Victorian workplace surveillance and privacy reforms on the horizon

Reforms to workplace surveillance and privacy laws and regulations may be imminent in Victoria. This follows a recent report underscoring the urgent need for modernised laws to keep pace with the rapidly evolving, technology-driven workplace. It also discussed the growing sophistication of employee monitoring technologies, including the use of artificial intelligence (AI), data analytics and other digital tools that enable employers to track, monitor and assess employee activity in increasingly granular and intrusive ways.

The Legislative Assembly’s Economy and Infrastructure Committee (Committee) tabled a report (Report) to the Parliament of Victoria in May 2025, detailing findings and recommendations from its inquiry into workplace surveillance. As part of the inquiry, the Committee received submissions from a broad range of stakeholders, including the Victorian privacy regulator (the Office of the Victorian Information Commissioner (OVIC)), unions, experts and legal advocates.

The Report identifies gaps between evolving workplace surveillance technology and outdated legal frameworks in Victoria. It highlighted the need for reform that is driven by the rise of remote work and widespread digital tool adoption post-COVID-19. While employee monitoring tools can benefit many aspects of workplace management, including safety, resource allocation and fraud detection, they may also pose privacy, security, wellbeing and human rights risks. The Report is expected to drive reforms in Victoria that may include holistic workplace surveillance legislation and amendments to relevant laws and regulations, including the Privacy and Data Protection Act 2014 (Vic) (PDP Act). These reforms will impact both private and public sector employers and employees.

OVIC has stated that it is broadly supportive of the recommendations made in the Report, particularly those that relate to changes to the PDP Act.

Key regulatory gaps and impacts

The Report identifies the following key issues relating to workplace surveillance in Victoria.

Lack of transparency and notification

A primary concern is the pervasive lack of transparency from employers regarding their surveillance practices. Employees are frequently unaware of the extent to which their activities are monitored, including the types of data collected and the specific purposes for which it is used. This disparity creates an imbalance of power and undermines trust within the workplace.

Intrusive nature of modern surveillance

Technological advancements, particularly the proliferation of sophisticated tracking software, keystroke loggers and always-on cameras, facilitate highly intrusive monitoring. Such surveillance can extend beyond work-related activities, potentially infringing on employees’ personal privacy and autonomy. Ongoing and future technological developments such as neuro-surveillance to assess employees’ cognitive states, including their level of attention and effort, pose increasingly intrusive risks. The full implications of these technological developments for future surveillance practices remain uncertain.

Function creep

There is a risk of ‘function creep'. This is where surveillance systems initially implemented for a legitimate purpose, such as security, are subsequently repurposed for other uncommunicated objectives, like performance management, without employees’ knowledge or consent. Function creep is facilitated by versatile technologies and data collection practices.

Negative employee outcomes

Intrusive surveillance is associated with adverse effects on employee morale, mental health and overall workplace relations. It can cultivate an environment of distrust, diminish job satisfaction, undermine collective bargaining and union arrangements, and stifle innovation by discouraging risk-taking. Further, intrusive workplace surveillance can disproportionately impact marginalised groups or those with compromised bargaining positions, including women, young people, migrants, members of the LGBTIQA+ community, individuals with disabilities and platform or gig economy workers.

Impact of software, data processing and AI

While surveillance technologies have become more affordable and accessible, the collection of data and the software to interpret it have also proliferated. Modern software can monitor keystrokes, login times, search histories, app usage, capture screenshots and alert managers to potential employee distraction. The increasing utilisation of AI to process extensive amounts of surveillance data also poses novel challenges. AI algorithms can analyse behavioural patterns, making inferences that may be inaccurate or lead to unfair treatment. This raises concerns regarding algorithmic bias and the potential for surveillance to be used for discriminatory purposes.

Inadequate legal frameworks

The Report observes that both state and federal laws are inadequate for addressing the challenges posed by modern surveillance practices. Victoria’s current Surveillance Devices Act 1999 (Vic) primarily focuses on intercepting private conversations and optical surveillance in non-workplace contexts, lacking specific provisions for digital workplace monitoring. Similarly, the federal Privacy Act 1988 (Cth) provides limited protection in the private sector due to exemptions for small businesses and ‘employee records’, which substantially limits its applicability to workplace surveillance. Notwithstanding ongoing federal reforms to the Privacy Act, the Committee advocates for Victoria to proactively establish robust protections, rather than wait for future federal changes.

Potential reforms for workplace surveillance regulation in Victoria

The Committee proposes the following pathways and guardrails for workplace surveillance regulation in Victoria, aiming to create a more equitable framework that balances competing rights and interests.

