If you run a small business, workplace surveillance can feel like a double-edged sword.
On one hand, cameras, device monitoring and access logs can protect your people, your stock, your premises, and even your reputation if there’s an incident. On the other hand, surveillance can quickly create distrust, privacy complaints, or legal risk if it’s done without clear rules (or without the right notices and consents).
That’s where having a workplace surveillance policy becomes essential. It helps you set expectations, comply with Australian laws, and use surveillance tools in a way that’s fair, transparent and defensible.
Below is a practical guide to what a workplace surveillance policy should cover, how surveillance works legally across Australia (including key differences in NSW and the ACT), and the steps you can take to implement surveillance without derailing your workplace culture.
What Is A Workplace Surveillance Policy (And Why Do You Need One)?
A workplace surveillance policy is a written internal policy that explains:
- what types of surveillance you use (or may use);
- why you use it (the legitimate business reasons);
- where and when it occurs;
- how the information is handled (access, storage, retention and disclosure); and
- what staff can expect, including their responsibilities and rights.
Even when you have a lawful reason to use surveillance, you can still run into trouble if people don’t understand what’s happening or feel blindsided. A clear policy reduces that risk, because it creates transparency and consistency.
From a business perspective, a workplace surveillance policy is also useful for:
- Asset protection: deterring theft or unauthorised access.
- Workplace safety: monitoring entry points or high-risk areas.
- Managing security incidents: having evidence if something goes wrong.
- Reducing disputes: setting a consistent approach to investigations and access to footage/logs.
- Cyber risk and confidentiality: setting rules around business systems and devices.
It’s common to think “we’ll just install CCTV and keep it simple”. But in practice, surveillance can include more than cameras, such as swipe-card records, GPS tracking, software logs, and call recording. That’s why a policy is the safest way to manage the full picture, not just one device.
What Counts As Workplace Surveillance In Australia?
Workplace surveillance can take many forms. Your policy should clearly describe what you use now and what you may introduce in future (so you don’t need to rewrite the policy every time your tech changes).
Common Types Of Workplace Surveillance
- CCTV and security cameras: monitoring entrances, service counters, warehouse floors, or cash handling areas (usually for safety and security).
- Audio monitoring and call recording: recording business calls for training, quality assurance, or dispute handling. This is often regulated more strictly than video, and the legal requirements can differ depending on which state or territory you’re in and whether all parties to the conversation know (and consent) to being recorded. Rules and best practices often overlap with business call recording laws.
- Email and internet monitoring: reviewing usage of business email accounts, browser activity on work devices, or access logs (often for cybersecurity and acceptable use). In some jurisdictions (particularly NSW and the ACT), specific notice requirements can apply to monitoring “computer” or “tracking” activity.
- Device and software monitoring: login records, file access logs, time-tracking tools, keystroke monitoring (higher risk), or monitoring use of internal systems.
- Location tracking: GPS tracking on company vehicles, devices or delivery apps (often for safety and operational planning).
Surveillance Isn’t Just “Watching People”
A key mindset shift for small businesses is that surveillance isn’t only about “catching someone out”. It’s also about:
- security and risk management;
- protecting customers and staff;
- confirming what happened in an incident; and
- meeting operational and compliance requirements.
Your workplace surveillance policy should reflect that. If the policy reads like a disciplinary tool, it can damage trust and morale. If it reads like a safety and security framework (with clear boundaries), it’s more likely to be accepted and followed.
How Do Workplace Surveillance Laws Work Across Australia?
In Australia, workplace surveillance can be regulated by a mix of:
- state and territory workplace surveillance laws (most notably in NSW and the ACT, which have specific legislation regulating camera, computer and tracking surveillance in workplaces, including notice requirements);
- state and territory surveillance devices / listening devices laws (particularly relevant for audio recordings and use of listening devices);
- privacy laws and confidentiality obligations (depending on your business and what information you collect and how you handle it);
- employment law principles (fairness, reasonableness, and proper process); and
- workplace policies and contracts (what you’ve communicated and what employees have agreed to).
Because these rules can differ between states and territories, a “one size fits all” approach can be risky if you have staff in multiple locations.
Cameras (CCTV) In The Workplace
Cameras are common in retail, hospitality, warehousing and offices. But you still need to be careful about:
- notice: signage and written policy disclosures (and in NSW and the ACT, you generally need to comply with specific prior notice requirements for workplace surveillance);
- camera placement: avoiding areas where people expect a higher level of privacy (for example, bathrooms and change rooms); and
- purpose and proportionality: only collecting footage that you genuinely need.
