Understanding Privacy Expectations on Corporate Systems

Chris Hatfield
May 5, 2026

Privacy Awareness Week is often framed around protecting individuals from the misuse of personal information, and rightly so. But in corporate environments, privacy risk doesn’t just arise from bad actors or external threats. It often stems from something far more routine: unclear expectations.

This becomes particularly visible when an organisation needs to investigate an issue, such as a data breach or regulatory enquiry. One of the most common sources of tension isn’t what is found, but the realisation that this information was visible at all.

When organisations don’t clearly communicate how corporate systems are monitored and what may be reviewed in an investigation, employees are left to make their own assumptions. By the time an issue escalates, organisations are not just dealing with the matter at hand, but with questions of trust, fairness, and whether expectations were ever properly set.

As this year’s Privacy Awareness Week highlights the need to make smarter choices in an age of increasingly intelligent technology, organisations also have a responsibility to ensure those choices are informed. Ultimately, in an environment shaped by increasing scrutiny and smarter technologies, it’s vital that we actively manage how privacy is understood in our corporate systems before those assumptions are put to the test.

Corporate Devices and Employee Expectations

Corporate-issued devices are not private spaces, even if they are used that way in practice. Laptops, mobile devices, email accounts, and collaboration platforms are provided to support business operations and, as such, are subject to oversight, monitoring, and governance.

When an organisation needs to investigate an issue, whether that’s misconduct, a data breach, a regulatory enquiry or an internal audit, the scope of review is rarely limited to what appears obviously “work-related”. It can extend to any data accessible on the device or platform, including communications, files, browsing activity, system logs, and account access records. Where corporate systems are used to access personal email, social media or other services, traces of that activity may also be visible.

The issue, in most cases, is not access, but expectation. Many employees assume that no one is looking, that personal logins remain private by default, or that IT visibility is limited to system performance rather than content. These assumptions often go unchallenged until an investigation begins, and this is where expectation management becomes a privacy issue in its own right.

At that point, what might seem routine from an organisational perspective can come as a surprise to the individual. Disagreement over what should be visible can quickly turn into disputes over what may be reviewed, adding friction at exactly the moment clarity is needed most.

Bring Your Own Device (BYOD): Where the Boundaries Blur

The privacy conversation becomes more complex when employees access work systems from personal phones, tablets or computers. Even when an organisation uses modern endpoint controls to reduce “cross-pollination” (for example, separating corporate apps and data from the personal side of the device), BYOD rarely creates a clean technical divide in day-to-day behaviour.

In particular, there is often no practical way to stop people generating corporate information directly inside personal apps. Notes, contacts, screenshots, photos, recordings, and “quick messages” are frequently created outside managed corporate apps because it is faster and feels natural. The result is that corporate information can end up in personal backups and personal cloud services, even when corporate email and documents are otherwise well controlled.

This creates a difficult reality for both sides. From the organisation’s perspective, the information may still be relevant to a security incident, misconduct investigation, regulatory response, or litigation hold. From the employee’s perspective, the device is personal, and the idea of an employer (or a forensic examiner) needing access to personal apps, personal photos, or personal backups can feel unexpected or intrusive. If these trade-offs aren’t addressed up front, BYOD programs can become a predictable source of friction at the worst possible time.

If you allow BYOD, policy and communications should be explicit about:

  • What is being managed (whole-device management versus app-level management) and what the organisation can and cannot see
  • Where corporate data is permitted to be created or stored (including whether personal notes/contacts are allowed, and if so, how they should be migrated into corporate systems)
  • Whether corporate controls can remove corporate data only, or could trigger broader device actions (for example, remote wipe scenarios)
  • How corporate data on personal devices will be handled during investigations (including proportionality, minimisation, and separation from personal content)
  • Exit/offboarding expectations (for example, how corporate accounts are removed and how corporate notes/contacts are recovered or transferred)

Setting Clear Policies and Procedures

Clear policies are often viewed as a compliance requirement, but done properly they are not tools of surveillance; they are tools of fairness and transparency. They set the boundaries employees rely on to understand what is, and isn’t, private when using corporate systems.

At a minimum, organisations should ensure their documentation clearly addresses:

  • Ownership of corporate devices, accounts and platforms
  • Monitoring, logging and audit activities carried out for security and compliance
  • The circumstances in which investigations may be conducted
  • The breadth of data that may be reviewed during those investigations
  • How personal information encountered will be handled

This level of clarity matters. It helps employees understand the limits of personal use, rather than relying on assumptions or informal norms. It also allows investigations to proceed more smoothly, without friction caused by unexpected scope or perceived overreach. Guidance from the Fair Work Ombudsman reinforces the importance of having clear, accessible policies that explain what information may be collected and when it may be disclosed.

The Importance of Investigation Readiness

Investigation readiness is often treated as a technical capability, focused on system access, logging and data retention. In practice, it is just as much about how well an organisation has prepared its people for what those capabilities mean.

When expectations around corporate systems aren’t clearly defined, investigations rarely proceed smoothly. Organisations can face delays while the scope of review is challenged, disputes over what is proportionate or appropriate, reduced employee cooperation due to uncertainty or being caught off guard, and increased reputational and employee relations damage.

Organisations that address the investigative realities of corporate systems upfront are in a much stronger position. By clearly communicating how corporate systems operate and what may happen when an issue is investigated, they reduce ambiguity at the point it matters most. Moreover, they demonstrate to their employees that privacy and transparency are taken seriously. This reflects the approach set out by the Office of the Australian Information Commissioner, which delivers privacy through organisational practice rather than just policy statements.

Managing Privacy Expectations On Your Corporate Systems

At its core, the issue isn’t whether organisations can access information on corporate systems, but whether employees understand when, why and how that access may happen. Where expectations are unclear, even routine investigative activity can create friction, misunderstanding and unnecessary risk.

From a forensic and governance perspective, organisations should be able to clearly answer the following:

  • Do our employment contracts and internal policies explicitly address investigative access?
  • Have we clearly explained the limits of privacy on corporate systems?
  • Are “allowed personal use” statements precise, or overly casual?
  • Could we defend our investigation scope as foreseeable and proportionate?
  • Would an employee reasonably be surprised by what an investigator can see?
  • If we permit BYOD, have we addressed corporate information that staff may create in personal apps (notes, contacts, photos) and how that will be handled in security incidents, legal hold, and offboarding?

Privacy, in this context, is closely linked to predictability. It isn’t about restricting access to information, but about ensuring that people understand when access may occur, why it may occur, and how that information will be handled.

As Privacy Awareness Week highlights the need to make smarter choices in an age of increasingly intelligent technology, this is a timely opportunity for us to reflect on how we communicate those choices internally. If expectations aren’t clearly set, they will be filled by assumption.

If you’re looking to strengthen your approach to managing privacy expectations on corporate systems, reach out to the team at Infotrust to book a consultation and review your policies, communication and investigation readiness.