Workplace Surveillance Policy

This is the current version of this document.

Section 1 - Purpose and Context

Purpose

(1) The purpose of this Policy is to describe the circumstances in which the University conducts Surveillance of its Employees.

(2) The Workplace Surveillance Act 2005 (NSW) regulates Surveillance of Employees at work by means of camera, computer, and tracking devices, and requires that Employees be notified as to the nature of that Surveillance.

(3) This Policy constitutes the provision of notice to Employees of the University's Workplace Surveillance under the Act.

Application and Compliance

(4) This Policy applies to all current Employees, contractors, consultants and University controlled entities who have access to any University premises, equipment, or systems, including IT Resources and Networks.

(5) The University may take disciplinary action, up to and including termination of employment, for any breach of this Policy.

(6) This Policy should be read in conjunction with relevant University policies, including:

  1. Code of Conduct;
  2. Digital Information Security Policy;
  3. Email Policy;
  4. Acceptable Use of Digital Services Policy;
  5. Mobile Telecommunication Devices Policy;
  6. Privacy Policy and Privacy Management Plan; and
  7. Whistleblowing (Reporting Corruption and Other Serious Wrongdoing) Policy.

Section 2 - Definitions

(7) The Act does not separately distinguish between the terms "Surveillance" and "Monitoring", and the term "Monitoring" is defined separately in this Policy to provide clarity. However, it is still a form of "Surveillance" as defined in the Act.

(8) For the purposes of this Policy:

  1. "Act" means the Workplace Surveillance Act 2005 (NSW);
  2. "at work" includes where the employee is at a University Workplace whether or not they are actually performing work at the time, or at any other place while performing work for the University or utilising University resources or services;
  3. "Employee" means current employees, contractors, and consultants who have access to any University premises, equipment, or systems, including IT Resources, adjuncts, conjoints and students;
  4. "IT Resources" means systems, software, hardware, and other forms of technology, communication or other similar services owned or managed by the University;
  5. "Malicious Content" means content of a profane or inappropriate manner including, but not limited to:
    1. pornography;
    2. sexual content;
    3. defamatory content;
    4. content that harasses, threatens or bullies a person;
    5. racist content; and
    6. violent content;
  6. "Monitoring" is a form of Surveillance, and means the collection or storage of information, or the creation of records, in a routine and passive manner. It also includes routine review of that information or those records to ensure the integrity, security and service delivery of the University's systems, including IT Resources and Networks. However, and for the avoidance of doubt, Monitoring does not involve actively investigating or keeping track of an individual or their activities.
  7. "Network" means network hardware and the services operating on the hardware or utilising the hardware to perform tasks, whether wired or wireless.
  8. "Policy" means this Workplace Surveillance Policy and includes any Schedules or attachments;
  9. "Surveillance" of an Employee means surveillance of an Employee by any of the following means:
    1. camera surveillance which is surveillance by means of a camera that monitors or records visual images of activities on premises or in any other place;
    2. computer surveillance which is surveillance by means of software or other equipment that monitors or records the information input or output, or other use, of a computer (including, but not limited to, the sending and receipt of emails and the accessing of internet websites);
    3. tracking surveillance, which is surveillance by means of an electronic device the primary purpose of which is to monitor or record geographical location or movement (such as a global positioning system tracking device);
  10. "Surveillance Information" means information obtained, recorded, monitored or observed as a consequence of Surveillance of an Employee;
  11. "Surveillance Record" means a record or report of Surveillance Information;
  12. "University" means Western Sydney University;
  13. "Workplace" means any University premises, or any other place, where employees work, or any part of such premises or place.

For the avoidance of doubt, words or terms used in this Policy have the same meanings given to them in the Act.

Section 3 - Policy Statement

Surveillance Consisting of Monitoring

(9) The University carries out Surveillance in the form of Monitoring to ensure:

  1. the health, safety and welfare of University Employees, students and visitors, for example, by installing fixed cameras throughout University campuses;
  2. the integrity, security and service delivery of its systems and Networks; and
  3. compliance with its legal obligations, including reporting obligations.

