Workplace surveillance in NSW: having a computer surveillance policy is a mandatory requirement
There is a view in some businesses that the implementation of written workplace policies are something of a “nice to have” or an “optional extra”, and are ultimately a matter of choice for the employer.
Whilst there may be no mandatory requirement to have a policy on many workplace matters, the situation in respect of computer surveillance and email / internet blocking policies (in NSW at least) is different: the Workplace Surveillance Act 2005 (NSW) (‘the Act’) provides, amongst other things, that unless computer surveillance and the blocking of emails / internet access is carried out in accordance with a policy, it will be unlawful.
Section 12 of the Act (dealing with computer surveillance) states as follows:
“Computer surveillance of an employee must not be carried out unless:
(a) the surveillance is carried out in accordance with a policy of the employer on computer surveillance of employees at work, and
(b) the employee has been notified in advance of that policy in such a way that it is reasonable to assume that the employee is aware of and understands the policy.”
Section 17 of the Act (dealing with blocking emails or internet access) states:
“(1) An employer must not prevent, or cause to be prevented, delivery of an email sent to or by, or access to an Internet website by, an employee of the employer unless:
the employer is acting in accordance with a policy on email and Internet access that has been notified in advance to the employee in such a way that it is reasonable to assume that the employee is aware of and understands the policy; and
[deals with prevented delivery notices – see further below]
Breach of either requirement can carry a fine of up to 50 penalty units (ie a fine of up to $5,500). The Act also in effect prohibits the use of information gained through computer surveillance, in connection with private sector disciplinary matters, where such surveillance was covert surveillance carried out otherwise than in accordance with the Act and the employers’ computer surveillance policy.
It is logical that any business will wish to have the right to surveil its employees’ use of workplace computer systems (including email and internet use) for reasons including quality control, security and ensuring appropriate behaviour. Equally, in any workplace where employees are able to send/receive emails or access the internet, an employer will wish to able to block emails and internet access in appropriate circumstances.
To be clear: without having a policy in place, the employer will not be able to take such actions without contravening the Act in New South Wales.
In addition to having an appropriate policy in place, the Act stipulates that before any computer surveillance can take place an employee must be given at least 14 days’ written notice (unless the employee consents to a lesser period of notice).
If computer surveillance is already taking place in the workplace before an employee commences work (or if it is due to commence less than 14 days after an employee starts work), notification must be given prior to the employee starting work.
The notice must contain:
(a) the kind of surveillance to be carried out (ie computer, camera or tracking surveillance);
(b) how the surveillance will be carried out;
(c) when the surveillance will start;
(d) whether the surveillance will be continuous or intermittent;
(e) whether the surveillance will be for a specified limited period or ongoing.
Notice by email constitutes notice. As stated above, it is also requirement that the computer surveillance is carried out in accordance with a policy and the employee has been notified in advance of that policy in such a way that it is reasonable to assume that the employee is aware of and understands the policy. Equally, it is a requirement that no email or internet access blocking may take place before an employee has been notified in advance of the appropriate policy.
Many employers adopt the process of including notice of surveillance in a new employee’s contract of employment and enclosing a written policy along with the contract seek to ensure that these requirements are met.
In respect of an employer’s obligations once it has blocked an email sent to or by an employee there is also a requirement in the Act that “the employee is given notice (a “prevented delivery notice”) as soon as practicable by the employer, by email or otherwise, that delivery of the email has been prevented, unless this section provides that a prevented delivery notice is not required.”
There are exceptions from having to provide a prevented delivery notice in relation to “spam” communications, communications which might damage the business’ computer systems or menacing / harassing / offensive emails (see section 17(2) of the Act).
What to include in computer surveillance and email / internet blocking policies
In order to seek to demonstrate compliance with the Act we would recommend that a policy includes information about:
why computer surveillance is carried out (security, quality, appropriate use, etc)
how it is carried out (what methods are used? what is the extent of the surveillance?)
the extent to which employees’ internet access details, emails etc are retained
which purposes are employees allowed to use computer systems / emails and the internet for? Is private use allowed? Which materials must not be accessed / copied / shared?
in what circumstances will emails / internet access be blocked?
Of course, these are not the only matters that may be included in such policies. Often IT policies contain detailed provisions about confidential information, social media usage and security measures. Given that computer surveillance necessarily will involve accessing and retention of an employee’s personal information, consideration should be given as to whether there is also a requirement to comply with the notification requirements contained in the Privacy Act 1988 (Cth).
 In respect of computer surveillance see the note to Part 2 of the Act “Surveillance of an employee that does not comply with this Part is covert surveillance (see the definition of “covert surveillance”). Covert surveillance of an employee is an offence unless the surveillance is authorised by a covert surveillance authority (see Part 4).”. The value of penalty units is set by section 17 of the Crimes (Sentencing Procecure) Act 1999 (NSW).
 See section 37 of the Act.