Workplace surveillance under Microsoft 365 — when does monitoring cross the line?

Audit logs, Microsoft Defender alerts, sign-in monitoring, Teams call recording, Copilot interaction logs — Microsoft 365 has dozens of monitoring features on or available by default. Here's what Australian workplace surveillance law actually requires you to disclose first, and how to configure M365 so you stay on the right side of it.

Senior Workplace Relations Writer · GradDip Employment Relations, Griffith University

What Microsoft 365 sees by default

A modern Microsoft 365 tenant collects a vast amount of monitoring data by default — and almost everything else is one toggle away. Within the standard E3 or Business Premium plan you get sign-in logs (who logged in, from where, on what device), unified audit logs (every file accessed, shared, deleted across SharePoint + OneDrive + Exchange + Teams), Microsoft Defender alerts (risky sign-ins, malware, suspicious activity), Teams call detail records, message retention + eDiscovery for chats, and Copilot interaction logs (every prompt + response per user).

None of that is hidden. It's designed to help administrators run a secure environment. But to most employees it would look like comprehensive surveillance. And under Australian workplace surveillance law in several states, comprehensive surveillance without notice and a policy is unlawful.

The legal framework — by state

Australia doesn't have one national workplace surveillance law. It's a state-by-state patchwork sitting on top of the federal Privacy Act 1988.

NSW. The Workplace Surveillance Act 2005 (NSW) requires written notice to employees at least 14 days before camera, computer or tracking surveillance starts. Notice must be specific (what is monitored, how, when, by whom). Covert surveillance generally requires a Magistrate's authority.

ACT. Workplace Privacy Act 2011 (ACT) — similar 14-day written-notice requirement plus a written surveillance policy.

Victoria. The Surveillance Devices Act 1999 (Vic) restricts use of listening, optical, tracking and data surveillance devices generally. There are workplace exceptions but the bar is notice + a legitimate purpose. Victoria's 2026 right-to-work-from-home law adds further notice + reasonable-business-grounds tests when employers monitor remote workers.

Other states. Most rely on a mix of the federal Privacy Act 1988 (employee records exemption complicates this), the Telecommunications (Interception and Access) Act 1979 (covers email interception), and common-law privacy/contract claims.

Across all states, the federal Fair Work Act's general protections (adverse action because someone exercised a workplace right) can capture surveillance that targets a particular employee for exercising a right (e.g. raising a safety complaint).

Which M365 monitoring features trigger which laws

Sign-in + audit logs. Generally counted as "computer surveillance" under NSW + ACT — written notice + policy required. In other states usually permissible with notice in your acceptable-use policy.

Microsoft Defender alerts (risky sign-ins, malware, account compromise). Almost always defensible as legitimate cyber-security activity — but the policy still needs to disclose that this monitoring exists.

Teams call recording (manual or automatic). If a call is recorded without all parties consenting, you may be capturing a private conversation under state surveillance legislation. Recording a Teams meeting without notification can also breach the Privacy Act if a participant's voice + likeness are personal information.

Teams chat retention + eDiscovery. Retention is generally fine if disclosed in your policy. Reading individual chats requires a workplace-investigation justification + (in NSW + ACT) the surveillance policy already in place.

Copilot interaction logs. Newer territory. Every Copilot prompt the user types + every Copilot response is logged + retained for the admin. We treat this like keyboard surveillance — disclose it in the policy.

BYOD device monitoring (Intune MDM). If employees use personal devices, MDM gives admins visibility into apps, location (sometimes), and compliance status. Personal-device monitoring without explicit informed consent can breach NSW + ACT surveillance acts AND open you up to general protections claims.

How to set M365 monitoring up the right way

  1. Write a workplace surveillance policy. Plain English, lists every monitoring feature in use (or available), why, who can see the data, how long it's retained. NSW + ACT require this; everyone else benefits from it.
  2. Give 14+ days' written notice before new monitoring starts. Email is fine. Keep a record.
  3. Disclose Copilot interaction logging explicitly if Copilot is rolled out. Most existing policies pre-date Copilot.
  4. Restrict access to monitoring data internally. The IT team running M365 should not have unrestricted access to HR investigations. Use Microsoft Purview role-based access + customer lockbox where available.
  5. Avoid covert surveillance. Almost always unlawful in NSW + ACT without a Magistrate's authority and very hard to justify elsewhere.
  6. Have a clear off-boarding process. When an employee leaves, suspend their account, preserve their data for the legal retention period, then delete on schedule. The Privacy Act doesn't want you holding personal data forever.

What workers can do if they think monitoring has crossed the line

If you're an employee in NSW or ACT and you weren't given 14 days' written notice + a surveillance policy before computer monitoring started, that's a potential breach of the state surveillance act. Raise it internally first; if not addressed, the relevant state regulator (Privacy Commissioner / NSW Industrial Relations) can investigate.

If monitoring appears targeted at you specifically after you raised a workplace right (safety complaint, unfair-dismissal claim, union activity), the Fair Work Act's general protections (s.340 - s.345) may apply. That's a more powerful pathway than the state act because it's federal + the FWC handles it.

FairWork Mate is an independent commercial service. We are not affiliated with, endorsed by, or associated with the Fair Work Ombudsman, the Fair Work Commission, or any Australian Government agency. Content is general information and estimates only — not legal, financial, or tax advice. Always verify with the Fair Work Ombudsman (13 13 94) or a qualified professional.

About Rachel Morrison

Nine years in Australian workplace relations — Queensland hospitality HR, then retail ER in Brisbane and Northern NSW. Graduate Diploma in Employment Relations (Griffith University, 2018). Writes about award interpretation, underpayment recovery, and casual conversion. Member of the AHRI since 2019. Based in Paddington, Brisbane.
