We are watching you – Workplace Surveillance and the Law

A practical guide for employers on what you can (and can’t) monitor — and what happens when you get it wrong.

You already know your business has legitimate reasons to monitor what happens in your workplace. Protecting IP, managing productivity, investigating misconduct — none of that is controversial. The temptation to keep a closer eye on what your people are doing on your systems, on your time, on your premises is entirely understandable.

The Workplace Surveillance Act 2005 (NSW) does not stop you from surveilling your workforce. It requires you to be transparent about it. The Act regulates three distinct categories — cameras, computers, and tracking — each with its own compliance requirements. A separate criminal framework — the Surveillance Devices Act 2007 (NSW) — also applies and can be engaged at the same time.

Fall foul of either, even with the best of intentions, and you could find yourself unable to use the very evidence you gathered, facing criminal penalties, or handing a disgruntled employee the ammunition for a claim against you.

Here is what every NSW employer needs to know.

Note, while this guide focuses on the NSW legislative framework, employers across Australia are subject to a general obligation to conduct workplace surveillance lawfully and transparently, a principle that is reflected in the legislation of each state and territory. The specific requirements vary by jurisdiction, but the core obligations regarding notice, consent, and the prohibition on covert surveillance are broadly consistent. Employers with staff or operations outside NSW should obtain specific advice on the applicable laws in each relevant jurisdiction.

The Universal Requirement: 14 Days’ Written Notice

Every form of workplace surveillance requires prior written notice to each affected employee, served at least 14 days before monitoring begins. The notice must specify the type of surveillance, how it will be carried out, when it starts, whether it is continuous or intermittent, and whether it is time-limited or ongoing. For new starters joining a workplace where surveillance is already operating, the notice must be given before they commence work. This can be done as part of their written contract of employment.

This is not a formality. Surveillance conducted without a compliant section 10 notice is likely to be treated as prima facie covert and unlawful, rendering any evidence gathered potentially inadmissible.

1. Camera Surveillance

CCTV is the most visible form of workplace monitoring, and the rules reflect that. Section 11 of the Act requires two things: cameras (or casings or equipment indicating a camera’s presence) must be clearly visible where surveillance occurs, and signs notifying people they may be under surveillance must be clearly visible at each entrance to that area.

There is an absolute prohibition on cameras in change rooms, toilet facilities, and any area where employees might reasonably be expected to undress. No amount of notice or signage will make surveillance in those locations lawful.

What this means in practice: If you are installing or upgrading CCTV, audit every camera location against these requirements. Ensure signage is current and positioned at every entrance — not just the main one. And confirm that no camera captures footage of a prohibited area, even incidentally. If your CCTV system records audio as well as video, the Surveillance Devices Act 2007 (NSW) may also apply: using a listening device to record a private conversation without the consent of the parties is a criminal offence under that Act, and compliance with the Workplace Surveillance Act does not provide a defence.

2. Computer Surveillance

Computer surveillance — monitoring emails, internet browsing, keystrokes, Slack messages, or any other input, output, or use of a computer, attracts an additional requirement beyond the standard notice obligation. Under section 12 of the Act, computer surveillance must not be carried out unless it is conducted in accordance with a policy that has been meaningfully communicated to employees in advance.

What this means in practice: A clause in the employment contract is not enough. A policy buried on the intranet is not enough. You need a standalone (or clearly identifiable) computer surveillance policy, meaningfully communicated to staff, plus the formal written notice. If you have rolled out new monitoring tools — endpoint detection, productivity software, DLP platforms — and have not updated both documents, you have a compliance gap.

One important carve-out: Not every examination of an employee’s computer constitutes “surveillance” under the Act. A one-off, manual inspection of a work device, such as an IT administrator copying files onto a USB for review, is generally understood to fall outside the definition, because it lacks the element of continuous monitoring. The Act targets ongoing, automated tracking of computer use, not a targeted forensic review. This distinction is critical if you are investigating suspected misconduct: a carefully scoped manual review may be permissible where installing monitoring software without notice would not be. Note, however, that the Surveillance Devices Act 2007 may apply independently to monitoring software that captures private communications.

3. Tracking Surveillance

If your business uses GPS in company vehicles or issues mobile devices with location tracking enabled, you are conducting tracking surveillance. The general notice requirements apply, and there is a narrow exception for computer surveillance of employer-provided equipment, but the hard rule remains: tracking surveillance of employees when they are not at work is prohibited. If a company vehicle with a tracker is used outside working hours, the tracking must not be active during personal time.

