of serious violence to persons or of substantial damage to property.
The maximum fine that applies to contravening these rules is equivalent to 20 penalty units, which is currently $2,200.
Restrictions on covert surveillance of employees at work
The subsequent sections of the Act prescribe the rules relating to covert surveillance.
Covert surveillance prohibited without covert surveillance authority
Section 19 makes clear that an employer must not carry out, or cause to be carried out, covert surveillance of an employee while the employee is at work for the employer unless the surveillance is authorised by a covert surveillance authority.
The maximum penalty for this offence is 50 penalty units.
What does a covert surveillance authority authorise?
Section 20 sets out the conduct that a surveillance authority permits, providing that:
(1) A covert surveillance authority that is issued to an employer or employer’s representative authorises the covert surveillance generally of any employees while at work for the employer but only for the purpose of establishing whether or not one or more particular employees are involved in any unlawful activity while at work for the employer.
(2) The authority conferred is subject to the following conditions:
(a) a condition that the conduct of the covert surveillance authorised by the authority must be overseen by a surveillance supervisor for the authority,
(b) any other conditions imposed on the authority by or under this Act.
(3) A covert surveillance authority does not authorise the carrying out, or causing to be carried out, of covert surveillance of any employee:
(a) for the purpose of monitoring the employee’s work performance, or
(b) in any change room, toilet facility or shower or other bathing facility.
Exceptions—law enforcement, correctional centres, courts, casino
Exceptions to the above rules are contained in section 21 of the Act, which provides that it is not an offence:
(a) for a member or officer of a law enforcement agency to carry out, or cause to be carried out, surveillance in the exercise of a function conferred or imposed on the member or officer by or under any other Act or law, or
(b) for a person to carry out, or cause to be carried out, camera surveillance in a correctional centre or in any other place where a person is in lawful custody, or
(c) for a person to carry out, or cause to be carried out, camera surveillance for the purpose of monitoring operations carried out in a casino in accordance with the Casino Control Act 1992, or
(d) for a person to carry out, or cause to be carried out, camera surveillance of any legal proceedings or proceedings before a law enforcement agency in the exercise of a function conferred or imposed on the person by or under any other Act or law.
Defence—surveillance for security of the workplace
And section 22 contains a defence against surveillance for the purpose of security, which encompasses CCTV cameras in common areas. The section provides that:
(1) It is a defence to a prosecution for an offence against this Part involving the covert surveillance of an employee at a workplace of an employer for the employer to prove that:
(a) the surveillance was carried out, or caused to be carried out, solely for the purpose of ensuring the security of the workplace or persons in it and that surveillance of any employee was extrinsic to that purpose, and
(b) there was a real and significant likelihood of the security of the workplace or persons in it being jeopardised if covert surveillance was not carried out, and
(c) the employer notified employees at the workplace (or a body representing a substantial number of the employees) in writing of the intended surveillance for that purpose before it was carried out.
(2) Evidence of any surveillance record made as a consequence of surveillance of employees in the workplace for the purpose referred to in this section that is unrelated to the security of the workplace or persons in the workplace is not to be admitted in evidence in any disciplinary or legal proceedings against an employee unless the desirability of admitting the evidence outweighs the undesirability of admitting evidence that has been obtained in the way in which the evidence was obtained.
Employers must also comply with the Privacy Act 1988 and the Australian Privacy Principles (APPs).
The ‘grey’ areas
While employers argue that ‘spyware’ is simply the next step in ‘people management’ as workforces become more geographically diverse, and could even be used to motivate teams.
HR experts on the other hand are warning that such technology doesn’t always account for the value that employees can add in other ways, beyond keystrokes and mouse clicks and time spent at a screen, and further, this type of surveillance reporting can amount to ‘bullying’.
They also warn that it can have negative connotations and impact on an organisation’s brand and reputation as an employer.
Certainly there are also ethical concerns, particularly around individual privacy, and HR experts say there are always better ways to manage performance than to resort to invasive types of technology.
Workplace surveillance laws differ across states and territories and sometimes the legislation is not clear cut – it may form a part of more broader types of surveillance legislation. Further, many Australians are surprised to find that individuals have no implicit right to privacy, meaning that privacy too, is often regulated by a web of Federal and State legislation.