What counts as AI worker monitoring, and why the stakes are rising
AI worker monitoring covers any system that uses software to observe, measure or score employees: keystroke and activity trackers, productivity analytics built into collaboration tools, camera systems with object or behaviour detection, vehicle and device location tracking, sentiment analysis of messages, and AI that scores or ranks workers for performance, rostering or discipline.
The legal exposure is not one law but four overlapping regimes: privacy law, state and territory workplace surveillance law, the Fair Work Act 2009, and work health and safety duties. A monitoring program can be lawful under one and unlawful under another. The practical task for HR is to satisfy all four at once.
One change makes this urgent. From 10 December 2026, new automated decision-making transparency obligations are added to Australian Privacy Principle 1. If an AI system materially drives decisions about your workers, you will need to say so in your privacy policy. That deadline should anchor your review now.
What does the Privacy Act 1988 require?
The Privacy Act 1988 and the Australian Privacy Principles bind organisations with turnover above the threshold and many that handle health or other sensitive information. Three principles do most of the work for monitoring.
APP 1 requires open and transparent management of personal information through a clearly expressed and up to date privacy policy. APP 3 limits collection: you may only collect personal information that is reasonably necessary for your functions or activities. APP 5 requires you to notify individuals, at or before the time of collection, of matters including who is collecting, why, and the consequences if the information is not collected.
For AI monitoring, the discipline is collection limitation. Continuous keystroke capture or full-screen recording collects far more than is reasonably necessary to manage most roles. If a narrower signal achieves the purpose, the broader collection is hard to justify under APP 3.
The new automated decision-making duty from 10 December 2026
The most significant change is the automated decision-making transparency obligation in new APP 1.7, 1.8 and 1.9, inserted by the Privacy and Other Legislation Amendment Act 2024 and commencing 10 December 2026. The OAIC guidance on APP 1 explains the scope.
Where an entity has arranged for a computer program to make, or do something substantially and directly related to making, a decision that could reasonably be expected to significantly affect the rights or interests of an individual, the privacy policy must disclose the kinds of personal information used and the kinds of decisions made. The OAIC notes that making a decision includes refusing or failing to make one, and the obligation applies whether the decision benefits or harms the person.
In a workforce setting, AI that scores performance, flags workers for discipline, drives rostering, or screens conduct can fall within this. HR should map every system that significantly influences a worker decision and prepare the privacy policy disclosure well ahead of the deadline.
What do state and territory surveillance laws require?
This is where many AI monitoring programs come unstuck, because surveillance law is state and territory based and far stricter than the Privacy Act on notice.
In New South Wales, the Workplace Surveillance Act 2005 prohibits surveillance of an employee at work unless it is conducted in accordance with the Act. Section 10 requires written notice at least 14 days before surveillance commences, though an employee may agree to a shorter period. The notice must state the kind of surveillance (camera, computer or tracking), how it will be carried out, when it will start, whether it will be continuous or intermittent, and whether it will be ongoing or for a limited period.
The Act then adds device-specific rules. Camera surveillance requires cameras to be clearly visible and signs to be in place notifying people that they may be under surveillance. Computer surveillance must be carried out in accordance with a policy of the employer that has been notified to employees in advance. Tracking surveillance of a vehicle or thing requires a notice indicating that it is the subject of tracking.
Covert surveillance is the bright line. Part 4 of the NSW Act prohibits covert surveillance of employees at work unless it is authorised by a covert surveillance authority issued by a magistrate, and that authority is confined to investigating suspected unlawful activity. Quietly switching on AI activity monitoring without notice is not a grey area. It is the conduct the Act is designed to prevent.
The Australian Capital Territory takes a similar approach. The Workplace Privacy Act 2011 (ACT) requires written notice of surveillance, with a notice period of at least two weeks, and the notice must cover matters such as the kind of device, how surveillance will be conducted, who will be subject to it, and its purpose. The ACT framework also builds in consultation in good faith with workers who raise issues about the surveillance, and it restricts covert surveillance.
