
Surveillance, privacy, and governance: Navigating the new landscape in Australian workplaces

by LYN NICHOLSON (GENERAL COUNSEL - HOLDING REDLICH)
Recent high-profile decisions by the Privacy Commissioner, ongoing legislative inquiries, and international enforcement actions underscore the urgent need for governance professionals to understand, anticipate, and shape best practice in this complex area.


The rapid evolution of surveillance technologies, from facial recognition in retail to AI-powered monitoring in the workplace, has outpaced the development of regulatory frameworks in Australia. Recent high-profile decisions by the Privacy Commissioner, ongoing legislative inquiries, and international enforcement actions underscore the urgent need for governance professionals to understand, anticipate, and shape best practice in this complex area. This article synthesises recent developments, regulatory guidance, and practical recommendations to help boards and executives navigate the shifting landscape of workplace and retail surveillance.

Facial recognition in retail: Lessons from the Kmart decision

The use of facial recognition technology (FRT) in retail settings has come under intense scrutiny. The Privacy Commissioner’s recent decision regarding Kmart’s deployment of FRT in 28 stores between June 2020 and July 2022 provides a cautionary tale for organisations considering similar technologies. Importantly, the Kmart decision followed the Bunnings decision, which, at the time of writing, is under appeal. Both cases involve the use of FRT in retail at about the same time and concern similar facts and breaches. While retail cases involve shoppers, they also impact employees and contractors who visit stores and whose privacy is at risk in those settings.

Key findings

  • Inadequate consent: Kmart collected sensitive biometric data from store visitors without obtaining adequate consent. Notices were inconsistently displayed, and those that were present failed to inform visitors of the full extent and purpose of data collection.
  • Transparency failures: Kmart’s privacy policies did not sufficiently disclose the types of personal information collected, how it was collected, or how it would be used and stored, breaching Australian Privacy Principle (APP) 1.
  • Insufficient notification: The Commissioner found that store entry notices alone were not enough. Visitors needed to be clearly informed about the purpose of data collection, the consequences of non-consent, and how to access or correct their data.
  • No exemption for security purposes: Kmart argued that FRT was necessary to prevent refund fraud, but the Commissioner held that this did not exempt the retailer from obtaining consent or considering less privacy-intrusive alternatives. Bunnings sought to rely on a similar exemption for security purposes.

Governance implications

The decision sets out a “shopping list” for privacy compliance:

  • Conduct robust privacy risk assessments, especially when deploying novel or sensitive technologies.
  • Ensure collection notices are prominent, accessible, and detailed.
  • Obtain explicit consent for the collection of sensitive information.
  • Maintain transparency in privacy policies, including disclosure of metadata and secondary data generated by FRT.
  • Balance the proportionality of surveillance against the privacy rights of individuals, considering both the scale and sensitivity of data collected.

Retailers and other organisations must recognise that using technology to prevent unlawful activity does not override the need for consent and transparency. The Kmart decision is a clear signal that regulators expect organisations to go beyond minimal compliance and proactively address privacy risks, rather than seeking to rely on narrow exemptions for broad usage that could have been addressed by adequate signage and policies.

The changing face of workplace surveillance

Workplace surveillance in Australia is expanding in both scope and sophistication, driven by advances in AI, automation, and biometrics. Yet, as the Victorian Government’s recent inquiry highlights, regulation has not kept pace with technological change. The Victorian findings would appear to apply across Australia.

Inquiry findings

The Economy and Infrastructure Committee’s inquiry into workplace surveillance in Victoria found:

  • Surveillance is increasingly powered by AI and automation, raising concerns about fairness, transparency, and the potential for bias.
  • Employees are often unaware of being monitored or how their data is used.
  • There is limited evidence that surveillance improves productivity, and intrusive monitoring can harm workplace culture, morale, and even health and safety.
  • Surveillance can exacerbate power imbalances, discourage collective action, and disproportionately impact marginalised and platform workers.

