Ever get the feeling you’re being watched while working at home? It’s entirely possible your activities are actually being tracked – from your web searches and social activity to what you type on the keyboard. But how much protection does the law offer?
The emergency phase of the COVID-19 pandemic may be over, but it has certainly left its legacy in the workplace. No longer do black-suited employees trudge to the CBD every morning; now many employees work flexibly, spending half the week working from their home study (or the couch, or the dining table), heading into the office only a couple of times a week. It’s known as hybrid working, and it would seem it’s here to stay.
But hybrid working brings challenges of its own for employees as managers navigate how best to monitor their staff members’ output. The result is a proliferation of technologies aimed at determining whether an employee is working and how productive and efficient they really are. This includes things like email monitoring, which many workers would be familiar with, as well as technologies that sound a little more sinister: keyboard activity trackers, cameras and videos that monitor attentiveness, and software that tracks what apps and websites an employee visits.
And this isn’t just limited to office-based work. We’ve all heard of the sort of workplace monitoring that Amazon employees are subjected to. Drivers in truck driving fleets are also often monitored closely for their attention and movements.
Workplace surveillance represents an “interesting intersection point between employment law and privacy law”, according to Peter Leonard, Professor of Practice at UNSW Business School.
That’s because “so much of privacy law remains based on the concept of consent and, in essence, a choice by an individual as to whether they allow data about themselves to be collected and used,” Leonard explains. “And of course that model breaks down in a workplace environment, because people really don’t have an effective choice as to how employers elect to deal with them, other than to complain to the Fair Work Commission or Ombudsman or to resign.
“I think it’s a particularly challenging area to address.”
The scale of the challenge, Leonard says, has also increased since COVID-19 as more employers have implemented technologies that allow them to monitor remote workers.
From an employer perspective, these technologies do have benefits: besides providing proof that employees are actually working when they say they are, they can also allay concerns about cyber crime. With more employees accessing sensitive business information from home, and a rise in cyber crimes, Leonard says employers are “rightly concerned” about who is accessing their information and want to be sure it is the designated employee.
But it’s difficult to pinpoint exactly how many employers track their employees in this way – because they aren’t under any obligation to report it, Leonard says.
How worried are employees?
Employer surveillance is a concern around the world. In the UK, research commissioned by the Information Commissioner’s Office (ICO) and released in October found that 19 per cent of people believe their employer has monitored them. Seventy per cent said they would find workplace monitoring intrusive, and 19 per cent said they would be uncomfortable taking a role where they knew they would be monitored by their employer. The ICO has now published a set of guidelines to assist employers to understand their obligations under data protection law when monitoring staff.
In Australia, research undertaken by law firm Herbert Smith Freehills revealed that 91 per cent of the Australian employers surveyed monitor their remote employees’ locations through software.
Leonard believes there is “no reason” to think the level of concern about workplace surveillance in Australia would be different to that expressed in the UK.
And while many Australians would have been horrified to learn about the sort of tracking experienced by employees of organisations like Amazon, Leonard said he feels that employer practices stateside are “much more aggressive and far-reaching” due to a lack of regulation. In fact, many of the employee monitoring technologies and software being used in other countries around the world originate in the US, he says.
“I think [workplace surveillance] is a lot more pervasive in the US than in Australia,” Leonard continues. “The difference, I suspect, in Australia is that employers have been much more restrained in their implementation of these technologies, perhaps partly because we have the Fair Work Commission and the Fair Work Ombudsman – so there’s more avenues for complaint by employees as to what they might regard as unfair business practices.”
Is it legal?
Each Australian state and territory has surveillance and tracking device statutes in place. But according to Leonard, only NSW and the ACT have legislation that specifically addresses workplace surveillance. This means that in other jurisdictions it’s either “not specifically regulated … or it’s regulated in some respects by general surveillance and tracking device statutes.” Often these are “not well understood” by employers, employees and even by lawyers themselves.
“It’s a bit of a mess,” he adds.
Leonard is not the only one to raise concerns about the lack of specific laws to address the issue. Writing in volume 20 of the LexisNexis Privacy Law Bulletin, he referred to the Australian Law Reform Commission’s comments in 2014 on the inconsistencies between Australia’s different jurisdictions when it comes to this area of law, resulting in “uncertainty and complexity, reducing privacy protection for individuals and increasing the compliance burdens for organisations”.
In fact, in the same Bulletin Leonard wrote, “some states have provisions that directly conflict with provisions in other states”. Additionally, he says, the statutes are outdated and difficult to apply to new surveillance technologies.
And although employees in Australia have paths for remedy available when they feel monitoring of their activities has gone too far, Leonard is concerned about whether this is enough of a constraint on employers implementing surveillance technologies, partly because it requires that employees are aware of what’s going on – and only in NSW and the ACT are employers obliged to inform their staff of any monitoring.
Employees might also be discouraged from going to the commission or ombudsman due to the daunting nature of launching such action, or a lack of knowledge about it.
Nevertheless, Leonard says, workplace surveillance can be a “highly intrusive practice”, and remedies and controls are needed. In his piece for the Privacy Law Bulletin, he wrote about the need to harmonise laws around the country to deal with the rise in monitoring. In his view, any method to address the issue needs to balance multiple interests – as well as being fair to the individuals involved.