Victoria has no single equivalent workplace surveillance statute. The Surveillance Devices Act 1999 (Vic) regulates the use of listening, optical, tracking and data surveillance devices generally, including restrictions on recording private conversations and activities, but it does not impose the NSW style 14 day workplace notice regime. The position differs again across other states. Because of this patchwork, a national employer cannot assume one policy fits every jurisdiction. The safest course is to apply the strictest applicable standard, which in practice means the NSW and ACT notice rules.
What to never do: do not deploy covert or undisclosed AI monitoring of NSW or ACT workers to test productivity or catch out behaviour. Without notice, and in NSW without a magistrate's covert surveillance authority, it is likely unlawful regardless of what the worker may have signed.
How does the Fair Work Act 2009 apply?
Three Fair Work issues sit alongside privacy and surveillance law.
First, consultation. Most modern awards and enterprise agreements contain a consultation term. As the Fair Work Ombudsman best practice guide on consultation explains, where an employer decides to introduce major change in production, programming, organisation, structure or technology likely to significantly affect employees, the employer must notify affected employees and their representatives, discuss the change as soon as practicable, provide written information about it, and consider matters raised. Introducing a workforce wide AI monitoring system is a strong candidate for a technology change that triggers this duty.
Second, reasonable management action. Monitoring that is genuinely about legitimate work management, conducted in a reasonable way, is defensible. Monitoring that is excessive, punitive or used to single out individuals is not, and can sit at the centre of bullying, general protections and unfair dismissal claims.
Third, adverse action. Under the general protections in the Fair Work Act 2009, section 340 prohibits an employer from taking adverse action against an employee because they have, or exercise, a workplace right, and section 342 defines adverse action to include dismissing, injuring the employee in their employment, or altering their position to their prejudice. If an AI system flags a worker who has raised a safety concern or made a complaint, and the employer acts on that flag, the causal link to the protected right can ground an adverse action claim. AI does not dilute the prohibition, and the reverse onus means the employer must prove the protected reason was not a substantial reason for the action.
How does AI monitoring interact with WHS psychosocial duties?
This is the most overlooked angle. Under the model work health and safety laws, a person conducting a business or undertaking has a duty to manage psychosocial risks so far as is reasonably practicable. The Safe Work Australia model Code of Practice: Managing psychosocial hazards at work identifies job demands, low job control and other factors as psychosocial hazards.
Intrusive or constant monitoring can itself be a psychosocial hazard. Surveillance that workers experience as relentless, opaque or unfair can increase stress, reduce job control and erode trust, all of which the Code treats as risks to be assessed and controlled. The duty is positive: you must proactively identify and minimise these risks, not wait for a complaint. So before rolling out AI monitoring, run a psychosocial risk assessment that asks how the system will feel to the worker, not only what it measures. Consultation with workers is a WHS duty in its own right and overlaps neatly with the Fair Work consultation obligation.
A practical checklist for compliant AI monitoring
Bring the four regimes together into one operating standard.
Define a lawful, specific purpose first. Name the problem the monitoring solves and the smallest data set that solves it. If the purpose is vague, the program is not ready.
Apply data minimisation and proportionality. Prefer aggregated or sampled signals over continuous full capture. Set retention limits. Restrict who can see the data and log access. Document why each data point is reasonably necessary, which is the APP 3 test.
Give written notice and a policy. Meet the NSW 14 day notice and the device-specific rules, the ACT notice and consultation requirements, and the equivalent in other jurisdictions. Notify under APP 5 and keep your privacy policy current, including the automated decision-making disclosure required from 10 December 2026.
Consult genuinely. Where an award or agreement consultation term applies, follow it. Even where it does not, consultation discharges your WHS duty and reduces dispute risk. Give workers a real opportunity to influence how the system runs.
Never go covert. Treat undisclosed monitoring as off limits unless you hold a magistrate's covert surveillance authority for suspected unlawful activity in a jurisdiction that allows it.
Keep a human in the loop. Do not let an AI score or flag drive a performance, disciplinary or termination outcome on its own. A person who can see the worker's context should review the output, test it for error and bias, and own the decision. This is good practice today and aligns with the direction of the automated decision-making transparency reforms.
Get the order of operations right and AI monitoring is a manageable, well governed tool. Get it wrong, especially on notice, covert use or proportionality, and a single program can breach privacy law, surveillance law, the Fair Work Act and WHS duties at the same time.
TheAICommand. Intelligence, At Your Command.
