Is It Legal to Access an Employee’s Email Account?

In Australia, an employer can legally access an employee’s work email account. Work email systems are the employer’s property, which means employers have a right to access them, but that right comes with important legal conditions that vary by state and can be challenged if they’re ignored. If you’ve ever sent a personal email from your work account, or you’re an employer who needs to check a staff member’s inbox, the question of whether that access is legal isn’t as simple as “yes, it’s your server.” Most employment disputes in this area come down to one thing: whether the employer followed the right process before monitoring began.
Fast facts
  • Employers can access work email, but only if they’ve given proper notice. Without a written surveillance policy and appropriate notice to staff, any evidence gathered may be inadmissible and could expose the employer to an unfair dismissal claim.
  • NSW and the ACT have the strictest rules: 14 days’ written notice is required. Other states rely on good policy practice rather than mandatory notice periods, but employers everywhere should have a documented IT or surveillance policy.
  • The Privacy Act’s employee records exemption reduces risk, but doesn’t remove it. The exemption covers employment-related handling of emails, but does not extend to contractors, and does not cover personal emails that sit outside the scope of employment.
  • BYOD creates a grey zone employers consistently underestimate. A monitoring clause that says “all devices” rather than “company-managed accounts on personal devices” is drafted too broadly and can expose the employer to privacy complaints.
  • The right to disconnect (in force since August 2024 for large employers) intersects with monitoring. Acting on surveillance data gathered outside working hours may breach an employee’s right to refuse after-hours contact under the Fair Work Act 2009.

Is It Legal to Monitor Employee Emails in Australia?

Yes. Work email accounts are the employer’s property, which means employers generally have the right to access them. But “the server is mine” is not a complete defence. Australian law sets conditions (across multiple pieces of legislation) on how and when that access can happen. The short version: access is lawful when it’s for a legitimate business purpose, supported by a clear written policy, and employees have been given proper notice. Skip any of those three, and you move from lawful access into potential surveillance breaches, unfair dismissal exposure, and evidence that a Fair Work Commission member may refuse to consider. For most businesses, the fix is straightforward: an IT Policy that clearly sets out monitoring rights, and an Employment Agreement that references it. Employees who’ve been told monitoring may occur, and who have signed to confirm they understand, give employers the clearest legal footing.


What Does Australian Law Say About Employer Access to Employee Emails?

There is no single national law governing workplace email monitoring in Australia. Instead, several laws operate together, and the rules that apply to you depend on which state your employees are based in.

New South Wales: the Workplace Surveillance Act 2005

NSW has the most detailed rules. Under the Workplace Surveillance Act 2005 (NSW), employers must give employees written notice at least 14 days before computer surveillance begins. That notice must cover what kind of surveillance will occur, when it will start, and whether it is ongoing or for a defined period. Computer surveillance under this Act explicitly includes monitoring the sending and receipt of emails. So if you’re an NSW employer who has accessed an employee’s inbox without this notice being in place, any evidence you gathered may be legally compromised, and an employee who is dismissed based on that evidence has a credible argument to take to the Fair Work Commission.

ACT: the Workplace Privacy Act 2011

The ACT has similar notice and policy requirements. Employers must have a documented policy that employees can access, and covert surveillance is tightly restricted. The notice period requirements mirror NSW in substance.

Victoria and other states: policy-based compliance

Victoria, Queensland, Western Australia, South Australia, Tasmania, and the Northern Territory don’t have dedicated workplace computer surveillance legislation for the private sector. In these states, email monitoring is managed through the terms of employment contracts, IT policies, and broader privacy and surveillance device laws. That doesn’t mean employers in these states can monitor emails without telling anyone. It means the legal mechanism is different. An employer without a clearly communicated monitoring policy is still exposed, just via a different set of obligations. The Fair Work Ombudsman’s best practice guide on workplace privacy recommends that all employers, regardless of state, maintain clear IT policies and communicate them during onboarding.

