Workplace Surveillance - A Matter of Good Policy

The Workplace Surveillance Act 2005 is now in force in New South Wales. Serious penalties apply for a breach of this Act which goes much further than its predecessor.

The new Act regulates all forms of workplace surveillance including use of video and tracking devices and surveillance of employee email, Internet and other computer use. This article focuses on surveillance of employee email, Internet and computer use. This Act is relevant for all employers. It is particularly relevant for employers who actively protect their intellectual property and confidential information by supervising the electronic activities of their personnel both in terms of creation of intellectual property and disclosure to others.

There are two ways to ensure any workplace surveillance in New South Wales complies with the Act.

The easy way is to give employees a general written notice of what surveillance may be undertaken. This is best done by means of a published (and publicised) policy advising on the nature of the surveillance which may be undertaken.

The hard way is to obtain a "covert surveillance authority" from a Magistrate. Obtaining an authority is expensive and takes time but is the only way to undertake workplace surveillance in New South Wales without a published notice to staff, as set out above.

As indicated, the easiest way for an employer to notify employees of possible surveillance activities is through a general computer policy. However, it is not enough just to have the policy. The policy must cover the intended categories of surveillance and it must be publicised to staff.

The policy should be publicised in the following ways:

• If it is a new policy, by way of a policy launch – the launch can be done at a formal meeting where the content of the policy is outlined or by a well worded internal email to all staff. Bear in mind the possible negative impressions created by introducing a policy of this type. The negative effects can be minimised by measures such as indicating that it is common for companies to have policies dealing with these issues, emphasising the benefit to staff in having a clearly set out policy and also by including a range of other less contentious relevant matters in the policy rather than introducing a policy which only deals with surveillance.
• For both existing and newly introduced policies, the policy should be referred to in a list of policies attached to employee service contracts and letters of appointment with which new employees are required to comply. A copy of the policy should also be given to new employees as part of an induction pack, along with any other relevant policies.
• If you have an Intranet or policy manual, the policy should be included to enable staff to review it at their leisure.
• The policy should be periodically republished/republicised in case it has not been properly publicised as part of the employee’s induction process, and as part of best practice. Again, republishing could happen as part of a general reminder about company policies, to minimise any negative impressions.

Employers should keep records which demonstrate that there is a surveillance policy and that it has been properly publicised. If the employer is unable to prove that the particular employee the subject of the surveillance was (or should have been) aware of the policy, the employer may be found to have breached the Act. Fines of $5,500 per offence apply to improper surveillance. Directors and managers may also receive convictions for breaches of the Act.

Our experience suggests that many employers already have a computer policy in place. However, many of these policies were written some years ago and may not be expressed broadly enough to comply with the new Act. They may also not have been notified to staff for some time (or possibly, at all). Remember: it is not enough to have a policy; staff must be aware of it.

So existing computer policies should be reviewed to ensure that they contain the necessary provisions dealing with surveillance. If the policy does, then it is time to republish it to all staff and ensure that incoming personnel are aware of it, following the procedures set out above.

If you don’t have a policy, now is the time to put one in place. Employees must be given at least 14 days’ written notice before surveillance begins. Accordingly, if you delay preparing the policy until you become aware of a "situation" it will be too late and you will need to obtain authorisation from a Magistrate if you wish to scrutinise an employee’s emails.

Please contact us if you need any help in reviewing, writing, launching or relaunching your computer policy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.