What this means in practice: If you have fleet vehicles with always-on GPS, you need a mechanism to suspend tracking outside working hours, or you need to prohibit personal use of the vehicle. Simply leaving the tracker running 24/7 is a contravention. The same logic applies to location-tracking features on company phones. Note also that the Surveillance Devices Act 2007 (NSW) separately prohibits installing or using a tracking device on a vehicle or person without consent, a prohibition that applies regardless of whether the Workplace Surveillance Act notice requirements have been satisfied.

What Happens When You Get It Wrong

The consequences stack up quickly.

Your evidence becomes unusable. Under section 138 of the Evidence Act 1995 (NSW), evidence obtained in contravention of an Australian law will generally be excluded, though a court retains a discretion to admit it if the circumstances warrant. You may for example, catch an employee stealing IP or falsifying records and be unable to rely on the proof in any proceeding.

You hand the employee a claim. An employee who discovers unlawful surveillance has a potential general protections claim under the Fair Work Act 2009 (Cth) where adverse action follows and is connected to the employee’s exercise of a workplace right, such as making a complaint about the surveillance. Courts have granted injunctions preventing employers from using unlawfully obtained recordings in disciplinary proceedings, effectively neutralising the employer’s case while exposing it to a cross-claim.

A separate criminal law also applies. The Surveillance Devices Act 2007 (NSW) operates independently of the Workplace Surveillance Act and creates standalone criminal offences for using listening devices to record private conversations, using optical surveillance devices to record private activities (most relevantly in areas where employees have a reasonable expectation of privacy, such as change rooms), installing tracking devices without consent, and deploying data surveillance software to capture private computer activity. Penalties under the Act include substantial fines and imprisonment. Critically, compliance with the Workplace Surveillance Act,  including giving the requisite notice, does not provide a defence under the Surveillance Devices Act. The two regimes operate in parallel.

In Chappell v Griffin Coal Mining Company Pty Ltd [2016] FCA, the Federal Court found it was arguable that a workplace conversation in Western Australia, that had been both recorded and videoed constituted a private conversation within the meaning of surveillance devices legislation, and that recording it without the consent of each party was arguably unlawful. The Court did not have to decide whether there was an actual breach of the relevant surveillance legislation, as it was hearing an injunction application to have the recording prohibited from use in supporting the employer’s position as to the reasons for dismissal. The Court granted the injunction, meaning the Employer was unable to use the recording of the employee and what he said. It was this very conversation that resulted in the employee’s termination. Although the case arose under the equivalent Western Australian legislation, which operates on broadly similar principles to the NSW regime, it illustrates a risk employers commonly underestimate: an apparently routine workplace interaction if recorded without the necessary consent or legislative requirements is useless in assisting the employer, if they seek to rely on it.

The compounding effect is what makes this especially costly: you invest in the technology, conduct the investigation, gather the material, commence the disciplinary process — and then discover the whole foundation is compromised because the notice or policy was deficient.

A Quick Compliance Audit

If you are reviewing your compliance position, these are the questions to ask:

1. Have we served a section 10 written notice on every current employee specifying each type of surveillance, how it operates, and whether it is continuous or intermittent? This can be done in the employment contract.
2. Do we have a standalone computer surveillance policy, and can we demonstrate it has been meaningfully communicated to all staff?
3. Are all cameras clearly visible, with signage at every entrance — and are any cameras capturing footage of change rooms, bathrooms, or similar areas?
4. Is GPS and location tracking disabled when employees are off duty, or have we prohibited personal use of tracked vehicles and devices?
5. Do we have a documented process for one-off device investigations that distinguishes manual forensic review from ongoing software-based monitoring?
6. Have we reviewed all of the above since introducing new technology, monitoring tools, or hybrid working arrangements?
7. Have we considered our obligations under the Surveillance Devices Act 2007 (NSW), including whether any CCTV captures audio, any monitoring software intercepts private communications, or any tracking devices operate outside working hours?

If the answer to any of these is no, or uncertain, you have exposure.

The Bottom Line

The Workplace Surveillance Act is not hostile to employers. It assumes you will monitor your workforce. It simply insists you tell them you are doing it, in a specific way, before you start. The employers who get into trouble are almost never the ones conducting surveillance openly. They are the ones who assume a clause in the employment contract is enough, or who install monitoring software without following the notice requirements, or who leave the GPS tracker running on the weekend.

Get the notice right. Get the policy right. Keep the cameras visible and the GPS off after hours. And if you need to investigate suspected misconduct urgently, take advice first, because the evidence you gather improperly may be the evidence you can never use.

How we can help

If you wish to discuss any aspect of this article or require specialist advice or assistance in relation to an employment law issue, please do not hesitate to contact us.