Fingerprint Scan 1900x500

Fingerprint Scanning - Beware!

Libby Pallot, Walter MacCallum, Anthony Massaro, Ben Tallboys, Abbey Burns and Caitlin Walsh

The Full Bench of the Fair Work Commission’s decision in Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 highlights the increasing tension between technology and privacy in the workplace.

Facts

Mr Jeremy Lee was employed as a general hand by Superior Wood who operate sawmills in Queensland.

In October 2017, Superior Wood introduced a new policy which directed employees to register their fingerprints and use fingerprint scanners to register their attendance at work.

Mr Lee refused to comply with the policy, claiming ownership of the biometric data contained in his fingerprint and citing concerns over the inadvertent release of this information to a third party.

Despite assurances from the scanner supplier that the data collected could only be used to link a payroll ID with a time stamp, Mr Lee refused to supply his fingerprint and continued to oppose the policy. After several meetings between parties, Mr Lee’s employment was terminated on 12 February 2018.

Mr Lee brought an unfair dismissal application in the Fair Work Commission (FWC).

The Decision

In considering Mr Lee’s claim, the FWC accepted that the policy was reasonable; it provided a clear way to ascertain employee attendance on site, particularly in the event of an emergency, and operated to improve the integrity and efficiency of payroll.

The FWC decided that Mr Lee’s refusal to comply with his employer’s reasonable request meant that his dismissal was not harsh, unjust or unreasonable. Mr Lee subsequently appealed.

The Appeal

The Full Bench was asked to consider whether the direction to comply with the Policy was a lawful direction with regard to the Privacy Act 1988 (Cth) (Act).

The FWC found that the biometric data collected by the scanners was personal information under the Act and further, fell within the more limited meaning of sensitive information under the Act. This meant that Superior Wood was required to comply with the Australian Privacy Principles (APP) which governs the collection of solicited personal information. APP 3.3 requires, in respect of sensitive information, that an entity obtain the consent of the individual and that the information is reasonably necessary for one or more of its functions.

Notably, the FWC held that APP 3.3 applies to both the solicitation and collection of sensitive information. This ultimately meant that the direction to Lee to provide his fingerprint was wholly inconsistent with the notion of consent required by APP 3.3. Additionally, any consent he may have provided would have been defective owing to the threat of discipline or dismissal. Therefore, the direction was not lawful and there was no valid reason for Lee’s dismissal.

Superior Wood attempted to rely on the employee records exemption under the Act to argue that it was exempt from complying with the APP. However, the FWC considered that the plain meaning of the statute indicates that the exemption only applies to records under the entity’s present possession or control. Therefore, the APP applied to Superior Wood up to the point of collection, and it was only once the sensitive information was obtained that the exemption applied.

Key takeaways for employers

It is increasingly common to find systems that use an employee’s data to control worksite access, or for payroll and time keeping purposes. The decision in Lee raises important considerations about collection of sensitive information, consent and the need for compliance with the APP in relation to employees.

Employers who use, or are looking to introduce, fingerprint scanners in their workplace should ensure their policies, contracts and practices are reviewed in light of the decision in Lee.

More generally, all employers covered by the Act should ensure that they have a privacy policy that deals with consumers, as well as employees, and that they are aware of the obligations that arise when dealing with personal information under the Act. For example:

  • Inform employees that personal information is being collected
  • Provide employees with information about other entities that may have access to the personal information (for example external IT companies)
  • Provide a privacy collection notice
  • Provide information in relation to privacy complaints
  • Discuss employer obligations in handling sensitive information
  • Obtain consent without threat of consequence when seeking sensitive information
  • Explain how employees can access their personal information

Please note: the Privacy Act 1988 does not apply to all businesses, and other State-based privacy legislation may apply to your business in particular.

If you require assistance understanding how this decision may affect your business, or if you would like advice on privacy legislation as is applies to employees in your workplace, please contact the Russell Kennedy Workplace Relations, Employment and Safety, team.

If you would like to stay up to date with Russell Kennedy's insights, please sign up here.

View related insights

Law and Justice Banner

Delegates’ Rights to be enshrined in legislation

2 Sep 2024

As part of the Closing the Loopholes Amendments to the Fair Work Act 2009 (Cth) (the Act) which received royal assent on 14 December 2023, there are a number of changes to workplace delegates’ r ...

View
Opting Out of the New Definition of Employee 540X360

Opting Out of the New Definition of Employee

29 Aug 2024

In late August 2024, the Federal Government published the Fair Work Amendment (Contractor High Income Threshold) Regulations 2024 (Cth) (Regulations) which prescribes the contractor high income thresh ...

View
Independent Contractor Arrangements_540x360 (2)

Incoming Changes to Independent Contractor Arrangements

6 Jun 2024

All businesses who engage contractors should review and reconsider their current arrangements as a matter of priority following recent changes to the Fair Work Act 2009 (Cth) (Fair Work Act) and the A ...

View