The full bench gives the ‘thumbs down’ to employer’s collection of biometric templates to clock on to work
Employers still need consent to collect ‘sensitive information’ from their employees.
While the use of biometric templates, such as using your fingerprint to sign in to your smartphone, is increasingly common, a recent Full Bench decision from the Fair Work Commission (FWC) in Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (the Decision) makes clear that employers still need consent to collect ‘sensitive information’ from their employees – and that such consent must be truly voluntary. Our Privacy and Employment specialists team up to give you a rundown of the decision and the impact on businesses.
Key lessons - What does the decision mean for businesses?
Businesses should exercise great care and diligence to comply with their privacy obligations when collecting biometric templates and other kinds of sensitive information from their employees.
There are three key lessons from the Decision that relate to a business’ privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs):
- Consent required to collect sensitive information under APP 3 must be truly voluntary. Employers may not be able to require an employee to ‘consent’ to the collection of sensitive information by threatening disciplinary action or termination of their employment.
- Collection of sensitive information under APP 3 must be ‘reasonably necessary’. Improved efficiency or administrative convenience may not satisfy the threshold required for an entity to lawfully collect sensitive information.
- The employee records exception only applies to the collection of records in question. The FWC has found that the employee records exception in the Privacy Act does not apply to the actual collection of personal information, only to acts in connection with that information after it has been collected.
While not covered by the Decision, we also recommend that businesses consider conducting a privacy impact assessment (PIA) before introducing new systems and processes for collecting and handling personal and sensitive information. A PIA is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. In this case a PIA may have identified the need for a privacy policy, a privacy collection statement and the maintenance of an alternative sign-on method in the case where workers did not consent to using the new biometric template system.
What happened?
Superior Wood Pty Ltd (Superior Wood) operates two saw mills in Queensland. In October 2017, it introduced fingerprint scanners on its worksites to register the attendance of employees. Employees would need to sign in and out using the fingerprint scanners rather than by manually signing a book previously used for that purpose. Superior Wood included this requirement in its Site Attendance Policy, but did not provide employees with a privacy collection notice. At all material times, Superior Wood did not have a privacy policy.
Jeremy Lee, an employee of Superior Wood, refused to use the fingerprint scanners to sign in and out of work due to privacy and security concerns about his biometric information. Superior Wood had numerous discussions with Mr Lee attempting to allay his concerns, but was unsuccessful in doing so. After issuing Mr Lee with a direction to comply with its Site Attendance Policy and issuing several warnings for refusing to do so, Superior Wood dismissed Mr Lee in February 2018.
Mr Lee made an unfair dismissal claim. He lost at first instance, but won on appeal for the reasons explained below.
The importance of voluntary consent
The fingerprint scanners used by Superior Wood collected a biometric template (a digital representation) of fingerprints. Biometric templates are considered ‘sensitive information’ under the Privacy Act. APP 3 states that an entity cannot collect an individual’s sensitive information without their consent.
The FWC ruled that ‘a necessary counterpart to a right to consent to a thing is a right to refuse it,’ and that any consent given by Mr Lee would have been negated by the threat of disciplinary action and dismissal. Superior Wood’s direction to Mr Lee was ruled unlawful and unreasonable, particularly as the FWC found Mr Lee’s concerns about the security of his personal information were justified in circumstances where Superior Wood did not even have a privacy policy in place.
‘Reasonably necessary’ – a higher threshold than previously thought?
In addition to the requirement of consent, the collection of sensitive information is only authorised under APP 3 if it is reasonably necessary for one or more of the entity’s functions or activities.
Superior Wood argued that the fingerprint scanners were introduced to consolidate payroll functions and remove the paper-based payroll system. It also argued that fingerprint scanners improved safety by providing the ability to quickly and conveniently access attendance records on their phones in the event of an emergency and account for employees.
The FWC ruled that, while the fingerprint scanners provided ‘administrative convenience’, this was not enough. There was no compelling evidence that the introduction of fingerprint scanners was reasonably necessary. There was evidence that Superior Wood continued to use physical sign in and sign out sheets to register attendance at work sites and that it had not considered using alternatives that were available to it, such as swipe cards. There was no evidence that Mr Lee posed a risk for inaccurate time recording or fraud, and there was no evidence that it was exceedingly burdensome for Superior Wood to provide an alternative method by which Mr Lee could sign in or out.
Superior Wood therefore breached APP 3.
Employee records exception does not apply to records that do not exist
The Privacy Act provides an exemption for acts or practices which are directly related to an employee record held by an organisation that directly relates to the current or former employment relationship between the individual and the entity.
The FWC ruled that biometric templates would fall under the exception, and that their use would not be regulated by the Privacy Act after they had been collected.
However, the FWC also found that the exception only applied to records actually held, and that therefore, employers are required to comply with the Privacy Act up until the point of collection. The obligations under APP 3 apply prior to the collection of sensitive information, and so Superior Wood was required to comply with the obligations imposed by it.
Conclusion
It is important to note that this Decision was heard in the FWC and related to whether Superior Wood’s dismissal of Mr Lee was harsh, unjust or unreasonable within the meaning of the Fair Work Act 2009, and did not make any finding about a breach of the Privacy Act. The interpretations it offers on the Privacy Act are helpful, but are not binding on the Office of the Australian Information Commissioner (OAIC) or on the courts. Importantly, the FWC has no power to enforce the Privacy Act.
However, this decision is relevant to all employers and how they approach collecting sensitive information from employees. Employers that wish to obtain employee consent to the provision of sensitive information will need to:
- ensure they have proper privacy systems and protections in place so employee concerns about the security of their information are minimised
- consider whether the information is reasonably necessary for the purpose for which it is collected and that there are no alternative measures which would adequately address the issue, without the need to collect the relevant information.
The decision also highlights increasing complexities surrounding privacy, the collection of sensitive information and obtaining consent as well as the adverse impacts on employers that do not comply with their privacy obligations.
Maddocks has unique experience advising clients on the use of biometric solutions from biometric fingerprint scanners in the workplace to the use of ground-breaking ‘couch to gate’ facial recognition technology at Sydney Airport.