
Privacy Law and Policy Reporter


Employee privacy in the electronic workplace Pt 1: surveillance, records and emails

Jim Nolan

The significance and all-pervasiveness of computer technology has presented very real challenges for employment relations. The extent to which these challenges have implications for employment and labour law will be considered in this article. There is no doubt that one of the ‘hot topics’ for employment law in recent months has been the use and abuse of email in the employment setting. Other aspects of computer technology also have an impact upon the employment relationship. The issue of employee privacy in the age of computer technology now receives regular attention in the press. A recent article in the Chicago Tribune commenced with the following chilling comment:

Watching your every move, reading your every email message, tracking who you talk to and when, following your cursor around the internet. International espionage? Hardly. We’re talking about your employer. The workplace — where you spend more hours than anywhere but home — is where you have the least amount of privacy. Advanced software and computer-based technologies have made it easy for companies to monitor their employees’ activities — with concealed cameras in elevators, hallways and work areas; software that records email messages, visited internet sites and telephone calls.[1]

This is not journalistic hype, as a recent survey of US employers shows. The US Bureau of National Affairs has recently reported the results of a major survey conducted by the American Management Association. The survey reveals that employers’ electronic monitoring of employees’ communication has doubled since 1997. The BNA report continues:

Nearly three-quarters of major US companies responding to the survey said they record and review their employees’ telephone calls, email messages, internet connections, and computer files. Total, active monitoring of employees’ communications and job performance has increased this year to 74 per cent of responding employers, the AMA reported in its annual survey ...[2]

Even in the litigation-happy US, employees’ rights have been found sadly lacking against this trend. This has produced the paradox that whereas the labor market has never been tighter in the US, employees’ rights have increasingly diminished. In a recent lead article in the New York Times Magazine the author observed:

In the latest phase of America’s one-sided class war, employers have taken to monitoring employees’ workplace behaviour right down to a single computer stroke or bathroom break, even probing into their personal concerns and leisure activities. Sure, there’s a job out there for anyone who can get to an interview sober and standing upright. The price, though, may be one’s basic civil rights and — what boils down to the same thing — self respect.[3]

Similar economic conditions in Australia have coincided with a wholesale attack on employees’ rights. Although the industrial relations systems in NSW and Queensland have held the line against the deregulatory trend, many employees under the federal system and, in particular, Victoria and Western Australia are now denied access to the machinery of an impartial industrial relations tribunal. The immediate economic consequences of deregulation have left employee privacy and other ‘quality of working life’ issues in the shade as employees endeavour to simply protect existing terms and conditions against erosion.

These understandably more pressing issues have seen employee privacy issues very much subordinated. The authors of a leading text on employment law have identified the issue as an emerging one but, equally, have correctly commented that these issues have received rather less attention than might be expected:

One subject to which this developing concept of managerial reasonableness may have particular relevance is employee privacy. This is an issue which is gradually coming to the fore, in an era when computers and other technology allow employers to have ready access to medical or financial records when screening job applicants, to maintain surveillance on workers and to compile extensive dossiers on them. As yet, employees have few direct legal entitlements to prevent or even to control invasions of their privacy.

Matters such as surveillance, security checks and random drug testing are also capable of being regulated by awards (at least at State level) and agreements, though to date it is probably fair to say that unions have not accorded high priority to private concerns.[4]

The recently coined expression ‘cyber bludging’ (the Australian equivalent to the US ‘cyber slacking’) expresses the other side of the privacy dilemma. Employers are increasingly concerned that easy access to computerised technology has led to a deterioration in employee productivity in some quarters. Recent estimates suggest employees with internet access spend up to three hours a week on personal internet browsing and activity. These and other legitimate employer concerns call attention to the need for balance in considering employee privacy issues.

