Introduction
A Full Bench of the Fair Work Commission (Full Commission) has recently handed down a decision which potentially carries some interesting implications in privacy and employment law.
Mr Jeremy Lee (Lee) was dismissed by his employer Superior Wood Pty Ltd (Superior Wood) after he refused to comply with a direction to provide his fingerprints. In Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946, the Full Commission found that this dismissal was unfair, because Mr Lee was entitled to decline to provide his consent to the collection of his fingerprints under the Privacy Act 1988 (Cth) (Privacy Act), even as an employee, and that the direction issued by Superior Wood was accordingly not lawful.
Many acts undertaken by employers involving the personal information of employees will be outside the scope of the Privacy Act, but this Full Commission’s decision illustrates that this will not always be the case. However, because certain conduct of employers will be exempt, some unusual consequences can arise.
Employers subject to the Privacy Act (including Australian Government agencies, organisations with an annual turnover of more than $3 million as well as some other organisations) should revisit their contracts of employment and policies and procedures to ensure they have appropriate clauses concerning the collection of personal information in light of the Commission’s decision.
The facts
Sawmill operator Superior Wood introduced fingerprint scanners at Mr Lee’s workplace to record the attendance of its employees at the start and end of each shift. A corresponding Site Attendance Policy (Policy) was subsequently introduced stipulating that all employees must use the biometric scanners to record attendance or face disciplinary action. The Policy also reinforced that merely signing attendance sheets would no longer be acceptable.
Mr Lee refused to comply with the Policy and continued to manually sign in and out using attendance sheets, citing concerns about the control of the biometric data contained within his fingerprint and Superior Wood’s inability to guarantee that his data would be protected against third party access once it was stored electronically. He was subsequently terminated for his continued failure to follow the Policy.
Mr Lee then took the matter to the Full Commission, claiming he had been unfairly dismissed.
Decision at first instance
The claim was first heard before Commissioner Hunt who ultimately found that the dismissal was not unfair, as the Policy was a lawful and reasonable direction which Mr Lee was obliged to comply with. While the Commissioner also noted her concerns over potential breaches of the Privacy Act by Superior Wood, including its lack of privacy policy and failure to issue a collection notice, she did not accept that such breaches would have rendered the Policy unlawful. Any breaches of the Privacy Act, according to the Commissioner, would be a matter for the Office of Australian Information Commissioner (OAIC).
Instead, the Commissioner found the Policy to be a reasonable one as it allowed the employer to improve upon “an inherently unsafe obligation” to attempt to manually account for employee attendance in the event of an emergency. She also considered it persuasive that the introduction of the Policy would improve payroll integrity and efficiency.
Decision on appeal
On appeal, the three member panel of the Full Commission opted for a more holistic approach to determine the matter. Unlike Commissioner Hunt, the Full Commission ruled that the legality of Superior Wood’s actions under the Privacy Act was central to deciding whether the Policy itself was a lawful and reasonable direction.
Under the Privacy Act:
- Organisations typically require consent to collect sensitive information about individuals, such as biometric data; but
- An “employee records exemption” (Employee Records Exemption) removes the need for employers to comply with the Privacy Act’s requirements insofar as they relate to personal information about current and former employees held in “employee records”.
Accordingly, one of the key questions considered by the Full Commission was whether Superior Wood’s use of fingerprint scanners to collect sensitive information from its employees would be exempt from compliance with the Privacy Act by way of the Employee Records Exemption. If this was not the case, then Superior Wood would require Mr Lee’s consent in order to collect his biometric information.
While the Employee Record Exemption is very broad, it does have limits. The Full Commission noted that the wording of the Employee Records Exemption extends only to acts or practices directly related to “an employee record held by the organisation” (emphasis added). As a result, the Full Commission found that:
“A record is not held if it has not yet been created or is not yet in the possession or control of the organisation. The exemption does not apply to a thing that does not exist or to the creation of future records.”