• Introduction of new, technology-neutral laws: The core recommendation is for Victoria to enact new, dedicated workplace surveillance laws that are technology-neutral. This would mean that they are sufficiently broad to encompass current and future surveillance technologies without becoming rapidly outdated.
  
  
• Principles-based approach: The proposed laws should adopt a principles-based approach, ensuring that workplace surveillance is reasonable, necessary and proportionate to achieve a legitimate business or safety objective. This framework would provide flexibility to address legitimate concerns, while establishing clear boundaries to prevent function creep and mitigate privacy and wellbeing risks.
  
  
• Review of automated decision-making: The Committee recommended that employers ensure any automated decisions made using workplace surveillance data that may significantly impact the rights, interests or employment status of a worker (such as disciplinary action or dismissal), are reviewed by a person with the appropriate delegated authority.
  
  
• Transparency and consultation: The Committee made several recommendations to enhance transparency through employee consultation. Specifically, employers would be required to provide employees with clear, written notification about all surveillance practices prior to implementation. Additionally, the Committee recommends that employers consult with workers (or their representatives) regarding the purpose, scope and methods of surveillance. Further, a workplace surveillance policy would be mandated, which would be provided to employees and updated regularly.
  
  
• Appoint a regulator: The Committee recommended appointing the Office of the Victorian Information Commissioner, WorkSafe Victoria, or another suitable body as the regulator, equipped with adequate resources and powers to inspect, investigate, prosecute and oversee workplace surveillance legislation.
  
  
• Amendment to privacy legislation: The Committee suggests that the PDP Act, which currently only applies to the Victorian public sector, should be expanded to private sector employees by requiring that employers who engage in workplace surveillance activities comply with the Information Privacy Principles (IPPs). Further recommended changes include expanding the definition of ‘sensitive information’ to explicitly include biometric data.
  
  
• Introduction of a mandatory incident notification scheme: It also suggested that the PDP Act should have a mandatory incident notification scheme for all information security and privacy incidents affecting the Victorian Public Service. This would align Victorian requirements to similar ones under the Federal Privacy Act and other states such as New South Wales and Queensland (from July 2025).
  
  
• Regulation of data collection, use and storage: The new framework should mandate transparency and strict rules governing how employee data obtained through surveillance is handled, including its collection, use, storage, disclosure and destruction. This would also entail addressing the use of AI in data processing, prohibiting the sale of collected data to third parties, and ensuring employees have mandatory access to their collected data upon request.
  

Next steps for employers

The Report marks an initial step towards legislative reform. With the precise details of forthcoming changes subject to ongoing consultation, it provides valuable insight into emerging risks associated with workplace surveillance and the potential direction of its regulation in Victoria and beyond.

The key takeaways for employers are:

• Implement best practices: Employers should seek to align their surveillance practices and policies with established best-practice principles. The Report highlighted that Victorian employers leading in this space provide advanced notification to employees, consult with staff, maintain clear and accessible workplace surveillance policies and conduct assessments to determine the necessity and purpose of new surveillance methods.
  
  
• Evaluate the purpose of surveillance against legal obligations: Many employers use surveillance for legitimate purposes and to comply with obligations under other laws. How the Report’s findings can be reconciled with the scope of positive duties that require employers to act under safety and discrimination legislation remains to be seen. Employers who seek to justify the use of technologies on this basis should be prepared to identify how these legal obligations specifically authorise or require the adoption of surveillance.
  
  
• Implement AI-enabled surveillance system in a safe, reliable and fair manner: Utilising AI to process surveillance data and analyse patterns may facilitate workplace management and enhance efficiency. However, improper use may lead to inaccurate data, unfair employee treatment or potential discrimination. When implementing AI technologies in the workplace and interpreting statistical insights, employers should factor in Australia’s 8 AI Ethics Principles and relevant human rights considerations. For example, employers should ensure AI systems respect human rights, diversity and individual autonomy, are inclusive and accessible, avoid unfair discrimination, uphold privacy rights and maintain transparency and data security.
  
  
• Review workplace practices involving automated decision making: Employers should identify existing practices involving automated decision-making. They must ensure that significant decisions impacting workers’ rights and interests (such as dismissal) are being reviewed by persons with the relevant authority.
  
  
• Monitor changes to privacy legislative landscape: As the position currently stands, private sector employers are bound only by the federal Privacy Act, not the PDP Act, which generally regulates only the Victorian public sector. This position may change if amendments are made to the PDP Act. Amendments could include potentially introducing an IPP that obliges organisations to comply with the IPPs, including biometric data in the definition of sensitive information, introducing a mandatory incident notification scheme and extending privacy protections to employees in all sectors. These amendments are supported by OVIC and would have a significant impact on the surveillance practices of private sector employers. Employers are advised to closely monitor developments in this space.