The Full Bench of the Fair Work Commission’s decision in Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 highlights the increasing tension between technology and privacy in the workplace.
Facts
Mr Jeremy Lee was employed as a general hand by Superior Wood who operate sawmills in Queensland.
In October 2017, Superior Wood introduced a new policy which directed employees to register their fingerprints and use fingerprint scanners to register their attendance at work.
Mr Lee refused to comply with the policy, claiming ownership of the biometric data contained in his fingerprint and citing concerns over the inadvertent release of this information to a third party.
Despite assurances from the scanner supplier that the data collected could only be used to link a payroll ID with a time stamp, Mr Lee refused to supply his fingerprint and continued to oppose the policy. After several meetings between parties, Mr Lee’s employment was terminated on 12 February 2018.
Mr Lee brought an unfair dismissal application in the Fair Work Commission (FWC).
The Decision
In considering Mr Lee’s claim, the FWC accepted that the policy was reasonable; it provided a clear way to ascertain employee attendance on site, particularly in the event of an emergency, and operated to improve the integrity and efficiency of payroll.
The FWC decided that Mr Lee’s refusal to comply with his employer’s reasonable request meant that his dismissal was not harsh, unjust or unreasonable. Mr Lee subsequently appealed.
The Appeal
The Full Bench was asked to consider whether the direction to comply with the Policy was a lawful direction with regard to the Privacy Act 1988 (Cth) (Act).
The FWC found that the biometric data collected by the scanners was personal information under the Act and further, fell within the more limited meaning of sensitive information under the Act. This meant that Superior Wood was required to comply with the Australian Privacy Principles (APP) which governs the collection of solicited personal information. APP 3.3 requires, in respect of sensitive information, that an entity obtain the consent of the individual and that the information is reasonably necessary for one or more of its functions.
Notably, the FWC held that APP 3.3 applies to both the solicitation and collection of sensitive information. This ultimately meant that the direction to Lee to provide his fingerprint was wholly inconsistent with the notion of consent required by APP 3.3. Additionally, any consent he may have provided would have been defective owing to the threat of discipline or dismissal. Therefore, the direction was not lawful and there was no valid reason for Lee’s dismissal.
Superior Wood attempted to rely on the employee records exemption under the Act to argue that it was exempt from complying with the APP. However, the FWC considered that the plain meaning of the statute indicates that the exemption only applies to records under the entity’s present possession or control. Therefore, the APP applied to Superior Wood up to the point of collection, and it was only once the sensitive information was obtained that the exemption applied.
Key takeaways for employers
It is increasingly common to find systems that use an employee’s data to control worksite access, or for payroll and time keeping purposes. The decision in Lee raises important considerations about collection of sensitive information, consent and the need for compliance with the APP in relation to employees.
Employers who use, or are looking to introduce, fingerprint scanners in their workplace should ensure their policies, contracts and practices are reviewed in light of the decision in Lee.
More generally, all employers covered by the Act should ensure that they have a privacy policy that deals with consumers, as well as employees, and that they are aware of the obligations that arise when dealing with personal information under the Act. For example:
- Inform employees that personal information is being collected
- Provide employees with information about other entities that may have access to the personal information (for example external IT companies)
- Provide a privacy collection notice
- Provide information in relation to privacy complaints
- Discuss employer obligations in handling sensitive information
- Obtain consent without threat of consequence when seeking sensitive information
- Explain how employees can access their personal information
Please note: the Privacy Act 1988 does not apply to all businesses, and other State-based privacy legislation may apply to your business in particular.
If you require assistance understanding how this decision may affect your business, or if you would like advice on privacy legislation as is applies to employees in your workplace, please contact the Russell Kennedy Workplace Relations, Employment and Safety, team.
If you would like to stay up to date with Russell Kennedy's insights, please sign up here.