The Privacy Act 1988 (Cth): the employee records exemption

At the federal level, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) cover how personal information is handled. For most businesses with annual turnover above $3 million, accessing an employee’s email may involve collecting or using personal information. There’s a nuance many employers don’t know about: the employee records exemption. In broad terms, the Privacy Act doesn’t apply to an employer’s handling of employee records when that handling is directly related to the employment relationship. This reduces Privacy Act risk for things like HR investigations or management of misconduct. But it’s not a free pass. The Office of the Australian Information Commissioner (OAIC) has flagged that not all emails in an employee’s work inbox are automatically “employee records.” An employee’s personal banking emails forwarded to their work address, for example, probably aren’t. The exemption also does not cover contractors. If you’re accessing a contractor’s email, the Privacy Act’s full framework applies. If you’re unsure which category your situation falls into, talking to an employment lawyer is the fastest way to find out.

State-by-state summary

| State / Territory | Key law | Written notice required? |
| --- | --- | --- |
| NSW | Workplace Surveillance Act 2005 | Yes: 14 days minimum |
| ACT | Workplace Privacy Act 2011 | Yes: notice and policy required |
| VIC, QLD, WA, SA, TAS, NT | Privacy Act + employment law principles | No mandatory period, but policy and communication strongly recommended |

What About the Right to Disconnect?

Australia’s right to disconnect came into effect for non-small business employers in August 2024, and extended to small businesses (fewer than 15 employees) from August 2025. Under section 333M of the Fair Work Act 2009 (Cth), employees have the right to refuse to monitor, read, or respond to employer contact outside of working hours, unless that refusal is unreasonable. This intersects with email monitoring in a way most employers haven’t considered. If you’re monitoring emails around the clock and then taking action (disciplinary or otherwise) based on what an employee sent or didn’t respond to outside their rostered hours, you may be walking into a right to disconnect breach. Access to the inbox is one question. What you do with what you find there is another.

What We See in Lawpath Consultations

Lawpath lawyers regularly work with employers who have drafted monitoring clauses, issued IT policies, and still ended up in disputes. Three patterns come up repeatedly.

The BYOD clause that’s too broad

The most common mistake is a BYOD (bring your own device) clause that says the employer may monitor “all devices used to conduct company business.” An employee reads that as “they can see everything on my personal phone.” It’s technically defensible, but in practice it creates significant unease and is frequently challenged. Lawpath advisors consistently recommend narrowing the language: state that monitoring applies to company-managed accounts and platforms accessed on personal devices (for example, the company email app, CRM, or Office suite), not the personal device itself. That one change resolves most of the pushback.

The policy that never gets updated

Employers often treat the IT policy as a one-off document. They issue it during onboarding, file the signed copy, and move on. The problem is that surveillance technology evolves. If you introduce new monitoring software (screen capture tools, keystroke logging, AI-assisted email review) and haven’t updated the policy or notified employees, any evidence gathered through those new tools is on shaky ground, even in states where no mandatory notice period applies. A policy review every six to twelve months is a reasonable cadence. If you introduce a new tool, update and reissue the policy before you start using it.

Accessing a former employee’s inbox post-termination

There’s no blanket prohibition on accessing a former employee’s email. Business continuity is a legitimate reason, but access should be time-limited, scoped to work-related emails only, and covered by your existing policy. Accessing a former employee’s inbox to look for personal communications useful in a dispute is a different matter. That involves Privacy Act risk the employee records exemption won’t resolve. Get legal advice before going down that path.

