
BIOMETRIC DATA AND PRIVACY IN THE WORKPLACE


Employers are not always aware of their obligations in relation to privacy in the workplace. The invasion of employee privacy can occur in a number of different ways including through records and information, physical and electronic surveillance and monitoring.

From a company perspective, the advancement of digital workplaces and technology has increased the amount of information employers can access about their employees. It is now also becoming more common for organisations to use biometric templates, for example to use your fingerprint to sign into work. Interestingly, the decision of Lee v Superior Wood Pty Ltd [2019] FWCFC 2946 provides insight on the extent to which an employer can request personal data in this regard.

Accordingly, in this week’s article we discuss the general principles of privacy in the workplace and the Fair Work Commission’s interesting interpretation of the Privacy Act 1988 (Cth) and Australian Privacy Principles.

Privacy Act 1988

The Privacy Act 1988 (Cth) (“Privacy Act”) applies to federal government agencies as well as private sector organisations including bodies corporate who use or disclose personal information in the course of carrying on a business. In March 2014, the Privacy Act was amended to introduce thirteen legally binding Australian Privacy Principles (“APP”) which apply to personal information held by Australian government agencies and most Australian companies. Worthy of note is that personal information handled by a private sector employer is exempt from the APP if it directly relates to:

· a current or former employment relationship; or

· an employee record relating to the individual employee concerned.

“Employee record” refers to a record of personal information relating to the employment of a person, such as information about the employee’s:

· health;

· engagement, training, disciplining or resignation;

· terms and conditions of employment;

· personal and emergency contact details;

· performance or conduct; or

· taxation, banking or superannuation affairs.

However, the exemption does not include information otherwise collected about candidates when determining to offer employment. In this respect, employers must ensure that any personal or sensitive information collected about a prospective employee is not used unless the employee consents and the information is reasonably necessary for one or more of the entity’s functions or activities. In addition, employers must ensure that the means of collecting such information is only by lawful and fair means. In this regard, the employer must act in accordance with the APP.

Jeremy Lee v Superior Wood Pty Ltd

The recent decision of Lee v Superior Wood Pty Ltd [2019] FWCFC 2946 demonstrates the importance of understanding and complying with privacy obligations and how they interact with the rights and obligations of employees.

Mr Jeremy Lee was employed at Superior Wood for over 3 years before he was dismissed for failing to comply with the company’s Site Attendance Policy (“Policy”). The Policy required employees to use newly introduced fingerprint scanners to sign on and off the work site.

Mr Lee refused to provide his fingerprint for the purposes of signing on and off the worksite, raising concerns about the control of his biometric data and the inability for Superior Wood to guarantee no third party would be provided access or use of the data once stored electronically.

Superior Wood attempted to discuss his concerns with him and warned that a continued failure to follow the policy would result in his employment being terminated. Mr Lee again refused to sign in with his fingerprint and was dismissed as a result. Mr Lee subsequently brought an unfair dismissal application.

At first instance, the Fair Work Commission found that the Policy was not unjust or unreasonable because, amongst other things, Superior Wood had the right to require employees to comply with the policy and refusal to comply after adequate warning would not render any dismissal invalid.

The Commissioner also considered the Privacy Act 1988 and found that although biometric data is ‘sensitive information’ for the purposes of the Privacy Act 1988, it was reasonably necessary to collect the information in accordance with the Australian Privacy Principle (“APP”) 3.3.

The Commissioner noted that Mr Lee was entitled to withhold his consent; however, doing so meant that he failed to meet a reasonable request to implement a fair and reasonable workplace policy. Accordingly, it was found that in all the circumstances the dismissal was valid.

Appeal Decision

Mr Lee was granted permission to appeal the decision to the Full Bench of the Fair Work Commission. The Full Bench overturned the Commission’s decision, finding that there was no valid reason for the termination. Relevantly, the Full Bench noted the below:

· On a strict reading of Mr Lee’s employment contract, Mr Lee was only bound by any policies and procedures in place at the time of entry into the contract. As the Policy came into existence following Mr Lee commencing employment, the Fair Work Commission was not satisfied that compliance with the Policy was a term of Mr Lee’s employment.

· It was found that biometric templates are considered ‘sensitive information’ under the Privacy Act. APP 3 states that an entity cannot collect an individual’s sensitive information without their consent. The Full Bench ruled that ‘a necessary counterpart to a right to consent to a thing is a right to refuse it’. Accordingly, a direction to a person to give consent would be considered unreasonable and not a valid reason for dismissal.

· Section 7B(3) of the Privacy Act contains an exemption from an employer’s requirement to comply with the APPs in regard to an employee record held by the company and relating to the individual directly related to a current or former employment relationship. However, the Full Bench did not agree that the fingerprint scanners fell under the employee records exemption because the exemption applies only to sensitive information that has been created or is within the employer’s custody or control. In this case, the employer was only at the stage of soliciting the sensitive information; it had not in fact collected the information.

Lessons for Employers

With new and emerging technology being utilised in the workplace, this decision is an important reminder for employers to ensure that data collection in the workplace is only used if necessary, is carried out in compliance with privacy legislation, and has regard to privacy concerns and employee consent.

We suggest employers should:

· Ensure that employment contracts are drafted to allow the organisation to gather personal information with consent of the employee and make provision for changes to the employer policies.

· Ensure you understand your obligations under the privacy laws and ensure human resources or relevant managers are provided training to prevent potential breaches, and ensure your company practices operate efficiently.

· Any workplace policy that is introduced should be distributed to each employee and the business should provide training on the policy. It is also important to continue to review and update your policies to ensure they are current and applicable to your business and evolving technologies.

· For the avoidance of doubt, we suggest obtaining legal advice to ensure your privacy practices are up to date and there are suitable workplace policies to cover these issues.

If you wish to discuss any aspect of this article or require specialist advice or assistance in relation to your obligations under privacy laws, please do not hesitate to contact us.

This alert is not intended to constitute, and should not be treated as, legal advice.
