Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Workplace monitoring can help you protect assets, improve safety and meet compliance obligations. Whether it’s CCTV in your shopfront, logging staff emails, recording customer calls, or tracking vehicles, the right systems can add real value to your business.
But monitoring your team also comes with strict legal rules. Different states and territories have surveillance and privacy laws that set out how and when you can monitor - and getting it wrong can damage trust, risk penalties, and even make your evidence unusable in a dispute.
In this guide, we’ll walk you through what workplace monitoring means in Australia, the rules you need to follow, the policies and consents to put in place, and a step-by-step rollout plan. Our goal is to help you set up monitoring in a way that’s compliant, fair, and fit for purpose.
What Is Workplace Monitoring?
Workplace monitoring is any method you use to observe or collect information about workers while they’re at work or performing work-related tasks. Common examples include:
- CCTV and security cameras on premises.
- Computer, email and internet usage logging.
- Telephone and call recording (including VoIP systems).
- GPS tracking in vehicles or devices.
- Access control logs (key cards, swipe passes) and time clocks.
- Application monitoring and keystroke logging.
- Biometric systems (e.g. facial recognition, fingerprint time clocks).
Each method touches different areas of law. For example, listening devices and optical surveillance are regulated differently to data and network monitoring. It’s important to map exactly what you want to monitor, why, and how, so you can choose the correct legal pathway and put the right notices and policies in place.
Is Workplace Monitoring Legal For Small Businesses?
Yes - workplace monitoring is generally lawful in Australia if you comply with state and territory surveillance laws and, where applicable, the federal Privacy Act 1988 (Cth). The detail varies by jurisdiction, but there are consistent themes:
- Give staff clear notice (and often advance written notice) about the kinds of monitoring you will conduct.
- Don’t record in private places (such as bathrooms or change rooms).
- Use monitoring for a legitimate business purpose and keep it proportionate.
- Secure the data you collect and restrict access to people who need it.
Several states regulate overt and covert surveillance differently. Broadly, businesses should assume monitoring must be overt and transparently communicated unless a specific and lawful exception applies. It’s also a good idea to understand the general recording laws in Australia before installing or switching on any monitoring tools.
If you operate in New South Wales, the Workplace Surveillance Act 2005 (NSW) sets strict rules on camera, computer and tracking surveillance, including minimum notice periods and signage. Other states regulate similar activities under surveillance devices legislation. If you use cameras, check your obligations under security camera laws and make sure your notices, signage and policy reflect what you actually do day to day.
Finally, the Privacy Act may apply if your business is covered by it (for example, certain health providers, credit providers, or businesses that meet the annual turnover threshold or handle sensitive information). Even if you’re not caught by the Act, following good privacy practice builds trust and reduces risk.
What Notices, Policies And Consents Do You Need?
Transparency is the backbone of lawful workplace monitoring. The standard approach is to adopt a layered toolkit that clearly explains what you monitor and why:
- An internal monitoring or acceptable use policy that covers computer, email, internet, devices and apps.
- Employment contracts or onboarding forms that set expectations and obtain consent to the extent permitted by law.
- Signage for physical surveillance (for example, CCTV notices at entry points and throughout monitored areas).
- Privacy information that explains how monitoring data is collected, used, stored and disclosed.
For digital monitoring, most businesses combine an Acceptable Use Policy with a broader Privacy Policy so staff and customers understand how information is handled. If you need a single source of truth for internal protocols, you can implement a tailored Workplace Policy that brings your rules together and references your monitoring approach.
It’s also worth adding monitoring clauses to your Employment Contract for new hires, and updating onboarding documents for existing staff. Where you collect employee personal information through monitoring, an internal Employee Privacy Handbook can explain obligations, rights and complaint channels in plain language.
How The Rules Apply To Common Monitoring Scenarios
CCTV And Video Surveillance
CCTV is common for deterring theft, protecting staff, and managing safety incidents. It’s generally lawful to use CCTV in work areas if you put up clear signs, don’t record in private areas, and keep footage secure. Avoid audio recording unless you’re certain it’s permitted - audio can trigger “listening device” rules. Review your camera placement and assess whether the field of view captures any sensitive areas.
