Fingerprint scanning - Privacy obligations when collecting employee biometric data

Earlier this month, the Full Bench of the Fair Work Commission (FWC) found that an employee’s refusal to provide his biometric data and use his employer’s new fingerprint scanning technology did not constitute a valid reason for dismissal. In light of the decision, employers seeking to compel employees to provide biometric data need to ensure their policies and procedures comply with their obligations under the Privacy Act 1988 (Cth) (Privacy Act).

Background

In November 2018, the FWC upheld the dismissal of Jeremy Lee by Queensland sawmill operator, Superior Wood Pty Ltd (Superior Wood). Mr Lee had refused to comply with the new workplace attendance policy requiring fingerprint scanning because of his concerns about the collection and storage of his personal information.

Commissioner Hunt held Mr Lee’s dismissal was not unfair in that he refused to follow a lawful and reasonable workplace policy: specifically, to use the fingerprint scanners in accordance with the Site Attendance Policy. Commissioner Hunt held that it was ‘reasonably necessary’ for the business to introduce the new system – which improved safety and payroll integrity – and the Site Attendance Policy itself was not unlawful. However, the manner in which the employer went about trying to obtain consent to the collection of private and sensitive information may have constituted a breach of the Privacy Act.

Appeal

On Appeal to the Full Bench of the FWC, the first instance decision was quashed, with the Full Bench finding that Mr Lee was dismissed ‘for a reason that was not valid and in contravention of its obligations under the Privacy Act’. The dismissal was therefore unjust.

The Full Bench found that Superior Wood had an obligation to comply with the Privacy Act and could not rely upon the employee record exemption, as this would only apply once the employees’ personal information was collected. As such, up until the point of collection of the data, Superior Wood had an obligation to apply with the Australian Privacy Principles (APP) including:

APP entities must have a clearly expressed and up to date policy about the management of personal information by the APP entity (APP 1)
APP entities must not collect sensitive information (including biometric information) without the individual’s consent (APP 3)

Since Superior Wood did not have a privacy policy in place, it failed to issue a privacy collection notice to Mr Lee (or any other employee) in accordance with APP 5, and its direction to Mr Lee to ‘submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection’ was directly inconsistent with APP 3, and was not a lawful direction. It was also not reasonable direction because ‘A direction to a person to give consent does not vest in that person a meaningful right at all.’ Further, the implementation of the biometric system was ‘administratively convenient’, not ‘reasonably necessary’ as had originally been found.

Lessons for employers

Employers looking to introduce biometric technology such as fingerprint or retina scanning for payroll, security, surveillance or workplace safety purposes must have a comprehensive privacy policy in place
Adequate notice needs to be provided to employees in advance of the intended collection of their biometric data, and employers need to seek genuine, informed, voluntary consent from their employees
Employers need to take seriously any employee concerns about what data is being collected, where their data will be held, what security measures are in place to protect and manage their data, and what will happen to their data when they leave their employment
In light of the Full Bench’s decision, employers need to have a contingency plan in place if an employee exercises their right not to consent to the collection of their data.