
Biometric data: Under your skin – Employee rights to privacy

01 June 20 - In the News

Author: Charles Power
Publication: Law Institute Journal (June 2020 edition)
Publication date: 01/06/2020
Publisher: Law Institute of Victoria

Recent wage underpayment disclosures by some of Australia’s largest employers have brought into focus the importance of accurately recording employee working hours. Identifying who is in the workplace at any one time is also important for safety and security.

Manual time and attendance systems that rely on employees signing in and out can be unreliable. Systems that collect and match biometric data from employees, whether facial, fingerprint or iris, provide efficient solutions. However, collection of this biometric data raises privacy concerns. Once collected, the concern is whether the data is vulnerable to misuse or hacking. You can change your computer password, but not your fingerprint or iris.

Biometric information that is to be used for the purpose of automated biometric verification, biometric identification or biometric templates is sensitive information for the purposes of the Privacy Act 1988 (Cth) (Privacy Act). Subject to certain exceptions, the collection or solicitation of biometric information from an employee without their consent would be inconsistent with the Australian Privacy Principles (APPs) in the Privacy Act (APP 3.3). Even if consent is given, APP 3 requires it to be reasonably necessary to collect the biometric information for one or more of the employer’s functions or activities. Collection of employee biometric data enables employers to meet important functions of paying employees correctly and locating them in the event of a safety incident. However, it will only be reasonably necessary to collect the data for these purposes if there are no other reasonable and practical means to achieve them.

The Privacy Act APPs do not apply to actions by an employer that are directly related to its employment relationship with an employee and any record of personal information about that employee held by the employer.1 Does this employee records exemption apply when the biometric data is requested from employees? Can an employer threaten an employee with disciplinary action, including dismissal, if they decline to provide the data? How would that affect the quality of any consent given for collection? 

Lee v Superior Wood 

These issues were considered recently by the Fair Work Commission (FWC) in determining an unfair dismissal application made by a casual employee working at a sawmill.2

The employer introduced a new site attendance policy (policy) based on collection and use of biometric data. Employees were required to submit their fingerprint to a different entity, which derived data from the features of tissue lying beneath the skin and on the skin surface. This was converted into a template unique to the individual, using an embedded algorithm owned by another entity. Each template was stored on servers and site readers owned by an entity related to the employer. Employees could register their attendance at the start and finish of each shift by scanning their fingerprint. The stored templates could be accessed remotely by third party service providers. The data was used by the related entity to operate the employer’s payroll system.

In this case, the employee had refused to allow a template to be made of his fingerprint and continued to sign in and out using the site’s sign in and sign out book. The employee expressed concern to his employer about the control of his biometric data and the inability of the employer to guarantee no third-party access to or use of that data once stored electronically. After initially attempting to address some of the employee’s concerns, the employer dismissed him because he did not comply with the policy.

Decision at first instance

In the hearing of his unfair dismissal claim before Hunt C, the applicant employee submitted he owned the biometric data contained within his fingerprint and, as sensitive personal information under the Privacy Act, the employer was not entitled to require him to supply that information. Therefore, his refusal to give the information was not a valid reason for his dismissal.

Hunt C considered that the policy improved safety in the event of an emergency by avoiding the need to locate the paper sign in and out book to ascertain attendance on site. It also improved the integrity and efficiency of payroll. In that context, the Commissioner held the employer was entitled to manage its affairs by requiring employees to comply with the policy, and the employee’s refusal to comply after adequate caution was a valid reason for dismissal.

The Commissioner made some interesting observations about the operation of the Privacy Act in this situation. The Commissioner considered collection of the biometric information was reasonably necessary for the employer’s functions given the plan to consolidate its payroll and move away from less efficient and burdensome manual attendance systems. However, the employer may have breached the Privacy Act in the manner in which it sought to obtain employee consent by not:

  • informing its employees the scanners collected their sensitive information
  • providing a collection notice to employees prior to collection
  • discussing its obligations in handling their sensitive information with employees.

The employer merely informed employees the scanners were being introduced and they would be required to use them. The applicant was told if he didn’t consent he was liable to be dismissed for failing to comply with the policy.

The Commissioner also expressed concern about the fact there was no appropriate privacy policy in place with both the employer and other third parties involved. The Commissioner noted the company supplying the scanners had only recently implemented a privacy policy, and opined that its knowledge of privacy obligations regarding collection and use of personal and sensitive information in accordance with Australian privacy laws was “poor and rather disturbing”.

The Commissioner considered the employee records exemption under the Privacy Act only applied to dealings with biometric data when it had been collected and held in a record. It did not exempt the employer from the obligation to issue a privacy collection notice or from complying with APP 3.3.

