1. Privacy and the law
Employees generally expect that laws exist to protect their privacy in the workplace. There is no such law.(1) Many activities affecting the privacy of employees are carried out without their knowledge. For example, most software used to operate networks in the workplace (including web servers and mail servers) keeps logs of transactions and communications. The logs generally include the email addresses of senders and recipients and the time of transmission. Email content will often be stored on mail servers. Web server logs record data on the sites people visit. System administrators are capable of reading the contents of emails sent and received by the company network.
2. Privacy guidelines
National Privacy Principles have been created and require that employees be informed about personal information collected about them and what is done with that information. See Privacy Fact Sheet.
New privacy legislation allows businesses to develop their own codes regulating the storage, collection and disclosure of personal information. The Australian Privacy Commissioner has published Guidelines on Workplace Email, Web Browsing and Privacy (Guidelines). The Guidelines do not have the force of legislation but complement the new privacy legislation. The Privacy Commissioner considers that organisations are responsible for their own computer systems and networks and should have the right to make directions or rules as to their use.
The Guidelines require an employer to have an email or Electronic Communications Policy that sets out to staff what activities are permitted and what is forbidden. The National Privacy Principles require an organisation to set out its policy on the management of personal information, and that policy must be available to anyone who asks for it.(2)
Where a company intends to monitor email and internet use, this should be stated in the electronic communications policy of the company. For example:
"This document sets out Joe Bloggs business policy for use of its computers generally and for email and Internet use specifically. Please note that:
(a) it is a condition of your engagement, whether as an employee or contractor, that you comply with this policy. Breach of this policy may result in immediate dismissal without notice; and
(b) Joe Bloggs may monitor, access, review and disclose any of your email messages and other data (including personal messages, data and logs of Internet usage) in accordance with this policy."
3. Employee Records
Employee records are exempt from the requirements of the National Privacy Principles. The exemption applies to collection, use or disclosure of information contained in employee records in the context of the employment relationship. Employee records remain exempt until they are no longer used for the purpose of the employment relationship.
"Employee record" is defined by law and includes health information, personal and emergency contact details, the employee’s membership of a professional or trade association or trade union, and the employee’s taxation, banking or superannuation affairs. This appears to be a subset of the items that might exist on an employee’s employment record. Great care should be taken with employee records.
4. Screening email and internet use
It has not yet been determined whether an employer who reads his or her employees’ emails will be in breach of telecommunications interception legislation. The legislation prohibits the interception of communications carried on a telecommunications system by listening and recording without the consent of the originator.(3) Screening the email and internet use of employees may be challenged under Commonwealth telecommunications legislation.
However, retaining records of email and internet use on a server is unlikely to constitute an interception of communications under the telecommunications legislation.(4) Email and internet connections held in a digital storage facility are unlikely to constitute electromagnetic energy passing over a telecommunications system. Although undecided in Australia, US experience(5) suggests employees who send email give an implied consent to the storage of their messages.(6)
Other relevant Fact Sheets:
Cyberspace Crime
Privacy
Telecommunications (long version)
Telecommunications (short version)
Workplace Net Control
End Notes
1. The Office of the Federal Privacy Commissioner receives many enquiries regarding the privacy of workplace email and web browsing activities. See http://www.privacy.gov.au.
2. See National Privacy Principles Clause 5 (Openness on the website) at http://www.privacy.gov.au/news/pab.html.
3. Telecommunications (Interception) Act 1979 (Cth).
4. Telecommunications (Interception) Act 1979 (Cth) section 5(1), definition of "telecommunications system".
5. Bohach and Catalano v The City of Reno (1996) 932 F. Supp. 1232.
6. In relation to general issues of unauthorised access to computers, see the Cyberspace Crime Fact Sheet.