Work­place sur­veil­lance in NSW: hav­ing a com­put­er sur­veil­lance pol­i­cy is a manda­to­ry requirement 

There is a view in some busi­ness­es that the imple­men­ta­tion of writ­ten work­place poli­cies are some­thing of a nice to have” or an option­al extra”, and are ulti­mate­ly a mat­ter of choice for the employer.

Whilst there may be no manda­to­ry require­ment to have a pol­i­cy on many work­place mat­ters, the sit­u­a­tion in respect of com­put­er sur­veil­lance and email / inter­net block­ing poli­cies (in NSW at least) is dif­fer­ent: the Work­place Sur­veil­lance Act 2005 (NSW) (the Act’) pro­vides, amongst oth­er things, that unless com­put­er sur­veil­lance and the block­ing of emails / inter­net access is car­ried out in accor­dance with a pol­i­cy, it will be unlawful.

Sec­tion 12 of the Act (deal­ing with com­put­er sur­veil­lance) states as follows:

Com­put­er sur­veil­lance of an employ­ee must not be car­ried out unless:
(a) the sur­veil­lance is car­ried out in accor­dance with a pol­i­cy of the employ­er on com­put­er sur­veil­lance of employ­ees at work, and
(b) the employ­ee has been noti­fied in advance of that pol­i­cy in such a way that it is rea­son­able to assume that the employ­ee is aware of and under­stands the policy.”

Sec­tion 17 of the Act (deal­ing with block­ing emails or inter­net access) states:

(1) An employ­er must not pre­vent, or cause to be pre­vent­ed, deliv­ery of an email sent to or by, or access to an Inter­net web­site by, an employ­ee of the employ­er unless: 

  1. the employ­er is act­ing in accor­dance with a pol­i­cy on email and Inter­net access that has been noti­fied in advance to the employ­ee in such a way that it is rea­son­able to assume that the employ­ee is aware of and under­stands the pol­i­cy; and

  2. [deals with pre­vent­ed deliv­ery notices – see fur­ther below]

Breach of either require­ment can car­ry a fine of up to 50 penal­ty units (ie a fine of up to $5,500)[1]. The Act also in effect pro­hibits the use of infor­ma­tion gained through com­put­er sur­veil­lance, in con­nec­tion with pri­vate sec­tor dis­ci­pli­nary mat­ters, where such sur­veil­lance was covert sur­veil­lance car­ried out oth­er­wise than in accor­dance with the Act and the employ­ers’ com­put­er sur­veil­lance pol­i­cy[2].

It is log­i­cal that any busi­ness will wish to have the right to sur­veil its employ­ees’ use of work­place com­put­er sys­tems (includ­ing email and inter­net use) for rea­sons includ­ing qual­i­ty con­trol, secu­ri­ty and ensur­ing appro­pri­ate behav­iour. Equal­ly, in any work­place where employ­ees are able to send/​receive emails or access the inter­net, an employ­er will wish to able to block emails and inter­net access in appro­pri­ate circumstances.

To be clear: with­out hav­ing a pol­i­cy in place, the employ­er will not be able to take such actions with­out con­tra­ven­ing the Act in New South Wales.

Oth­er requirements

In addi­tion to hav­ing an appro­pri­ate pol­i­cy in place, the Act stip­u­lates that before any com­put­er sur­veil­lance can take place an employ­ee must be giv­en at least 14 days’ writ­ten notice (unless the employ­ee con­sents to a less­er peri­od of notice).
If com­put­er sur­veil­lance is already tak­ing place in the work­place before an employ­ee com­mences work (or if it is due to com­mence less than 14 days after an employ­ee starts work), noti­fi­ca­tion must be giv­en pri­or to the employ­ee start­ing work.

The notice must contain:
(a) the kind of sur­veil­lance to be car­ried out (ie com­put­er, cam­era or track­ing surveillance);
(b) how the sur­veil­lance will be car­ried out;
(c) when the sur­veil­lance will start;
(d) whether the sur­veil­lance will be con­tin­u­ous or intermittent;
(e) whether the sur­veil­lance will be for a spec­i­fied lim­it­ed peri­od or ongoing.

Notice by email con­sti­tutes notice. As stat­ed above, it is also require­ment that the com­put­er sur­veil­lance is car­ried out in accor­dance with a pol­i­cy and the employ­ee has been noti­fied in advance of that pol­i­cy in such a way that it is rea­son­able to assume that the employ­ee is aware of and under­stands the pol­i­cy. Equal­ly, it is a require­ment that no email or inter­net access block­ing may take place before an employ­ee has been noti­fied in advance of the appro­pri­ate policy.

Many employ­ers adopt the process of includ­ing notice of sur­veil­lance in a new employ­ee’s con­tract of employ­ment and enclos­ing a writ­ten pol­i­cy along with the con­tract seek to ensure that these require­ments are met. 

In respect of an employ­er’s oblig­a­tions once it has blocked an email sent to or by an employ­ee there is also a require­ment in the Act that the employ­ee is giv­en notice (a pre­vent­ed deliv­ery notice”) as soon as prac­ti­ca­ble by the employ­er, by email or oth­er­wise, that deliv­ery of the email has been pre­vent­ed, unless this sec­tion pro­vides that a pre­vent­ed deliv­ery notice is not required.”

There are excep­tions from hav­ing to pro­vide a pre­vent­ed deliv­ery notice in rela­tion to spam” com­mu­ni­ca­tions, com­mu­ni­ca­tions which might dam­age the busi­ness’ com­put­er sys­tems or men­ac­ing / harass­ing / offen­sive emails (see sec­tion 17(2) of the Act).

What to include in com­put­er sur­veil­lance and email / inter­net block­ing policies

In order to seek to demon­strate com­pli­ance with the Act we would rec­om­mend that a pol­i­cy includes infor­ma­tion about:

  • why com­put­er sur­veil­lance is car­ried out (secu­ri­ty, qual­i­ty, appro­pri­ate use, etc)

  • how it is car­ried out (what meth­ods are used? what is the extent of the surveillance?)

  • the extent to which employ­ees’ inter­net access details, emails etc are retained

  • which pur­pos­es are employ­ees allowed to use com­put­er sys­tems / emails and the inter­net for? Is pri­vate use allowed? Which mate­ri­als must not be accessed / copied / shared?

  • in what cir­cum­stances will emails / inter­net access be blocked?

Of course, these are not the only mat­ters that may be includ­ed in such poli­cies. Often IT poli­cies con­tain detailed pro­vi­sions about con­fi­den­tial infor­ma­tion, social media usage and secu­ri­ty mea­sures. Giv­en that com­put­er sur­veil­lance nec­es­sar­i­ly will involve access­ing and reten­tion of an employ­ee’s per­son­al infor­ma­tion, con­sid­er­a­tion should be giv­en as to whether there is also a require­ment to com­ply with the noti­fi­ca­tion require­ments con­tained in the Pri­va­cy Act 1988 (Cth).

[1] In respect of com­put­er sur­veil­lance see the note to Part 2 of the Act Sur­veil­lance of an employ­ee that does not com­ply with this Part is covert sur­veil­lance (see the def­i­n­i­tion of covert sur­veil­lance”). Covert sur­veil­lance of an employ­ee is an offence unless the sur­veil­lance is autho­rised by a covert sur­veil­lance author­i­ty (see Part 4).”. The val­ue of penal­ty units is set by sec­tion 17 of the Crimes (Sen­tenc­ing Pro­ce­cure) Act 1999 (NSW).

[2] See sec­tion 37 of the Act.