Alex is Sprintlaw's co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Email is one of the most important tools in your business. It’s where invoices are sent, customer issues get handled, deals are negotiated, and confidential information is shared daily.
That’s also why email access can become a legal risk area for small businesses. Whether you’re an employer checking an employee’s work inbox, a director trying to retrieve emails after a staff member leaves, or a business owner logging in “just this once” to sort out a client problem, it’s important to understand where the legal line is.
So, is it illegal to access someone’s email account in Australia? It can be - and it depends heavily on whose account it is, how you gained access, what you did once inside, and whether you had consent or legal authority.
Below, we’ll break down the key legal issues in plain English, the real-world situations businesses face, and the practical steps you can take to protect your business while staying compliant.
Is It Illegal To Access Someone’s Email Account In Australia?
In Australia, accessing an email account without permission can expose you (and your business) to serious legal consequences. There isn’t one single “email access law” that covers every scenario - instead, different laws can apply depending on the circumstances, including Commonwealth cybercrime offences, state/territory criminal laws, privacy obligations, and (in some places) workplace surveillance rules.
As a starting point, access is more likely to be unlawful if you:
- log in to an email account without the account owner’s consent or authority
- guess, steal, buy or otherwise obtain the password in a dodgy way
- access the account for an improper purpose (for example, to gather evidence, monitor someone secretly, or take confidential information)
- read, copy, forward, delete or alter emails you were not meant to access
On the other hand, access may be lawful where you have a clear legal right to access the account, such as:
- the account is a business-owned work account and access is authorised under an IT policy or employment contract
- you are an administrator of the business email system with defined admin rights
- the user has given informed consent (ideally in writing)
The practical reality for employers is this: if you don’t have the right documents and policies in place, even access you think is “reasonable” can become risky fast.
Which Australian Laws Can Apply To Unauthorised Email Access?
When people search whether it’s illegal to access someone’s email account in Australia, they’re usually trying to work out whether a particular action counts as “hacking” or “unauthorised access”. But for businesses, the legal risk often comes from a combination of cybercrime laws, privacy obligations, surveillance laws, and workplace compliance.
Unauthorised Access (Cybercrime And Criminal Laws)
Generally speaking, accessing someone’s email account without authority may fall within laws dealing with unauthorised access to data or computer systems. At a Commonwealth level, offences relating to unauthorised access, modification or impairment of electronic communications are dealt with under the Criminal Code Act 1995 (Cth) (including “computer offences”). Similar offences can also exist under state and territory criminal laws.
Even if you don’t “break” anything, simply entering an account can still be a problem if you did not have permission or lawful authority to access it.
This risk increases if you:
- bypass security controls
- access the account using credentials you were not meant to use
- download information (especially confidential business information or personal data)
These matters can become criminal in serious situations, particularly if there is intentional unauthorised access, data theft, or damage.
Privacy Obligations (Employee And Customer Information)
Email accounts often contain personal information (for example, customer names, addresses, medical details, complaint histories, or HR records). If you access and handle that information improperly, you may trigger privacy compliance issues.
If your business is covered by the Privacy Act (Cth) (for example, many businesses with $3 million+ turnover, and some smaller businesses that handle particular types of information or services), the way you collect, use, store and access personal information matters a lot. There are also important exemptions and nuances - for example, many private sector employers rely on the “employee records” exemption for certain handling of employee records, but it doesn’t automatically make all monitoring or access risk-free (especially if customer data or other third-party personal information is involved).
This is one reason many businesses put proper governance in place early, including a Privacy Policy and internal access controls, rather than relying on informal “we’ll only check if we need to” practices.
Surveillance And Workplace Monitoring Laws
There’s a big difference between:
- managing business systems (like accessing a shared support inbox to serve customers), and
- monitoring an individual employee’s communications without appropriate notice, consent, or a lawful basis.
Workplace monitoring rules can vary by state and territory. For example, NSW has specific workplace surveillance legislation, and the ACT has workplace privacy laws that may regulate monitoring in an employment context. Other jurisdictions rely more heavily on general surveillance devices laws, privacy/confidentiality obligations, and workplace relations considerations. Because the rules can be jurisdiction-specific, it’s important to check what applies where your employees are located (including remote workers).
If your business is thinking about monitoring employee communications (including email), it’s worth understanding how broader communication monitoring is treated, including business call recording laws and general recording laws in Australia, because the same compliance mindset applies: transparency, notice, and lawful purpose matter.
Employment Law And Contractual Risk
Even if what you did isn’t criminal, it can still create a workplace dispute. Employees may claim (depending on the facts) that the business breached:
- their employment contract
- workplace policies (or the lack of clear policies)
- confidentiality expectations
- workplace rights and obligations around privacy, consultation, and fair process (which can become relevant in employment disputes)
This is why it’s important to clearly set expectations in an Employment Contract and supporting workplace policies, including IT and communications policies.
Common Business Scenarios (And Where The Legal Risk Usually Is)
Most businesses aren’t trying to do the wrong thing. Usually, email access issues come up in very practical situations where you’re trying to keep operations moving.
Here are some common scenarios we see for small businesses, and the key risk points to watch.
1. Accessing A Current Employee’s Work Email
If the email account is issued by your business (for example, name@yourbusiness.com.au), it’s reasonable to assume the account is a business tool. But that doesn’t automatically mean you can access it however you like.
Best practice is to ensure:
- the account is clearly identified as a work account
- your employee has been told (in writing) that the business may access work email accounts for legitimate purposes (such as continuity, compliance, security, or investigations)
- access is limited to what is necessary, and handled by authorised people only
Without those steps, you could face pushback that the access was intrusive, unreasonable, or beyond what the employee agreed to.
2. Accessing A Former Employee’s Email After They Leave
This is one of the most common situations: the employee resigns (or is terminated), and suddenly the business can’t find key client communications, supplier details, or project history.
From a business continuity perspective, you may need access. The risks are usually:
- the employee used the work email for personal messages (which can create privacy sensitivities)
- the business doesn’t have a clear policy saying access may occur after termination
- multiple people share passwords informally (which makes it hard to show access was authorised and controlled)
A practical approach is to have systems in place so you’re not relying on “logging in as them”. For example, consider shared mailboxes, forwarding rules, or admin-managed access with audit logs, rather than password sharing.
3. Accessing An Employee’s Personal Email (Gmail, Outlook, iCloud)
This is where legal risk skyrockets.
Even if you believe an employee used their personal email for work, it does not mean your business has the right to access it. Logging into a personal email account without clear, informed consent is far more likely to be treated as unauthorised access.
If there’s a genuine concern (for example, suspected data theft or misconduct), it’s usually safer to:
- preserve evidence internally (devices, system logs, work accounts)
- get legal advice before taking further steps
- follow a proper investigation process
Where investigations are involved, you’ll want to handle matters carefully and consistently, including using a fair process (for example, a show cause letter where appropriate) and ensuring any evidence collection is lawful.
4. Accessing A Shared Inbox Or Admin Account
Shared accounts (like support@, accounts@, bookings@) are usually safer from a legal perspective because they are clearly business-facing and not tied to one individual’s private communications.
Even then, access should be controlled. You should still:
- restrict access to relevant team members
- have clear user permissions and offboarding processes
- avoid using shared credentials without tracking (because it becomes a security and accountability issue)
5. “We Had The Password, So It’s Fine”… Right?
Not necessarily. Having a password does not automatically mean you have legal authority to use it.
For example, problems can arise if:
- the password was obtained without consent (for example, by guessing, coercion, or accessing a saved password on a device without authority)
- the employee gave the password informally but there was no policy authorising access
- you access content that goes beyond your legitimate business purpose
From a risk management perspective, it’s far better to rely on your business’s admin access and written policies, rather than informal password sharing.
What Should Your Business Do Instead Of “Checking Their Email”?
If your goal is legitimate (for example, serving customers, protecting confidential information, or ensuring compliance), there are safer ways to achieve it than logging into someone’s inbox in a way that could later be challenged.
Set Up Clear Email And IT Policies
Many disputes happen because expectations weren’t set upfront.
Your policies should clearly explain:
- who owns and controls work email accounts
- acceptable use (including whether limited personal use is allowed)
- when and why the business may access accounts (for example, security, continuity, compliance, investigations)
- how access is performed (for example, by admin only, with logging)
This should also align with your broader privacy approach, including any Privacy Collection Notice you use when collecting personal information.
Use Admin-Level Access (Not Impersonation)
Where possible, avoid “logging in as the person.” Instead, use admin tools that allow you to:
- delegate mailbox access to a manager
- export necessary business records
- place legal holds (where relevant)
- retain an audit trail showing who accessed what and when
This reduces the risk of accusations that you were secretly “pretending to be the employee,” and it strengthens your cybersecurity posture.
Build A Strong Offboarding Process
Email access problems often arise because the offboarding process is rushed or unclear.
Some practical offboarding steps include:
- changing passwords and removing access to business systems on the employee’s last day
- setting up an auto-reply and forwarding rule for a defined period (where appropriate)
- ensuring critical client communications are moved into shared systems (CRM, ticketing tools, shared inboxes)
- reminding staff about confidentiality and return of company property
If you’re managing a sensitive termination, it’s also worth ensuring your process is consistent and lawful (including how you handle notice). For example, where appropriate, payment in lieu of notice may be relevant, but it needs to be handled carefully and in line with the employment contract and workplace laws.
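As an added example (not part of the original article), the admin-managed steps described under “Use Admin-Level Access” and the offboarding list above can be carried out from an administrator’s own login rather than by sharing the leaver’s password. It assumes the business uses Microsoft 365 / Exchange Online with the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules installed; every address and period below is a placeholder.

```powershell
# Added example, not from the original article: admin-managed offboarding of a work
# mailbox, assuming Microsoft 365 / Exchange Online. All values below are placeholders.
$Leaver    = "jane.leaver@yourbusiness.example"   # departing employee's work mailbox
$Manager   = "sam.manager@yourbusiness.example"   # person authorised under the IT policy
$SharedBox = "support@yourbusiness.example"       # shared inbox that takes over client mail
$HoldDays  = 90                                   # forwarding/retention period from your policy

# The administrator signs in under their own identity. Nobody logs in "as" the leaver.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# 1. Last day: block sign-in and end existing sessions instead of sharing or reusing the password.
Update-MgUser -UserId $Leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Leaver

# 2. Delegate the mailbox to the manager under the manager's own login, so the audit log
#    records the manager (not the leaver) as the person who opened each item.
Add-MailboxPermission -Identity $Leaver -User $Manager -AccessRights FullAccess -AutoMapping $false

# 3. Auto-reply plus forwarding to the shared inbox for the defined period.
$Notice = "This mailbox is no longer monitored. Please contact $SharedBox."
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Enabled `
    -InternalMessage $Notice -ExternalMessage $Notice -ExternalAudience All
Set-Mailbox -Identity $Leaver -ForwardingSmtpAddress $SharedBox -DeliverToMailboxAndForward $true

# 4. Preserve the contents (a legal hold) where a dispute or investigation is foreseeable,
#    so nothing can be deleted or altered while the matter is open.
Set-Mailbox -Identity $Leaver -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays

# 5. Audit trail: who opened the leaver's mailbox, and when. Which operations are recorded
#    depends on your tenant's audit settings; FolderBind and MailItemsAccessed are the usual ones.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$HoldDays) -EndDate (Get-Date) `
    -Operations FolderBind, MailItemsAccessed -FreeText $Leaver -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate
```

When the defined period ends, remove the forwarding rule and the delegated permission the same way, so the access stays limited to what the policy authorised.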
What Legal Documents Help Protect Your Business?
If you want to reduce the risk of email-access disputes, the right legal documents do a lot of heavy lifting. They make expectations clear, support lawful access where appropriate, and help you respond confidently if a dispute arises.
Depending on how your business operates, consider the following.
- Employment Contract: This should set expectations about company systems, confidentiality, and policies. An Employment Contract can also cross-reference workplace policies so they become enforceable in practice.
- Workplace Policies (IT, Communications, Privacy): Policies help define acceptable use and what monitoring or access may occur. They’re particularly important if you have multiple staff or remote workers.
- Privacy Policy: If your business collects personal information online or through service delivery, a Privacy Policy is a key part of setting expectations and meeting compliance obligations.
- Confidentiality Terms: Confidentiality obligations help protect your business information from being taken or misused via email, especially when staff leave.
- Authority Controls: Where someone needs to act on behalf of the business (for example, an office manager dealing with certain inboxes), having clear authority structures matters. In some situations, a letter of authority can help formalise who is allowed to handle particular communications or accounts.
Key Takeaways
- If you’re asking whether it’s illegal to access someone’s email account in Australia, the real answer is: it depends on authority, consent, and purpose - and it can become unlawful quickly if those aren’t clear.
- Accessing an employee’s personal email (like Gmail or iCloud) without informed consent is far more likely to create serious legal risk than accessing a business-owned work inbox.
- Even when the email account is a work account, you should rely on clear written policies and admin-controlled processes, not informal password sharing.
- Email access issues often overlap with privacy compliance, workplace monitoring expectations, and fair employment processes, so it’s important to take a whole-of-business approach.
- Strong legal foundations (like an Employment Contract, IT policies, and a Privacy Policy) help you protect your business and reduce the chance of disputes.
If you’d like help setting up the right workplace policies, privacy documents, or employment contracts for your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.