Contemporary employment privacy issues are numerous. The issues considered in this article will be confined to those which have attracted recent attention in employment settings. (For a comprehensive treatment of many of these issues see Professor Ron McCallum’s monograph Employer Controls over Private Life.)[5]

Legal setting of employment

Notwithstanding the raft of regulation which governs the working life of employees, the legal model which underpins the employment relationship is in essence a remnant of the 19th century known as the ‘contract of employment’. Initiatives taken by employers which have privacy implications for employees — such as computerised surveillance and drug testing — typically become conditions of employment by fiat. The law treats these accretions to terms and conditions of employment as ‘variations’ to each employee’s contract of employment. Where the workplace has no union presence, these ‘variations’ are invariably unilateral.

The employee’s rights in the face of these unilateral changes are more theoretical than real. The legal position is that a contractual variation must be consensual. ‘Consent’ in this context is elusive. In the absence of agreement upon variation, the employee may treat the contract as having been repudiated. The adherence to legal principle in this case, however, comes at a high price. The legal option for the injured party is to treat the contract as having been repudiated and to sue for damages. In the real world this is no option at all. Employees simply succumb.

For non-unionised employees, only the most modest legislative protections regulate employee privacy, at least in the private sector.[6] In New South Wales, the Privacy and Personal Information Protection Act 1998 (NSW) (a successor to the Privacy Committee Act 1975) provides an ‘ombudsman’ style complaints mechanism for complaints about privacy intrusion of all kinds from both private and public sectors. Both the NSW Act and the Privacy Act 1988 (Cth) provide some statutory rights for public sector employees. In the regulated (award covered) sector, the scope for regulation of employee privacy is somewhat more extensive.

Section 89A of the Workplace Relations Act 1996 (Cth) restricts the jurisdiction of the Australian Industrial Relations Commission (AIRC) to 20 ‘allowable matters’. Not included in this catalogue is anything to do with employee privacy. The rationale of this limitation is to compel employment terms and conditions beyond the minimum safety net to be the subject of enterprise based negotiations and included in certified agreements. Accordingly, the ‘safety net’ award system at the Commonwealth level is not well suited to deal with privacy related matters. In some state jurisdictions, however, the scope of industrial tribunals to deal with privacy concerns is not so circumscribed.

As the discussion below suggests, issues of employee privacy are more likely to be agitated after the fact — in unfair dismissal cases.

Examples of employee surveillance

The scope for employee surveillance is circumscribed, at least to a degree, by various (especially state) statutes. There is a greater degree of legislative protection in NSW than in the other jurisdictions regarding these matters; by way of examples, reference should be made to the Industrial Relations Act 1996 (NSW), the Workplace Video Surveillance Act 1998 (NSW), the Lie Detectors Act 1975 (NSW), the Listening Devices Act 1984 (NSW) and, federally, in relation to the question of employee surveillance, the Telecommunications (Interception) Act 1979. The Lie Detectors Act prohibits the use of lie detectors in NSW. The Listening Devices Act regulates the circumstances in which audio surveillance can take place. The circumstances of video surveillance are now regulated by the Workplace Video Surveillance Act 1998 (NSW), whereby any employer who seeks to institute video surveillance of its workforce is required to get a warrant from a magistrate. This at least provides some measure of regulation of the practice of employee surveillance in this manner.

Another form of surveillance, telephone monitoring, is a regular practice, particularly in areas where telephone sales staff or call centre staff are concerned. These practices, however, are usually notified to the callers (as is arguably required by the Telecommunications (Interception) Act), usually by way of a message that indicates that the call may be monitored for the purposes of quality management. Employees concerned are notified in advance that their telephone contact with customers may be the subject of monitoring for the purposes of quality assurance. In such workplaces it is the usual practice to provide unmonitored telephones for the occasional personal call which an employee might need to make. There can be no complaint regarding this monitoring in circumstances where the telephone is used as an essential part of the job function and where employees are put on notice that telephone monitoring will occur as a matter of course.

Of course the provision of other telephones which can be used for necessary personal telephone calls is an indispensable additional condition at the workplace and, it may be suggested, a good human relations policy — although not, of course, one which is required by law.

