18 June 2019
The recent Fair Work Commission (FWC) case of Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946 has illustrated a number of holes in current privacy legislation.
Mr Lee’s employer dismissed him as he refused to give biometric information - his fingerprint - for the purpose of safety and linking individuals to payroll records.
However, the FWC held that the collection of biometric information required his consent and, as there was no voluntary element to the provision of biometric information by the employee i.e. provide your fingerprint or you will be dismissed, the employer was in breach of the Privacy Act 1988 (Cth) (Privacy Act).
The employer argued that employee records were exempt under the Privacy Act. But this exemption only operates once information is collected by the organisation.
The case (explored in greater detail here) raises an interesting question as to whether the collection of biometric data in an employment context can meet the requirements of the Privacy Act.
Mandatory collection of biometric data
To begin, for anyone to consent to the collection of their personal information there are four elements of consent. It must be voluntary, informed, current and specific. In the case of Mr Lee the issue was that he either consent or be dismissed. That is, his continuing employment would terminate in the absence of consent. This meant there was no “voluntary” element available if there is no consent.
If a contract provides that it is a term of the contract that the individual provides their biometric data then arguably this is a voluntary collection because there is no existing relationship and one might argue that this is a reasonable perspective for an employer to take.
However, under the Privacy Act there are additional requirements that can impact the consent.
For example, the collection must be reasonably required for the conduct of the entity’s business. In this case, the use of the biometric technology was adopted as a way to reduce costs but without reference to alternative methodologies.
It is, in many ways, a frightening issue from a human rights perspective if obtaining a job to be a general hand at a timber mill – as was the case in this matter -comes at the cost of providing one’s biometric data.
No consent - no job. Life begins to look like George Orwell’s 1984.
Failure to protect collected data
This aspect of the case is also concerning from the perspective that in relying on the employee records exemption, the employer sought to avoid the obligation to provide employees with relevant information about how their data was used, and take steps to ensure that their data was kept secure. It is evident they had not contemplated the likely and possibly significant negative consequences of a privacy breach.
This case is illustrative of the fact that the employee records exemption is often difficult to reconcile with the operation of the Privacy Act and difficult to reconcile that in cases such as this, where it results in a consequence that employee information may be afforded a much lower level of security and protection than that of other stakeholders who deal with the employer.
What about a breach?
If in fact there is a breach or unauthorised access as a result of the employer’s failure to keep information secure, then the employee records exemption would not apply to that breach and it is likely that the employer would be at risk of penalties and also claims by employees for compensation and damages. It is important to note that employee information usually has a full suite of identifying information which makes it easy for hackers to steal identities and this has been the case in the past with tax file numbers.
What are the privacy lessons from this case?
This case illustrates the difficulty of reconciling the employee records exemption, which was only ever expected to be a temporary exemption on the basis that other industrial legislation would fill the void, with general Privacy Act obligations. It has not, nor is there any indication this will change in the near future.
Employers should consider best practice in terms of affording their employees the same basic protections of their personal information as are required under law for other stakeholders.
Considering privacy by design and whether various data elements are required to be collected, how they will be stored and how they will be shared, are key elements to a robust privacy and data protection environment.
Author: Lyn Nicholson
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.