(10) In the course of carrying out Monitoring, the University collects, creates and stores records and information (including logs, images, backups, and archives) using any one or more of the following methods:

  1. Telephone Monitoring - the University Monitors the input and output of telephone (both fixed line and mobile) devices provided by the University for use by Employees. These are continually Monitored and may be accessed and provided to the University for administrative purposes;
  2. Camera Monitoring - the University has installed fixed security cameras throughout all campuses, both inside and outside of buildings and other facilities. These cameras (including any casings) are not covered or hidden, and Monitor activities on an ongoing and continuous basis;
  3. Computer Monitoring - the University conducts ongoing Monitoring of the following:
    1. University email accounts, and emails sent or received using a University email account or a University server;
    2. internet usage, including browsing history, content downloads and uploads, video and audio file access, and any data input using the IT Resources; and
    3. access (including logons) to, and all activity on, the IT Resources including computer hard drives and servers, and any files stored on IT Resources;
  4. Tracking Monitoring - the University does not Monitor or track the location or movement of individual Employees. However, it does provide and make available for use by Employees equipment and devices that have functionality to monitor and record their geographical location or movement, for example:
    1. mobile telephones, hand-held radios, laptops, tablets and similar devices;
    2. access cards into University buildings;
    3. University-owned vehicles with global positioning systems installed;
    4. fuel cards issued for University-owned vehicles; and
    5. wired and wireless data point connections installed in University buildings.

(11) In carrying out Monitoring, the University records and stores information and creates records (including reports) in relation to the following that are Surveillance Information and Surveillance Records for the purposes of the Act:

  1. movements within a Workplace;
  2. access to secure University facilities (buildings and locations within buildings);
  3. connection of devices (whether or not owned by the University) to IT Resources and the Network. This includes logging access at specified wired and wireless data points;
  4. emails sent or received using University email accounts or through University servers, storage volumes, download volumes, browsing or downloading history on IT Resources; and
  5. any information or data created or managed on, downloaded to and stored on IT Resources, servers and other devices that the University supplies or otherwise makes available for use, including University email.

Surveillance and Surveillance Information and Records

(12) The University may from time to time:

  1. conduct Surveillance, including Surveillance of individual Employees; or
  2. access, use or disclose information or records obtained in the course of Monitoring for Surveillance in relation to individual Employees.

(13) The University may use or disclose Surveillance Information or Surveillance Records for purposes authorised under the Act and in accordance with the procedures set out in Section 4 of this Policy. These specifically include:

  1. for legitimate purposes related to the employment of Employees;
  2. for the legitimate business activities or functions of the University, including internal inquiries and investigations of alleged unlawful activities or activities that are alleged to be in breach of any University rule, policy or code of conduct or in breach of a person's duties to the University as its Employee;
  3. for use or disclosure in any legal proceedings (including an inquiry by the Independent Commission Against Corruption or the NSW Ombudsman) to which the University is a party or is directly involved;
  4. disclosure to a member or officer of a law enforcement agency for use in connection with the detection, investigation or prosecution of an offence;
  5. where otherwise required or authorised by law to do so (for example, if the University is required to comply with a search warrant or subpoena);
  6. where the University considers this is reasonably necessary to avert a serious and imminent threat of:
    1. serious violence to a person;
    2. damage to property (including disruption to the University's business, systems or operations).

(14) Part 4 of the Act prohibits covert surveillance (which is Surveillance other than that requiring notification in accordance with Part B below) by an employer without a covert surveillance authority issued under that Act.

Prohibited Surveillance

(15) The University will not carry out and does not condone any of the following which are prohibited under the Act:

  1. Surveillance of Employees in a change room, toilet facility or shower or other bathing facility in the Workplace;
  2. Surveillance of Employees using work Surveillance devices when Employees are not at work, except as permitted under the Act and this Policy; and
  3. blocking emails or internet access of an employee except as permitted under the Act and University policies, including Part C of this Policy.

Section 4 - Surveillance Procedures

Part A - Authorisation

(16) Employees are prohibited from conducting any form of Workplace Surveillance or from accessing Surveillance Records or Surveillance Information, except the following Employees who are only authorised for the purposes of performing their designated duties as Employees:

  1. Employees (including those within Cyber Security Assurance and Operations and Information Technology and Digital Services) whose normal duties include routine back up or restoration of data, conduct of audits, review of web filtering, email filtering, document retrieval or logs, or other activities relating to the University's systems, including IT Resources and Networks;
  2. Employees (including those in Campus Safety and Security) whose normal duties include review of camera footage and of building access (including use of building access devices); or
  3. Employees who are specifically authorised under this Part A to conduct Surveillance or to access Surveillance Information or Surveillance Records.