Employee surveillance has, however, entered an entirely new dimension with the advent of inexpensive means of recording work done on computers. In a recent article in the Wall Street Journal, Michael J McCarthy commented on employee surveillance software:

In a new threat to personal privacy on the job, some companies have begun using surveillance software that covertly monitors and records each keystroke an employee makes: every letter, every comma, every revision, every flick of the fingertip, regardless of whether the data is ever saved in a file or transmitted over a corporate computer network. As they harvest those bits and bytes, the new programs, priced at as little as $99, give employees access to workers’ unvarnished thoughts — and the potential to use that information for their own ends.

Say you draft a rant to the boss or a client, and then, thinking better of it, delete the whole thing. Too late. One by one, all the keystrokes have been sucked up and stored on your computer’s hard drive or sent as email that a computer system administrator or manager can retrieve at his convenience.[7]

These developments in computer software now make surveillance of employees via their use of computers both easy and inexpensive. If these developments from the US are any indication, employee surveillance of this kind will assume a centrally important and potentially controversial place in employer-employee relations.

A recent report conducted by a software company which specialises in surveillance software zeroed in on employee ‘cyber slacking’:

‘Cyber slacking’ at work continues to pose numerous challenges for managers trying to maintain employee productivity, said a study released today. The report, which is based on a new survey jointly conducted by JSB, the producers of the surfCONTROL internet protection software and QuickTake.Com, the web portal, found that new forms of internet content are increasingly distracting employees from doing work. ... recent surveys from Nielsen-NetRatings [show] that Americans spent on the average 21 hours last month (ie more than one hour per day) conducting personal web surfing at work. The ... top content distractions for workers [are] news sites (46 per cent), shopping (25 per cent) and, perhaps more seriously for their employer, job hunting and recruitment websites (32 per cent).[8]

The degree of surveillance promoted by these new software developers may provide a wealth of information, but it may also prove to be a two-edged sword. The data collected in such exercises becomes yet another source of material for discovery in employee litigation — especially in sex discrimination and harassment cases.

Employee records

These fashionable topics should not be permitted to overshadow the underlying privacy concerns about employee records; specifically, access to computerised or ‘hard copy’ employee records. These records very often contain extremely sensitive personal information. The modern tendency to collect more information (thanks to computers) has increased the potential for the abuse of this information. Computer security programs, properly implemented, may assist in the protection of these records against unauthorised access.

The current proposals for new federal privacy legislation will not extend the application of privacy laws to most employee records. In NSW, at least, a level of regulation exists via the complaints based mechanism operated by the Privacy Commissioner. There is no reason why matters relevant to access to employee records could not be the subject of an industrial dispute in some of the state jurisdictions.

Employees and email

There is no doubt that the ‘hot topic’ in employment law — at least so far as the press is concerned — is the use and abuse of email. The most frequently asked questions about email are:

Leaving legislation aside,[9] the answer to these questions is a simple one. The law regards an employer’s computer system as a piece of property which is in the same category as other property such as office equipment, vehicles, documents and so on. The use of an employer’s email system in the course of employment, so far as the law is concerned, is simply the use of just another piece of employer’s property. There is no particular magic about the fact that the messages are conveyed electronically.

This bare legal position stands in marked contrast with the expectations of many employees regarding access to employee email. Most employees (and people generally) would be horrified to think that their employer could open and read their personal correspondence — even if they wrote it on the employer’s stationery (but probably not including the employer’s letterhead). Most employees will utilise the email system to send brief personal messages and think nothing of it. Many will use the system to send gripes about the workplace to their colleagues. Some may even be critical or gossipy about their colleagues or superiors. Some will distribute union and social club news. An individual may even compose a letter in the heat of the moment after a disagreement with a supervisor, but think better of it and not press the ‘send’ button. The message may even be deleted.

