Legally snooping on employees a doddle in Australia, finds law firm analysis

Is your boss reading your emails? Are they keeping an eye on the websites you visit on your work mobile? Are they even allowed to do that?

The answer to each is ‘most probably’ and they have a particularly easy time of it in Australia, according to a Forcepoint commissioned report published today.

A country-by-country analysis of legislation around employee monitoring by legal firm Hogan Lovells, found Australia to be one of the easiest countries for employers to snoop on their workers.

The firm scored 15 countries on the “level of effort needed to lawfully implement specific types of employee monitoring activities”. The activities assessed included keylogging, screen capturing, monitoring of email communication and the monitoring of internet browsing.

Second only to the US, employers in Australia required only a ‘basic’ compliance effort overall to keep tabs on their employees’ activity on workstations and devices.

The only monitoring activities considered requiring more compliance work to do legally were checking on behaviour on social media and the monitoring of employee-owned devices.

“Automated monitoring and manual sampling of employee use of email, instant messaging, and other electronic communications tools is generally permitted under federal, state, and territorial statutes,” the report states, with “express consent” generally not required.

In New South Wales, Victoria, and the Australian Capital Territory, employers must obtain consent to monitor employee activities on devices, but only if it is the employees own device and they are not at work. Notice must be given for other activities under certain circumstances.

Employee monitoring is considered a useful tool in combatting cyber attacks and avoiding data leaks. However, in many countries, employee privacy is considered a more important principle.

“Any workforce monitoring program must be proportionate, respectful and transparently deployed to ensure the continued trust of the workforce,” said Allan Alford, CISO of Forcepoint.

“It’s a careful balancing act: employees and employers must work hand-in-hand to protect each other. We all want better protection for ourselves and our important information and data, but monitoring when, how and why employees interact with various corporate data has some clear and important privacy implications.”

Alford added that the report was the result of rolling out security programmes internally which required Data Protection/Privacy Impact Assessments be reviewed. The company quickly “realised we needed additional legal guidance”.

Finnish with the spying

The compliance challenges faced by businesses in the 15 countries (Finland, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, United Kingdom, Australia, Canada, Singapore, South Africa, Turkey and the United States) varies considerably.

Some countries require that workforce monitoring programmes are only implemented after consultation and consent from workforce representatives or individual employees. At the other end of the spectrum, in the US federal law provides that organisations are exempt from liability to the extent that they monitor their information systems for cybersecurity purposes.

Finland was considered to be the toughest places for employees to peer into employees computer activities, the country imposing strict limitations on monitoring employees’ use of communications tools.

Any attempt to do so is either banned outright, or requires permission from the Finnish Data Protection Ombudsman. And in most cases “consent does not serve as a lawful basis for monitoring employee activities”, the report noted.

Finland, along with Italy and Germany had the highest levels of compliance complexity around monitoring, while the US, Australia and South Africa had the lowest levels of complexity.

“In [monitoring employees], you might collect and process personal information related to your workforce, you could capture private communications sent or received by your workforce, and you may collect information that could allow you to evaluate workforce efficiency,” said the report’s author Harriet Pearson, a partner at Hogan Lovells.

“As such, cyber defense programs may end up collecting and processing information in ways that implicate laws or regulations governing privacy and data protection, communications secrecy, or employment. These laws and regulations are far from consistent around the world.

“Workforce monitoring presents a challenge for legal teams, HR departments, IT teams and business owners as they balance the need for data and IP protection with the privacy and legal rights of their own employees,” she added.

Little protection

In Australia, the Privacy Act does not specifically cover the issue of workplace surveillance.

According to the Office of the Australian Information Commissioner, IT related monitoring activities are usually permitted.

“It may be reasonable for an employer to monitor some of its staff’s activities to ensure staff are performing their duties and using resources appropriately. As such, if your workplace monitors its staff’s use of email, the internet and other computer resources, and you have been advised of that monitoring, it would generally be allowed,” the office says.

Despite the lack of legal protections from workplace monitoring in Australia, the Fair Work Ombudsman does recommend some best practices.

“It is important for employers, employees and their representatives to know what information may be collected and retained by employers and whether it can be passed on to others. Best practice creates certainty and security for both employers and employees,” the ombudsman says.

“Employee and employer use of internet and email can raise issues about workplace privacy. Password access and login codes may give employees the impression that their email and web browsing activities during work hours are private. Employees may not be aware that these activities can be scrutinised by their employer,” it added.