A substantial amount of media and public attention on the issue of workplace surveillance has been created by an article published in the Sydney Morning Herald on Monday 14 April 2008. That article quoted the Commonwealth Attorney-General Mr Robert McClelland as saying that Labor intended to give extra powers to intercept telecommunications to private-sector companies dealing with critical infrastructure, and that these new powers were necessary to avoid the threat of cyber terrorism. These powers are currently only held by a select few intelligence, police, and anti-corruption organisations specifically named in legislation.
Under the law as it currently stands, it is illegal to intercept a communication passing over a telecommunications system unless the person making the communication knows it is being intercepted. This is why, for example, when you telephone a call-centre you will usually hear a recorded message that your call may be monitored for various purposes. Similarly, if a company’s Internet usage policy notifies employees that their Internet usage may be monitored, then that monitoring would not be an illegal interception under Commonwealth law, although State and Territory laws dealing specifically with the issue of workplace surveillance may impose additional requirements in some states.
It is not entirely clear whether, under the law as it currently stands, automatic spam and virus filtering of incoming email is legal or not. It is at least arguable that this type of commonplace activity contravenes the Telecommunications (Interception and Access) Act 1979. The Commonwealth government has known about this issue since at least 2006 and has failed to act to resolve it in the time since.
After consulting with the Commonwealth Attorney-General’s office, EFA understands that the Commonwealth intends to clarify the legal situation of this type of activity. We are concerned that the Attorney-General’s comments to the media have not accurately reflected the Commonwealth’s intentions in this area.
EFA believes that:
- The existing legislation is unclear and should be clarified;
- The existing legislation gives insufficient protection to the privacy of employees and third parties;
- If legislative amendments are required to ensure that activities such as automated spam and virus filtering of incoming email is legal, we would support those amendments;
- It is not only organisations dealing with ‘critical infrastructure’ who have a need to keep spam and viruses out of their computer networks. If amendments are necessary then they should apply to all organisations;
- There is a world of difference between allowing automated spam and virus filtering and giving employers carte blanche to intercept any telecommunications for any reason;
- The Commonwealth has not made out a case for extending quasi-police interception powers to organisations dealing with critical infrastructure;
- There is a significant risk that such powers would be abused to engage in inappropriate eavesdropping or to conduct corporate witch-hunts;
- Any new powers conferred should be subject to strong safeguards, and should only be able to used for the purposes for which they were intended: that is, ensuring the security of corporate networks, not eavesdropping on employees;
- The negative effects on the privacy of employees and third parties which any legislative changes would create must be weighed against the positive effects to security; and
- It remains to be shown that changes such as those proposed would have any significant positive effect on the security of corporate networks.
We look forward to consulting with the Attorney-General’s department with a view to achieving legislative reform that addresses the uncertainty surrounding spam and virus filtering while ensuring that companies do not gain excessive and intrusive new powers at the expense of their employee’s privacy.