In all of these cases the messages concerned may be read by the system administrator and the employer. Otherwise private communications may be inspected and inevitably employee discipline will follow. Against the reasonable expectation of privacy, it must be conceded that email systems have been used by recalcitrant employees to harass, flame (send abusive email) or defame others (including their work colleagues and supervisors), to disclose confidential information or to transmit pornography. These activities can lead to potential employer liability on a variety of grounds. Like all privacy interests, a balance has to be struck between the interest in the protection of private and personal communications and the equally legitimate interest in the protection of the employer’s lawful interests and property.

Employees who use an employer’s email system usually disclose the employer’s name as the originator of the message. Accordingly, if the employee downloads copyrighted materials or engages in any other inappropriate conduct, an injured party could argue that the employer had a duty to stop such conduct. The employer may end up liable for copyright infringement. Employers also need to make sure that their employees are not improperly obtaining access to and sending confidential information or trade secrets of the employer over the internet.

While there may be a commonly held belief that employees have a reasonable expectation of privacy in email communications, the Courts — even the usually progressive US Federal Courts — have not shared that view. In Smyth v Pillsbury Co a US District Federal Court interpreting Pennsylvania common law on privacy concluded that an employee has no reasonable expectation of privacy in their email. The Court held that a reasonable person would not consider an employer’s interception of email communications to be a substantial and highly offensive invasion of privacy. The employer’s interest in preventing inappropriate and unprofessional comments or even illegal activity over its email system was found to outweigh any privacy interest that the employee may have had.

Closer to home and more recently, ASU v Ansett[10] raised an issue of an employee’s use of the employer’s email system. This was a case which raised allegations of the victimisation of a union delegate. Justice Merkel of the Federal Court had to consider whether a union delegate’s utilisation of Ansett’s email system was unauthorised and, as such, constituted an act of misconduct which justified her dismissal.

The employee, Ms Gencarelli, was a union delegate involved in enterprise bargaining negotiations. She distributed material via the email system which was critical of Ansett’s role in the negotiations. Employees were permitted to use the email system for ‘authorised business uses’. The issue in the case was whether this particular use could be regarded as an authorised business use. Merkel J observed:

Notwithstanding Ansett’s contentions to the contrary, the communication of a Joint Work Group outcome does not fall within any category of the Policy that would render an authorised lawful business activity to be an ‘unacceptable’ use of the email system. The critical question is whether the communication of the bulletin was an authorised business activity.

In my view Gencarelli’s use of Ansett’s email system was impliedly authorised by Ansett, as it was an authorised business activity under the IT Policy. That conclusion is based upon:

The objectives and terms of the 1999 agreement made it quite clear that Joint Work Group activities were for Ansett’s business purposes. Gencarelli’s use of the email for the purpose of communicating Joint Work Group activities to ASU members is sufficiently associated with the activities of the Group and its objectives so as to regard the communication process itself as an incident of those activities, albeit that meeting outcomes might be jointly or separately communicated by the ASU and management representatives. Ansett relied upon the Award provision for a union notice board as the appropriate means of communication. However, that provision relates to union information generally and is discrete from, and additional to, communications in relation to Joint Work Group activities.[11]

The judge found that the use of the system was impliedly authorised as Ansett’s email guidelines permitted ‘authorised business uses’. Since there was an arrangement between the union and Ansett regarding the communication of agreement negotiations, it was held that this communication fell within the category of an authorised business use. If this arrangement had not been in place, in the face of an employer policy against the use of the email system, the employee could have been disciplined. Whether in the circumstances the usage in question was such as to justify dismissal is another matter.[12]

Emails are evidence

The other important — and perhaps overlooked — issue regarding email is the fact that like any other ‘document’, emails are evidence and may be retrieved in litigation by discovery or on subpoena. It is said that email is becoming the proverbial ‘smoking gun’ in litigation.

