By Charles Power
Employers that use biometric fingerprint scanners for employees signing in and out of work are potentially subject to Australian privacy legislation according to a recent Fair Work Commission (FWC) ruling.
The Privacy Act 1988 (Cth) applies to private sector organisations with annual turnover of more than $3 million. The Act requires records of personal information to be handled in accordance with the Australian Privacy Principles (APPs). The APPs require the person to whom the information pertains to give genuine consent to the collection. However, dealings with a record of personal information relating to the employment of an existing or prospective employee are exempt.
In Lee v Superior Wood Pty Ltd (2019) the FWC ruled the APPs applied to an employer in connection with the solicitation and collection of sensitive personal information from employees, up to the point of collection. Once the information was collected, the employee records exemption was enlivened and the Privacy Act no longer regulated its use or disclosure.
In that case, the employer dismissed an employee for refusing to consent to having his fingerprints scanned. The employer had replaced the manual signing-in process with a biometric fingerprint scanner.
The reason for dismissal was the employee’s refusal to follow the ‘lawful and reasonable’ direction to comply with the new scanning policy, which the business asserted was necessary for a number of reasons including safety.
The employee successfully claimed the dismissal was unfair.
The FWC ruled that the direction to the employee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction.
Any consent the employee might have given once told that he faced discipline or dismissal would likely have been invalidated by the threat of dismissal and would not have been genuine consent.
Moreover, the FWC considered the direction was unreasonable because, in asking for consent, there needed to be a right to refuse it.
The FWC ruled that the Privacy Act’s employee records exemption did not apply because the employer did not actually hold a record of personal information. The record had not yet been created and was not yet in the possession or control of the employer because the employee had refused consent.