Australia: Monitoring your employees' use of technology

Global Update


It has become increasingly common for organisations to incorporate the use of social media into their business strategies. Social media has the potential to provide organisations with an unparallelled array of benefits, including the ability to promote the organisation's brand and services to a broad demographic and across international boundaries.

Similarly, increases in the varied uses of technology in the workplace have had incomparable benefits for organisations. At a minimum, technological advances have allowed employees to access work and customers to access products from almost any location across the globe. This has obvious benefits for any organisation.

The proliferation of the use of technology and social media in the workplace also raises concerns for many employers. These concerns include the impact that the use of technology and the access to social media has on productivity as well as the potential that negative comments made by employees will be made public, and the possibility that workplace harassment will take place through the use of these increasingly accessible modes of communication. Even where employee actions are not made public – the internal circulation of offensive material by email, for example – the potential for internal disruption and, in some jurisdictions, the possibility of legal liability continues to exist for an employer.

This article discusses the ability of an employer to monitor the use of its computer systems and to discipline or terminate an employee who uses those systems inappropriately or who makes inappropriate public comment on social media sites or blogs. This article also explores the value of creating policies that govern expected workplace conduct when accessing the employer's computer systems or when participating in social media. The law in seven jurisdictions is considered: Canada, the United Kingdom, Australia, France, Hong Kong, South Africa and Germany.

Can the employer access a computer provided to the employee?

Many employers take the position that it is necessary to monitor email and internet usage in order to detect activity that may negatively impact on the company. There is a broad spectrum of activity that an employer may seek to curtail. Such activity may range from disparaging comments about the company, its products or its customers that are made on social media sites to illegal actions, such as the circulation of pornographic material in the workplace.

However, what an employer believes to be necessary may not be permissible.

In fact, across all seven jurisdictions there are at least some limits placed upon the employer's ability to monitor an employee's email or internet activity, even though the activity being monitored takes place on company systems.

For example, in Canadian jurisdictions in which privacy legislation exists, an employer may be entitled to monitor an employee's e-mail and computer usage provided that it does so in a reasonable manner and with a limited impact on the privacy rights of the employee. Federally regulated employees, for example, are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Employers who are subject to PIPEDA must generally ensure that they collect, use and disclose employees' personal information only for purposes that would be considered appropriate by a reasonable person in the circumstances, in addition to obtaining the employees' consent. (Legislation that is substantially similar to PIPEDA exists in the provinces of Quebec, British Columbia and Alberta and similar considerations would apply to the monitoring of employee email and internet usage in those provinces.)

What is reasonable will generally depend on the purpose for which the monitoring has been undertaken. If the employer is attempting to confirm whether an employee has breached their employment obligations in some manner, reasonableness is more likely to be established. For example, where the employer has become aware that an employee is engaging in workplace harassment by email or through posts on social media sites, it will likely be reasonable that the employee's email communications and internet activity are monitored.

Whether an employee can assert a privacy interest over their email or internet activity will depend upon whether the employee has a reasonable expectation of privacy when using the computer equipment. An employee's privacy interest over their email or internet usage will be diminished where they have been advised that their corporate email account may be accessed by the company and where prohibitions have been placed on the personal use of those systems. To that end, a clear policy governing the use of email and internet systems will assist an employer that wants to monitor its employees' activity whilst on company email and internet systems.

In provinces where there is no privacy legislation, the employer has more latitude to monitor an employee's email and internet activity. This is as a result of the absence of any statutory limitations on the employer's right to access the computer provided by the employer. Special considerations may have to be given in the unionised workplace which may have terms and conditions in collective agreements that dictate whether (and how) such activity can be monitored.

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA) regulates an employer's ability to intercept and monitor the emails of its employees on the employer's computer systems. Monitoring an employee's emails will be lawful under the RIPA where the employer reasonably believes that the sender and intended recipient have consented to the interception. A clear policy or wording in an employment contract explaining that such interception could take place is likely to be sufficient to demonstrate employee consent.

In the absence of consent, the employer may also be able to rely on the provisions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Regulations) which authorise monitoring without consent in certain specified circumstances including where it is necessary to ensure compliance with regulatory practices; to ensure that standards of service are maintained - e.g. in call centres; to prevent or detect crime; to protect the communications system itself - e.g. to protect against unauthorised use and potential viruses; or to determine the relevance of the communication to the employer's business - e.g. by picking up relevant messages when someone is away from work.

Even when the employer relies on the Regulations, it is expected to make all reasonable efforts to ensure that its employees know that communications may be intercepted and the monitoring must also comply with the provisions of the Data Protection Act 1998.

In South Africa, the Constitution of the Republic of South Africa entrenches an employee's right to privacy and may in certain circumstances curtail the employer's ability to access the employee's private email and internet communications, even where those communications are made on company equipment. This right is, however, not absolute and in terms of the Regulation of Interception of Communications and Provision of Communication Related Information Act of 2002 (RICA), an exception exists where the employer is investigating or detecting the unauthorised use of its telecommunications systems; where the employer must establish the existence of facts related to a workplace investigation; or where the employee has provided his or her consent in writing to the interception. Consent may be obtained through an employment agreement that sets out the employer's right to monitor email and internet usage on company equipment.

