Fingerprint scanning: Privacy obligations when collecting employee biometric data
May 29, 2019
Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946
Earlier this month, the Full Bench of the Fair Work Commission (FWC) found that an employee’s refusal to provide his biometric data and use his employer’s new fingerprint scanning technology did not constitute a valid reason for dismissal. In light of the decision, employers seeking to compel employees to provide biometric data need to ensure their policies and procedures comply with their obligations under the Privacy Act 1988 (Cth) (Privacy Act).
In November 2018, the FWC upheld the dismissal of Jeremy Lee by Queensland sawmill operator, Superior Wood Pty Ltd (Superior Wood). Mr Lee had refused to comply with the new workplace attendance policy requiring fingerprint scanning because of his concerns about the collection and storage of his personal information.
Commissioner Hunt held Mr Lee’s dismissal was not unfair in that he refused to follow a lawful and reasonable workplace policy: specifically, to use the fingerprint scanners in accordance with the Site Attendance Policy. Commissioner Hunt held that it was ‘reasonably necessary’ for the business to introduce the new system – which improved safety and payroll integrity – and the Site Attendance Policy itself was not unlawful. However, the manner in which the employer went about trying to obtain consent to the collection of private and sensitive information may have constituted a breach of the Privacy Act.
On Appeal to the Full Bench of the FWC, the first instance decision was quashed, with the Full Bench finding that Mr Lee was dismissed ‘for a reason that was not valid and in contravention of its obligations under the Privacy Act’. The dismissal was therefore unjust.
The Full Bench found that Superior Wood had an obligation to comply with the Privacy Act and could not rely upon the employee record exemption, as this would only apply once the employees’ personal information was collected. As such, up until the point of collection of the data, Superior Wood had an obligation to apply with the Australian Privacy Principles (APP) including:
- APP entities must have a clearly expressed and up to date policy about the management of personal information by the APP entity (APP 1)
- APP entities must not collect sensitive information (including biometric information) without the individual’s consent (APP 3)
- APP entities must notify the individuals of specified matters in relation to the intended collection of the personal information, such as the purpose of the collection, and whether the APP entity is likely to disclose the personal information to overseas recipients (APP 5).
Lessons for employers
- Adequate notice needs to be provided to employees in advance of the intended collection of their biometric data, and employers need to seek genuine, informed, voluntary consent from their employees
- Employers need to take seriously any employee concerns about what data is being collected, where their data will be held, what security measures are in place to protect and manage their data, and what will happen to their data when they leave their employment
- In light of the Full Bench’s decision, employers need to have a contingency plan in place if an employee exercises their right not to consent to the collection of their data.
Further information / assistance regarding the issues raised in this article is available from the author, Alison Freeman, Lawyer or your usual contact at Moray & Agnew.
May 29, 2019
Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946 Earlier this month, the Full Bench of the Fair Work Commission…Continue reading
April 3, 2018
CSL Limited T/A CSL Behring v Chris Papaioannou  FWCFB 1005 A recent decision of the Full Bench of the Fair…Continue reading
Dentist loses Federal Court matter alleging adverse action and breach of contract against health fund
September 11, 2017
Avenia v Railway & Transport Health Fund Ltd  FCA 859 Background On 27 September 2016, Dr Avenia was employed, initially…Continue reading