The everyday use of biometric technology in contemporary society is nothing new.

We live in a world where we regularly use fingerprint recognition for home security, facial recognition to open our phones and voice recognition to ask Siri to spice up a party by playing the latest Taylor Swift tune.  Despite the significant advancements and prevalence of biometric technology in everyday society, the legality of the use of biometric fingerprint technology in the workplace has been given a thumbs down in a recent case.

A recent Fair Work Commission Full Bench decision has shed light on the obligations and risks associated with the use of biometric technology by employers.  In the first Full Bench decision considering an employee’s refusal to provide biometric data through fingerprint scanning, it was held in Jeremy Lee v Superior Wood Pty Ltd t/a Superior Wood [2019] FWCFB 2946 (1 May 2019) that directing an employee to provide fingerprint data, in circumstances where the employee did not consent to that collection, was not lawful.

The decision is important for employers to consider as it raises questions around data collection, data policies, the storage of data and whether the refusal to provide sensitive information is a valid reason for dismissal.

Background

In October 2017, Superior Wood Pty Ltd (Superior Wood) announced that it would introduce biometric scanners to record on-site presence at one of its sawmills. Mr Lee objected to the use of the scanners and refused to use them.  He was the only employee of 400 that did so.

Between November 2017 and February 2018, a number of meetings were held between Superior Wood and Mr Lee to discuss his concerns, but he maintained his refusal to use the scanner and proposed that he continue to use the paper sign in process.  He also proposed a swipe card system was more appropriate.

Superior Wood insisted that all employees must use the scanner as it would be impractical to allow one employee to be exempt from an improved safety measure, when all other employees had agreed to do so.  Mr Lee continued to refuse to use the scanners and was ultimately terminated from his employment with Superior Wood on 12 February 2018 on the grounds that he had failed to adhere to Superior Wood’s Attendance Policy.

Mr Lee filed an application for relief from unfair dismissal and asserted that Superior Wood’s direction to adhere to the Attendance Policy was not a lawful and reasonable direction because it contravened a range of Australian Privacy Principles (APPs) and the Privacy Act 1988 (Cth) (Privacy Act).  Superior Wood argued that it had not breached the Privacy Act because the ‘employee records’ exemption under section 7B(3) of the Privacy Act applied.  Section 7B(3) of the Privacy Act provides that “[a]n act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt … if the act or practice is directly related to: (a)  a current or former employment relationship between the employer and the individual; and (b)  an employee record held by the organisation and relating to the individual”.

The Commission found that the employee record exemption does not ameliorate the obligation by Superior Wood to issue to Mr Lee and other employees a privacy collection notice.  Superior Wood was not exempt from complying with the APP in collecting its employee’s sensitive information and it could not have collected Mr Lee’s sensitive information in the circumstances where he did not consent to Superior Wood collecting his sensitive information.

The Commission also raised concerns that neither the provider of the scanners nor Superior Wood had implemented a privacy policy at the time (as it was required by the APPs).  However, despite finding that Superior Wood had contravened the Privacy Act, at first instance the Commission determined that the Attendance Policy itself was lawful.  As a result, the Commission held that Mr Lee failed to follow a lawful and reasonable direction and there was a valid reason for dismissal.

Appeal

Mr Lee lodged an appeal asserting that biometric data is sensitive personal information under the Privacy Act and that Superior Wood was not entitled to require that information from him.

The Full Bench determined that it was not lawful to direct Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection.  Further, the Full Bench confirmed that, if it had been required to determine if the direction to provide fingerprint data was reasonable, it would not have considered the direction to be reasonable.  In accepting Mr Lee’s submissions, the Full Bench made the following considerations:

  1. The employee record exemption under section 7B(3) of the Privacy Act does not extend to records that have not yet been created.
  2. Once biometric information is digitised, it may be very difficult to contain its use by third parties, including for commercial purposes.  There were several separate third party entities that were utilised by Superior Wood to collect and store the data from the scanners.  The Full Bench noted the range of third party entities involved and raised concerns that there was no evidence that any entity had any mechanism in place to protect and manage the information collected by Superior Wood, consistent with its obligations under the Privacy Act.
  3. Mr Lee was entitled to seek to protect his fingerprint data and his concerns were not “devoid of merit”.
  4. Although the Full Bench determined that Superior Wood had affected a procedurally fair dismissal, it was “for a reason that was not valid and in contravention of its obligations under the Privacy Act”.

Accordingly, the Full Bench determined that the dismissal was unjust.

What’s next?

This decision may have significant consequences for employers who are covered by the Privacy Act.  Previously, many organisations assumed that the employee record exemption under the Privacy Act applied to the collection and handling of employee personal records in circumstance where the purpose was directly related to the employment relationship.  However, the Full Bench interpretation severely limits the scope of the exemption.  For this reason, employers should consider the following:

  1. Where consent is required, is a direction lawful and reasonable, such that refusal to comply or give the consent may result in disciplinary action?
  2. Is your process for collecting personal information about your employees compliant with the Privacy Act?

Employers covered by the Privacy Act should ensure that they have a compliant privacy policy.  Also, employers may seek to consider reviewing its employment contracts or on-boarding pack to include a privacy collection statement compliant with the APPs, explaining what information may be collected, how it will be stored and how it will be used.

If you require assistance with the preparation of a privacy policy or advice in relation to your obligations under the Privacy Act, please contact the authors (links above).