How to Set Up a Lawful Email Monitoring Policy

The mechanics are straightforward. The documents you need are an IT Policy and, ideally, an Employment Agreement that references it. Here’s what the policy should cover:
  • A clear statement that work email accounts and systems are the employer’s property and may be monitored
  • What types of monitoring may occur (email content, internet usage, access logs)
  • The purpose of monitoring (misconduct investigations, security, business continuity)
  • Whether personal use of work email is permitted, and if so, how that affects privacy
  • Who has access to monitored data and under what circumstances
  • How long data may be retained
  • For BYOD environments: a precise scope clause (company-managed accounts and platforms only, not the entire device)
  • The consequences of misuse
For NSW and ACT employers, the policy must be issued with at least 14 days’ notice before monitoring begins, or before onboarding, if new employees are being hired into a workplace where monitoring is already in place. In other states, issue it at the point of onboarding and get a signed acknowledgement. That acknowledgement, stored in the employee’s file, is the evidence you need if the matter is ever disputed. These rules apply regardless of which email platform your business uses. Microsoft 365 (Outlook), Google Workspace, and any other system are all subject to the same legal framework. The platform doesn’t change the obligation. The policy does. You can get started with Lawpath’s IT Policy template or the Surveillance Policy template, both customisable for your business. For more complex situations (BYOD, remote workers across multiple states, or a past access dispute), an employment lawyer can review what you have and advise on any gaps.

Frequently Asked Questions

Can my employer read my personal emails on my work account?

Generally yes, if a proper monitoring policy is in place. Work email accounts belong to the employer. However, personal emails on a work account that have no connection to employment (such as banking correspondence sent to your work address) may fall outside the employee records exemption under the Privacy Act, which gives those emails a degree of additional protection in Privacy Act-covered organisations. The safest approach: keep personal correspondence on your personal account.

Can an employer monitor emails without telling employees in Australia?

In NSW and the ACT, no: written notice of at least 14 days is legally required before computer surveillance begins. In other Australian states, covert monitoring is not prohibited by specific legislation, but any evidence gathered without a clear, communicated policy may be challenged in an unfair dismissal proceeding or privacy complaint. Covert surveillance is high risk everywhere.

What happens if an employer accesses emails without proper notice?

In NSW and the ACT, surveillance without required notice breaches the relevant Act. Evidence gathered that way may be inadmissible. If an employee is dismissed based on that evidence, the Fair Work Commission may find the dismissal procedurally unfair. In other states, the risk is via unfair dismissal or general protections claims rather than a specific surveillance breach.

Can an employer access a former employee’s email account?

Yes, for business continuity purposes: redirecting incoming client emails, archiving work records, or securing confidential information are all legitimate reasons. The access should be time-limited, documented, and limited to work-related emails. Trawling a former employee’s inbox for personal communications in connection with a dispute raises separate Privacy Act concerns and should be done only with legal advice.

Does the Privacy Act stop employers from accessing work emails?

Not directly. The Privacy Act’s employee records exemption means employers handling employee emails for employment-related purposes are generally exempt from the Australian Privacy Principles. But the exemption has limits: it doesn’t cover contractors, doesn’t cover emails unrelated to the employment relationship, and doesn’t remove obligations in states with specific surveillance legislation.

Are work emails private in Australia?

No. Work email accounts belong to the employer, not the employee. Once an employee has been notified that monitoring may occur, any reasonable expectation of privacy in a work inbox is significantly reduced. This applies whether you’re using a named address or a generic one. The practical takeaway: if you wouldn’t want your manager to read it, don’t send it from your work account.

Can my boss see my emails in Outlook?

Yes, if the right policy and notice are in place. Microsoft 365 gives administrators access to mailbox content, and employers with a compliant IT or surveillance policy can use that access lawfully. The platform doesn’t change the legal position. What matters is whether employees have been told monitoring may occur and whether it’s for a legitimate business reason.

Does the right to disconnect affect email monitoring?

Potentially, yes. The right to disconnect under the Fair Work Act 2009 gives employees the right to refuse to read or respond to work contact outside hours. If an employer uses monitoring data, including emails sent or not sent outside rostered hours, to discipline an employee, this may constitute action on the basis of the employee exercising a protected right. Legal advice is worth getting before using out-of-hours monitoring data in a disciplinary context.

You’re not alone in finding this complicated. The rules genuinely vary by state, and the interaction with newer laws like the right to disconnect is something even experienced HR managers are still working through. The practical answer is that a clear IT policy, communicated at onboarding and updated when your monitoring practices change, covers most situations. If you need a policy that holds up to scrutiny, customise Lawpath’s IT Policy for your business, free to get started. For BYOD environments, multi-state workforces, or past access disputes, speak with a Lawpath employment lawyer.
