Banking & Finance

Increase text sizeDecrease text sizeDefault text size

Focus: Strengthening Victorian workplace privacy: Victorian Law Reform Commission's final report

8 November 2005

In brief: The Victorian Law Reform Commission's workplace privacy final report, written in response to growing concern about the increased use of surveillance in the workplace, has been tabled in the Victorian Parliament. Lawyer Andrew Ailwood and Special Counsel Karin Clark outline the report's findings.


On 5 October 2005, the Workplace Privacy Final Report was tabled in the Victorian Parliament (the report)1 .The report was prepared by the Victorian Law Reform Commission (VLRC) in response to growing concern about the increased use of surveillance in the workplace and the associated encroachment on individuals' privacy rights.

The report comes within a month of the proclamation of the New South Wales Workplace Surveillance Act 2005 (NSW).

Scope of the report

The report's terms of reference indicate that the VLRC was intent on addressing the impact of modern technology on workplace privacy, including surveillance of workers, their communications, physical and psychological testing of workers and searches of workers and their possessions. The VLRC was also asked to consider any necessary legislative reforms.

The report's findings

Focus on action, not information

The approach adopted by the VLRC is focused on the point of creation or collection of personal information, that is, the acts of surveillance or testing of individual employees. This is in contrast to the operation of the Privacy Act 1988 (Cth) (the Privacy Act), which focuses on ensuring notification at the time of collection of personal information and limits on the subsequent use and disclosure of that information.

The report explicitly states that, given the Privacy Act's employee records exemption, there is insufficient protection of privacy rights in the employment context. In response, the VLRC proposes a two-pronged system of regulation.

Broad principles and codes of practice

The report recommends that broad principles be articulated to provide overarching guidance and regulation of employers' treatment of worker privacy. The proposed principles would require the application of tests of proportionality, causality and reasonableness to any employer activities that may infringe worker privacy. This is intended to introduce a balancing test between the rights of the individual worker and the efficiency required by employers.

The report also proposes that advisory and approved voluntary codes of practice be used to flesh out and strengthen these principles. Mandatory codes are also proposed in order to regulate specific practices, such as drug and alcohol testing.

Strengthening protection: genetic testing and non-work activities

The VLRC has formed the view that controls on privacy infringement must be strengthened when a worker is engaged in an activity that is not work-related and where genetic testing is involved. Specific acts of employers may be authorised by the regulator if they meet tests of reasonableness, proportionality and appropriateness.

Who is a worker?

The proposed regime of broad principles and detailed codes is intended to cover both employees and independent contractors who work in the same manner as employees, and hence the term 'worker' is used. It is also covers outworkers and volunteers in a work context. This is to ensure equality in rights and to prevent the creation of an incentive for employers to adopt one method of engagement over another. The term 'employer' has a similarly broad definition.

The draft Bill

Draft Bill

The report annexes a draft Bill to propose legislation to implement the recommendations of the VLRC, entitled the Workplace Privacy Act 2005 (Vic) (the draft Bill)2. In a 5 October 2005 media release, Victorian Attorney-General Rob Hulls, proposed presenting the report's recommendations to the Standing Committee of Attorneys-General, in an effort to gain national uniformity in this area.3

The draft Bill effectively creates a right to privacy for workers by prohibiting certain acts by employers. The draft Bill thus provides a higher standard of protection for privacy in the workplace than that which is provided outside the workplace. Arguably, this is in recognition of the sensitivity of employment relationships to the economic prosperity of an individual.

The draft Bill regulates those acts or practices that employers may engage in and that may adversely impact on the privacy of workers. An 'act or practice' is defined under the draft Bill as including:

  • the use of a surveillance device;
  • the use of any other device to observe, listen to, record, track, monitor or search a worker or prospective worker;
  • the taking of a sample of breath, blood, saliva, or urine or any other bodily substance for the purpose of testing for the presence of alcohol or drugs;
  • the use of a psychometric test or a medical test;
  • the use of a genetic test;
  • the use of a biometric test; and
  • the use of any other means to search a worker or prospective worker.

