HRBC Forum Summary

Artificial Intelligence, Scans, Spams and More: Why Good Workplace IT Policies Are Important.

In June’s HR Breakfast Club Forum, BAL Lawyer, Dogu Yesildag of the Employment Law & Investigations Team, discussed the importance of getting workplace information technology (IT) policies right as this can have practical and legal ramifications for employees and employers.

At the Forum, Dogu shared his insights into:

  • What workplace policies and IT policies are, and why they are important.
  • What issues workplace IT policies should cover.
  • How the increasing prevalence of artificial intelligence, scams and spams affect workplace IT policies.

What are workplace policies?

Dogu discussed how workplace policies can be utilised as resources for employees to clearly understand the expectations of their employer and their processes to deal with any issues. Workplace policies can be implemented fast and changed efficiently to suit an employer’s needs or reflect changes in society and in the law. If an issue rises, having clear and widely published policies in place can provide mechanisms to address it and mitigate an employer’s exposure to claims of vicarious liability.

Dogu emphasised that workplace policies may be necessary or required under certain circumstances.

For example, under the recent legislative reforms in the Sex Discrimination Act 1984 (Cth), employers now have a positive legal duty to take reasonable and proportionate measures to eliminate certain conduct (section 47C). This includes sex-based discrimination, sexual harassment, sex-based harassment or a sex hostile workplace. Under section 527D of the Fair Work Act 2009 (Cth), employers may be vicariously liable for an employee’s misconduct in relation to sexual harassment unless they took all reasonable steps to prevent the employee from engaging in that misconduct. Taking reasonable steps to prevent or eliminate such misconduct can include having robust workplace policies on these topics.

Another example given by Dogu was the requirement for employees to comply with workplace policies under Work Health and Safety Act 2011 (ACT).

Legal significance of workplace policies

  • Policies can form part of the contract.

Dogu reviewed some caselaw relating to policies, specifically on the question of whether policies form part of the contract. Dogu discussed the cases of Romero v Farstad Shipping (Indian Pacific) Pty Ltd [2014] FCAFC 177 and Goldman Sachs JBWere Services Pty Ltd v Nikolich [2007] FCAFC 120.

Dogu alerted employers to the implications of the language used in workplace policies. For example, promissory language has different legal consequences to explanatory language. In the context of workplace policies, this could have significant implications about their contractual enforceability against employers.

IT policies

  • Why are IT policies useful?

Dogu highlighted the importance of good workplace IT policies. In today’s technological environment, where data can be shared and stored with a single click of a button, IT policies can help employers safeguard their technological and confidential information.

Dogu discussed how IT policies can be an effective tool to prevent employees from clicking on risky websites, protect your workplace from spam and phishing, ensure proper use of hardware, software and intellectual property and monitor employee activity.

  • Policies must be clear and accessible.

Dogu reminded employers that IT policies must be clear and accessible, reasonable, avoid unnecessary legalese and they must be consistently applied, as with other workplace policies. This is especially important where they end up being relied upon to dismiss an employee, as was the case in Eptesam Al Bankani v Western Sydney Migrant Resource Centre Ltd [2023] FWC 557.

Ms Eptesam was unaware that her conduct breached WSMRC’s policy and amounted to ‘serious misconduct’. The Fair Work Commission found that her dismissal was harsh, unjust and unreasonable because the policies were too complex and difficult to understand, amongst other things.

  • Workplace Surveillance

Dogu revisited the obligation of an employer to provide notice to their employees if they are under surveillance under section 13 of the Workplace Privacy Act 2011 (ACT), including data surveillance.

Dogu drew close attention to section 13(4) and (5).

(note additionally, section 16 of the same act with regards to data surveillance, which provides information on what the policy should include about surveillance.)

13 Notice of surveillance required:

(4) The notice must state—

(a) the kind of surveillance device to be used for the surveillance; and

(b) how the surveillance will be conducted; and

(c) who will regularly or ordinarily be the subject of the surveillance; and

(d) when the surveillance will start; and

(e) whether the surveillance will be continuous or intermittent; and

(f) whether the surveillance will be for a stated period or ongoing; and

(g) the purpose for which the employer may use and disclose surveillance records of the surveillance; and

(h) that the worker may consult with the employer about the conduct of the surveillance under section 14.

 (5) A notice may be in the form of a policy of the employer or otherwise.

16 Additional requirements for data surveillance devices

(1) An employer may only conduct surveillance of a worker using a data surveillance device if—

(a) the surveillance is conducted in accordance with a policy of the employer on surveillance of workers in the workplace using data surveillance devices; and

(b) the employer has notified the worker, before conducting the surveillance, of the policy in a way that it is reasonable to assume that the worker is aware of and understands the policy.

(2) For subsection (1) (a), the policy must state—

(a) how the employer’s computer resources may, and must not, be used; and

(b) what information about the use of the employer’s computer resources is logged and who may access the logged information and;

(c) how the employer may monitor and audit a worker’s compliance with the policy.

  • Scams and spams

Dogu also addressed the increasing prevalence of spams and scams targeting businesses. They are increasingly sophisticated and inconspicuous. Having a robust and widely accessible IT policy in place can ensure employees are aware of how to detect scams and spams and protect the business.

  • Artificial intelligence

Finally, Dogu addressed the topical issue of artificial intelligence, such as ChatGPT. Dogu discussed how employers should consider if their current IT policies address risks associated with the use of artificial intelligence, specifically about how companies may harvest confidential information that is input into the chatbot programs.

Closing Remarks

To conclude, Dogu emphasised the importance of good workplace policies in setting employment expectations, preventing issues and mitigating the liability of the employer.

To register for future HR Breakfast Club forums, visit our monthly forum page and register to attend.If you have any questions or wish to discuss your circumstances with a lawyer, please contact the BAL Lawyers Employment Law & Investigations team on 02 6274 0999.


Join our mailing list

Get in touch