What you need to know

• Organisations are under increased scrutiny over their data collection and surveillance practices following recent media coverage of the use of data to track students in universities.
• In the workplace, the new right to disconnect puts another perspective on the legal limits of surveillance of workers.
• Employers have often overlooked the extent to which they capture information about their employees, perhaps mistakenly assuming there are no restrictions on doing so and that they are not required to pay attention to their employees’ right to privacy.
• However, not everything falls under the ‘employee record’ exemption, and privacy laws may still apply!
• Conducting a data privacy impact assessment before the deployment of people monitoring could help to significantly mitigate legal risks in your organisation.

Employers continually collect data on their employees by way of monitoring computer activity, deploying on-site surveillance cameras, tracking workers’ devices, logging access and by other means.

As most HR processes move to online platforms, the quantity and quality of data on employees has increased exponentially, with a significant amount of data being held by third party providers. The provider will often harvest data for its own purposes; something that is rarely understood by employers or explained to their employees.

The issue for employers is that the collection of unnecessary data and excess surveillance exposes them to a range of legal risks including potential breaches of privacy laws, employee disputes, allegations of discrimination and other compliance risks.

This raises the question, what is right and wrong in workplace monitoring?

Monitoring vs privacy

Some people may think “I follow the rules and have nothing to hide – surveillance is fine”. However, most employees would prefer not to be constantly watched, even if they follow the rules, due to the fear of being micromanaged or facing disciplinary action for any momentary lapse of judgment or attention.

In reality, most employees acknowledge that some level of surveillance is acceptable, for legitimate reasons such as health and safety or security. Organisations deal with an ever-larger number of people, new internal and external threats, new legal obligations to ensure the safety and wellbeing of people, and market pressures pushing for cost-effective and sustainable workforce solutions.

With new technologies that enable organisations to collect more data than ever, the lines are blurred between the level of surveillance that is actually required, the volume of data being captured and the utility of data for a wide range of purposes. For example, the recent reporting of universities using student Wi-Fi data in support of disciplinary outcomes is being investigated by the Office of the Victorian Information Commissioner. This is a timely reminder of the importance of ensuring that data collected by employers is used lawfully and in accordance with a privacy policy, as employers are likely to also hold Wi-Fi data relating to their employees.

Privacy can have an enabling effect on people. It can create a feeling of autonomy, dignity and trust which can encourage our curiosity, responsibility and performance. This can easily be diminished by any unjustified surveillance. Even initially justifiable monitoring could turn illicit due to “function creep” when monitoring is excessive or used for a secondary purpose. Breaching the confines of a pre-determined purpose or “contextual integrity”, could result in failing any moral justification.[1] Surveillance done right means considering all these consequences in a risk-benefit analysis.

So, some of the key questions are:

• What particular monitoring is carried out?
• Is it lawful?
• What is the role of third parties in the compliance of an organisation?
• What are the consequences of getting it wrong from a legal perspective?

What monitoring is carried out?

To ensure an employer’s surveillance and data collection practices are compliant, we recommend conducting regular audits. Employers should consider:

• Active monitoring tools deployed, such as screen capture, keylogging, CCTV, rostering, time and attendance tools, biometric access gates, fleet vehicle tracking devices, fatigue management in transport, sales platforms with performance management features and others.
• Tools and data not intended for people monitoring but nevertheless available to the IT department or managers and particularly revealing about the activities of employees, such as workstation logs of login/logout or idle times, Wi-Fi activity of personal devices, instant messaging tools with an ‘away from desk’ indicator, activity reports from various platforms, or browsing or network activity data collected for cyber security purposes.
• Data collected by third party platform providers that employees are required to use for their role, e.g. training, HR, payroll, policy management platforms and intranets.
• Frequent employee surveys could also constitute monitoring.

If the data collected could be used to identify and monitor an employee, the privacy risk must be assessed, data collection optimised, and appropriate policy implemented. Consent might be required for some types of monitoring. We see a particular risk in the collection of “sensitive information” such as, biometric data, race, religion, political and similar information, above and beyond what is strictly required.

Refresher: What does the law say?

As monitoring involves significant amounts of data and personal information (PI), it is regulated by data privacy law. The Privacy Act 1988 (Cth) (Privacy Act) imposes obligations on the collection and storage of PI. Although the Privacy Act does not apply to organisations with less than $3 million in annual turnover, many organisations will have other reasons to comply, such as contractual commitments or a desire to mitigate other legal risks. Some organisations gain a reputational boost by formally opting to be covered by the Privacy Act.

Crucially, the Privacy Act contains a carve out for employee records. This means that any record of PI relating to the employment of the employee will not be regulated by the Privacy Act. The employee records exemption may seem helpful to employers at first, but the courts and the Office of the Australian Information Commissioner (OAIC) have traditionally interpreted it narrowly.