The Draft Bill details the processes for complaints handling, investigations and the approval and enforcement of codes of practice (both mandatory and advisory).


The draft Bill proposes that the Governor-in-Council appoint an individual as a regulator for the purposes of enforcing the draft Bill (the regulator). The regulator may not hold office for a term of more than seven years, but may be reappointed. The regulator may employ staff as needed. It is anticipated the regulator will be a statutory office, similar to that of the Victorian Privacy Commissioner.

The regulator would also have broad functions relating to education, preparing codes of practice, dealing with systemic practices, dealing with complaints, giving authorisations and making recommendations to the Minister concerning existing or proposed legislation and its effect on workers' privacy.

Employer duties: work-related activities

The draft Bill prohibits employers from engaging in an act or practice that unreasonably breaches the privacy of a worker, or prospective worker, when the worker is engaged in a work-related activity (the prohibition). An employer unreasonably breaches the privacy of a worker if the employer engages in an act or practice in relation to work that satisfies any one of the following four tests.

The act or practice has a purpose that is not directly connected to the employer's business

This is a test requiring a connection or proximity of the act or practice to the nature of the employer's business. As such, the acts or practices that are appropriate will vary with the type, scale and location of an employer's business.

The act or practice is conducted in a manner that is not proportionate to the purpose of the act or practice

'Proportionate' is defined in the draft Bill as meaning, in relation to an act or practice, the act or practice that achieves the purpose for which it is undertaken but interferes least with the privacy of the worker or workers concerned. Therefore, the necessary test of proportionality is whether it achieves its purpose in the least invasive way in relation to privacy. There is no discussion of reasonableness of cost or effort in achieving that purpose.

The act or practice is done without first taking reasonable steps to inform and consult with workers of the employer concerning the act or practice

The consultation process that employers will need to undertake with respect to any proposed act or practice will involve the employer informing workers of:

    • the act or practice being considered and the reason for its proposed introduction;
    • the number and categories of workers to be affected;
    • the anticipated date of the introduction, and the period of implementation;
    • the alternative acts or practices considered and the reasons why they were not chosen; and
    • the safeguards to be used to ensure that the act or practice is conducted appropriately.

The employer will then need to provide workers with a genuine opportunity to respond to the proposal and must take those responses into account in deciding whether to introduce the act or practice.

The act or practice is done without providing adequate safeguards to ensure that it is conducted appropriately.

This test will require that employers ensure that the discretion of individuals engaged in the act or practice is sufficiently curtailed and that steps are taken to discipline abuse of the practices. Technological limitations may also be necessary to ensure there is no temptation for transgressions.

Employer duties: non-work-related activities

The draft Bill also prohibits any interference with the privacy of a worker in relation to non-work-related activities, unless authorised by the regulator. The extent of the rights of a worker in this context is not made clear in the draft Bill. This uncertainty is likely to create problems.

Employer duties: genetic testing

Employers are also prohibited from conducting genetic testing of workers or prospective workers without authorisation granted by the regulator. Authorisation may be given where the regulator is satisfied with respect to various conditions, including that the worker has consented to the testing.

Employer duties: prohibition of certain uses

There is also a blanket prohibition on any use of a surveillance device to observe, listen to, record or monitor the activities, conversations or movements of a worker in a toilet, change room, lactation room or a washroom in the workplace.

Codes of Practice

The draft Bill proposes three kinds of codes of practice.

Advisory Codes of Practice

The regulator may issue Advisory Codes of Practice in relation to any act or practice in connection with an employer's business (but not concerning non-work-related activities, genetic testing or acts or practices subject to an authorisation) for the purpose of providing guidance to employers concerning their duties and obligations under the draft Bill.

Compliance with Advisory Codes of Practice will be taken to constitute compliance with the prohibition. A contravention of the Advisory Code will constitute a contravention of that provision unless the employer complies with the provision in another way.

Approved Codes of Practice

An employer may seek approval of a Code of Practice by submitting the Code to the regulator. The regulator may approve that Code and subsequent compliance with the Approved Code of Practice will constitute compliance with the prohibition.