In a recent well publicised US case, Northwestern Airlines obtained discovery against flight attendants who were allegedly implicated in organising an employee ‘sick out’ last Christmas. The suggestion appears to be that the ‘sick out’ — in other words an illegal strike — was organised by disaffected flight attendants following frustration at their union’s failure to negotiate a new collective agreement.

Northwestern struck out with an application, which was granted by the US Federal Court judge, for an order for discovery by inspection of the personal home computers of two of the alleged ‘ringleaders’. This decision is currently under appeal. It stands as a timely reminder that the means of modern communication are not immune from the processes of legal discovery.

Privacy Commissioner’s guidelines

Following the spate of recent publicity about employee emails, the Federal Privacy Commissioner has issued guidelines on Workplace Emails and Privacy (available at <http://www.>). The Commissioner has observed that it is for each organisation to determine what it considers to be appropriate usage of its system. He says:

to simply say that all activity must be ‘work-related’ may not be clear. There may be scope for guidelines outlining what personal use of email both within the organisation and externally, to other organisations, is appropriate.

The Commissioner points out that other activities may be specifically prohibited, for example the use of email to harass, flame, defame, disclose confidential information or transmit pornography.

The policy should also state the circumstances in which IT staff can legitimately access staff emails and browsing logs. The policy should also indicate the organisation’s attitude to disclosure of the contents of emails and logs. Understandably, the issue of ‘appropriate usage’ may be harder to define in respect to web browsing.

The Privacy Commissioner points out that the sex, race and disability Discrimination Acts and workplace relations laws apply in both the public and private sectors. Employers need to be aware of their obligations under these Acts to protect their employees against sexual harassment, racial vilification and other forms of unlawful discrimination which could occur through email and internet use.

The Privacy Commissioner’s Email Guidelines are as follows:

Developments in NSW

In New South Wales, at least, there is continuing debate about whether employees’ expectation of privacy in email communications should be recognised in law. The former Minister for Industrial Relations and Attorney General Jeff Shaw has confirmed that the NSW Privacy Commissioner will be asked to develop email privacy guidelines while the NSW Law Reform Commission considers a reference on privacy to be provided to the NSW Government.[13] That reference will consider whether legislation is appropriate to protect employee privacy interests.

Jim Nolan is a barrister specialising in industrial law at Denman Chambers, Sydney, and was formerly Executive Member of the NSW Privacy Committee in the 1980s. This article was originally presented at an IIP Conference in Sydney under the title ‘Employee rights in the electronic workplace — some aspects of employee privacy in the Electronic Age’. Part 2 of the article will cover drug testing of employees, ‘out of hours’ conduct and employment references.

[1] Sopranos K ‘The eyes have it in today’s technology driven workplace — privacy is not on the list of benefits’ Chicago Tribune 5 March 2000.

[2] 2000 AMA Survey, Workplace Monitoring & Surveillance BNA Daily Labor Report 2 May 2000.

[3] 5 March 2000.

[4] Creighton B and Stewart A Labour Law — An Introduction (3rd ed) Federation Press 2000 p 257.

[5] UNSW Press 2000.

[6] This will change in some situations if the Privacy Amendment (Private Sector) Bill 2000 (Cth) is enacted, but that Bill is not covered by this article.

[7] ‘Keystroke Cops: New software raises troubling questions on worker privacy’, citing Michael J McCarthy of the Wall Street Journal MSBC highlights 7 March 2000.

[8] Dennis S ‘Cyberslacking Threatens Productivity’ Newsbytes March 8 2000.

[9] The implications of the Telecommunications (Interception) Act 1979 (Cth), various State listening devices Acts, and any privacy legislation governing collection of personal information might all have to be considered in particular situations.

[10] [2000] FCA 441 (April 7 2000).

[11] Paragraphs 51-54.

[12] See Byrne & Frew v Australian Airlines (1995) 185 CLR 410 especially per McHugh & Gummow JJ.

[13] Workers On Line weekly email newspaper Labour Council of New South Wales, Issue 53, May 12 2000.