However, the Commissioner ruled these failures did not render the requirement to observe the policy unlawful. Even if the employer had provided a privacy collection notice to the applicant, he would not have provided his consent under any circumstances.

The Commissioner observed that:

  • the employer was entitled to install the scanners and create a policy governing and mandating the use of scanners at the workplace
  • the employer made significant efforts to provide additional information about the scanners to the employee and allay his concerns
  • the employer gave the employee repeated opportunities to explain his objection and made several attempts to indicate to him that his continued employment required adherence to the policy
  • the employee’s concern about his fingerprint being reconstructed from scanned data was misconceived
  • by withholding his consent, the employee failed to meet a reasonable request to implement a fair and reasonable workplace policy.

In all the circumstances, the Commissioner considered the reason for dismissal was a valid reason and the dismissal was not unfair.

Appeal

The applicant appealed the decision, principally on the ground that a failure to comply with the policy was not a valid reason for dismissal given potential breaches of the Privacy Act and the applicant’s entitlement to refuse to provide his biometric data.

The Full Bench ruled the employee could be obliged to comply with the policy if the direction to do so was a reasonable and lawful direction. However, the Full Bench considered the direction to submit to the collection of the employee’s fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction.

This was because the direction amounted to the solicitation or request to provide sensitive information. APP 3 requires that an APP entity must not collect or solicit sensitive information unless the individual consents to that collection. Moreover, the policy and the direction to observe it were issued in circumstances where, at all relevant times, the employer did not have a privacy policy as required by APP 1.

Nor had the employer issued a privacy collection notice to employees in accordance with APP 5. The employee was informed of the purpose for collection and the consequences if he did not permit it, but he was not informed of the range of other entities that were likely to have access to his sensitive information, of the employer’s (non-existent) privacy policy, or of information regarding privacy complaints and how to access his personal information.

The Full Bench agreed with Hunt C that the employee records exemption does not apply to dealings with personal information where the record of personal information has not yet been created or is not yet in the possession or control of the employer. Therefore, the APPs applied to the employer in connection with the solicitation and collection of sensitive information from employees, up to the point of collection. Once collected, the employee records exemption was enlivened and the Privacy Act no longer regulated its use or disclosure.

Any consent the employee might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent. That said, the Full Bench saw no error in Hunt C’s finding, at least on a prima facie basis, that other employees gave implied consent by registering their fingerprints.

The Full Bench was critical of the conclusion that collection of fingerprint data was reasonably necessary for the employer’s functions or activities. It agreed that the introduction of the scanners was administratively convenient for payroll administration, and that applying a special time and attendance system for one of 400 employees might be less than reasonable. However, there was no evidence the employer had taken any steps to evaluate the costs of those alternative data collection methods.

The Full Bench accepted that once biometric information is digitised, it may be very difficult to contain its use by third parties, including for commercial purposes. None of the various organisations having access to data obtained by the biometric scanners had, at the relevant time, any actual mechanism in place to protect and manage information collected by the employer, consistent with its obligations under the Privacy Act (other than the warranty by one IT provider that it would comply with the Privacy Act).

Therefore, the Full Bench considered the applicant was justified in raising concerns. The applicant was entitled to protect data unique to the individual and derived from that individual’s biometric characteristics, above and beneath the skin. According to the Full Bench, to dismiss the employee for taking that position was, in all the circumstances of this case, unfair.

Enforcing provision of biometric data by employees

If an employer wishes to impose a requirement for workers to provide biometric data as part of a system to monitor working hours, the Superior Wood decision suggests that three steps are required.

Policy: The employer needs a clearly expressed and up-to-date privacy policy that complies with the Privacy Act regarding the collection, use and storage of personal information. It should be easy to understand (avoiding jargon and legalistic or in-house terms), easy to navigate, and include only information that is relevant to the management of personal information by the entity. Any related entity or third party provider involved in implementing the time and attendance system must also have a compliant privacy policy.

Collection notice: Employees must receive a proper written notice of the employer’s intention to collect biometric data. The notice should refer to the applicable privacy policy. For new employees this can be done at the induction stage. For existing employees, this may require appropriate consultation. The notice must inform employees of the purpose for collection, the consequences if they do not permit it, the range of other entities likely to have access to this sensitive information, the employer’s privacy policy, and information about privacy complaints and how to access their personal information.

Consent: The employer can then request employees to signify their consent by signing the collection notice. If they refuse, the employer should consider alternative methods, but only has to adopt these if reasonable and practical.

If these steps are met, the employer will have a sound basis for disciplining or dismissing employees who refuse to provide their biometric data.

1. Privacy Act 1988 (Cth), s7B(3).

2. Lee v Superior Wood [2018] FWC 4762 (1 November 2018); [2019] FWCFB 2946 (1 May 2019).
