Employee surveillance – when is it legal?

According to Bryony Binns, partner at Baker & McKenzie, employers' monitoring of the use of wearable devices in the workplace must comply with multiple legislative regimes.

For employers in New South Wales and Australian Capital Territory, there are specific workplace surveillance laws which extend to computer and tracking device surveillance.

“The legislation does not prohibit surveillance,” Binns said. “Practically, it requires employers to be overt, not covert, in the way they collect and use data for the most part – although there is an ability to seek orders for covert surveillance. This involves the use of signage where applicable, as well as ensuring that employees are aware how and why the data is being collected.”

She adds that companies in these jurisdictions must have policies in place around the type of surveillance that might be carried out in these respects, which should include signage “on or near [surveillance or tracking] devices”.

Context is key

Employee records used in the context of current or former employment agreement are not subject to the usual federal privacy protections that personal data would be outside the employment relationship, Binns explained.

“Employer data collection and usage in relation to employee records are currently subject to an exception under the Privacy Act 1988,” she told HC. “However, the exception is limited, and only applies to employee records obtained and used in the context of a current or former employment relationship.”

For example, if the employer is providing data to a company contracted to provide payroll or insurance, it would be considered as occurring within the context of the employment relationship.

Otherwise, an employer can collect personal data – such as the personal information stored on an employee's device – with consent. This can potentially be obtained through policies about the use of employer systems or devices for purposes not related to work.

“If data is passed on purely for commercial purposes, then that wouldn’t be lawful – unless there’s been notification prior to the data being collected that this will be done,” Binns adds.

“Practically speaking, there are some protections around surveillance and data collection and use, but they do not prohibit the monitoring and collection of data. Even if employees are doing things at home, if they are using work provided technology, it is still possible that the employer can lawfully monitor that activity.

“If workers are using devices or accessing systems that store their employer's information, it’s natural that the employer will want to monitor and protect that data. In most instances, employers will put employees on notice that use of employer devices or systems is a condition of use, including non-work related use.”

“It’s a fine balance between employee privacy and the protection of the employer’s interest, but increasingly the jobs being done remotely are information-based – and that information is the core property of the employer.”

Be aware of constant usage

“Another angle that employers need to think about is how employees might use these devices covertly,” Binns told HC. “One of the things that seems to happen quite often these days is conversations being recorded on devices during disciplinary processes.”

 She advises that it could be much easier for employees to engage in this clandestine activity using wearable devices such as the Apple watch.

“Generally speaking, an individual is prohibited from recording or publishing a conversation that’s private, unless they have consent to do so under state and territory surveillance legislation, although there are some nuances from state to state. In some cases, violating the prohibitions can be a criminal act.”

However, there are some exceptions; for example, if someone is protecting their lawful interest, then they may fall within a relevant carve out, depending upon the jurisdiction.

Have a policy in place

Binns also advises employers that the best practice around providing wearables is to have a policy in place that outlines what is and isn’t acceptable to use the devices for.

“In any event, it’s best practice to have a policy around work equipment,” she explained. “Ensure that you’re being upfront about what you intend to do with the devices, as well as providing clarity on what employees can and cannot do with them.”

Another thing to include in the policy, Binns said, is a clause that makes it understood that the data collected by the device could disappear.

“It’s common now for people to bring their own devices to work,” she told HC. “Employers are increasingly agreeable to BYO devices, but do need to think about what happens if those devices are lost or stolen. It is increasingly common for employers to retain T the ability to wipe lost or stolen BYO devices remotely – so staff being allowed to use their own devices understand that their data may be erased at the company’s discretion.”

Binns adds that organisations should consider whether wearable or other easily concealed devices with recording or photography capabilities should be allowed near sensitive proprietary information, or otherwise in sensitive commercial meetings. “In industries where technological development or other intellectual property is very important, visitors will often be required to hand in their phones or other smart devices - this will no doubt extend to wearable devices.”

What should the policy include?

“The policies’ clauses depend on what’s already in place and the nature of what you want to achieve with them,” Binns said.

For example ,for businesses based in NSW, employers are required to address certain items for computer surveillance in order to comply with the Workplace Surveillance Act 2005 (NSW), such as the type of monitoring the devices will enable, and how often it will occur – will the monitoring be continuous and ongoing?

Surveillance laws in NSW apply to camera surveillance, computer surveillance and tracking surveillance – which is what GPS devices will carry out.