People + Culture Strategies

How far can you push employee surveillance? Can an organisation monitor employees’ activities out of hours? What rights to privacy do employees have?

It can be difficult for organisations to get the balance right between respecting the privacy of employees and ensuring they have the ability to monitor and control their business operations, processes, systems and reputation effectively. There are a myriad of surveillance and privacy laws and regulations concerning when and how organisations can legitimately examine employees’ activities both within and outside the workplace and with which organisations should ensure their policies and practices are consistent.

How does privacy law impact on my employees?

The Privacy Act 1988 (Cth) (the “Privacy Act”) requires organisations (other than small businesses) to adhere to a set of Privacy Principles (the “Principles”) in their collection and management of “personal information”. The Principles include the requirements to take reasonable steps to protect personal information from misuse, interference, loss, or unauthorized access. From 12 March 2014 there will be changes to the Principles which include shifting the onus from the individual to the organisation to take ‘reasonable steps’ to make corrections to changes in personal information.

An important exception to compliance with the Principles (which is not new) covers “employee records” of current or former employees. An employee record is defined quite broadly to include personal or health records relating to employment which can go so far as to capture documents concerning the termination of an employee. This exemption does not cover prospective employees, contractors or employees of other companies (such as labour hire employees, or employees of a subsidiary).

Failure to comply with relevant privacy laws may lead to disciplinary action from the Privacy Commissioner through enforceable determinations, undertakings and/or civil penalty orders. The amendments have increased the type, strength and consequences of sanctions available.

When and how can I perform employee surveillance?

Your organisation can conduct surveillance on your employees when they are at work through camera, tracking or computer devices in certain circumstances, provided certain conditions are met (which will vary depending on your relevant state or territory). For example, in New South Wales (one of the few jurisdictions with prescriptive regulation across all forms of surveillance) surveillance can only be performed whilst the employee is at work, with 14 days’ written notice required prior to commencement of surveillance which must specify certain details about the form and nature of the surveillance. Although for new employees, if surveillance is already being undertaken prior to their commencement, they just need to be notified prior to their first day. In addition where computer surveillance is used it must be carried out in accordance with an organisation’s policy where the employee has been notified in advance about the application of the policy.

Where using camera or tracking surveillance such devices must be in clear view as well as other specific requirements being met. Surveillance of any form is also expressly prohibited in a change room, toilet or similar facility, with some restrictions also attaching to the ability to block employee emails and internet access.

When can I consider (and monitor) employee conduct outside the workplace?

There can be some uncertainty around when organisations can legitimately regulate employees’ behavior outside of work. Generally, it is not about the physical time or place within which the behavior occurs but rather, whether it occurs in front of or with co- workers and/or has the capacity to impact upon work relationships.

This has become a vexed issue in particular with the increasing popularity of social media and more organisations deciding to monitor and take action in respect of employees’ conduct in these forums. Courts and tribunals are no longer inclined to be lenient towards employees pleading ignorance of social media, however, employers should still clearly delineate acceptable uses of social media and when out of hours conduct may impact on employment.

It is recommended that your organisation puts in place appropriate policies to regulate the conduct of employees in their private time as long as the policies are reasonable and related to the practices of the business.

“surveillance can only be performed whilst the employee is at work, with 14 days’ written notice required prior to commencement.”