Employment and privacy: can employees be made to divulge personal information?
Written By
In the digital world, data is an asset. It can be one of the most important assets an organisation has because it defines each organisation's uniqueness. This can of course include employee data. There are, however, detailed rules regulating the collection of employees' personal data. The Full Bench of the Fair Work Commission in Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (the "Lee Case") recently delivered a decision which highlights that employers need to be careful when handling employee data, particularly if an employee's refusal to provide information is used as a grounds for dismissal.
This update will first discuss the privacy rules most relevant in an employment context and then explore how these principles were applied in the Lee Case, before giving some key takeaways.
Privacy principles in an employment context – a summary:
The collection, use and disclosure of data in Australia is governed by the Privacy Act 1988 (the "Act") and by the Australian Privacy Principles (APPs) which are contained in the Act. In relation to private-sector employers, the APPs only apply to "APP Entities", (as defined in section 6 of the Act). This definition includes most organisations that are not classified as "Small Business Operators". "Small Business Operators" are generally businesses that have an annual turnover of $3,000,000 or less.
Of particular relevance in the Lee Case were the following APPs
APP 3.2 provides that an organisation "must not collect personal information…unless the information is reasonably necessary for one or more of the entity’s functions or activities". If the relevant information is "sensitive information", then APP 3.3 imposes the additional requirement that the individual whose information is being collected must consent to the collection of the information. "Sensitive information" is defined in section 6 of the Act and includes biometric information that is to be used for the purpose of automated biometric verification or biometric identification as well as biometric templates.
Section 7B(3) of the Act provides an exemption for acts done, or practices engaged in "by an organisation that is or was an employer of an individual…if the act or practice is directly related to (a) a current or former employment relationship between the employer and the individual; and (b) an employee record held by the organisation and relating to the individual".
The privacy principles applied in the Lee Case
The employer in the Lee Case was Superior Wood Pty Ltd ("Superior Wood"), a company which operates sawmills in Queensland. At the time the relevant events took place, employees of Superior Wood were required to sign in and out of the sawmill worksites using a "sign in and sign out book". Superior Wood sought to replace this system with a fingerprint scanning system in an effort to improve safety and prevent employees from fraudulently signing in for colleagues when they weren't actually at work. Superior Wood consequently amended the company's "Site Attendance Policy" to require employees to sign in and out using the fingerprint scanners.
The relevant employee in the Lee case was Jeremy Lee, a casual employee who worked at one of Superior Wood's sawmills, and had done so for several years. Mr Lee objected to the use of the fingerprint scanning system due to privacy concerns. He argued that "once biometric information is digitised, it may be very difficult to contain its use by third parties, including for commercial purposes". After discussions with management and several warnings, Lee's continued refusal to provide his fingerprints resulted in the termination of his employment.
The main question for resolution by the Full Bench was whether the dismissal should be characterised as harsh, unjust or unreasonable in accordance with section 385 of the Fair Work Act 2009.
The information used by the fingerprint scanner was held by the Full Bench to be "sensitive information", as it was "biometric information that is to be used for the purpose of…biometric identification", per section 6 of the Act. As such, Superior Wood required Lee's consent in order to collect and hold that information, in accordance with APP 3.3. On the topic of consent, the Full Bench stated that "a necessary counterpart to the right to consent to a thing is a right to refuse it". Therefore, the request by Superior Wood for Mr Lee to provide his consent to his fingerprints being taken was unlawful. Additionally, if Mr Lee had granted his "consent", that "consent" would have been vitiated by Superior Wood's threat of discipline or dismissal.
Given that Superior Wood's demand that Mr Lee provide his fingerprints was unlawful, his dismissal for refusing to comply with this demand was characterised as unfair in accordance with section 385 of the Fair Work Act. The Full Bench additionally found that the exception for employers provided in section 7B(3) of the Act did not provide a defence in this case, as it only applies where organisations already hold the relevant information. Given that Mr Lee never provided Superior Wood with his fingerprints, the exception did not apply.
Key takeaways:
- Employers must exercise caution around asking employees to provide "sensitive information". The fact that the technology is now readily available to collect biometric data for monitoring attendance does not necessarily mean that its use is lawful. Employers should familiarise themselves with privacy laws in relation the use of such technology before using it. While it may increase efficiencies within the business, this does not override the right of employees to protect their sensitive personal information.
- If the collection of personal information is found to be unlawful, any dismissal of an employee for a refusal to provide such information will also be unlawful.