If you’re weighing up your options, it can help to understand the general legal landscape around CCTV laws in Australia and, for broader workplace contexts, whether cameras are legal in the workplace (the short answer is often “yes, but there are rules and safeguards”).
Audio Recording And Listening Devices (Often Higher Risk)
Audio surveillance can attract stricter rules than video, particularly where it involves “listening devices” and recording conversations. In many parts of Australia, recording a private conversation without the consent of the people involved can be unlawful (subject to some limited exceptions). If your business records calls, you’ll usually want a process for:
- informing people the call may be recorded (at the start of the call, before any recording occurs);
- obtaining consent where required (and ensuring consent is meaningful, not assumed);
- limiting access to recordings; and
- having a retention/deletion schedule.
State laws can be particularly important here. If you operate (or have staff) in Queensland, the approach can differ from other states, so it’s worth being cautious about recording conversations in Queensland as part of your policy design.
Workplace Surveillance Laws In NSW And The ACT (Special Rules Apply)
If your business operates in NSW or the ACT, you should be particularly careful. These jurisdictions have dedicated workplace surveillance legislation that can regulate:
- camera surveillance;
- computer surveillance (for example, monitoring email, internet usage or activity on a work device/network); and
- tracking surveillance (for example, GPS tracking of vehicles or devices).
In practice, this often means you need to give employees clear prior notice before starting surveillance (for example, notice in writing a set period in advance unless an exception applies), and the notice must include particular information about the type of surveillance, how it will be carried out, and when it will start. These requirements are a common “trap” for businesses that use a single Australia-wide policy without tailoring it for NSW/ACT workplaces.
If you have staff across multiple states, your workplace surveillance policy should be drafted carefully so it doesn’t accidentally promise something you can’t operationalise, or overlook a notice/consent requirement in one jurisdiction.
What Should Your Workplace Surveillance Policy Include?
A strong workplace surveillance policy isn’t just a generic statement that “we monitor the workplace”. It should clearly spell out your approach in plain English, and it should match what you actually do day-to-day.
Here are the key sections we typically recommend including.
1) Purpose: Why You Use Surveillance
List the legitimate business reasons. Common examples include:
- protecting staff and customers;
- preventing theft and managing security risks;
- monitoring entry points and restricted areas;
- supporting incident investigations (for example, safety incidents or complaints);
- protecting confidential information and business systems; and
- training and quality assurance (particularly for call recording, where disclosed and permitted).
This “why” matters, because it helps show the surveillance is reasonable and proportionate, rather than excessive.
2) Scope: What You Monitor
Be specific about surveillance types, for example:
- camera surveillance (and whether it records audio);
- call recording (inbound/outbound, customer service lines, etc.);
- IT monitoring (emails, internet use, system logs), including whether monitoring is continuous or occurs only in defined situations (such as cybersecurity incidents, investigations, or audits);
- vehicle tracking (if applicable); and
- access control systems (swipe cards, alarm logs).
Tip: If you use third-party tools (CCTV vendor, VOIP phone system, time-tracking software), your policy should still cover it. “Outsourced” doesn’t mean “not our responsibility”.
3) Notice And Transparency
Good workplace surveillance compliance is often about notice. Your policy should explain:
- how staff will be notified (employment onboarding, handbook, induction, periodic reminders);
- any additional notice steps required in certain locations (for example, NSW/ACT prior notice requirements for workplace surveillance);
- where signage is displayed for cameras;
- whether customer/visitor notices apply (for example, signage at entrances or call-recording announcements); and
- how updates to the policy will be communicated.
This is also where your employment documents matter. If surveillance relates to use of work systems and devices, it’s common to align your policy with an Employment Contract and your broader workplace policies, so there’s no confusion about expectations.
4) Boundaries: Where You Won’t Use Surveillance
To build trust (and reduce legal risk), your policy should clearly set boundaries. For example, you might state that you won’t use cameras in private areas like bathrooms or change rooms, and you won’t access personal accounts on a work device unless there is a lawful and necessary reason and it’s handled appropriately.
This type of boundary-setting is particularly important if you have a hybrid or remote workforce, where the line between “work” and “home” can blur.
