Privacy and Data Rights
Employer Monitors Personal Messages on Company Devices
Understanding the limits of workplace surveillance and your privacy rights
Premium
foundational
7 minutes
The Situation
What They Said
“As your employer, I have the right to monitor all communications on company devices.”
Workplace monitoring of communications is a significant and growing area of conflict between employer interests and employee privacy in Australia. With the widespread use of company laptops, mobile phones, and messaging platforms for work purposes — and often for incidental personal use as well — many employees have no clear idea where the line falls between what their employer can lawfully observe and what remains private. Many employers present monitoring as a self-evident right of ownership: because it's our device, we can see everything on it.
While it is true that employers have legitimate interests in monitoring work-related communications on company equipment, Australian law does not grant employers an unlimited surveillance right over all communications that pass through their devices. The Privacy Act 1988 (Cth) — which governs the collection of personal information by organisations with turnover over $3 million and certain others — imposes obligations on what personal information can be collected, how it is used, and how employees must be informed. State and territory workplace surveillance legislation also applies in most jurisdictions, requiring employers to notify employees before activating computer or email monitoring — and in some states, to obtain explicit consent.
Many employers implement monitoring without adequate disclosure to employees, assert monitoring rights that go beyond what their policies or the law permits, or use monitoring data in ways that were not disclosed. An employee who is told 'we monitor everything' has the right to ask: were you told about this monitoring before it began? Is the monitoring proportionate to a legitimate business purpose? And is the employer treating your personal communications — sent or received on the device for genuinely personal reasons — with the same protections the law applies to personal information?
The Fallacy
Device Ownership Surveillance Fallacy
The employer is reasoning from device ownership to unlimited surveillance authority — the idea that owning the hardware means they can access and use any information that passes through it, without limit. This conflates property rights with information rights. The fact that a message was sent on an employer's device does not transform personal communications into employer property or eliminate the employee's privacy interest in that information.
This fallacy ignores the distinction the Privacy Act draws between information that is collected for a legitimate business purpose and information that is incidentally accessible through monitoring but relates to the employee's private life. An employer who collects personal information about an employee's health, relationships, or beliefs through monitoring workplace communications — even on company devices — may be collecting personal information under APP 3, which requires that collection be necessary for or directly related to the organisation's functions or activities.
The monitoring claim also fails to address the notification requirement. Surveillance that has not been disclosed to employees before it begins may breach state workplace surveillance legislation regardless of whose device is involved. Employees have a right to know they are being monitored, which means 'we have been monitoring you' delivered as a revelation — rather than a disclosed policy — may itself indicate unlawful conduct.
What the Law Says
Your Legal Foundation
Privacy Act 1988 (Cth)
Australian Privacy Principle 3 — Collection of Solicited Personal Information — Collection Must Be Necessary for the Organisation's Functions
“An APP entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities.”
An employer who monitors communications on company devices and thereby collects personal information about employees — including personal messages, health information shared in personal communications, or information about personal relationships — must be able to justify that collection as reasonably necessary for the organisation's functions. Blanket monitoring that captures personal communications beyond what is necessary for a legitimate business purpose may breach APP 3.
Workplace Surveillance Act 2005 (NSW) and equivalent state legislation
Computer Surveillance Notification Requirements — Prior Notice of Computer Monitoring Required
“An employer must not carry out computer surveillance of an employee unless the employer has notified the employee of the nature of the surveillance at least 14 days before the surveillance commences, or the employee agrees to surveillance commencing sooner.”
State and territory workplace surveillance legislation — which varies by jurisdiction but applies consistent principles — requires employers to give advance notice of computer and communications monitoring before that monitoring begins. In most states, monitoring without prior notice is unlawful surveillance. Employees in these states have the right to know they are being monitored before they begin work under that monitoring arrangement, not to be told retrospectively.
Privacy Act 1988 (Cth)
Australian Privacy Principle 5 — Notification of Collection — Employer Must Notify Employee of What Is Collected and Why
“At or before the time an APP entity collects personal information about an individual, or as soon as practicable after, the entity must take reasonable steps to notify the individual of the fact that the entity is collecting the information, the purposes for which the information is collected, and the consequences if the information is not collected.”
An employee is entitled to know what personal information the employer is collecting through monitoring, why it is being collected, and how it will be used. An employer who silently monitors communications without disclosing this in the employment contract, workplace policies, or a privacy notice provided to the employee is likely in breach of APP 5. This notification obligation applies to monitoring as a form of personal information collection.
What Scripture Says
God's Word on This
Proverbs 25:17 (NIV)
“Seldom set foot in your neighbor's house — too much of you, and they will hate you.”
Even in close relationships, biblical wisdom recognises that constant intrusion is destructive. An employer who monitors every communication — including personal messages — treats the employee not as a person with a private interior life but as a subject of total surveillance. Scripture affirms that dignified human relationships require appropriate boundaries, and the law codifies those boundaries in the workplace context.
Job 31:4 (NIV)
“Does he not see my ways and count my every step?”
Job's lament — that his every step was being counted — describes the experience of a person under oppressive scrutiny, with no room for private thought or action. God alone has the omniscience that justifies total knowledge of another person; an employer does not. The legal framework around workplace monitoring reflects this: some observation for legitimate purposes is acceptable, but unlimited surveillance that reaches into private life exceeds what authority can rightfully claim.
🔒
You Know the Law — But Do You Know What to Say?
Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.
Unlock This Scenario — R89/month
Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime
Not ready to subscribe? Get the free checklist first.
10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.
What They'll Say Next
Common Counter-Arguments
After you respond, they may push back with these arguments. Members get the full rebuttal for each.
They might say: “The Privacy Act doesn't apply to us — we're a small business.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
They might say: “We only looked at the communications because we were investigating a misconduct allegation against you.”
🔒 Subscribe to see the full rebuttal and legal counter-argument.
Know Your Rights. Know Your Word.
149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.
Try Free — Identity & Dignity
No credit card · Upgrade anytime for all 17 domains