The privacy of the employee is similarly protected in France, where monitoring of email and internet communications on company equipment may be permissible where the monitoring is justified by a legitimate purpose and is carried out in a reasonable manner. However, employees must be given prior notice of the possibility that their internet and email communications may be monitored. This can be achieved through the use of an employment policy.

In addition, the works council of the company and the company's health and safety committee must be informed and consulted about the monitoring in advance of it taking place.

Notably, in France, where an email is identified as "private" or "personal" by the employee, the employer may not access it. To do otherwise is a criminal offence punishable by monetary penalties and/or the imposition of a jail sentence. However, an employer may seek advance authorisation by a court of the search if it wishes to avoid criminal prosecution. Where an electronic file is identified as "private" or "personal" by the employee, the employer must ask the employee to be present when the employer accesses the item.

In Germany, an employer's ability to monitor an employee's internet and email usage will depend upon whether the employee has been permitted to use the employer's computer system for personal use.

Where employees are permitted to use the company's email and internet only for business purposes, the employer can monitor the connection data (e.g. date, time, originating and receiving email / IP addresses, size of submitted data, duration of use) and the content of emails and the websites that have been visited to the extent required for certain reasonable purposes. Those purposes include monitoring the employee's compliance with the rules regarding email and internet use; investigating whether criminal activity has taken place; and maintaining the employer's electronic systems and protecting its technical devices. Accordingly, an employer would generally be allowed to randomly check the content of websites visited by employees in order to make sure that the employees only use the internet for business purposes; 24-7 surveillance of those systems and a review of email content that is obviously private (e.g. on the basis of the subject) would not be allowed.

By contrast, if an employee is allowed to access the company's email and internet for both work related and personal use, the employer is not permitted to collect any data about the employee's use of its systems. The only exception to this general rule is that connection data may be monitored to maintain the electronic systems and protect the company's technical devices and to assess connection fees as well as – to a certain extent – to investigate the abuse of the employer's telecommunication system.

In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) and various codes and guidelines issued by the Privacy Commissioner for Personal Data (e.g. the Privacy Guidelines on Monitoring and Personal Data Privacy at Work (the Monitoring Guidelines)), regulate the employer's ability to monitor its employees' email correspondence and internet usage. The Monitoring Guidelines do not have the force of law, but represent best practices that are encouraged by the Privacy Commissioner in that jurisdiction.

The Monitoring Guidelines set out certain factors that an employer should take into account when determining whether the monitoring of email or internet usage is appropriate. These factors include the need to assess the risks that the monitoring seeks to address and the benefits that may be achieved by engaging in the monitoring; the impact on the privacy of the employees; the requirement to consider alternatives to monitoring; and how the employer will comply with its responsibility to implement privacy compliant data management policies when handling employees' personal data that it obtains as a result of the monitoring.

In accordance with the PDPO, data may only be collected by means that are "fair in the circumstances" and data collection should be kept to an absolute minimum. To that end, employers are generally required to notify their employees that their email and internet usage may be monitored; the purpose for the monitoring and how the monitoring will be carried out.

Despite the foregoing, 'concealed' monitoring may be permitted where there is a legitimate rationale to undertake it and where all other options have been considered and appropriately rejected. Much will depend on the individual circumstances of the individual case. For example, 'concealed' monitoring may be appropriate where an employer has good reason to suspect theft by an employee and it would impinge on the investigation into the theft if the employee was alerted to the proposed monitoring of his or her email or internet usage. As in other jurisdictions, an employer should have a policy in place that addresses the possibility that workplace computer systems will be monitored. Given the prohibitions set out above, records should be kept of the employer's reasons for needing to engage in 'concealed' monitoring. In addition, the employer should consider and manage the effect of this form of monitoring on its other employees.

In Australia, the regulation of surveillance of employee use of workplace computer systems is done primarily at state level and so the laws are not uniform. In New South Wales, the Workplace Surveillance Act 2005 (NSW) regulates the overt and covert use of camera, computer and tracking devices in the workplace. In order to lawfully conduct surveillance of email and internet use, the employer will be required to notify the employee in advance of the intended surveillance in such a way that it is reasonable to assume that the employee is aware of and understands the policy. However, in Western Australia, the Surveillance Devices Act 1998 (WA) prohibits the use of listening devices or optical surveillance devices to listen to or observe private activities but does not specifically address an employer monitoring an employee's use of computer systems. It is recommended that an employer have a policy allowing for employer monitoring of employee use of email and internet clearly setting out what an employer considers to be reasonable use of such systems. Without such a policy it will be difficult to discipline or dismiss an employee for inappropriate use of an employer's computer system.