If you’re weighing up a camera rollout or upgrade, revisit the basics in security camera laws so your signage, retention periods and access controls are compliant.
Phone And Call Recording
Recording customer service calls can improve training and quality, and help resolve disputes. However, recording calls is tightly regulated. In many cases, all parties must be notified that the call is being recorded and why. Best practice is to use a pre-call message and ensure agents can stop recording on request where practical.
Check your obligations under business call recording laws. If you also record staff phone calls between colleagues, you’ll need to cover this in your monitoring policy and ensure recording is reasonably necessary for your stated purposes. If you’re considering recording mobile calls, remember that different rules can apply and it’s safer to rely on clear, prior notice and consent where available.
For phone calls more generally, standards around consent vary by state and territory. If you’re unsure, revisit the principles in “Is it legal to record a phone call?” and make sure your procedures match the legal requirements in the locations where you operate.
Email, Internet And Keystroke Monitoring
Most businesses monitor email and internet use to manage security and productivity. This type of monitoring usually requires clear, prior notice. Staff should know that emails may be scanned for malware, data loss prevention, and policy breaches, and that internet usage may be logged. Keystroke monitoring is more invasive and demands a strong, documented business reason and extra care with privacy.
Be explicit in your acceptable use policy about personal use limits, retention periods, and who can access logs. If questions arise about visibility of inboxes or chat logs, it helps to be consistent with the principles in “Employer access to employee emails” and ensure any access is targeted and justified.
GPS Tracking And Vehicle Monitoring
GPS tracking devices are widely used to manage deliveries, schedule jobs, and protect assets. In some jurisdictions, you must provide written notice before activating tracking, including details about the device and when tracking will occur. Be upfront about after-hours expectations, especially for vehicles taken home or BYOD scenarios where staff use personal devices for work.
Keep tracking proportionate: collect only what you need for scheduling, safety or asset management, and set reasonable retention periods.
Remote Work And BYOD
Monitoring a distributed team adds complexity. If staff work from home or use personal devices, your policy needs to address boundaries (e.g. what software will be installed, what data is collected, and whether monitoring is paused outside work hours). Consider separate profiles or managed apps to reduce intrusion on personal data. Make sure your training covers how monitoring works in remote set-ups so there are no surprises.
Biometrics And Facial Recognition
Biometric systems can streamline access control and timekeeping but often involve sensitive information. Treat biometrics as high-risk data: only collect what you need, obtain informed consent where required, provide alternatives where practical, and secure the data with strong controls. If you’re exploring advanced solutions, take cues from the issues raised in facial recognition discussions and proceed carefully with a privacy-by-design mindset.
How To Roll Out Workplace Monitoring (Step-By-Step)
1) Clarify Your Purpose And Scope
Start with your goals. Are you tackling theft, improving safety, training staff, meeting client standards, or managing productivity? Write these down and link each tool you plan to use (CCTV, call recording, email logs) to a clear purpose. This clarity helps ensure your monitoring is necessary, targeted and defensible.
2) Map Your Activities And Data Flows
Document what you want to monitor, how the technology works, what data is captured (video, audio, metadata, content), where it’s stored, and who can access it. Include retention periods and deletion processes. This map becomes the backbone for your policies, notices and vendor contracts.
3) Assess Legal Requirements And Risks
Identify which state or territory surveillance laws apply to your locations and whether the Privacy Act applies to your business. Confirm notice periods, signage requirements, and any prohibitions (e.g. no cameras in bathrooms, limits on audio recording). Consider whether you need a privacy impact assessment for higher risk monitoring.
4) Draft Or Update Your Documents
Put your rules in writing and align them with practice. Update your Workplace Policy or Acceptable Use Policy to reflect monitoring types, purposes, access controls and staff responsibilities. Refresh onboarding documents and your Employment Contract to set expectations from day one. Publish or update your public-facing Privacy Policy if monitoring data is collected through customer-facing channels (e.g. recorded calls or CCTV in a retail space).
