
The next phase of workplace regulation: technology, surveillance and data governance at work

Key insight

Workplace regulation has entered a phase of convergence, where technology use, data governance, wage integrity and safety obligations are increasingly regulated as interconnected systems. As AI‑driven management and real‑time compliance become embedded in work, boards will be judged less on policy intent and more on whether governance, data and financial controls operate effectively in practice – not just on paper.

Technology is reshaping how work is organised, monitored and managed faster than legal and regulatory frameworks can adapt. Algorithmic scheduling, productivity monitoring, biometrics and artificial intelligence (AI) supported decision-making promise efficiency and scale for business, but they are also multiplying legal exposure and regulatory scrutiny. Legislative change is already underway, with further reforms anticipated, and inaction or reliance on legacy governance approaches will leave organisations playing catch-up. 

At the same time, workplace regulation has moved beyond traditional silos. The next phase is characterised by convergence, as mobility in the labour market, integrity in pay and entitlements, workplace health, safety and wellbeing, and privacy and the use of technology are increasingly regulated as interconnected systems. As these issues converge, boards and senior leaders will be judged less on the mere existence of on-paper policies and more on whether their governance, data and control frameworks operate effectively in practice.

Three interrelated themes are now shaping regulatory expectations around technology at work. First is transparency and consultation: the expectation (and sometimes the legal requirement) that workers understand what data is monitored and collected about them, how automated or AI-supported decisions are made and how they can be challenged. Second is fairness and bias. Automated screening, performance management and productivity tools must be explainable and auditable for discriminatory outcomes, particularly where they influence pay, progression or termination decisions. Third is health and safety, where intrusive surveillance and pace‑setting software can be psychosocial hazards in their own right.

These strands are no longer regulated in isolation. Recent developments, such as NSW provisions enabling WHS entry permit holders (with notice) to require reasonable assistance to access and inspect digital work systems relevant to suspected contraventions, illustrate how deeply technology governance now intersects with safety obligations. Safe Work Australia has also identified AI, automation and new forms of work as sources of potential new WHS risks, signalling further regulatory action ahead. The next phase will reward organisations that treat these issues as a single governance challenge: mapping data flows end‑to‑end, allocating clear ownership for model and system performance, and aligning privacy, discrimination and WHS controls within an integrated governance framework that can be demonstrated in practice.

AI in recruitment and workforce management

The regulatory net around AI at work is tightening rapidly, particularly in recruitment and workforce management. From 10 December 2026, amendments to the Privacy Act 1988 (Cth) will require APP entities to disclose the use of automated decision-making in their privacy policies, capturing AI-driven recruitment screening, performance evaluation and algorithmic management tools. While the employee records exemption offers some relief, its scope is limited and does not extend to recruitment processes or the management of contractors and labour hire workers. With AI-enhanced recruitment reportedly used by a significant proportion of Australian organisations, the resulting uplift in compliance, transparency and governance expectations will be significant. 

Work health and safety regulation is also moving decisively into this space. The Work Health and Safety Amendment (Digital Work Systems) Act 2026 (NSW) is the first Australian law to impose specific WHS duties in relation to AI-enabled and digital systems at work. Under the regime, PCBUs must ensure that such systems do not create excessive workloads, unreasonable performance metrics, intrusive monitoring or discriminatory decision-making. WHS entry permit holders are also granted powers to access and inspect relevant digital work systems on just 48 hours’ notice. These developments reflect a broader regulatory shift toward treating algorithmic management as both a data and safety risk, rather than a purely operational issue.

At the same time, regulatory focus on labour mobility is increasing, reshaping traditional employer controls over workforce movement and retention. Proposed reforms restricting non‑compete clauses for low and middle‑income workers, together with continued judicial scrutiny of restraints more generally, are narrowing reliance on contractual limits. In practice, this shifts emphasis toward alternative governance levers – including data protection, intellectual property control, confidentiality enforcement and cultural retention strategies – all of which intersect directly with how organisations deploy, monitor and manage AI-enabled workplace systems and secure workforce‑related data.

Employee monitoring, workplace surveillance and regulatory risk

Workplace surveillance is under increasing regulatory and legal scrutiny. Proposed reforms in Victoria, backed by the Government in November 2025, would require employers to prove that any surveillance is reasonable, necessary and proportionate to a stated legitimate objective. The proposed legislation is deliberately technology-neutral, covering AI-driven analytics, keystroke loggers, biometrics and neurotechnology without needing amendment for each new tool. Where surveillance data informs automated decisions that could significantly affect a worker, human review would be required, reinforcing regulatory expectations around accountability and oversight.

The avenues for employee redress where employers get things wrong have also expanded. Since 10 June 2025, the statutory tort for ‘serious invasion of privacy’ has given individuals an additional avenue to seek redress for privacy harms through the courts, whether for intrusion on their seclusion or for misuse of their information. While defences remain available, including consent and lawful authority, the new tort materially increases litigation exposure for employers whose surveillance or monitoring practices are unauthorised or misuse personal data.

In this context, the collection and use of facial recognition technology and biometric data represent a particular flashpoint. Biometric data is classified as ‘sensitive information’ under the Privacy Act and attracts a higher degree of protection. While the employee records exemption remains at play, it does not apply in all use-cases, and the Australian Privacy Principles (APPs) apply to the solicitation and collection of sensitive information from employees. As a result, consent frameworks and data security practices need to be front of mind, with organisations required to demonstrate clear necessity, informed consent (where relied upon), robust access controls and defensible data‑handling practices in operation, not just on paper.

Managing regulatory risk: immediate focus areas

The regulatory environment around technology at work is evolving quickly. Recent reforms, combined with increased regulatory scrutiny, mean organisations are now being assessed on whether their governance frameworks operate effectively in practice – not just whether policies exist.

Boards and senior leaders should focus on four practical priorities:

  1. Strengthen data vigilance. Ensure technical controls are in place to detect and prevent unauthorised access, downloads and misuse of confidential or sensitive information, including data generated or handled by AI‑enabled systems.
     
  2. Embed AI governance. Robust AI governance is no longer optional. Clear acceptable‑use rules, ongoing AI risk assessment and defined human‑in‑the‑loop controls are now central to regulatory compliance and the long‑term integrity of organisational data.
     
  3. Prepare for incidents before they occur. Organisations should maintain a credible incident and crisis response framework that enables rapid identification and containment of data and technology incidents, clear allocation of responsibilities, timely regulatory assessment and coordinated engagement with advisers where escalation is required.
     
  4. Extend oversight beyond the organisation. Technology risk increasingly sits across labour hire, contractors and suppliers. Aligning supply‑chain oversight with emerging cyber‑security and data‑governance standards is essential to achieving end‑to‑end resilience.

Wage integrity and real‑time regulatory assurance

As regulatory expectations around technology at work intensify, similar shifts are occurring in relation to pay and payroll compliance. Wage and payroll compliance risk is moving from episodic audits to near real‑time regulatory assurance. Upcoming reforms, including the shift to payday superannuation and tougher responses to underpayment, significantly raise expectations around the accuracy, auditability and timeliness of payroll systems. These changes increase the stakes for boards, particularly where payroll data relies on automated inputs, digital rostering tools, labour‑hire arrangements or algorithmic decision‑making.

In this environment, wage integrity becomes a systems problem rather than a transactional one. Organisations need confidence in the quality of underlying data, clarity on ownership of payroll inputs across business units and suppliers, and the ability to detect, investigate and remediate issues quickly. As with AI governance more broadly, regulatory risk will turn less on isolated errors and more on whether controls are designed to operate continuously and at scale.

Shadow AI in the workplace: governance, security and liability risk

Shadow AI – the use of AI tools and platforms by employees without organisational approval or oversight – is a growing blind spot for employers. Often operating beyond the visibility of IT, security and legal teams, shadow AI introduces legal and operational risks across data security, information management, model outputs and decision-making at a scale that many organisations are not yet equipped to govern.

From a security perspective, unapproved AI tools can introduce unmanaged integrations, unsecured API connections and personal‑device access paths into corporate systems, expanding the attack surface to assets that security teams cannot see, let alone defend. These risks are compounded where sensitive commercial or personal data is entered into third‑party tools with opaque training, storage or reuse practices: once disclosed, that data generally cannot be recalled.

Legal exposure also materialises where senior leaders had no oversight. Employers may face vicarious liability for biased or discriminatory AI‑assisted decisions, as well as potential copyright infringements if tools are trained on protected data or produce outputs similar to existing works, even when the employer had no idea the tool was being used. As regulators focus more closely on practical governance and accountability, shadow AI highlights the limits of policy‑only controls and reinforces the need for clear acceptable‑use rules, detection mechanisms and enforceable oversight across AI use in the workplace.

Departing employees, data theft and regulatory exposure

Data theft by departing employees, including the taking of client lists, pricing structures, technical specifications or source code to personal devices or cloud accounts, is a growing trend that gives rise to commercial and regulatory risk at the intersection of contract, intellectual property, privacy, criminal and (particularly, but not exclusively, for ASX-listed entities) corporate law. Where highly sensitive commercial information or personal data is involved, data exfiltration can give rise to an obligation to report to national or state privacy regulators, or to ASIC or APRA.

Regulatory scrutiny of employee data exfiltration is also extending beyond traditional contractual and intellectual property claims. The focus is increasingly on how organisations detect, escalate and respond to such incidents in practice. Effective responses require close coordination between legal, data security and governance functions, supported by early preservation of digital evidence and clear escalation pathways to enable timely regulatory engagement. This, in turn, reinforces the importance of integrating technical controls, forensic capability and legal response planning across the employment lifecycle rather than treating data theft as a purely post‑departure issue.
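The paragraph above, and the "data vigilance" priority earlier on this page, turn on whether an organisation can actually detect a departing employee's bulk downloads or uploads to a personal cloud account and then preserve the evidence. The following is an added example of what such a check looks like in practice; it is not code from the authors or from any product. The log format, the user names, the HR notice dates, the list of personal cloud hosts and the thresholds are all constructed for illustration. The point it demonstrates is that the check compares each departing user with their own pre‑notice baseline, so a legitimately data‑heavy role is not flagged merely for being busy, and that the raw log extract is hashed at detection time so its integrity can later be shown.

```python
"""Departing-staff exfiltration check over constructed audit-log lines.

Added example: the log format, the field names, the user names, the notice
dates and the thresholds are assumptions for illustration only.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: "<utc-timestamp> <user> <download|upload> <bytes> <target>"
SAMPLE_EVENTS = """\
2025-10-15T10:02:11Z alice download 5000000 corp-sharepoint
2025-10-22T14:30:45Z alice download 5000000 corp-sharepoint
2025-11-01T09:15:00Z alice download 5000000 corp-crm
2025-11-12T18:40:12Z alice download 900000000 corp-crm
2025-11-13T07:55:03Z alice download 400000000 corp-sharepoint
2025-11-13T08:10:41Z alice upload 200000000 dropbox.com
2025-10-20T11:00:00Z bob download 1500000000 corp-datalake
2025-11-14T11:00:00Z bob download 1500000000 corp-datalake
2025-10-08T09:00:00Z carol download 100000000 corp-sharepoint
2025-10-18T09:00:00Z carol download 100000000 corp-sharepoint
2025-10-28T09:00:00Z carol download 100000000 corp-sharepoint
2025-11-09T09:00:00Z carol download 60000000 corp-sharepoint
2025-11-16T09:00:00Z carol download 40000000 corp-sharepoint
"""

# Constructed HR feed: user -> date on which notice of resignation was given (UTC).
NOTICE_GIVEN = {
    "alice": datetime(2025, 11, 10, tzinfo=timezone.utc),
    "carol": datetime(2025, 11, 5, tzinfo=timezone.utc),
}

# Assumed consumer cloud destinations that are out of policy for work data.
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "icloud.com", "wetransfer.com"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # "download" from a corporate system, or "upload" to a destination
    nbytes: int
    target: str   # corporate system name, or destination host for uploads


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str     # "bulk_download" or "personal_cloud_upload"
    nbytes: int
    detail: str   # baseline bytes (bulk_download) or destination host (upload)


def parse_events(text: str) -> list:
    """Parse the whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, action, nbytes, target = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, user, action, int(nbytes), target))
    return events


def flag_departing_users(events, notice_given, baseline_days=30, window_days=14,
                         ratio=3.0, floor_bytes=50_000_000) -> list:
    """Compare each departing user's post-notice download rate with that user's own
    pre-notice baseline, and flag any post-notice upload to a personal cloud host.
    A per-user baseline avoids flagging roles that are legitimately data-heavy
    (carol) while still catching a sudden change (alice). Users not in the HR
    feed (bob) are out of scope for this particular check."""
    findings = []
    for user, notice in notice_given.items():
        mine = [e for e in events if e.user == user]
        base_start = notice - timedelta(days=baseline_days)
        window_end = notice + timedelta(days=window_days)
        base = sum(e.nbytes for e in mine
                   if e.action == "download" and base_start <= e.ts < notice)
        post = sum(e.nbytes for e in mine
                   if e.action == "download" and notice <= e.ts < window_end)
        # floor_bytes stops tiny absolute volumes tripping the ratio test
        if post >= floor_bytes and post / window_days > ratio * (base / baseline_days):
            findings.append(Finding(user, "bulk_download", post, str(base)))
        for e in mine:
            if e.action == "upload" and e.ts >= notice and e.target in PERSONAL_CLOUD:
                findings.append(Finding(user, "personal_cloud_upload", e.nbytes, e.target))
    return findings


def preserve_extract(raw_text: str, findings) -> dict:
    """Fix the evidence at detection time: hash the raw log extract so a later copy
    can be shown to be unaltered, and record which users it concerns."""
    digest = hashlib.sha256(raw_text.encode("utf-8")).hexdigest()
    return {"sha256": digest,
            "line_count": len(raw_text.splitlines()),
            "users": sorted({f.user for f in findings})}


if __name__ == "__main__":
    hits = flag_departing_users(parse_events(SAMPLE_EVENTS), NOTICE_GIVEN)
    for h in hits:
        print(h)
    print(preserve_extract(SAMPLE_EVENTS, hits))
```

Run as written, the check flags alice for a post‑notice download volume far above her own baseline and for an upload to dropbox.com, and leaves carol alone even though her routine download volume is much larger than alice's. In a real deployment the event feed would come from the file‑sharing, CRM and endpoint logs the organisation already holds, the notice dates from HR, and the hashed extract would be written to an immutable store alongside the ticket raised for the legal and governance functions named in the text.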

What boards need to know about converging workplace regulation

The next phase of workplace regulation is defined by convergence. As technology, data use, wage integrity and safety obligations are increasingly assessed as interconnected systems, the focus of regulatory scrutiny is shifting away from policy design and toward operational effectiveness. Boards are being judged less on articulated intent and more on whether governance, data and control frameworks function reliably across the full lifecycle of work.

This shift in expectations extends beyond technology and people risk to financial exposure. Entitlements risk, including accrued leave, superannuation and termination liabilities, is now widely recognised as a balance‑sheet and liquidity issue, requiring proactive oversight rather than reactive remediation during periods of change or stress. Taken together, these developments reinforce a clear message: organisations that integrate controls across disciplines, anticipate regulatory interaction and can demonstrate that systems work in practice will be better placed to manage risk, meet evolving regulatory, workforce and stakeholder expectations, and mitigate reputational harm.



Authors

Nick Le Mare

Head of Employment, Labour and Safety

Clare Mould

Special Counsel

Rachael Malarowski

Senior Associate


Tags

Board Advisory Employment, Labour and Safety Technology, Media and Telecommunications

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.

Key Contact

Nick Le Mare

Head of Employment, Labour and Safety

Other Contacts

Jodie Burger

Partner

Clare Mould

Special Counsel

Rachael Malarowski

Senior Associate