Recommendations for reform

The Committee made 18 recommendations to bring Victoria’s surveillance laws to a fit-for-purpose state, including:

  • Requiring employers to undertake risk assessments to justify surveillance.
  • Mandating clear, written notice to employees before surveillance begins.
  • Consulting employees before introducing or changing surveillance practices.
  • Reviewing automated decisions based on surveillance data and protecting that data, including oversight of third-party contractors.
  • Prohibiting covert or intrusive surveillance except in limited, independently overseen circumstances.

While these recommendations are not yet law, they signal a shift towards a more principles-based, proportionate, and transparent approach to workplace surveillance. Employers should anticipate these changes and begin aligning their practices accordingly.

Surveillance in practice: Legal, regulatory, and reputational risks

The broader context for surveillance in Australian workplaces is one of increasing legal exposure and regulatory scrutiny. Several trends and case studies illustrate the risks and the need for proactive governance.

Regulatory gaps and international precedents

  • Limited regulation: Australian privacy laws currently provide limited protection for employee records, and surveillance devices legislation is inconsistent across jurisdictions. Consent remains a key principle, but its application is often unclear.
  • International enforcement: Recent fines in Europe highlight the risks of excessive surveillance. In 2023, Amazon was fined €32 million in France for an “excessive” system that monitored employee activity and generated alerts on work speed and break times. In 2024, a French real estate company was fined €40,000 for software that monitored employees’ computer activity, including periods of inactivity and website visits, while working from home.
  • Emerging hazards: There is growing recognition that workplace surveillance can constitute a psychosocial hazard, with potential implications for work health and safety (WHS) obligations.

Best practice for governance of workplace surveillance

Deploying workplace surveillance should only be considered after developing an implementation plan that:

  • Consults with affected employees and representatives, consistent with WHS laws and industrial instruments.
  • Provides clear, informed, voluntary, and time-bound consent mechanisms.
  • Undertakes Privacy Impact Assessments (PIAs) and WHS risk assessments before deploying new technologies.
  • Limits surveillance to what is necessary and proportionate to the business need.
  • Establishes governance frameworks, including policies, standard operating procedures, training guides, and escalation protocols.
  • Maintains ongoing transparency regarding the collection, use, disclosure, and storage of surveillance records.
  • Engages proactively with regulators and seeks early guidance where appropriate.

Legal and compliance teams should also be prepared to draft and review PIAs, consent forms, privacy policies, and governance frameworks, as well as to conduct surveillance justification reports to assess whether the technology is actually achieving the stated and intended outcome.

The path forward: Principles for responsible surveillance

The convergence of privacy, technology, and workplace governance demands a new approach—one that is grounded in principles of proportionality, transparency, and accountability.

Key principles

  • Proportionality: Surveillance must be justified by a legitimate business need and balanced against the privacy rights and interests of individuals.
  • Transparency: Organisations must be open about what data is collected, how it is used, and the rights of individuals to access and correct their information.
  • Accountability: Boards and executives must ensure that surveillance practices comply with legal requirements and reflect community expectations, and key executives need this compliance to be part of their KPIs.

Preparing for change

With ongoing regulatory reform on the horizon and public expectations rising, governance professionals should:

  • Review and update privacy and surveillance policies to reflect current and emerging standards.
  • Invest in staff training and awareness to foster a culture of privacy and respect.
  • Monitor developments in law and technology, and engage with industry bodies and regulators to shape best practice.
  • Consider the broader ethical and reputational implications of surveillance, beyond mere legal compliance.

Conclusion

Surveillance in Australian workplaces and retail environments is at a crossroads. The lesson from recent regulatory decisions, legislative inquiries, and international enforcement actions is clear: organisations must move beyond compliance to embrace a proactive, principled approach to privacy and governance. By doing so, they can not only mitigate legal and reputational risks but also build trust with employees, customers, and the wider community.

Author

Lyn Nicholson, General Counsel, Holding Redlich
Email: lyn.nicholson@holdingredlich | Phone: +61 2 8083 0463
Profile: www.holdingredlich.com/lyn-nicholson

 