“On the one hand, you’ve got the desire of employees to be able to work from home and to have a reasonable expectation of privacy when they do so. On the other, you’ve got employers … concerned about protection of confidential information – so wanting to use monitoring to detect hacking or spoofing or other illegal activity – and wanting to know whether employees are actually being productive or not,” he explains.
“And to get that balance right, you need to have laws that prompt both sides to find a compromise around what is reasonably proportionate, to achieve the objective of the employer without unduly impinging on the private life of the employee.”
‘you need to have laws that prompt both sides to find a compromise … to achieve the objective of the employer without unduly impinging on the private life of the employee’
In Leonard’s view, the best way to achieve that balance is to require transparency from the parties involved. He believes that in all states in Australia there should be a requirement for employers to provide advance notice to their employees about any monitoring that will take place, including how that will occur, what devices it will apply on, and possible issues associated with excessive monitoring.
He gives the example of an employee who logs in from home on a device funded or provided by their employer and who may occasionally use that device to check their social media accounts or other personal activities.
“The reality is that most employers won’t be able to, as it were, turn off [and] turn on the monitoring depending upon whether you appear to be conducting a work activity, so employees should be warned that if they’re using a work-provided device, then any monitoring designed to protect the employer and the employer’s confidential business information may inadvertently capture what they’re doing in their private time as well,” Leonard says.
Secondly, he believes the new laws should not rely on consent.
“If you’re working in a warehouse in the western suburbs of Sydney and you’ve got very limited English, [and] you’re a new migrant, the choices available to you [to change jobs] are much more limited, and your capacity to evaluate whether you should give consent is probably much more limited as well. I don’t think consent is a very good mechanism in this place,” Leonard explains.
Instead, he says, there should be a requirement for “objective reasonableness of the monitoring practice”, where the monitoring is required to be “necessary and proportionate to achieve a legitimate purpose”. This could include monitoring whether an employee is working their set hours, the conditions under which they are working, and that the person using the device is the person they say they are, and not, for example, a hacker.
But who decides what’s objectively reasonable?
The legislation should first establish what reasonableness looks like and give some examples of legitimate purposes for workplace surveillance, Leonard says. Then it should provide incentives for parties to determine what is reasonable between themselves and avoid litigation.
‘The legislation should first establish what reasonableness looks like and give some examples of legitimate purposes for workplace surveillance’
After setting out the obligation for employee monitoring to be reasonable, the law should provide a low-cost mechanism for any disputed decisions – where employers and employees can’t agree on what is reasonable – to be reviewed by an independent party like a privacy or information commissioner.
low-cost mechanism for any disputed decisions – where employers and employees can’t agree on what is reasonable – to be reviewed by an independent party like a privacy or information commissioner.
Privacy on the mind
Late last year, Australians were rocked by a series of high-profile hacking scandals. Optus and Medibank customers in particular were hit hard, with the incidents sparking conversations about data, privacy and how much personal information organisations need to hold about their people.
Employees subject to workplace surveillance may hold similar concerns about what data their employer collects, and where it goes. Currently, Leonard said, surveillance and tracking statutes operate in addition to data privacy laws. State-owned agencies and corporations are regulated under state laws while large organisations with a turnover of more than $3 million are covered by federal laws, he said – which means small businesses are not regulated under the Federal Privacy Act.
Many of these smaller employers have already implemented tracking and monitoring technologies since – or during – the pandemic, without consideration about what might be necessary or proportionate.
“So … although the data privacy law statutes are relevant, they don’t cover a very large number of employers in Australia, and many of those employers won’t even have thought about the most basic level of privacy protection because they they’re not legally required to do so,” Leonard explains.
Any organisation looking to implement such technologies should make sure the process is led by HR, and explained to employees in simple terms that they can understand. The organisation should also evaluate what is necessary and proportionate to achieve a reasonable objective.
“That should be a conversation that employers are comfortable having with their employees, and it should include a discussion of the circumstances in which the monitoring may capture activities that an employee might not anticipate would be captured,” Leonard says.
“There is almost… [a] certainty of overreach of monitoring. It’s impossible to get it right, to turn it on [and] turn it off when the employee is actually conducting the work activity.”
Leonard says this is a result of the move to remote working and hybrid workplaces; the relevant laws were developed at a time when more conventional workplaces were the most common, with surveillance laws covering those working within a traditional workplace rather than those working from home, on their own devices or employer-provided devices.
“Hybrid working changed everything. The laws were all developed back in the early 2000s. They need an overhaul,” Leonard says.
“Nobody’s had time to properly focus on the surveillance issue … there’s unfair and excessive invasive surveillance happening, and we need to do something about it.”
Where to next?
The next challenge for Australia will be to harmonise the “mess of state and federal law”, Leonard observes.
In many cases, remote employees work across jurisdictional boundaries – but, he says, “there’s no rational reason why the law in Tasmania or the ACT should be different to New South Wales.”
Leonard believes the issue of workplace surveillance – and coordination of the relevant privacy and data laws around the practice – should be urgently added to the agenda of the relevant ministers, so they can be clarified and harmonised for the modern workplace.
He stresses that he understands why there has been a delay in addressing this issue, with so many other privacy and employment law issues taking priority. Nevertheless, given the momentum of the hybrid working revolution and the proliferation of technology, and the limited understanding of the laws by lawyers, employers and employees alike, reform is crucial.