Respect workers' privacy when spying on them

Employers continually collect data on their employees by way of monitoring computer activity, deploying on-site surveillance cameras, tracking workers’ devices, logging access, and by other means.

As most HR processes move to online platforms, the quantity and quality of data on employees has increased exponentially, with a significant amount of data being held by third-party providers. The provider will often harvest data for its own purposes; something that is rarely understood by employers or explained to their employees.

The issue for employers is that the collection of unnecessary data and excess surveillance exposes them to a range of legal risks including potential breaches of privacy laws, employee disputes, allegations of discrimination and other compliance risks.

This raises the question, what is right and wrong in workplace monitoring?

Employee monitoring vs. privacy

Some people may think “I follow the rules and have nothing to hide – surveillance is fine.” However, most employees would prefer not to be constantly watched, even if they follow the rules, due to the fear of being micromanaged or facing disciplinary action for any momentary lapse of judgment or attention.

Most employees acknowledge that some level of surveillance is acceptable, for legitimate reasons such as health and safety or security. Organisations deal with an ever-larger number of people, new internal and external threats, new legal obligations to ensure the safety and wellbeing of people, and market pressures pushing for cost-effective and sustainable workforce solutions.

With new technologies that enable organisations to collect more data than ever, the lines are blurred between the level of surveillance that is actually required, the volume of data being captured, and the utility of data for a wide range of purposes. For example, the recent reporting of universities using student Wi-Fi data in support of disciplinary outcomes is being investigated by the Office of the Victorian Information Commissioner. This is a timely reminder of the importance of ensuring that data collected by employers is used lawfully and in accordance with a privacy policy, as employers are likely to also hold Wi-Fi data relating to their employees.

Privacy can have an enabling effect on people. It can create a feeling of autonomy, dignity and trust which can encourage our curiosity, responsibility and performance. This can easily be diminished by any unjustified surveillance. Even initially justifiable monitoring could turn illicit due to “function creep” when monitoring is excessive or used for a secondary purpose. Surveillance done right means considering all these consequences in a risk-benefit analysis.

So, some of the key questions are:

• What particular monitoring is carried out?
• Is it lawful?
• What are the consequences of getting it wrong from a legal perspective?

What monitoring is carried out?

To ensure an employer’s surveillance and data collection practices are compliant, we recommend conducting regular audits. Employers should consider:

• Active monitoring tools deployed, such as screen capture, keylogging, CCTV, rostering, time and attendance tools, biometric access gates, fleet vehicle tracking devices, fatigue management in transport, sales platforms with performance management features and others.
• Tools and data not intended for people monitoring but nevertheless available to the IT department or managers and particularly revealing about the activities of employees, such as workstation logs of login/logout or idle times, Wi-Fi activity of personal devices, instant messaging tools with an “away from desk” indicator, activity reports from various platforms, or browsing or network activity data collected for cyber security purposes.
• Data collected by third party platform providers that employees are required to use for their role, e.g. training, HR, payroll, policy management platforms and intranets.
• Frequent employee surveys could also constitute monitoring.

If the data collected could be used to identify and monitor an employee, the privacy risk must be assessed, data collection optimised, and appropriate policy implemented. Consent might be required for some types of monitoring. We see a particular risk in the collection of “sensitive information” such as, biometric data, race, religion, political and similar information, above and beyond what is strictly required.

As monitoring involves significant amounts of data and personal information (PI), it is regulated by data privacy law. The Privacy Act 1988 (Cth) imposes obligations on the collection and storage of PI. Although the Privacy Act does not apply to organisations with less than $3 million in annual turnover, many organisations will have other reasons to comply, such as contractual commitments or a desire to mitigate other legal risks. Some organisations gain a reputational boost by formally opting to be covered by the Privacy Act.

Crucially, the Privacy Act contains a carve-out for employee records. This means that any record of PI relating to the employment of the employee will not be regulated by the Privacy Act. The employee records exemption may seem helpful to employers at first, but the courts and the Office of the Australian Information Commissioner (OAIC) have traditionally interpreted it narrowly.

