01 June 20 - In the News
Author: Charles Power
Publication: Law Institute Journal (June 2020 edition)
Publication date: 01/06/2020
Publisher: Law Institute of Victoria
Recent wage underpayment disclosures by some of Australia’s largest employers have brought into focus the importance of accurately recording employee working hours. Identifying who is in the workplace at any one time is also important for safety and security.
Manual time and attendance systems that rely on employees signing in and out can be unreliable. Systems that collect and match biometric data from employees, whether facial, fingerprint or iris, provide efficient solutions. However, collection of this biometric data raises privacy concerns. Once the data is collected, the concern is whether it is vulnerable to misuse or hacking. You can change your computer password, but not your fingerprint or iris.
Biometric information that is to be used for the purpose of automated biometric verification, biometric identification or biometric templates is sensitive information for the purposes of the Privacy Act 1988 (Cth) (Privacy Act). Subject to certain exceptions, the collection or solicitation of biometric information from an employee without their consent would be inconsistent with the Australian Privacy Principles (APPs) in the Privacy Act (APP 3.3). Even if consent is given, APP 3 requires it to be reasonably necessary to collect the biometric information for one or more of the employer’s functions or activities. Collection of employee biometric data enables employers to meet important functions of paying employees correctly and locating them in the event of a safety incident. However, it will only be reasonably necessary to collect the data for these purposes if there are no other reasonable and practical means to achieve them.
The Privacy Act APPs do not apply to actions by an employer that are directly related to its employment relationship with an employee and any record of personal information about that employee held by the employer.1 Does this employee records exemption apply when the biometric data is requested from employees? Can an employer threaten an employee with disciplinary action, including dismissal, if they decline to provide the data? How would that affect the quality of any consent given for collection?
Lee v Superior Wood
These issues were considered recently by the Fair Work Commission (FWC) in determining an unfair dismissal claim made by a casual employee working at a sawmill.2
The employer introduced a new site attendance policy (policy) based on collection and use of biometric data. Employees were required to submit their fingerprint to a different entity, which derived data from the features of tissue lying beneath the skin and on the skin surface. This was converted into a template unique to the individual, using an embedded algorithm owned by another entity. Each template was stored on servers and site readers owned by an entity related to the employer. Employees could register their attendance at the start and finish of each shift by scanning their fingerprint. The stored templates could be accessed remotely by third party service providers. The data was used by the related entity to operate the employer’s payroll system.
In this case, the employee had refused to allow a template to be made of his fingerprint and continued to sign in and out using the site’s sign in and sign out book. The employee expressed concern to his employer about the control of his biometric data and the inability of the employer to guarantee no third-party access or use of that data once stored electronically. After the employer initially attempted to address some of the employee’s concerns, the employee was dismissed because he did not comply with the policy.
Decision at first instance
In the hearing of his unfair dismissal claim before Hunt C, the applicant employee submitted he owned the biometric data contained within his fingerprint and, as sensitive personal information under the Privacy Act, the employer was not entitled to require him to supply that information. Therefore, his refusal to give the information was not a valid reason for his dismissal.
Hunt C considered that the policy improved safety in the event of an emergency by avoiding the need to locate the paper sign in and out book to ascertain attendance on site. It also improved the integrity and efficiency of payroll. In that context, the Commissioner held the employer was entitled to manage its affairs by requiring employees to comply with the policy, and the employee’s refusal to comply after adequate caution was a valid reason for dismissal.
The Commissioner made some interesting observations about the operation of the Privacy Act in this situation. The Commissioner considered collection of the biometric information was reasonably necessary for the employer’s functions given the plan to consolidate its payroll and move away from less efficient and burdensome manual attendance systems. However, the employer may have breached the Privacy Act in the manner in which it sought to obtain employee consent by not:
The employer merely informed employees the scanners were being introduced and they would be required to use them. The applicant was told if he didn’t consent he was liable to be dismissed for failing to comply with the policy.
The Commissioner considered the employee records exemption under the Privacy Act only applied to dealings with biometric data when it had been collected and held in a record. It did not exempt the employer from the obligation to issue a privacy collection notice or from complying with APP 3.3.
However, the Commissioner ruled these failures did not render the requirement to observe the policy unlawful. Even if the employer had provided a privacy collection notice to the applicant, he would not have provided his consent under any circumstances.
The Commissioner observed that:
In all the circumstances, the Commissioner considered the reason for dismissal was a valid reason and the dismissal was not unfair.
The applicant appealed the decision, principally on the ground that a failure to comply with the policy was not a valid reason for dismissal given potential breaches of the Privacy Act and the applicant’s entitlement to refuse to provide his biometric data.
The Full Bench ruled the employee could be obliged to comply with the policy if the direction to do so was a reasonable and lawful direction. However, the Full Bench considered the direction to submit to the collection of the employee’s fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction.
The Full Bench agreed with Hunt C that the employee records exemption does not apply to dealings with personal information where the record of personal information has not yet been created or is not yet in the possession or control of the employer. Therefore, the APPs applied to the employer in connection with the solicitation and collection of sensitive information from employees, up to the point of collection. Once collected, the employee records exemption was enlivened and the Privacy Act no longer regulated its use or disclosure.
Any consent the employee might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent. That said, the Full Bench saw no error in Hunt C’s finding, at least on a prima facie basis, that other employees gave implied consent by registering their fingerprints.
The Full Bench was critical of the conclusion that collection of fingerprint data was reasonably necessary for the employer’s functions or activities. It agreed that the introduction of the scanners was administratively convenient for payroll administration and that applying a special time and attendance system for one of 400 employees might be less than reasonable. However, there was no evidence the employer had taken any steps to evaluate the costs of those alternative data collection methods.
The Full Bench accepted that once biometric information is digitised, it may be very difficult to contain its use by third parties, including for commercial purposes. None of the various organisations having access to data obtained by the biometric scanners had, at the relevant time, any actual mechanism in place to protect and manage information collected by the employer, consistent with its obligations under the Privacy Act (other than the warranty by one IT provider that it would comply with the Privacy Act).
Therefore, the Full Bench considered the applicant was justified in raising concerns. The applicant was entitled to protect data unique to the individual and derived from that individual’s biometric characteristics, above and beneath the skin. According to the Full Bench, to dismiss the employee for taking that position was, in all the circumstances of this case, unfair.
Enforcing provision of biometric data by employees
If an employer wishes to impose a requirement for workers to provide biometric data as part of a system to monitor working hours, the Superior Wood decision suggests that three steps are required.
Consent: The employer can then request employees to signify their consent by signing the collection notice. If they refuse, the employer should consider alternative methods, but only has to adopt these if reasonable and practical.
If these steps are met, the employer will have a sound basis for disciplining or dismissing employees who refuse to provide their biometric data.
1. Privacy Act 1988 (Cth), s7B(3).
2. Lee v Superior Wood  FWC 4762 (1 November 2018);  FWCFB 2946 (1 May 2019).