In the decision of Lee v Superior Wood [2019] FWCFB 2946, the Full Bench of the Fair Work Commission found that a direction requiring an employee to consent to biometric attendance scanning (in the form of fingerprint scanning) was not a lawful direction as it infringed the employee's rights under the Privacy Act 1988 (Cth) (Privacy Act). The employee's termination for refusal to follow that direction was therefore unfair.

Significantly, and contrary to the commonly understood position, the Full Bench found that the employee records exemption only applied to records actually held by the employer, meaning the Privacy Act applied to practices engaged in by the employer up to the point of collecting personal information.

What's the case about?

Superior Wood introduced fingerprint scanners in the workplace to log employees' start and finish times. One employee, Mr Lee, refused to register his fingerprint and continued to manually sign in and out for his shifts.

A site attendance policy was then introduced which required all employees to use the fingerprint scanning. Superior Wood attempted to discuss Mr Lee's concerns with him, and warned him that a continued failure to follow the policy would result in his employment being terminated. Mr Lee was not satisfied with his employer's explanations, continued to refuse to comply and Superior Wood terminated his employment.

Mr Lee then brought an unfair dismissal application in the Fair Work Commission. At first instance, the Commission held that Mr Lee's dismissal was not unfair because the direction was reasonable in the circumstances. Mr Lee appealed the decision to the Full Bench of the Fair Work Commission.

What did the Full Bench say on appeal?

1. The Full Bench overturned the Commission's decision, finding that there was no valid reason for the termination. Relevantly, the Full Bench concluded that:
2. The site attendance policy did not apply to Mr Lee because the drafting of his employment contract meant that he was only bound by policies in place at the time his contract was signed. Because the Policy was introduced some four years later, it did not form part of Mr Lee's terms and conditions of employment.
3. Mr Lee's obligation to comply with the Policy (having already established that it was not a term of his employment) depended on whether the direction to do so was a 'reasonable and lawful' direction. At common law, any direction which requires an employee to contravene the law or is otherwise inconsistent with a legal principle is not a 'lawful' direction. The employee records exemption does not apply to records yet to be created. The employee record exemption is at s7B(3) of the Privacy Act and reads:

'An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:

a current or former employment relationship between the employer and the individual; and

an employee record held by the organisation and relating to the individual.'

The Full Bench interpreted 'records 'held' by an organisation' as meaning that the exemption for 'acts or practices by an employer in connection with a person's employment' must be in relation to an actual record held by the employer. The scope of the employee record exemption does not extend to records not yet in existence.

4. Given the Commission's conclusion regarding the employee records exemption, Superior Wood was bound by the Privacy Act requirements regarding the collection and solicitation of its employees' personal information.

This included a prohibition on collecting sensitive information (which includes biometric data) without the individual's consent (Australian Privacy Principle (APP) 3), and restrictions on the collection of information where it is not reasonably necessary to the entity's functions or activities (APP 5).

Because Mr Lee did not give consent and there were other options open to Superior Wood to log his start and finish times, the direction to submit to mandatory fingerprint scanning was not a lawful direction and could not form the basis of the decision to terminate Mr Lee's employment.

What are the implications for employers?

This decision by the Full Bench could have enormous consequences for employers subject to the Privacy Act (federal government agencies and companies with an annual turnover of $3 million or more).

Prior to this decision, it has been understood that the employee records exemption covered both the collection and handling of employee personal information provided it was done for a purpose directly related to the employment relationship – this was certainly the guidance previously released by the Office of the Australian Information Commission (OAIC) regarding the scope of the employee records exemption. The OAIC has not yet commented on the decision.

The implications for employers could be significant. For example, will the common law right that an employer has to reasonably direct an employee to an independent medical assessment be rendered functionally useless by an uncooperative employee who refuses to consent to the examining doctor collecting their sensitive personal information? This may be the case in light of the Full Bench's observation that consent will not be 'freely given' if a refusal to give consent might result in disciplinary action against the employee. The same concerns arise in respect of drug and alcohol testing programs.

At this time, it is uncertain if the Full Bench decision will be appealed, but it is easy to see the unintended – and serious – consequences which could result.

What do employers need to do now?

Employers should take some immediate steps to minimise the risk of a privacy complaint:

• Have a compliant privacy policy: Both the Commission and Full Bench were critical of Superior Wood's lack of a privacy policy or any measures to protect employee personal information.

But having a general privacy policy will not be sufficient, so also…

• Be clear about what, how and when employee personal information may be collected, and obtain employee consent where required: A well-drafted suite of policies will be your best defence to an allegation that you have collected personal information in breach of the APPs.

These policies should clearly outline what information will be collected, how it will be stored, how you will use it and anyone else you might release it to (including your service providers).

For the collection of sensitive personal information, you will need a mechanism to obtain consent from employees. If you need to collect sensitive information pursuant to one of your policies (eg a drug and alcohol testing regime) and your current employment contracts do not clearly state that the employees provide consent by the act of entering into the contract, then consider seeking written consent from all employees now in relation to those policies.

• Review your policies and privacy clauses in your employment contracts: Employment contracts should include a clause requiring employees to comply with all current and future workplace policies (including any amendments to these policies, and without incorporating policy terms into the contract), including that they must provide consent if reasonably required as part of any process as a fundamental obligation of employment. Any later refusal to provide consent where the employee has agreed to such as clause is more likely to be upheld as a failure to follow a reasonable work direction.

Similarly, employment contracts should include a privacy clause which sets out the types of personal information which will be collected, how that information will be used and who it may be disclosed to (employers in NSW and the ACT should already have a clause of this nature to comply with workplace surveillance legislation). It is also important that employees are made aware of any new policies or changes to existing policies.