Under the Privacy Act, surveillance of employees will only be lawful if it is reasonably necessary for the organisation’s lawful functions or activities. It may be difficult to establish compliance if the organisation failed to consider alternatives to monitoring or alternative types of monitoring that would reasonably achieve the legitimate monitoring purpose. The quality of the monitoring output must enable achievement of the monitoring purpose. Inadequate hardware, software or configuration could affect compliance. An assessment of these matters must be objective, and one should avoid overstating the risks which the monitoring is intended to address, or the benefits gained by monitoring.

Excessive monitoring of workers

Covert, excessive, unexpected or disproportionate monitoring might not be lawful and technology that interferes with a personal device, intercepts communications or produces discriminatory outcomes, could be considered unlawful. Individuals have no direct right of action. However, the Privacy Commissioner hears complaints and awards statutory damages for interference with privacy.

Imposing unwarranted surveillance on employees could also result in costly and time-consuming employment disputes. Various workplace surveillance laws passed to protect the privacy of workers require a notice and implementing a governance policy prior to deploying listening, optical or tracking devices. They also prohibit optical or listening devices in particular locations (e.g. in washrooms). In Victoria, state courts must interpret all such state laws in accordance with human rights, including the right to privacy.

Further, if employees are monitored where information was expected to remain confidential or it was obtained surreptitiously, the organisation could face a claim under the equitable tort of breach of confidence. If monitoring is used to judge an employee who exercised their right to disconnect negatively, this could result in a breach of their right. If an organisation acts in breach of a duty of care and causes harm due to monitoring, the aggrieved individual might have a claim in negligence. Interception of communications including call recording or caller sentiment analysis could result in a breach of telecommunication laws.

The narrow employee records exemption

In 2019, the Full Bench of the Fair Work Commission considered the collection of an employee’s biometric data for use with a fingerprint scanner to sign in and out of site (Jeremy Lee v. Superior Wood Pty Ltd [2019] FWCFB 2946). The case concerned the lawfulness of a direction to an employee to provide his biometric data and critically, the Fair Work Commission found that:

• The employee records exemption applies to records obtained and held by an organization.
• A record is not held if it has not yet been created and the exemption does not apply to the creation of future records.

This meant that the Privacy Act applied to the request for and collection of the employee’s biometric data – most importantly that the employee had to consent to its collection and could not be forced to provide either his consent or biometric data.

In short, the exemption applies to monitoring activities which relate to a record of an employee’s conduct. However, it does not necessarily exempt any data collection prior to creating a record, any monitoring not directly related to employment or any monitoring of contractors or site visitors.

What if an employer gets it wrong?

Failure to comply with the law could give rise to a number of risks: 

• Directions to employees being unlawful.
• Complaints to regulators.
• Employment related claims, breach of confidence, negligence, etc.
• Regulatory enquiries.
• Reputational damage and its effects.
• Unwanted scrutiny from business partners and suppliers.
• Remediation cost.

People monitoring is subject to various complex and overlapping legal requirements. Just because a technology is available, it does not mean that its unrestricted use is lawful. An internal governance framework, policies, supplier contracts, due diligence, technical expertise and transparency will be essential for compliance.

Transparency and a prior consultation could provide a good opportunity to gauge the general feeling of individuals about monitoring, which can pre-empt any risks down the line. Enquiries and complaints might arise if ethical lines are breached, even if the Privacy Act does not apply in the circumstances.

It will not be possible to provide satisfactory outcomes and mitigate risk without identifying the specific objectives of the monitoring, having a good understanding of how the monitoring technology works, how people could be affected and how privacy intrusion could be mitigated, and without an appropriate contract with the technology provider.

Finally, the recently published tranche 1 data privacy reform Bill introduces a statutory tort of serious invasion of privacy, new civil penalties and wide court redress powers. Once passed, the Bill may further increase the risk of surveillance at work.

Alex Dittel is a principal solicitor and head of the Data Privacy, Cyber and Digital practice at KHQ Lawyers in Sydney.