Under the Privacy Act, surveillance of employees will only be lawful if it is reasonably necessary for the organisation’s lawful functions or activities. It may be difficult to establish compliance if the organisation failed to consider alternatives to monitoring or alternative types of monitoring that would reasonably achieve the legitimate monitoring purpose. [2] The quality of the monitoring output must enable achieving the monitoring purpose. Inadequate hardware, software or configuration could affect compliance. An assessment of these matters must be objective, and one should avoid overstating the risks which the monitoring is intended to address, or the benefits gained by monitoring.

Covert, excessive, unexpected or disproportionate monitoring might not be lawful and technology that interferes with a personal device, intercepts communications or produces discriminatory outcomes, could be considered unlawful. Individuals have no direct right of action. However, the Privacy Commissioner hears complaints and awards statutory damages for interference with privacy.

Imposing unwarranted surveillance on employees could also result in costly and time consuming employment disputes. Various workplace surveillance laws passed to protect the privacy of workers require a notice and implementing a governance policy prior to deploying listening, optical or tracking devices. They also prohibit optical or listening devices in particular locations (e.g. in washrooms).[3] In Victoria, state courts must interpret all such state laws in accordance with human rights, including the right to privacy.[4] Further, if employees are monitored where information was expected to remain confidential or it was obtained surreptitiously, the organisation could face a claim under the equitable tort of breach of confidence.[5] If monitoring is used to judge an employee who exercised their right to disconnect negatively, this could result in a breach of their right. If an organisation acts in breach of a duty of care and causes harm due to monitoring, the aggrieved individual might have a claim in negligence. Interception of communications including call recording or caller sentiment analysis could result in a breach of telecommunication laws.[6]

The narrow employee records exemption

In 2019, the Full Bench of the Fair Work Commission considered the collection of an employee’s biometric data for use with a fingerprint scanner to sign in and out of site (Jeremy Lee v Superior Wood Pty Ltd[7]). The case concerned the lawfulness of a direction to an employee to provide his biometric data and critically, the Fair Work Commission found that:

• the employee records exemption applies to records obtained and held by an organisation; and
• a record is not held if it has not yet been created and the exemption does not apply to the creation of future records.

This meant that the Privacy Act applied to the request for and collection of the employee’s biometric data – most importantly that the employee had to consent to its collection and could not be forced to provide either his consent or biometric data.

In short, the exemption applies to monitoring activities which relate to a record of an employee’s conduct. However, it does not necessarily exempt any data collection prior to creating a record, any monitoring not directly related to employment or any monitoring of contractors or site visitors.

Surveillance technology providers

An organisation cannot fulfill its data privacy obligations, including in respect of employees, without the support of its monitoring provider. Therefore, it is crucial to establish firm contractual commitments, as compliance with the Privacy Act remains the organisation’s primary responsibility.

Given their deep understanding of the technology and access to all relevant data, the monitoring provider is often in the best position to handle enquiries and complaints from employees. However, this role will not be assumed or facilitated by the provider unless explicitly agreed upon from the outset.

The provider’s use of data under the contract must be strictly limited. Allowing a third party to use PI for its own purposes could lead to the ‘disclosure’ of such data for a ‘secondary purpose,’ which would breach the Privacy Act.

Providers may claim that the data they use is aggregated and does not qualify as PI. However, data is often most valuable when it remains attributable to a specific individual. Even if names are not included, patterns that can be associated with a particular person over time may still be considered PI.

Lastly, while it is common to seek guidance from the provider on various matters, it is important to remember that a provider’s advice may be biased towards its own interest in selling its solution. Relying on the provider’s guidance for legal compliance would likely not be prudent.

What if an employer gets it wrong?

Failure to comply with the law could give rise to a number of risks: 

• Directions to employees being unlawful.
• Complaints to regulators.
• Employment related claims, breach of confidence, negligence, etc.
• Regulatory enquiries.
• Reputational damage and its effects.
• Unwanted scrutiny from business partners and suppliers.
• Remediation cost.

Where to go from here and how KHQ can help your business

People monitoring is subject to various complex and overlapping legal requirements. Just because a technology is available, it does not mean that its unrestricted use is lawful. An internal governance framework, policies, supplier contracts, due diligence, technical expertise and transparency will be essential for compliance.

Transparency and a prior consultation could provide a good opportunity to gauge the general feeling of individuals about monitoring, which can pre-empt any risks down the line. Enquiries and complaints might arise if ethical lines are breached, even if the Privacy Act does not apply in the circumstances.

It will not be possible to provide satisfactory outcomes and mitigate risk without identifying the specific objectives of the monitoring, having a good understanding of how the monitoring technology works, how people could be affected and how privacy intrusion could be mitigated, and without an appropriate contract with the technology provider.

Carrying out a privacy impact assessment might just be the best way to go about it. KHQ combines expertise in workplace relations and data privacy laws and can guide clients through workplace and technology-related data privacy issues. If you would like to know more about the privacy impact assessments that we are currently conducting for clients, then please get in touch with us.

Finally, the recently published tranche 1 data privacy reform Bill introduces a statutory tort of serious invasion of privacy, new civil penalties and wide court redress powers. Once passed, the Bill may further increase the risk of surveillance at work. Our article offers more information about Australia’s data privacy reform. Investing in compliance now will not be a wasted effort.