The full bench gives the ‘thumbs down’ to employer’s collection of biometric templates to clock on to work
Employers still need consent to collect ‘sensitive information’ from their employees.
While the use of biometric templates, such as using your fingerprint to sign-in to your smartphone, is increasingly common, a recent Full Bench decision from the Fair Work Commission (FWC) in Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946 (the Decision) makes clear that employers still need consent to collect ‘sensitive information’ from their employees – and that such consent must be truly voluntary. Our Privacy and Employment specialists team up to give you a rundown of the decision and the impact on businesses.
Key lessons - What does the decision mean for businesses?
Businesses should exercise great care and diligence to comply with their privacy obligations when collecting biometric templates and other kinds of sensitive information from their employees.
There are three key lessons from the Decision that relate to a business’ privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs):
- Consent required to collect sensitive information under APP 3 must be truly voluntary. Employers may not be able to require an employee to ‘consent’ to the collection of sensitive information by threatening disciplinary action or termination of their employment.
- Collection of sensitive information under APP 3 must be ‘reasonably necessary’. Improved efficiency or administrative convenience may not satisfy the threshold required for an entity to lawfully collect sensitive information.
- The employee records exception only applies to the collection of records in question. The FWC has found that the employee records exception in the Privacy Act does not apply to the actual collection of personal information, only to acts in connection with that information after it has been collected.
Jeremy Lee, an employee of Superior Wood, refused to use the fingerprint scanners to sign in and out of work due to privacy and security concerns about his biometric information. Superior Wood had numerous discussions with Mr Lee attempting to allay his concerns, but was unsuccessful in doing so. After issuing Mr Lee with a direction to comply with its Site Attendance Policy and issuing several warnings for refusing to do so, Superior Wood dismissed Mr Lee in February 2018.
Mr Lee made an unfair dismissal claim. He lost at first instance, but won on appeal for the reasons explained below.
The importance of voluntary consent
The fingerprint scanners used by Superior Wood collected a biometric template (a digital representation) of fingerprints. Biometric templates are considered ‘sensitive information’ under the Privacy Act. APP 3 states that an entity cannot collect an individual’s sensitive information without their consent.
‘Reasonably necessary’ – a higher threshold then previously thought?
In addition to the requirement of consent, the collection of sensitive information is only authorised under APP 3 if it is reasonably necessary for one or more of the entity’s functions or activities.
Superior Wood argued that the fingerprint scanners were introduced to consolidate payroll functions and remove the paper-based payroll system. It also argued that fingerprint scanners improved safety by providing the ability to quickly and conveniently access attendance records on their phones in the event of an emergency and account for employees.
The FWC ruled that, while the fingerprint scanners provided ‘administrative convenience’, this was not enough. There was no compelling evidence that the introduction of fingerprint scanners was reasonably necessary. There was evidence that Superior Wood continued to use physical sign in and sign out sheets to register attendance at work sites and that it had not considered using alternatives that were available to it, such as swipe cards. There was no evidence that Mr Lee posed a risk for inaccurate time recording or fraud, and there was no evidence that it was exceedingly burdensome for Superior Wood to provide an alternative method by which Mr Lee could sign in or out.
Superior Wood therefore breached APP 3.
Employee records exception does not apply to records that do not exist
The Privacy Act provides an exemption for acts or practices which are directly related to an employee record held by an organisation that directly relates to the current or former employment relationship between the individual and the entity.
The FWC ruled that biometric templates would fall under the exception, and that their use would not be regulated by the Privacy Act after they had been collected.
However, the FWC also found that the exception only applied to records actually held, and that therefore, employers are required to comply with the Privacy Act up until the point of collection. The obligations under APP 3 apply prior to the collection of sensitive information, and so Superior Wood was required to comply with the obligations imposed by it.
It is important to note that this Decision was heard in the FWC and related to whether Superior Wood’s dismissal of Mr Lee was harsh, unjust or unreasonable within the meaning of the Fair Work Act 2009, and did not make any finding about a breach of the Privacy Act. The interpretations it offers on the Privacy Act are helpful, but are not binding on the Office of the Australian Information Commissioner (OAIC) or on the courts. Importantly, the FWC has no power to enforce the Privacy Act.
However, this decision is relevant to all employers and how they approach collecting sensitive information from employees. Employers will need to ensure that if they wish to obtain employee consent to the provision of sensitive information that they:
- ensure they have proper privacy systems and protections in place so employee concerns about the security of their information are minimised
- consider whether the information is reasonably necessary for the purpose for which it is collected and that there are no alternative measures which would adequately address the issue, without the need to collect the relevant information.
The decision also highlights increasing complexities surrounding privacy, the collection of sensitive information and obtaining consent as well as the adverse impacts on employers that do not comply with their privacy obligations.
Maddocks has unique experience advising clients on the use of biometric solutions from biometric fingerprint scanners in the workplace to the use of ground-breaking ‘couch to gate’ facial recognition technology at Sydney Airport.
ACCC updates advertising and selling guide
By Laura Cantillon
The ACCC has updated its guidance to Australian businesses on what is required to ensure compliance with the ACL
Managing climate change-related risks in the financial system
By Patrick Ibbotson & Jessica Dorricott
Risks posed by climate change to the stability of the US financial system.
Franchisors, it’s time to update your disclosure documents
Key considerations when updating the franchising disclosure documents as per the Franchising Code of Conduct (Code).
GDPR decision slaps down Privacy Shield and imposes strict conditions on Standard Contractual Clause
Impacts for Australian entities who are either directly subject to the GDPR or receiving personal data from the EEA.