5) Configure Technology To Match The Policy
Align settings with your documented approach. Turn off features you don’t need (e.g. disable audio if you’re not lawfully recording it), set retention times, control administrative access, and enable audit logs. If vendors store data offshore, review their security and contract terms carefully.
6) Provide Notice, Train Staff And Roll Out
Give written notice within the required timeframe and install clear signage. Train your team on why monitoring exists, how it works, and how their information is protected. Reassure staff that monitoring is focused on safety, compliance and business improvement - not unnecessary surveillance.
7) Monitor, Review And Respond
Regularly audit access logs, review whether monitoring remains necessary, and update documents as your business evolves. Have an incident response plan if monitoring data is breached or misused, ideally complemented by a broader data security playbook like an information security policy and a data breach process.
What Happens If You Get It Wrong?
Non-compliant monitoring can create significant problems:
- Evidence may be unusable in internal processes or litigation if it was collected unlawfully.
- You may face penalties under surveillance devices legislation or privacy law.
- Staff trust can be damaged, making retention and culture harder.
- Customer-facing recording (e.g. calls or in-store CCTV) done without proper notice can trigger complaints and reputational harm.
Most risks can be avoided with good planning: clear notice, proportionate monitoring, secure systems, and consistent documentation that matches your operational reality. If you’re unsure about a grey area, it’s best to get advice before you switch on a new monitoring tool.
What Legal Documents Should You Have In Place?
The right documents make your monitoring program transparent and enforceable. Consider the following:
- Employment Contract: Sets expectations about acceptable use, device management and monitoring for new hires. Include references to your policies and lawful monitoring. A tailored Employment Contract helps prevent disputes.
- Workplace Or Acceptable Use Policy: Explains computer, email, internet and device monitoring, retention and access rules, and the consequences of misuse. A consolidated Workplace Policy can house these settings.
- Privacy Policy: If you collect personal information from customers or visitors through CCTV or recorded calls, your public-facing Privacy Policy should outline how that information is handled.
- Internal Privacy Handbook: Helps employees understand how their information is collected and used, complaint pathways, and data subject requests. See the Employee Privacy Handbook.
- Call Recording Notice Scripts: Standardised messages for inbound and outbound calls so you consistently notify callers when recording.
- Vendor Agreements: Contracts with technology providers that include security, access control, retention, and data location commitments consistent with your policy and legal obligations.
- Monitoring Signage: Clear, visible signs that state monitoring is in use, the purpose, and how to contact you for privacy queries.
If you also have a bring-your-own-device (BYOD) environment, add BYOD-specific rules about managed profiles, remote wipe, and separation of personal and work data.
Practical Tips For A Fair And Effective Program
- Be proportionate: collect the least amount of information needed to achieve your goal.
- Separate security from performance management where possible, and define when monitoring data can be used for HR decisions.
- Limit access: only trained managers and system admins should view monitoring data, and keep audit logs of access.
- Set retention periods you actually follow. Don’t keep footage or logs “just in case” without a clear reason.
- Communicate early and often. People accept monitoring more readily when they understand the “why”.
- Document exceptions (e.g. pausing monitoring in sensitive areas or after hours) and stick to them.
Where monitoring intersects with customers or the public (storefront CCTV, recorded support calls), ensure your customer-facing notices align with the obligations in business call recording laws and your privacy messaging.
Key Takeaways
- Workplace monitoring is lawful in Australia if you follow surveillance and privacy rules, give clear notice, and avoid private areas.
- Be transparent and proportionate: explain what you monitor and why, and configure tools to collect only what you need.
- Put the right documents in place, including an internal policy, monitoring clauses in your Employment Contract, and a public-facing Privacy Policy where customer data is involved.
- Specific activities (CCTV, call recording, email logs, GPS) have additional rules - check the relevant frameworks such as security camera laws and recording laws.
- Roll out monitoring with a clear plan: map data flows, train staff, standardise notices and signage, and review regularly.
- Getting monitoring wrong can lead to penalties, unusable evidence and reputational damage - careful planning and documentation will help you avoid pitfalls.
If you’d like a consultation on setting up workplace monitoring in your business, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.