Approved Codes of Practice may not relate to any act or practice to which a Mandatory Code of Practice applies. Approved Codes bind any employer that sought approval of it and any employer that by notice in writing to the regulator states that it intends to be bound by it (and that Code is capable of applying to that employer). Employers may also give written notice that they intend to cease to be bound by the Code.

Mandatory Codes of Practice

The draft Bill states that the regulator must prepare Mandatory Codes of Practice relating to:

  • covert surveillance of workers in the workplace;
  • the taking from workers and prospective workers of samples of breath, blood, saliva or urine or any other bodily substance for the purpose of testing for the presence of alcohol or drugs; and
  • any other act or practice that is prescribed as requiring a Mandatory Code.

Mandatory Codes of Practice may be approved by the Governor-in-Council, on the recommendation of the Minister acting on the advice received from the regulator. The regulator must be of the opinion that the Mandatory Code of Practice is consistent with the legislation itself.

Employers must comply with a Mandatory Code of Practice. A contravention of a Mandatory Code of Practice is deemed to be a contravention of the legislation.


A worker who claims that an act or practice breaches the privacy of the worker may complain to the regulator. Representative bodies, proxies of the disabled and parents and guardians may complain on behalf of workers. Complaints must be in writing and must set out the details of the alleged breach.

Once the regulator accepts the complaint, it may conciliate the complaint, make a ruling or decline to deal with the complaint. The worker may require the regulator to refer the complaint to the Victorian Civil and Administrative Tribunal (VCAT).

Resolution and remedies

The draft Bill does not propose to create any civil causes of action or any criminal liability other than the enforcement of a legal right in accordance with the procedure set out. Methods of resolution and remedies include:

  • conciliation – the regulator may require the employer and worker to attend conciliation to settle the matter in the form of a written conciliation agreement;
  • investigation and ruling – the regulator may investigate a complaint and make a ruling as to whether the act or practice was in breach of the draft Bill. The ruling may require the employer to cease engaging in the infringing act or practice, take actions to remedy the breach and damage suffered, publish an advertisement as directed, or take specific steps to protect the privacy of workers other than the complainant. Rulings are enforceable through VCAT. The regulator may also investigate any other contraventions that it becomes aware of as a result of a complaint or in any situation where an act or practice is inconsistent with the draft Bill and it is not appropriate to endeavour to effect settlement;
  • compliance notice – the regulator may serve a compliance notice on an employer if the employer has flagrantly or seriously breached the draft Bill. Such notice may require the employer to take specific action to ensure privacy is not breached and report on the taking of that action to the regulator;
  • pecuniary penalties – the regulator may apply to the Magistrates' Court  for an order that an employer pay a pecuniary penalty for a contravention of the sections of the draft Bill relating to breach of privacy during non-work-related activities, genetic testing, surveillance in bathrooms and toilets, compliance with a ruling or compliance with a compliance notice. The maximum penalty payable for a body corporate is $300,000 and $60,000 for all other entities. A maximum penalty of $1000 is payable for breach of a ruling; and
  • injunction – the regulator may apply to the Magistrates' Court  for an injunction requiring the employer to cease contravening the same provisions as those for which a pecuniary penalty may be ordered.


The draft Bill and its associated policy would apply much more broadly than the equivalent New South Wales legislation. They entrench a higher standard of privacy protection in the workplace and take a different approach to the conventional 'personal information' record that is the focus of other Australian privacy laws. Employers will need to be aware of the tight restrictions that will be placed on their ability to monitor their employees without their consent, and the creation of a new right to individual privacy for their workers.

We will continue to monitor the progress of these proposals. If you have any queries in relation to this, or any other privacy issues, please contact one of our experts.

  1. Victorian Law Reform Commission, Workplace Privacy: Final Report, October 2005.
  2. Appendix 5 to Victorian Law Reform Commission, Workplace Privacy: Final Report, October 2005.
  3. Media Release of Victorian Attorney-General, 'Victorian Report Casts Spotlight on Workplace Privacy', 5 October 2005.

Share or Save for later

What are these?


To save this publication on your smartphone or
tablet for off-line reading (eg on a plane flight),
we recommend Pocket.



You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.

Comment Box is loading comments...