Using policies effectively

As is clear from the foregoing, whether an employer can access an employee's computer for the purpose of monitoring email or internet usage may depend upon whether a workplace policy exists. This is because, in most jurisdictions, employers must establish a clear policy that puts employees on notice that corporate systems may be accessed for the purpose of monitoring email and internet usage. Similarly, where the employer wishes to prohibit personal communications on social media sites, a policy outlining the nature and scope of the prohibited communications will be required. The exception to the foregoing is found in Germany, where a policy may only apply to the use of the employer's equipment and not to private communications made outside the workplace. In any case, in Germany, the policy related to the employer's equipment could be subject to the works council co-determination rights.

An effective workplace policy will clearly set out what the employer considers to be appropriate and inappropriate use of social media, internet and email systems, both within and outside the workplace. For example, a policy with respect to communications made on social media sites or blogs should prohibit an employee from making derogatory or inflammatory remarks about the employer, its products and services or its clientele. The policy should warn employees that private conversations and actions, made public by the unrestricted nature of social media communications, may be regarded as misconduct that will attract discipline. If the policy is unclear as to the employer's expectations, it will be open to the employee to argue that they did not understand that their behaviour could attract discipline. However, the policy should make some effort to balance the employer's legitimate business interests and an individual's right to make public comment on matters that will not bring the company's reputation into disrepute. Making this effort helps to bolster the reasonableness of the employer's policy by reinforcing that it is not every minor transgression that will result in discipline or discharge.

Policies with respect to the use of the employer's equipment, including email systems, should also set out the behaviours that the employer considers unacceptable in the workplace. A commonly prohibited use of the employer's email system is the circulation of offensive jokes or photographs, including pornographic materials. The employer should also confirm that the computer and the email communications remain the property of the company. Again, this will limit the employee's ability to argue that they were unaware that their behaviour was culpable.

In short, a properly prepared policy with respect to social media usage and the appropriate use of company computer equipment has two primary benefits: it alerts the employee to the behaviour that the employer considers inappropriate and it puts the employee on notice that engaging in inappropriate behaviour may result in disciplinary action up to and including termination of employment. Where a policy is implemented, it will be important that any company policy be consistently enforced and that it specifically addresses the consequences that will arise where an employee breaches the expectations in the policy. If the policy is not consistently enforced, or if it is unclear what the result of a breach of the policy may entail, an employee could defensibly take the position that they were unaware that their actions were impugned by the company.

The policy was not adhered to: the need to terminate for inappropriate activity

An employee who chooses to ignore the employer's policy with respect to the use of its computer systems or social media communications may be disciplined and/or terminated for cause, depending on the nature and/or frequency of the employee's transgression.

Whether cause for termination or discipline will be established will substantially depend upon the nature of the communications; whether the communications potentially or actually bring the employer's reputation into disrepute; whether the employee had advance notice that their communications could be considered inappropriate; and whether there is a link between the employee's misconduct and the employer's legitimate business interests. Those communications that impugn the employer, criticise clientele or constitute harassment or discrimination will more likely warrant discipline and/or termination for cause.

In most jurisdictions, it is not necessary that the employee carry out the impugned activity while on company property or during working hours. It is a reflection of the ubiquitous nature of internet and email communications that the location from which the communications are made will be irrelevant; it is the impact of the communications themselves that is relevant.

Of course, if the evidence of the employee's transgressions has been inappropriately obtained, the employer may not be able to rely upon that evidence. This highlights the importance of accessing employee email and internet information only in a reasonable manner and in accordance with local laws.


The ability to monitor employee email and internet communications can be invaluable to an employer. Monitoring employee communications may prevent negative publicity, illegal activity and inappropriate comment from being made on the employer's computer systems or about the employer in the public domain.

However, an employer should consult with counsel in their jurisdiction prior to undertaking surveillance of an employee's email and internet communications. Local laws may affect the right of the employer to monitor even their own computer systems.

Furthermore, employers should establish clear policies that delineate the communications that are considered inappropriate and that may result in the termination of the employee. Such policies may address the employee's participation in social media and blogging sites. However, the policies must be consistently enforced to be of value to the employer. There must also be a clear indication to employees that the violation of those policies will result in disciplinary action up to and including termination.

By adhering to these principles, an employer can obtain the benefit of the global reach of technological communications while minimising the risk that those same communications may pose in the workplace.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:
  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.
  • Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.
    If you do not want us to provide your name and email address you may opt out by clicking here
    If you do not wish to receive any future announcements of products and services offered by Mondaq you may opt out by clicking here

    Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

    Use of

    You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


    Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

    The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


    Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

    • To allow you to personalize the Mondaq websites you are visiting.
    • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
    • To produce demographic feedback for our information providers who provide information free for your use.

    Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

    Information Collection and Use

    We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

    We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

    Mondaq News Alerts

    In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


    A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

    Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

    Log Files

    We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


    This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

    Surveys & Contests

    From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


    If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


    From time to time Mondaq may send you emails promoting Mondaq services including new services. You may opt out of receiving such emails by clicking below.

    *** If you do not wish to receive any future announcements of services offered by Mondaq you may opt out by clicking here .


    This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

    Correcting/Updating Personal Information

    If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

    Notification of Changes

    If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

    How to contact Mondaq

    You can contact us with comments or queries at

    If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.

    By clicking Register you state you have read and agree to our Terms and Conditions