Earlier this month, the ABC reported that a recruitment subcontractor for the Queensland Gas Corporation was conducting mandatory blood testing of job applicants in order to determine their risk of serious and life threatening conditions including high cholesterol and risk of heart attack. Candidates were told their job application was conditional on submitting to the blood test and were further required to sign a waiver authorising the recruiter, SNC Lavalin, to send their health information, medical records and blood samples overseas to countries without the same standard of privacy protection as in Australia.
In the broader context of employers seeking to manage risk by obtaining access to a wider range of employee data and increasing workplace surveillance to monitor attendance and productivity, this incident is a timely reminder of the need for employers to exercise caution when seeking to collect biometric or health information from their employees (or prospective employees).
The Office of the Australian Information Officer (OAIC) provides limited guidance on biometric scanning which occurs when an organisation or agency takes an electronic copy of your biometric information. This includes your face, fingerprints, iris, palm, signature and voice. The UK Information Commissioner’s Office (UK ICO) provides several further example of biometric information in its recent guidance on Special Category Data, including keystroke analysis, handwritten signature analysis, gait analysis and gaze analysis (eye tracking).
The case law developments in 2019 make it clear that there is a high bar for employers seeking to establish a genuine need to collect biometric information on the basis it is “reasonably necessary for, or directly related to, one or more of the entity’s functions or activities”.
Employers and biometric information – case law developments in 2019
Earlier this year, the Fair Work Commission considered the matter of Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946, in which an employer sought to compel employees to use a fingerprint verification system to sign-in for a casual shift, a process necessarily entailing the collection of biometric information. In this case, the Full Bench of the Fair Work Commission determined that employers must not collect biometric information unless it is reasonably necessary for the entity‘s function or activities and the individual consents to the collection.
The Australian standard for consent to the collection of personal information, including biometric and health information has four elements – consent must be voluntary, informed, current and specific.
The issue of consent being voluntary arises in cases where it is a condition of employment or a condition of providing services. While this has not been considered specifically by the OAIC, the UK ICO recommends that particular care be taken if asking for consent to collect sensitive information as a condition of providing your services or if you are in a position of power over the individual – for example if you are a public authority or the individual’s employer.
The UK ICO considers that consent cannot be validly given where the provision of the service is conditional on the individual consenting to the collection of sensitive information, for example, where a gym introduces a facial recognition system and compels members to consent to the use of facial recognition as a condition of their membership. In contrast, if members are provided with an option to access the facilities either via the facial recognition system or via a membership card, those who choose to use the facial recognition system will have freely given consent.
What does this mean for Australian employers?
Employers who are interested in utilising biometric technology to improve the accuracy and efficiency of their payroll processes or ensure the security of their premises should consider offering their employees the opportunity to opt in rather than seeking to compel the employees to submit to the collection of their biometric data.
However, employers ultimately need to balance the utility of using biometric technology for business efficiency and security purposes against the need to protect the individual privacy rights of their employees.
Authors: Lyn Nicholson & Clare Giugni
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.
Published by Lyn Nicholson, Clare Giugni