Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Most teams rely on the internet to get work done. At the same time, you might worry about productivity, cyber risks and legal liability if staff access risky or inappropriate websites at work.
Monitoring employee browsing can help - but only if you do it lawfully and transparently. Australia has privacy and surveillance laws you need to follow, and there are smart steps to take before you switch on any tracking tools.
In this guide, we’ll walk through when monitoring is legal, what you can (and can’t) monitor, and how to roll out a compliant workplace policy that protects your business and respects employee privacy.
Why Monitor Employee Browsing?
There are legitimate business reasons to monitor internet use at work. Being clear about your purpose makes your approach easier to justify and easier to explain to your team.
- Cybersecurity: Detect malware, phishing and unauthorised data transfers before they become a breach.
- Compliance: Reduce the risk of staff accessing illegal content or breaching licensing and copyright obligations.
- Productivity and bandwidth: Limit distractions and keep critical systems running smoothly.
- Reputation and safety: Prevent harassment, offensive content and other conduct risks on company systems.
The key is proportionality. Target the risks that matter for your business and avoid collecting more personal information than you need.
Is Monitoring Employee Internet Use Legal In Australia?
Yes - with conditions. Lawful monitoring sits at the intersection of state and territory workplace surveillance rules, the federal Privacy Act 1988 (Cth), and other laws (including telecommunications and criminal laws). Your obligations can vary depending on where your employees work and what you monitor.
State and Territory Surveillance Laws
Several jurisdictions have specific workplace surveillance laws, while others rely on general surveillance devices legislation. Requirements commonly include giving advance notice, specifying what’s monitored, and how monitoring occurs.
- New South Wales: The Workplace Surveillance Act 2005 (NSW) requires at least 14 days’ prior written notice before commencing “employee surveillance” (including internet and email). The notice must describe the kind of surveillance, how it will be carried out, when it will start, whether it is continuous or intermittent, and whether it is for a specified period. Additional rules apply to camera surveillance (including signage) and to covert surveillance, which generally requires a magistrate’s authority.
- ACT: Under the Workplace Privacy Act 2011 (ACT), employers must give clear notice about surveillance, including the kind of surveillance, how it operates and how information may be used. Covert surveillance is tightly restricted.
- Other States/Territories: Victoria, Queensland, Western Australia, South Australia, Tasmania and the Northern Territory regulate surveillance devices (audio, optical, tracking, data) and prohibit certain recordings or “interceptions” without consent. Even where a dedicated “workplace” law does not exist, monitoring must still comply with surveillance device and interception laws.
What does this mean in practice? Provide written notice well before monitoring starts, explain the systems in scope (for example, DNS/firewall logs on company networks), and ensure any camera or communications monitoring meets the consent and notice requirements in your location. If emails are in scope, it’s worth understanding the nuances around employer access to employee emails and how to manage that lawfully.
The Privacy Act And The Small Business Exemption
Many private sector employers are covered by the Privacy Act and the Australian Privacy Principles (APPs). However, there is a small business exemption: businesses with an annual turnover of $3 million or less are generally exempt, unless an exception applies (for example, health service providers, those trading in personal information, or those handling certain regulated identifiers).
Even if you are exempt, monitoring still needs to comply with surveillance and telecommunications laws. And if you’re not exempt, monitoring data will often be “personal information” - which means you should collect only what’s reasonably necessary, keep it secure, restrict access and delete it when it’s no longer required. Your approach should also line up with your published Privacy Policy.
The Employee Records Exemption (And Its Limits)
There’s also an “employee records” exemption that applies to personal information about current employees if it’s directly related to the employment relationship and held in an employee record. Importantly, this exemption is narrow. It does not apply to job applicants, contractors or former employees, and not all monitoring data will fall neatly into an “employee record”.
In short, don’t assume browsing logs are automatically exempt. Treat them with care: minimisation, security and deletion should be part of your plan.
What Can You Monitor - And What’s Off Limits?
Most employers can lawfully monitor browsing activity on company-owned networks and devices if they’ve given proper notice and have a clear policy. Typical data includes domains visited, timestamps, bandwidth use, and security alerts from endpoint or network tools.
However, there are limits you should respect.
- Content interception: Intercepting the content of communications “in transit” is restricted by telecommunications and surveillance device laws. Focus on system logs and metadata unless you have a clear, lawful basis and appropriate consent.
- Private communications: Monitoring live call audio or recording meetings will usually require express consent. If call capture is part of your approach, make sure you understand business call recording laws in your state or territory.
- Personal devices (BYOD): If staff use their own devices, full device monitoring is risky. Limit monitoring to managed corporate apps, email profiles and company network traffic. Be transparent about what is and isn’t captured.
- Out-of-hours: If tools run 24/7, set guardrails so you’re not tracking private, out-of-hours browsing without a lawful reason or consent. Consider pausing collection or filtering out personal time.
- Sensitive information: Browsing logs can reveal sensitive information (for example, health, religious beliefs or union membership). Treat this with extra care, limit collection, and restrict access on a strict need-to-know basis.
A good rule of thumb is to define your purpose in advance, collect the minimum information required for that purpose, secure it properly and delete it once it’s no longer needed. If you’ll also review message content or inboxes, revisit your approach to emails and mailbox access to stay on the right side of the law.
How To Implement Lawful And Transparent Monitoring
A structured rollout helps you meet your legal obligations and maintain trust with your team. Here’s a practical roadmap that balances risk management and privacy.
1) Map Your Purpose, Scope And Tools
Start with your risks and objectives. Are you targeting malware, data loss, productivity, or all of the above? Choose the least intrusive tool that meets your needs - for example, domain-level logging and content filtering rather than full packet capture or screen recording.
2) Check Local Surveillance Rules
Confirm what your state or territory requires, especially the NSW rule of 14 days’ prior written notice that specifies what, how and when surveillance will occur. Build these requirements into your timeline and templates. Where cameras are used, make sure signage and placement comply. Where communications are monitored, assess whether consent is needed and how you’ll obtain it.
3) Address Privacy And Retention
If you’re covered by the Privacy Act, apply the APPs to your monitoring data: collect only what you need, store it securely, restrict internal access and set retention periods tied to a clear purpose. Align your approach with your Privacy Policy so staff understand how information is handled.
Retention matters. Keep high-level logs long enough to detect and investigate incidents, then securely delete them. Your IT and HR teams should work with legal and information security to agree realistic timeframes, informed by guidance on data retention laws in Australia.
4) Give Clear Notice And Obtain Acknowledgement
Before monitoring starts, provide staff with written notice that clearly explains:
- What you’ll monitor (for example, websites visited on company networks and devices).
- How monitoring occurs (endpoint agent, firewall or DNS logs, content filtering).
- When monitoring occurs (work hours only, or at all times on corporate devices).
- Why you’re monitoring (cybersecurity, compliance, productivity and safety).
- How information will be used, who can access it and how long it will be kept.
- Consequences for policy breaches and the process you’ll follow.
Ask employees to sign an acknowledgement or accept updated terms in your HR system. For new hires, include this alongside their Employment Contract.
5) BYOD, Contractors And Remote Work
If you allow personal devices, set technical and policy boundaries. Mobile device management (MDM) or application “containerisation” can separate work and personal data. Be explicit that you won’t access personal photos, private apps or personal browsing history, and limit monitoring to corporate accounts and managed network traffic.
Extend your policy and onboarding to contractors and temps who access your systems. They should accept the same monitoring terms before access is granted.
For remote and hybrid work, be clear about whether monitoring applies outside the office and how home networks or shared devices are handled. If your approach covers handsets, align it with your broader mobile phone policy.
6) Security, Access Controls And Governance
Treat monitoring data as sensitive. Limit access to authorised personnel on a genuine need-to-know basis, maintain audit trails for access and use, and encrypt data at rest and in transit where possible. Build monitoring into your incident response plan so that alert triage and investigations are consistent and documented.
7) Communicate, Train And Reinforce
Monitoring works best when everyone understands the “why”. Roll out a short training module to explain acceptable use, monitoring scope and how to get help. Reinforce the message with periodic reminders, especially if you tighten controls or add new tools.
8) Responding Fairly When Issues Arise
If monitoring flags a potential breach, follow a consistent process. Consider severity, evidence and context, and give the employee a chance to respond before deciding next steps. Where conduct is serious (for example, accessing illegal content or exfiltrating sensitive data), escalate under your disciplinary procedures and assess whether a notifiable data breach obligation could be triggered.
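As an added illustration of steps 1 and 3 above (least-intrusive collection and retention), and of the out-of-hours guardrail mentioned earlier, here is a small Python script that applies such a policy to proxy log lines: it keeps domain-level metadata only (path and query string stripped), drops records captured outside the notified work window, and ages out records past the retention period. This is example code, not Sprintlaw's or any vendor's tool; the log format, the 08:00 to 18:00 weekday window, the 90-day retention and the sample lines are all constructed assumptions that you would replace with the values in your own written notice.

```python
"""Minimise and age out browsing logs under a stated monitoring policy (constructed example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Policy values are assumptions: take them from your written notice and policy.
WORK_HOURS = (8, 18)            # collect only between 08:00 and 18:00 local time
WORKDAYS = {0, 1, 2, 3, 4}      # Monday to Friday
RETENTION = timedelta(days=90)  # delete records older than 90 days

# Constructed proxy log lines: "<ISO-8601 timestamp> <user id> <full URL> <bytes>"
SAMPLE_LOG = """\
2024-03-04T09:15:02+10:00 u123 https://intranet.example.com/hr/payslip?id=77 5120
2024-03-04T22:40:11+10:00 u123 https://social.example.net/feed 88000
2024-03-09T11:02:45+10:00 u456 https://news.example.org/story/1 2048
2023-11-01T10:00:00+10:00 u789 http://old.example.com/page 100
"""
# Constructed "current time" so the retention check is reproducible.
SAMPLE_NOW = datetime(2024, 3, 10, tzinfo=timezone(timedelta(hours=10)))


def minimise(line: str) -> dict:
    """Reduce a raw line to metadata: timestamp, user, domain, byte count.
    The URL path and query string (which can reveal sensitive content) are dropped."""
    ts, user, url, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "domain": urlsplit(url).hostname,
        "bytes": int(nbytes),
    }


def in_work_hours(when: datetime) -> bool:
    """True if the timestamp (in its own local offset) falls in the notified window."""
    return when.weekday() in WORKDAYS and WORK_HOURS[0] <= when.hour < WORK_HOURS[1]


def within_retention(when: datetime, now: datetime) -> bool:
    """True while the record is younger than the retention period."""
    return now - when <= RETENTION


def apply_policy(raw: str, now: datetime) -> list:
    """Return only the minimised records that the policy permits keeping."""
    kept = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = minimise(line)
        if not in_work_hours(rec["ts"]):
            continue  # out-of-hours or weekend use: not collected
        if not within_retention(rec["ts"], now):
            continue  # past retention: securely deleted
        kept.append(rec)
    return kept


def run_sample() -> list:
    """Apply the policy to the constructed sample; only the weekday office-hours record survives."""
    return apply_policy(SAMPLE_LOG, SAMPLE_NOW)
```

The evening entry, the Saturday entry and the four-month-old entry are all dropped, so only the intranet visit remains, and even that record no longer carries the payslip path or query string.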
Essential Documents And Policies
Well-drafted documents are the foundation of lawful monitoring. They set expectations, provide legal cover and make your approach consistent across the business.
- Workplace Surveillance/Acceptable Use Policy: Explains what is monitored, how, when and why, plus responsibilities and consequences. A tailored Workplace Policy helps ensure you capture the details required in your jurisdiction.
- Employee Privacy Handbook: Describes how you handle employee data across the employment lifecycle, including monitoring logs, access and retention. An Employee Privacy Handbook keeps HR practices aligned with privacy obligations.
- Privacy Policy: Sets out how your business collects, uses and secures personal information. Make sure it reflects your monitoring practices and is consistent with staff-facing documents. If yours needs an update, consider a tailored Privacy Policy.
- BYOD/Mobile Device Policy: Clarifies the limits of monitoring on personal devices, software requirements, and what data may be collected. This complements your handset and app settings and your mobile phone policy.
- Employment Contracts: Include clauses on acceptable use, confidentiality, IP, and compliance with workplace policies to create a contractual basis for monitoring and enforcement.
- Disciplinary And Investigation Procedures: Outline the steps you’ll take if a breach occurs, ensuring procedural fairness and consistent documentation.
Not every business will need the same level of detail, but most will benefit from a clear policy, consistent onboarding acknowledgments, and alignment across HR, IT and legal documents.
How Policies Interact With Other Obligations
Your monitoring framework should sit alongside broader safety and conduct obligations. Blocking harmful websites and reinforcing respectful communications can support your WHS and duty of care responsibilities. If monitoring uncovers potential harassment or discrimination, your anti-bullying and complaint procedures should kick in promptly.
Common Pitfalls To Avoid
- Silent monitoring: Turning on tracking without clear, prior notice undermines trust and may breach surveillance laws (notably in NSW, where 14 days’ written notice is required).
- Over-collection: Capturing detailed content when metadata would do exposes you to unnecessary privacy risk.
- Policy–practice gaps: Policies that promise one thing while tools do another create legal exposure. Keep them aligned and up to date.
- Ignoring BYOD: If personal devices access company systems, address them explicitly and technically separate work and personal data.
- Weak security: Monitoring data is valuable to attackers. Restrict access, log it and encrypt where possible.
A Quick Word On Communications Monitoring
Browsing data is one thing; live communications are another. Recording calls or capturing message content often requires express consent and must comply with state and federal laws. Before extending monitoring into communications content, get advice and ensure your notices, consent mechanisms and technical controls are set up correctly. If emails are within scope, revisit your approach to email access and storage so your practice matches your policy.
Rolling Out Changes Without Damaging Culture
Transparency and fairness go a long way. Explain the business reasons, invite questions and show staff how the controls protect everyone - for example, by blocking phishing sites or stopping accidental data leaks. Share positive outcomes (fewer malware incidents, faster incident response) so people can see the benefits.
Practical FAQs
Do I Need Consent To Monitor Browsing?
In many cases you’ll rely on notice rather than consent for internet and system log monitoring on company devices, provided you comply with state/territory surveillance rules. However, explicit consent may be required for recording calls or accessing the content of communications. If you plan to capture communications content, revisit the relevant call recording laws and build consent into your scripts and systems.
Can I Monitor Employees Outside Work Hours?
Be cautious. If your tools collect data 24/7 (for example, on a corporate laptop used at home), you should minimise collection outside work hours unless there’s a lawful reason or consent. Ideally, configure tools to pause or filter personal use, and be transparent about when monitoring occurs.
How Long Should We Keep Browsing Logs?
Only as long as needed for your stated purpose (for example, security investigations and compliance). Document your retention periods and automate deletion where possible, taking cues from your information governance framework and guidance on data retention laws.
What About Mobile Phone And App Use?
Apply the same principles: purpose, notice and proportionality. Clarify what is monitored on company phones and managed apps, and ensure your approach is consistent with your mobile phone policy.
Key Takeaways
- Monitoring employee browsing in Australia is lawful when you give proper notice, comply with state/territory surveillance rules and apply privacy best practice.
- In NSW, give at least 14 days’ written notice that specifies the kind of surveillance, how it will run and when it starts; other jurisdictions have similar notice and consent requirements.
- Don’t assume the Privacy Act covers (or exempts) you: the small business exemption may apply, and the employee records exemption is narrow - treat most monitoring data as personal information.
- Be proportionate: collect the minimum data needed to manage cybersecurity, compliance and productivity risks, secure it, restrict access and delete it when it’s no longer required.
- Cover BYOD, contractors and remote work explicitly so you’re not accidentally monitoring personal activity or breaching privacy or surveillance obligations.
- Put strong foundations in place - an Acceptable Use/Surveillance Policy, aligned staff documents like an Employee Privacy Handbook, an up-to-date Privacy Policy and robust Workplace Policies - and embed monitoring terms into your Employment Contracts.
- If you monitor emails or calls, be extra careful about consent and limits - start with system metadata and escalate only when there’s a lawful, documented need.
If you’d like tailored advice or help drafting a compliant monitoring and acceptable use framework for your workplace, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.