It's Not All Zoom And Gloom: Balancing An Employee's 'Right To Privacy'

With new technology and the reality that 'work' is no longer being confined to the employer's physical workplace, new concerns have been raised about the effectiveness of privacy laws in Australia.

Employers have long used surveillance to monitor employees' health and safety in the workplace. This practice is generally lawful when conducted within the boundaries of state and territory legislation, which operates to protect employees (and other individuals) by regulating the use of surveillance and monitoring devices such as listening devices, optical surveillance and tracking devices by law enforcement (police), employers and individuals.

Where employees work remotely, the employer can lawfully monitor productivity if the surveillance complies with federal, state and territory legislation, such as the Privacy Act 1988 (Cth)and the Workplace Surveillance Act 2005 (NSW).

However, the question of balance of an employee's right to privacy to the employer's interests in monitoring productivity, involves considering:

• management of possible areas of exposure to liability, such as use of surveillance to monitor workplace health and safety
• the need for businesses to take steps in order to reasonably defend their decisions by using objective data obtained by forms of surveillance, such as dismissal or disciplinary action for low productivity or misconduct such as in the case of Cheikho v Insurance Group Australia Group Services Limited [2023] FWC 1792
• the ethics of monitoring an employee; and
• the impact of surveillance and monitoring on workplace culture.

Does a 'right to privacy' exist in the workplace?

Until 10 June 2025, employees in Australia had no enforceable legal right to privacy against other individuals. The 'right to privacy' was encapsulated in the United Nations International Covenant on Civil and Political Rights (1966) (UNICCPR). Australia ratified the United Nations International Covenant on Civil and Political Rights on 13 August 1980.¹ However, the UNICCPR has not been completely incorporated into the Australian Human Rights Commission Act 1986 (Cth) (AHRC) to the extent that it gives rise to a cause of action under the AHRC (or any other domestic legislation, including the Victorian Charter of Human Rights and Responsibilities).² Without domestic remedies it was unlikely that an aggrieved employee would seek action in the United Nations Human Rights Commission (UNHRC).

On 10 June 2025, amendments to the Privacy Act 1988 (Cth) came into effect to include a statutory tort protecting individuals against serious invasions to privacy.³

To succeed in a claim under this new tort, a plaintiff (employee) must establish all five of the following elements:

• A person (defendant employer) invades another person's (employee's) privacy by:
  • intruding on the employee's seclusion; and / or
  • misusing information that relates to the employee.
• A person in the position of the employee would have had a reasonable expectation of privacy in all of the circumstances; and
• the invasion of privacy was intentional or reckless; and
• the invasion of privacy was serious; and
• the public interest in the employee's privacy outweighed any countervailing public interest.

What is a 'countervailing public interest'?

This may include a number of matters such as public health and safety, national security, freedom of the media and freedom of expression.

What is a 'reasonable expectation of privacy'?

The Court may consider the means of the invasion of privacy, including the use of technology used by the defendant employer.

Review of the 'employee records exemption'

The Commonwealth Attorney-General reviewed the Privacy Act⁴ and considered submissions to their Discussion Paper including amending the existing 'employee records exemption' contained in section 7B(3) of the Privacy Act. Reform of this exemption may result in employees' performance evaluations, data surveillance or other personal or sensitive information collected by employers being subject to increased standards of protection relating to use, storage, disclosure and destruction under the Australian Privacy Principles.

This may be a good step toward clarifying not only methods of workplace monitoring but what to do with data collected by technology used to monitor productivity.

What does this mean for business owners?

The introduction of the statutory tort to prevent serious invasions of privacy increases the risk that individuals within a business, (not only Directors, but managers and HR professionals), could be personally sued for implementing or enforcing certain surveillance measures.

Importantly, a breach of this new tort may also overlap with other legal risks commonly encountered in workplace settings, particularly in relation to health and safety obligations.

Psychosocial hazards

Low job control, low autonomy and engaging in isolated work are common psychosocial hazards as set out under approved state codes of practice published by safety regulators across Australia.⁵ This duty is mirrored across all Australian states with Safe Work Australia publishing a Model Code of Practice. See table below.

Excessive monitoring or surveillance of employees may, in some cases, involve a breach of the 'primary' statutory duty of the employer to provide and maintain (so far as is reasonably practicable), an environment for employees that is safe and without risks to health.⁶

However, there are statutory obligations to monitor the health and safety of employees, such as those arising under section 22 of the Occupational Health and Safety Act 2004 (Vic). But excessive monitoring may be unlawful where it goes beyond what is necessary to monitor health and safety, and, instead, is used to track performance or engagement in a manner that may cause the employee to experience risk to health and safety.

For example, deliberate and intrusive monitoring which is unreasonable to effectively monitor an employee's performance could amount to workplace bullying or a legitimate psychosocial hazard.

Repeated unreasonable behaviour which creates a risk to an employee's health and safety and is not reasonable management taken in a reasonable manner is likely to meet the definition of workplace bullying under section 789FD(1) of the Fair Work Act 2009 (Cth). This gives the employee rights to a civil claim against the employer.

Conclusion

For now, striking the right balance between an employee's 'right to privacy' and an employer's interest in monitoring and enforcing productivity or taking steps to defend its decision-making hinges on transparency and clear communication by employers.

In practical terms, employers can take the following steps to reduce legal risk and maintain trust:

Set clear expectations by conveying precise and measurable performance expectations. This may not only minimise the risk of a workplace dispute or psychosocial hazard but also help employers narrow what means of surveillance is reasonably necessary to effectively monitor an employee's performance or conduct.

Obtain informed, written consent from employees before implementing measures designed to monitor productivity, and provide appropriate notice as required under specific state legislation.

Consider the effectiveness and proportionality of the possible forms of surveillance to monitor conduct, and productivity.

For example, monitoring an employee's first and last events on their work computer to determine when they logged in and logged off at the end of the day is likely to be less invasive than monitoring the number of keystrokes performed by the employee per hour, which again may be less invasive than monitoring the employee working from home via video surveillance.

Footnotes:

¹ Chart of Australian Treaty Ratifications (May 2012): URL: Chart of Australian Treaty Ratifications as of May 2012 - Human rights at your fingertips | Australian Human Rights Commission.

² International Human Rights Law', Interim Report Commonwealth of Australia, published 30 November 2017, Joint Standing Committee on Foreign Affairs, Defence and Trade - Parliament of the Commonwealth of Australia [paragraph 2.6].

³ Section 7(1) of Part 2 of Schedule 2 of the Privacy Act 1988 (Cth) sets out the tort prohibiting serious invasions of privacy.

⁴ Privacy Act Review Report 2022 publishedhere.

⁵ See for example, the Model Code of Practice, 'Managing psychosocial hazards at work', which is an approved code of practice under section 274 of the Work Health and Safety Act published by Safe Work, July 2022 work linked here.

⁶ The duty is imposed by section 21(1) Occupational Health and Safety Act 2004 (Vic).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.