5) Access, Storage, Retention And Security
A workplace surveillance policy should include practical controls, such as:
- who can access footage/recordings/logs (by role, not by name);
- how access is granted and logged;
- where data is stored (on-site, cloud, third party);
- how long it’s kept (retention period) and how it’s deleted; and
- how you protect it from misuse or unauthorised access.
As a small business, you don’t need an enterprise-level system, but you do need a clear and consistently applied process. If surveillance information is mishandled, the surveillance itself can become the least of your problems.
6) When Surveillance Data Can Be Used (Including Investigations)
Surveillance is often relied on when something goes wrong. Your policy should explain when you may use surveillance information, such as:
- investigating suspected theft, fraud, misconduct or safety breaches;
- responding to complaints from customers or staff;
- meeting legal obligations (for example, responding to lawful requests); and
- training and quality purposes (where disclosed and permitted).
It’s also a good idea to outline the basic steps of a fair process. For example, “we may review relevant footage and provide the staff member an opportunity to respond where appropriate.”
Depending on what you collect, surveillance data can be “personal information” (or at least sensitive workplace information). If your business is subject to privacy compliance obligations, your workplace surveillance policy should align with your broader privacy practices, including any requirements around collection, use, disclosure, storage and security of personal information.
In many businesses, this sits alongside a customer-facing Privacy Policy (for example, if you operate online, collect customer details, or store call recordings involving customers).
How To Implement Workplace Surveillance Without Damaging Culture
Even if your surveillance is legal, a poor rollout can cause resignations, distrust, or “quiet quitting” behaviour. A workplace surveillance policy should be part of a bigger approach: communicate early, set clear boundaries, and be consistent.
Step 1: Identify The Real Business Risk You’re Solving
Before installing cameras or enabling monitoring tools, ask:
- What problem are we trying to solve?
- Is surveillance the only option, or are there less intrusive controls?
- What level of monitoring is actually necessary?
This helps you avoid the common mistake of over-monitoring, which creates more risk (and resentment) than it prevents.
Step 2: Choose Proportionate Surveillance Measures
A good rule of thumb is: use the least intrusive method that still achieves the purpose.
For example:
- If you want to reduce theft at a point-of-sale area, CCTV facing the cash handling zone may be enough.
- If you want to protect confidential data, strong access controls and IT security policies may achieve more than reading staff emails (and in some jurisdictions, monitoring emails/internet use may require specific prior notice).
It’s much easier to introduce surveillance when you can point to a clear written policy that explains the “what” and “why”. It’s also easier to enforce your expectations consistently.
If you’re changing how you monitor staff, consider updating your wider workplace documentation at the same time, such as your employee privacy framework or handbook (many businesses do this through an Employee Privacy Handbook approach).
Step 4: Train Your Managers (Not Just Your Staff)
One of the fastest ways to create legal risk is to have managers who “freestyle” surveillance access (for example, looking up footage out of curiosity, or searching employee logs without a clear purpose).
Your policy is only as good as your training and enforcement. Make sure managers understand:
- what they can and can’t do;
- when to escalate to the business owner/HR/legal; and
- how to document reasons for accessing surveillance data.
Step 5: Review Regularly (Especially If You Expand Or Go Hybrid)
Surveillance settings that make sense in a single retail shop may not suit a multi-site business, a remote team, or a business with sensitive client data.
We often see issues arise when a business grows quickly and adds new tools (like time tracking or monitoring software) without updating its workplace surveillance policy.
Key Takeaways
- A clear workplace surveillance policy helps you protect your business while staying transparent, consistent, and legally safer.
- Workplace surveillance can include CCTV, call recording, IT monitoring, access logs, GPS tracking and software tools - your policy should cover what you use now and what you may introduce later.
- Australian surveillance and recording rules can vary between states and territories. In particular, NSW and the ACT have specific workplace surveillance legislation (including prior notice requirements) that can apply to camera, computer and tracking surveillance.
- A strong policy should cover purpose, scope, notice, boundaries, access controls, retention, and when surveillance data can be used (including investigations).
- How you roll out surveillance matters: communicate early, train managers, and keep monitoring proportionate to the business risk you’re managing.
Note: This article provides general information only and does not constitute legal advice. Workplace surveillance obligations can vary depending on your location, industry, systems and the type of monitoring you use. If you need advice on your specific circumstances, you should speak to a lawyer.
If you’d like help preparing or reviewing a workplace surveillance policy (and aligning it with your employment documents and privacy obligations), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.
