A closer look at biometric data in the workplace
A recent decision of the Fair Work Commission (FWC) has provided some insight into the collection and use of sensitive information in the workplace.
In the case of Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946, the FWC found that it was unfair for an employer to dismiss an employee for refusing to use a system which collected their biometric fingerprint.
Background Facts
Jeremy Lee Wood was dismissed from his job at a timber manufacturing company in Queensland after refusing to use a sign-in/sign-off fingerprint scanner. Superior Wood, Lee’s employer, introduced the fingerprint scanner to improve workplace safety but failed to inform Lee of where and to whom his sensitive information would be disclosed. Initially, the FWC found that Lee’s resistance to the scanners amounted to a failure to follow a workplace policy and therefore created a valid ground for termination.
This was overturned on appeal, however, when the full bench of the FWC considered the lawfulness of the direction to provide consent rather than the collection of the information itself.
Outcome
Though Lee contended that his dismissal was harsh and unreasonable because he had a right to protect the ownership of his biometric data, this was not why the Commission found in his favour. In consideration of Australian Privacy Principle 3, the FWC found that it was unlawful for the employer to solicit consent for the collection. The direction was unlawful because the employer had no Privacy Policy in place or collection notice issued that would allow the employee to give informed consent. Moreover, the direction was made with the threat of dismissal looming over the employee. In upholding the appeal, the FWC noted that:
“A necessary counterpart to a right to consent to a thing is a right to refuse it”.
Perhaps the most interesting finding of the case was the FWC’s interpretation of “employee records”, an exemption the employer sought to rely on in the appeal. The Commission held that information, such as fingerprint data, will only become an “employee record” after it is in the possession or control of the employer. Records yet to be generated do not form part of the employee record exemption. This interpretation leaves open a suggestion that the employer would have discharged their privacy obligations under the Act. if they had already been in possession of Mr Lee’s biometric data.
What does this mean for employment relations?
This case threw into doubt the scope of the employee records exemption in the Privacy Act. It demonstrates the entitlement of employees to protect their personal information and refuse consent of collection by their employer. Where technology is involved, refusal to follow a direction from an employer may not necessarily give rise to a right to terminate. Employers should make sure they always have an up to date privacy policy in place. When seeking to collect the sensitive information of employees for the purposes of a safety procedure or employee records, it is vital that a valid collection notice is issued.
If you require more information on collecting personal information from employees, or the policies you are required to have in place, please contact our team for more information.