As the Full Commission then explained:
“The significance of that finding is that the Australian Privacy Principles applied to Superior Wood in connection with the solicitation and collection of sensitive information from employees, up to the point of collection. Once collected, the employee records exemption was enlivened and the Privacy Act no longer regulated its use or disclosure.”
In the context of this matter, this meant that Superior Wood required Mr Lee’s consent in order to collect his biometric information, although, curiously, once this was collected it could be dealt with by Superior Wood without regard to the Privacy Act.
As a consequence of these findings, the Full Commission further considered that:
- “The direction to Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction”; and
- Any consent compulsorily obtained from Mr Lee pursuant to such a direction “would not have been genuine consent”, because a “necessary counterpart to a right to consent to a thing is a right to refuse it”.
Notwithstanding the Full Commission’s view that the scanners offered “safety benefits”, it considered that the main function of Superior Wood’s system was “clearly to improve its payroll operation”.
In finding that Superior Wood’s Policy and direction was unlawful, the Full Commission ultimately held that Superior Wood did not have a valid reason to dismiss Lee.
Implications
Privacy
This decision highlights that the Employee Records Exemption is subject to limitations, and that employers cannot ignore all obligations under the Privacy Act.
As seen in this particular decision, employers will need to ensure that they have genuinely obtained consent of their employees before collecting sensitive information. However, even when collecting other, non-sensitive personal information, the Australian Privacy Principles (APPs) will impose relevant obligations.
APP 5 requires organisations to take reasonable steps to notify or otherwise make individuals aware of certain matters before collecting their personal information. This is often done by way of a “privacy collection notice”. The matters to be notified include information about the organisation’s privacy policy, the purposes for which information will be used, the kinds of persons to which personal information may be disclosed, and how individuals can access and correct their information.
The Full Commission specifically noted that Superior Wood did not have a privacy policy in place, nor did it provide Mr Lee with a privacy collection notice or otherwise satisfy APP 5. However, the Full Commission’s findings regarding the scope of the Employee Records Exemption lead to some curious consequences in this respect.
For example, a privacy collection notice (or other similar steps) will be required at the time of collection, because at this stage in the process the information is not held by an employer, and therefore will not be covered by the Employee Records Exemption. This notice will need to address, amongst other things, how employees can access and correct the information held by their employer. However, once information is held by their employer, the Employee Records Exemption will apply, and those employees will have no automatic entitlement to access their own personal information. Privacy collection notices will presumably need to make that situation clear, necessitating different notices for employees relative to other individuals a business may deal with.
Employment
From an employment law perspective, this case has the potential to have enormous consequences for employers subject to the Privacy Act. The case makes a unique point on the interaction between employee autonomy and compliance with an employer’s lawful and reasonable directions.
For example, this decision may call into question an employer’s ability to lawfully direct an employee to attend an independent medical examination or submit to a drug or alcohol test as such activities involve the collection of sensitive information which requires prior consent under APP 3. Issues may arise for an employer if an employee refuses to submit to such an examination or test.
However, APP 3 has certain exemptions. Consent is not required where the collection of the sensitive information is required or authorised by or under an Australian law. An employer may therefore be able to argue that such a direction is lawful and reasonable as it is required or authorised under the relevant work health and safety legislation to allow an employer to comply with its duty of care. Time will tell how industrial courts and tribunals apply this decision in the future.
In the meantime, we recommend employers ensure they have:
- A privacy policy in place which complies with the Privacy Act;
- Policies and procedures concerning fitness for work and drug and alcohol testing (if appropriate and applicable for the individual business); and
- Appropriate terms and conditions in their contracts of employment concerning the collection of personal information in certain situations (including medical assessments and drug and alcohol testing).
This article was written by Luke Dale, Partner, Clare Raimondo, Partner, Daniel Kiley, Special Counsel, Jessica Nicholls, Senior Associate and Stephanie Leong, Law Graduate.
