Can an employer force you to provide your biometric data? In this case of Jeremy Lee v Superior Wood Pty Ltd, Jeremy Lee objected to his employer’s direction to use a fingerprint scanner to sign in and out of his work site, under Superior Wood’s Site Attendance Policy. Mr Lee argued that he owned the biometric data contained within his fingerprint, and that as ‘sensitive information’ under the Privacy Act 1988, his employer was not entitled to require he provide this information.
Following the implementation of the Policy, Mr Lee was provided with verbal and written warnings, directing him to adhere to the Policy and provide his fingerprint. After Mr Lee’s continued refusal, his employment was terminated for failing to follow a lawful and reasonable direction to comply with the Policy.
At first instance, Commissioner Hunt held that the direction to provide the fingerprint scan was both lawful and reasonable. The Full Bench of the Fair Work Commission quashed this decision, finding Superior Wood’s direction to be unlawful, as it breached the Australian Privacy Principles in the Privacy Act, specifically, Australian Privacy Principle 3.
Superior Wood argued that the Privacy Act’s employee records exemption applied to collection of fingerprint information. The Full Bench found that the employee records exemption did not encompass employee records that were not yet ‘held’ by an organisation. Because of this, Superior Wood was obligated to follow the APPs when soliciting personal information from employees. As a result, the Full Bench determined that Superior Wood’s actions in directing Mr Lee to provide sensitive information were directly inconsistent with Australian Privacy Principle 3, which requires sensitive information to be solicited by consent.
This decision is notable for two reasons:
- the FWC’s interpretation of the employee records exemption within Privacy Act; and
- the impact of the FWC’s current interpretation of the employee records exemption, and the effect that this could have on:
- the roll out of sign-in technology; and
- the ability for employers to direct employees to provide sensitive information in other circumstances such as Independent Medical Examinations or drug and alcohol testing
Employee records exemption
The Fair Work Commission interpreted section 7B(3), the employee records exemption in the Privacy Act, as limited to individual records currently held or within the possession or control of the employer. It specifically stated that it ‘does not encompass employee records that are yet to be held by an organisation’. As a result, the FWC determined that Superior Wood was required to follow the APPs applicable to the collection of personal information, before the information was ‘held’ and then subject to the exemption.
This appears to be a novel interpretation of the employee records exemption, despite it having some justification based on the specific wording of the exemption. We are not aware of any material where the Office of the Australian Information Commissioner have expressed the view that the employee records exemption does not apply to the APPs relating to collection of personal information. Certainly the OAIC has recommended on a number of occasions that the exemption should be removed from the Privacy Act, and may support the FWC’s interpretation, at least from a policy perspective.
In an Information Sheet originally issued around the time the exemption commenced, the OAIC’s predecessor noted that employers’ contracted service providers could not rely on the exemption. It stated that, ‘an organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of NPP 1’, (NPP 1 corresponds to the current APP 5, one of the principles applicable to collection of personal information). In our view, this publication infers that the Office of the Privacy Commissioner considered that NPP 1 was not even applicable to the employer itself, if it did, we are if the opinion that the Information Sheet would have referred to a different NPP to illustrate its point about contracted service providers.
Furthermore, commentary from the Australian government at the time of introducing the employee records exemption suggests an intention that the employee records exemption would apply broadly. The Hon Daryl Williams AM QC MP, Attorney-General, stated in his Second Reading Speech that, ‘the exemption is limited to collection, use or disclosure of employee records where this directly relates to the employment relationship’ (emphasis added). Further, the Revised Explanatory Memorandum for the Privacy Amendment (Private Sector) Bill 2000, which introduced the exemption, stated that,
the Government has agreed that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the operation of the legislation if the act or practice is directly related to the current or former employment relationship.
We note that ‘handling’ is not a defined term, however, it is generally considered to cover collection, storage, use and disclosure.
Can the previous suggestions consistent with a broader interpretation of the exemption be reconciled with the words in the Privacy Act itself? Arguably, the FWC’s interpretation was based on the idea that each piece of employee personal information was a separate ‘employee record’ and that the conduct in question needed to directly relate to that specific piece of information (e.g. collection of that fingerprint, use of that fingerprint, disclosure of that fingerprint). On that basis, as the fingerprint was not yet ‘held’ by Superior Wood, the exemption did not apply. In an alternate view, ‘an employee record held’ could be interpreted as a worker’s employee record more broadly (e.g. a personnel file). On this interpretation, the collection process, in which Superior Wood directed Mr Lee to provide his biometric data, would fall within the exemption, as it would be conduct that directly related to Mr Lee’s employee record (in a broader sense), which was held by Superior Wood.
Read Report – https://constitutionwatch.com.au/biometric-data-the-privacy-act-1988/