Is your boss reading your emails? Are they keeping an eye on the websites you visit on your work mobile? Are they even allowed to do that?

The answer to each is ‘most probably’ and they have a particularly easy time of it in Australia, according to a Forcepoint-commissioned report published today.

A country-by-country analysis of legislation around employee monitoring by legal firm Hogan Lovells found Australia to be one of the easiest countries for employers to snoop on their workers.

The firm scored 15 countries on the “level of effort needed to lawfully implement specific types of employee monitoring activities”. The activities assessed included keylogging, screen capturing, monitoring of email communication and the monitoring of internet browsing.

Second only to the US, employers in Australia required only a ‘basic’ compliance effort overall to keep tabs on their employees’ activity on workstations and devices.

The only monitoring activities considered to require more compliance work to carry out legally were checking on behaviour on social media and the monitoring of employee-owned devices.

“Automated monitoring and manual sampling of employee use of email, instant messaging, and other electronic communications tools is generally permitted under federal, state, and territorial statutes,” the report states, with “express consent” generally not required.

In New South Wales, Victoria, and the Australian Capital Territory, employers must obtain consent to monitor employee activities on devices, but only if it is the employee’s own device and they are not at work. Notice must be given for other activities under certain circumstances.

Employee monitoring is considered a useful tool in combatting cyber attacks and avoiding data leaks. However, in many countries, employee privacy is considered a more important principle.

“Any workforce monitoring program must be proportionate, respectful and transparently deployed to ensure the continued trust of the workforce,” said Allan Alford, CISO of Forcepoint.

“It’s a careful balancing act: employees and employers must work hand-in-hand to protect each other. We all want better protection for ourselves and our important information and data, but monitoring when, how and why employees interact with various corporate data has some clear and important privacy implications.”

Alford added that the report was the result of rolling out security programmes internally which required Data Protection/Privacy Impact Assessments be reviewed. The company quickly “realised we needed additional legal guidance”.

Finnish with the spying

The compliance challenges faced by businesses in the 15 countries (Finland, France, Germany, Italy, Netherlands, Spain, Sweden, Switzerland, United Kingdom, Australia, Canada, Singapore, South Africa, Turkey and the United States) vary considerably.

Some countries require that workforce monitoring programmes are only implemented after consultation and consent from workforce representatives or individual employees. At the other end of the spectrum, in the US, federal law provides that organisations are exempt from liability to the extent that they monitor their information systems for cybersecurity purposes.

Finland was considered to be the toughest place for employers to peer into employees’ computer activities, the country imposing strict limitations on monitoring employees’ use of communications tools.

Any attempt to do so is either banned outright, or requires permission from the Finnish Data Protection Ombudsman. And in most cases “consent does not serve as a lawful basis for monitoring employee activities”, the report noted.

Finland, along with Italy and Germany, had the highest levels of compliance complexity around monitoring, while the US, Australia and South Africa had the lowest levels of complexity.

“In [monitoring employees], you might collect and process personal information related to your workforce, you could capture private communications sent or received by your workforce, and you may collect information that could allow you to evaluate workforce efficiency,” said the report’s author Harriet Pearson, a partner at Hogan Lovells.

“As such, cyber defense programs may end up collecting and processing information in ways that implicate laws or regulations governing privacy and data protection, communications secrecy, or employment. These laws and regulations are far from consistent around the world.

“Workforce monitoring presents a challenge for legal teams, HR departments, IT teams and business owners as they balance the need for data and IP protection with the privacy and legal rights of their own employees,” she added.

Little protection

In Australia, the Privacy Act does not specifically cover the issue of workplace surveillance.

According to the Office of the Australian Information Commissioner, IT-related monitoring activities are usually permitted.

“It may be reasonable for an employer to monitor some of its staff’s activities to ensure staff are performing their duties and using resources appropriately. As such, if your workplace monitors its staff’s use of email, the internet and other computer resources, and you have been advised of that monitoring, it would generally be allowed,” the office says.

Despite the lack of legal protections from workplace monitoring in Australia, the Fair Work Ombudsman does recommend some best practices.

“It is important for employers, employees and their representatives to know what information may be collected and retained by employers and whether it can be passed on to others. Best practice creates certainty and security for both employers and employees,” the ombudsman says.

“Employee and employer use of internet and email can raise issues about workplace privacy. Password access and login codes may give employees the impression that their email and web browsing activities during work hours are private. Employees may not be aware that these activities can be scrutinised by their employer,” it added.