(17) Requests to authorise Surveillance that go beyond Monitoring, or to authorise access to Surveillance Information or Surveillance Records by persons other than those listed in clause (16), may only be made by one or more of the following persons and only for a purpose specified in clause (13):

  1. the Vice-Chancellor and President;
  2. the Senior Deputy Vice-Chancellor;
  3. a Deputy Vice-Chancellor and Vice-President;
  4. a Vice-President;
  5. a Dean;
  6. the General Counsel;
  7. the University Secretary; or
  8. the Chief Audit and Assurance Officer.

(18) Only the Vice-Chancellor and President can approve a request on advice from the General Counsel.

(19) For the avoidance of doubt, Surveillance requests made under clause (17) will only be approved if the Vice-Chancellor and President is reasonably satisfied that:

  1. the request is for a purpose specified in clause (13);
  2. if the request is for a purpose specified in clause 13(b):
    1. there is no less intrusive alternative, reasonably available, in the circumstances, including, but not limited to, any need for urgency;
    2. the proposed method and length of Surveillance or access to information and records is reasonable and appropriate in the circumstances; and
    3. reasonable precautions will be taken to ensure the integrity and security of data, including compliance with the University's Privacy Policy and Privacy Management Plan.

Part B - Notice Requirements

(20) This Policy is formal notice to Employees that the University does the following in accordance with this Policy:

  1. it conducts Surveillance in the form of Monitoring in the Workplace;
  2. where authorised under the Act or this Policy, it conducts Workplace Surveillance other than Monitoring; and
  3. it creates, accesses, uses and discloses information or records in relation to Surveillance, including as part of Monitoring.

(21) The University also provides notice to Employees about Surveillance (including Monitoring) in other formats as follows:

  1. in the case of Monitoring by cameras, by means of physical signage at the entrances to or within campus grounds;
  2. by obtaining a signed acknowledgement when an employee commences employment;
  3. by means of regular (usually every six months) reminder notifications to all Employees by the Senior Deputy Vice-Chancellor or Vice-President, Strategy and Governance;
  4. by means of an online notice referring to this and other relevant policies when an employee activates their University account for the first time;
  5. for new methods of Monitoring, specific written notice to all Employees (which may be given by email) at least 14 days before that routine Monitoring commences.

(22) For Surveillance approved under Part A, the University must send a written notice to an individual employee (which may be given by email) before that Surveillance commences.

(23) A notice under clause (21) e. or (22) must be given or authorised by either the Chief Information and Digital Officer or the University Secretary, and must specify:

  1. the type of Surveillance or new form of Monitoring to be carried out;
  2. how it will be carried out;
  3. when it will start;
  4. whether it will be continuous or intermittent; and
  5. whether it will be for a specified limited period or ongoing.

(24) Written notice to an employee under clause (22) will not be provided:

  1. where there is a risk of disclosure of the identity, or exposure to reprisals, of a person who has made a public interest disclosure under the University's policy relating to public interest disclosures;
  2. where Surveillance information or records are aggregated in a format that does not identify specific individuals, including Employees, for example, for operational support reasons.

Part C - Blocking of Email or Internet Use

(25) The Act prohibits the University from blocking an employee from accessing the internet or sending or receiving emails unless:

  1. the University acts in accordance with its policies relating to email or internet access that have been notified to the employee in advance in such a way that it is reasonable to assume the employee is aware of and understands the relevant policy; and
  2. if the University intends to prevent delivery of an email, the University gives the employee notice (which can be by email) that delivery of the email will be blocked.

(26) The University is not required to give notice under clause (25)b if:

  1. the University regards the content of the website or email, including any attachment, as menacing, harassing or offensive, for example, pornographic, gambling or terrorist websites;
  2. the email is or contains a commercial electronic message, as defined in the Spam Act 2003 (Cth);
  3. the content or attachments of the email would or might result in unauthorised interference with, damage to or operations of an IT Resource (including any program run or data stored on any IT Resource);
  4. the sender of the email has been identified as having previously sent malicious content to the organisation;
  5. the University is not aware (and cannot reasonably be expected to be aware) of whether an employee has sent that email or of the identity of the employee who has sent that email.

Section 5 - Guidelines

(27) Nil.