From location to keystrokes, Australian workers’ data is being gathered by employers – with little privacy protection

14 Sep, 06:00. AU edition

Illustration of a security camera stand with phones recording as cameras — ‘Intrusive surveillance not only strips workers of their privacy but also has the potential to result in biased and discriminatory decision-making against workers,’ says ACTU official. Illustration: Victoria Hart/Guardian Design

Exclusive: Workers speak of being ‘continually monitored’ – and of increasing information being taken for opaque reasons

To get into the office at the Commonwealth Bank, Chris* needs to use an app on his phone. It collects information on his location.

“Instead of having a key card that you use to tap on to get in, it’s an app installed on your phone you’ve got to verify on a regular basis,” the CBA employee says.

“Part of the installation is giving the permissions for the app to access certain features of your phone, one of which is your location.”

Chris, whose name has been changed, says the location information can be accessed by the bank – and not only when using the app.

“We ask the bank: why is it doing this? And they say: ‘Oh, when we designed the software, it’s basically a thing that we have to do.’ But we don’t generally have any guarantee of how they’re using it or when.”

A spokesperson for CBA said the app, Navigate, was not used to track staff.

“We use a CBA-dedicated mobile phone app that provides access to our corporate offices,” they said. “Navigate also shows where someone’s laptop is connected to the network in that building, to better able our people to connect and collaborate with each other in the office.”

Chris is not convinced by CBA’s reassurances that the data collected by the app won’t be used for purposes other than those outlined by the bank. While the information collected by the company is purportedly for work purposes, he says employees don’t know exactly what data is being gathered.

_{Sign up: AU Breaking News email}

“We’re also not sure what’s covered in privacy laws, because there’s that carve-out, which says employee data [collected] in the process of their work isn’t covered by privacy laws,” he says.

A new paper from the University of Melbourne law professor Alysia Blackham, to be published in the Australian Journal of Labour Law, found employers are increasingly gathering large amounts of personal data about workers – including monitoring their locations, emails and keystrokes – but there is little in the way of privacy protection.

“We have a federal Privacy Act, but it has some fairly dramatic exceptions for the workplace,” Blackham says.

Small businesses – the vast majority of businesses in Australia – are exempt from privacy law and there is also an employee records exemption, Blackham says.

“What the case law has illustrated is that while employers may have to disclose certain things before they collect employee data, when data is collected, all the protections disappear due to that exception,” she says. “So it means employee data, when it’s hacked, doesn’t necessarily have any recourse or protection … [it] could be sent to other companies, offshored, sold, and there’s no real protection provided by federal privacy law.”

In 2023, an insurance policy worker lost her job after the company reviewed her keystrokes and found “very low” average activity. The Fair Work Commission rejected her application for unfair dismissal.

Kate*, another worker in the same industry, who did not want to be named, says the case and other monitoring by her employer, such as email tracking, added to work stress.

“You’re continually monitored, particularly in a call centre environment,” Kate says. “They’re actually at the point where [insurance companies] have got a better system than what the police have.”

An employee of a multinational company that installed vehicle tracking devices on its fleet of cars in Australia in the event of accidents or cars going missing told a 2024 Victorian parliament inquiry on workplace surveillance that their state manager routinely used the equipment to track field staff “because he could”.

“He would use it for workplace compliance and would use it as a tool to use against anyone he felt was not doing what we wanted them to be doing,” the worker said.

“We felt that our privacy was being breached and the information gathered was being misused, resulting in a complete lack of trust and respect between us and our manager. I felt so strongly about this abuse of power that I actually resigned from my job of many years.”

Guardian Australia reported last year Virgin Australia had accessed the key swipe logs and CCTV footage from a flight attendant’s hotel room, finding he had a Grindr hook-up prior to asking not to fly the next morning. The Fair Work Commission ordered the employee be reinstated. Virgin appealed and lost in January.

The rise of artificial intelligence also brings increased surveillance. In the Victorian inquiry, a union official in the financial sector reported a member whose entire conversation recorded by AI was marked as having a negative sentiment because the member opened the conversation with, “Unfortunately it’s been really rainy lately”.

“AI is being trained on huge amounts of data, and potentially that includes workers’ data,” Blackham says. “These new technologies thrive on data, and they’re being trained on data, but also new technologies are enabling more and more intrusive surveillance.”

Blackham says AI is being deployed for performance management, such as seeing how many emails someone is sending, to tracking in a warehouse how quickly workers are packing and moving items.

Joseph Mitchell, the assistant secretary of the Australian Council of Trade Unions, said AI has “turbo-charged” workplace surveillance, amid AI-enabled performance management and decision-making.

“Intrusive surveillance not only strips workers of their privacy but also has the potential to result in biased and discriminatory decision-making against workers,” Mitchell said.

“Unions will continue to emphasise the need for AI workplace agreements based on genuine consultation with workers over the introduction of new technologies, transparency over all technology in use, protections for workers’ privacy and around the collection and use of workers’ data.”

The 2023 review of the federal Privacy Act recommended removing the small business exemption and reforming employee records exemption to offer better privacy protection and transparency over what is collected and how it is used, and what happens in the event of a data breach.

These recommendations were not incorporated into the first tranche of privacy legislation passed in the last parliament, but the Albanese government has promised more tranches of legislation.

* Names changed