In the decision of Lee v Superior Wood  FWCFB 2946, the Full Bench of the Fair Work Commission found that a direction requiring an employee to consent to biometric attendance scanning (in the form of fingerprint scanning) was not a lawful direction as it infringed the employee's rights under the Privacy Act 1988 (Cth) (Privacy Act). The employee's termination for refusal to follow that direction was therefore unfair.
Significantly, and contrary to the commonly understood position, the Full Bench found that the employee records exemption only applied to records actually held by the employer, meaning the Privacy Act applied to practices engaged in by the employer up to the point of collecting personal information.
Superior Wood introduced fingerprint scanners in the workplace to log employees' start and finish times. One employee, Mr Lee, refused to register his fingerprint and continued to manually sign in and out for his shifts.
A site attendance policy was then introduced which required all employees to use the fingerprint scanning. Superior Wood attempted to discuss Mr Lee's concerns with him, and warned him that a continued failure to follow the policy would result in his employment being terminated. Mr Lee was not satisfied with his employer's explanations, continued to refuse to comply and Superior Wood terminated his employment.
Mr Lee then brought an unfair dismissal application in the Fair Work Commission. At first instance, the Commission held that Mr Lee's dismissal was not unfair because the direction was reasonable in the circumstances. Mr Lee appealed the decision to the Full Bench of the Fair Work Commission.
'An act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
a current or former employment relationship between the employer and the individual; and
an employee record held by the organisation and relating to the individual.'
The Full Bench interpreted 'records 'held' by an organisation' as meaning that the exemption for 'acts or practices by an employer in connection with a person's employment' must be in relation to an actual record held by the employer. The scope of the employee record exemption does not extend to records not yet in existence.
This included a prohibition on collecting sensitive information (which includes biometric data) without the individual's consent (Australian Privacy Principle (APP) 3), and restrictions on the collection of information where it is not reasonably necessary to the entity's functions or activities (APP 5).
Because Mr Lee did not give consent and there were other options open to Superior Wood to log his start and finish times, the direction to submit to mandatory fingerprint scanning was not a lawful direction and could not form the basis of the decision to terminate Mr Lee's employment.
This decision by the Full Bench could have enormous consequences for employers subject to the Privacy Act (federal government agencies and companies with an annual turnover of $3 million or more).
Prior to this decision, it has been understood that the employee records exemption covered both the collection and handling of employee personal information provided it was done for a purpose directly related to the employment relationship – this was certainly the guidance previously released by the Office of the Australian Information Commission (OAIC) regarding the scope of the employee records exemption. The OAIC has not yet commented on the decision.
The implications for employers could be significant. For example, will the common law right that an employer has to reasonably direct an employee to an independent medical assessment be rendered functionally useless by an uncooperative employee who refuses to consent to the examining doctor collecting their sensitive personal information? This may be the case in light of the Full Bench's observation that consent will not be 'freely given' if a refusal to give consent might result in disciplinary action against the employee. The same concerns arise in respect of drug and alcohol testing programs.
At this time, it is uncertain if the Full Bench decision will be appealed, but it is easy to see the unintended – and serious – consequences which could result.
Employers should take some immediate steps to minimise the risk of a privacy complaint:
These policies should clearly outline what information will be collected, how it will be stored, how you will use it and anyone else you might release it to (including your service providers).
For the collection of sensitive personal information, you will need a mechanism to obtain consent from employees. If you need to collect sensitive information pursuant to one of your policies (eg a drug and alcohol testing regime) and your current employment contracts do not clearly state that the employees provide consent by the act of entering into the contract, then consider seeking written consent from all employees now in relation to those policies.
Similarly, employment contracts should include a privacy clause which sets out the types of personal information which will be collected, how that information will be used and who it may be disclosed to (employers in NSW and the ACT should already have a clause of this nature to comply with workplace surveillance legislation). It is also important that employees are made aware of any new policies or changes to existing policies.