Buying an AI monitoring tool feels like an IT decision. Legally, it is a surveillance decision. The moment software watches what an employee types, reads, sees on screen or does on camera, and turns that into a productivity score, a sentiment reading or a flag for review, you are conducting surveillance of workers, and Australian workplace surveillance law applies.
The complication is that this law is not national. It is set by each state and territory, and the tests differ. That means a single monitoring rollout across offices in different states can be lawful in one and an offence in another. The safe starting assumption is that any AI that observes staff is regulated, and that you must confirm the position in every jurisdiction where your people work.
What workplace surveillance law requires
Workplace surveillance in Australia is governed by state and territory legislation rather than a single Commonwealth statute, and the obligations vary by jurisdiction. The clearest computer surveillance regime is the Workplace Surveillance Act 2005 (NSW). Under that Act an employer must give employees at least 14 days written notice before commencing computer surveillance, or a shorter period if the employee agrees. The notice must genuinely inform staff about the monitoring before it starts, not after.
The Australian Capital Territory has a similar Act. Other states take a different route. Victoria, for example, regulates through a Surveillance Devices Act with different tests rather than a dedicated workplace notice regime. The through line is consent and notice: most regimes are built around telling workers, in advance and in a defined form, that they are being watched and how.
Covert monitoring is a different category
Covert surveillance of employees, meaning monitoring done without their knowledge, is treated far more seriously than notified monitoring. In New South Wales, covert surveillance of employees generally requires a covert surveillance authority issued by a magistrate. Monitoring staff covertly without that authority is not merely a compliance gap. In some jurisdictions it carries criminal liability. This is the line an AI tool can cross silently, because monitoring software is easy to switch on quietly and easy to forget to disclose.
The 2024 statutory privacy tort
Alongside the surveillance Acts, the Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort for serious invasions of privacy. This adds a private right of action, meaning an individual can sue directly. Intrusive monitoring of employees is exactly the kind of conduct this tort is capable of reaching. So even where a monitoring practice might technically satisfy a surveillance notice rule, disproportionate or intrusive AI monitoring can still generate civil exposure through this separate route.
Where AI trips the surveillance rules
The reason AI monitoring gets employers into trouble is that it rarely looks like the old idea of surveillance. There is no camera in the corner. There is a dashboard. But the law follows the observation, not the packaging.
Screen and email monitoring. Tools that capture screen content or read the contents and metadata of work email are computer surveillance. Deploying them without the required written notice breaches the notice duty in jurisdictions like New South Wales.
Productivity analytics. Platforms that score how long staff are active, which applications they use and how much they produce are surveillance of workers. Rolling out an analytics layer over existing systems is often treated as commencing new surveillance, which restarts the notice obligation.
Keystroke logging. Logging what employees type is a direct form of computer surveillance and one of the clearest triggers for notice requirements.
Sentiment analysis. AI that reads the tone of employee messages or communications to infer mood or engagement is monitoring of workers and can be among the most intrusive practices, making it a strong candidate for the statutory privacy tort as well as the surveillance regimes.
Video analytics. Applying AI to camera feeds, for attendance, behaviour or presence detection, converts ordinary CCTV into active surveillance of individuals and can engage both camera and computer surveillance rules depending on the state.
The most dangerous pattern is the quiet pilot. A team trials a monitoring feature without formal notice because it is only a test. If employees are not told, that pilot can be covert surveillance, and in some states covert monitoring of staff without a magistrate's authority is a criminal matter.
What to have in place before you monitor
Inventory the monitoring. List every tool and feature that observes employees, including screen capture, email monitoring, productivity analytics, keystroke logging, sentiment analysis and video analytics. Include features bundled inside broader platforms that you may not think of as surveillance.
Map each tool against every operating state. For each jurisdiction where staff work, confirm which surveillance law applies and what it requires. Do not assume the New South Wales rule travels. Confirm the position in each state and territory before you rely on it.
Issue compliant written notice before continuing. Where notice is required, give it in the form and timeframe the relevant Act specifies before monitoring commences. In New South Wales that means at least 14 days written notice, or a shorter agreed period, before computer surveillance begins.
Eliminate accidental covert monitoring. Confirm no tool is running silently on staff without disclosure. Treat covert monitoring as prohibited unless you hold the specific authority the jurisdiction requires, given the criminal exposure attached to it.
Test proportionality against the privacy tort. Ask whether the monitoring is genuinely necessary and proportionate to a real purpose. Intrusive practices such as sentiment analysis can still attract a private claim under the 2024 statutory tort even where a notice box is ticked.
Keep the record. Retain copies of the notices issued, the dates, and the jurisdictional mapping, so you can show you assessed and disclosed the monitoring before it began.
Because the rules turn on which tools you run and where your people sit, the fastest way to see which of these obligations your AI actually triggers is to run the free AIRA Health Check and let it surface the surveillance and privacy duties attached to how you monitor staff today.