Australia: biometric data, the Privacy Act, and the employee records exemption

In Jeremy Lee v Superior Wood Pty Ltd,^[1] the Full Bench of the Fair Work Commission (FWC) considered the lawfulness of an employer directing an employee to provide their biometric data. 

In this case, Mr Lee objected to his employer’s direction to use a fingerprint scanner to sign in and out of his work site, under Superior Wood’s Site Attendance Policy (Policy). Mr Lee argued that he owned the biometric data contained within his fingerprint, and that as ‘sensitive information’ under the Privacy Act 1988 (Cth) (Privacy Act), his employer was not entitled to require he provide this information.

Following the implementation of the Policy, Mr Lee was provided with verbal and written warnings, directing him to adhere to the Policy and provide his fingerprint. After Mr Lee’s continued refusal, his employment was terminated for failing to follow a lawful and reasonable direction to comply with the Policy.

At first instance, Commissioner Hunt held that the direction to provide the fingerprint scan was both lawful and reasonable.^[2] The Full Bench of the Fair Work Commission quashed this decision, finding Superior Wood’s direction to be unlawful, as it breached the Australian Privacy Principles (APP) in the Privacy Act, specifically, APP 3.

Superior Wood argued that the Privacy Act’s employee records exemption applied to collection of fingerprint information. The Full Bench found that the employee records exemption did not encompass employee records that were not yet ‘held’ by an organisation. Because of this, Superior Wood was obligated to follow the APPs when soliciting personal information from employees. As a result, the Full Bench determined that Superior Wood’s actions in directing Mr Lee to provide sensitive information were directly inconsistent with APP 3, which requires sensitive information to be solicited by consent.

This decision is notable for two reasons:

• the FWC’s interpretation of the employee records exemption within Privacy Act; and
• the impact of the FWC’s current interpretation of the employee records exemption, and the effect that this could have on:
  • the roll out of sign-in technology; and
  • the ability for employers to direct employees to provide sensitive information in other circumstances such as Independent Medical Examinations (IME) or drug and alcohol testing

Employee records exemption

The FWC interpreted section 7B(3), the employee records exemption in the Privacy Act, as limited to individual records currently held or within the possession or control of the employer. It specifically stated that it ‘does not encompass employee records that are yet to be held by an organisation’. As a result, the FWC determined that Superior Wood was required to follow the APPs applicable to the collection of personal information, before the information was ‘held’ and then subject to the exemption.

This appears to be a novel interpretation of the employee records exemption, despite it having some justification based on the specific wording of the exemption. We are not aware of any material where the Office of the Australian Information Commissioner (OAIC) (or its predecessors) have expressed the view that the employee records exemption does not apply to the APPs relating to collection of personal information. Certainly the OAIC has recommended on a number of occasions that the exemption should be removed from the Privacy Act, and may support the FWC’s interpretation, at least from a policy perspective.

In an Information Sheet originally issued around the time the exemption commenced,^[3] the OAIC’s predecessor noted that employers’ contracted service providers could not rely on the exemption. It stated that, ‘an organisation that collects employee records about a person from the organisation employing that person will have to comply with the notice requirements of NPP 1’,  (NPP 1 corresponds to the current APP 5, one of the principles applicable to collection of personal information). In our view, this publication infers that the Office of the Privacy Commissioner considered that NPP 1 was not even applicable to the employer itself, if it did, we are if the opinion that the Information Sheet would have referred to a different NPP to illustrate its point about contracted service providers.

Furthermore, commentary from the Australian government at the time of introducing the employee records exemption suggests an intention that the employee records exemption would apply broadly. The Hon Daryl Williams AM QC MP, Attorney-General, stated in his Second Reading Speech that, ‘the exemption is limited to collection, use or disclosure of employee records where this directly relates to the employment relationship’ (emphasis added). Further, the Revised Explanatory Memorandum for the Privacy Amendment (Private Sector) Bill 2000, which introduced the exemption, stated that,

the Government has agreed that the handling of employee records is a matter better dealt with under workplace relations legislation. An act or practice engaged in by a current or former employer of a person in relation to an employee record will be exempt from the operation of the legislation if the act or practice is directly related to the current or former employment relationship.

We note that ‘handling’ is not a defined term, however, it is generally considered to cover collection, storage, use and disclosure.

Can the previous suggestions consistent with a broader interpretation of the exemption be reconciled with the words in the Privacy Act itself? Arguably, the FWC’s interpretation was based on the idea that each piece of employee personal information was a separate ‘employee record’ and that the conduct in question needed to directly relate to that specific piece of information (e.g. collection of that fingerprint, use of that fingerprint, disclosure of that fingerprint). On that basis, as the fingerprint was not yet ‘held’ by Superior Wood, the exemption did not apply. In an alternate view, ‘an employee record held’ could be interpreted as a worker’s employee record more broadly (e.g. a personnel file). On this interpretation, the collection process, in which Superior Wood directed Mr Lee to provide his biometric data, would fall within the exemption, as it would be conduct that directly related to Mr Lee’s employee record (in a broader sense), which was held by Superior Wood.

IMEs and drug and alcohol testing

This decision has raised a number of concerns among employers in regards to directing employees to attend IMEs or participate in drug and alcohol testing, as these examinations and tests involve the collection of sensitive information, which often requires consent under APP 3. The Federal Circuit Court of Australia has clearly stated that employers are entitled to direct an employee to attend an IME, on a reasonable basis. This right arises from employers’ obligations under relevant state-based occupational health and safety (OHS) laws to provide a safe place of work for their employees, which includes a right to require an employee, on a reasonable basis, to attend an IME.^[4] This same logic could be applied to directing employees to participate in drug and alcohol testing. We also note that there is a legislated requirement for some employers to conduct drug and alcohol testing, for example, employers covered by the Code for the Tendering and Performance of Building Work 2016 (Cth).

If the view in Lee v Superior Wood is applied and the APPs are required to be adhered to in the collection of sensitive information, APP 3.4 provides some exceptions to consent, including where ‘the collection of the information is required or authorised by or under an Australian law’. It could be argued, that the information provided by IMEs or through drug and alcohol testing, is required (in appropriate situations) to ensure ongoing compliance with OHS law. Where this is the case, employee consent would not be required under the Privacy Act. In serious medical or health situations, employers would also be exempt from needing consent when collecting health information if the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual.^[5]

Even if consent is not required for the reasons above, other APP requirements relating to collection of personal information would still apply, for example APP 5 which requires notification about the handling of personal information. This notification does not have to be issued at the time of collection and can be issued before collecting personal information (e.g. at the commencement of employment) or, as soon as practicable after collection. Also, other parts of APP 3 would still be relevant, including with respect to only collecting personal information that is reasonably necessary, collecting directly from the individual unless unreasonable or impractical and collecting by lawful and fair means (e.g. avoiding deceptive collection). These obligations apply to all personal information, not only sensitive information.

Implications for employers

While there are arguments supporting a broader view of the employee records exemption, the FWC’s decision states that the APPs apply to employers in the collection of personal information, prior to the records being held and subsequently subject to the exemption. On this basis, employers that had been relying on the exemption in relation to the collection of employee personal information may need to revisit their practices considering:

• collection of sensitive information;
• issuing of privacy collection notices to employees;
• allowing employees to be anonymous or use pseudonyms in appropriate circumstances;
• collection of unnecessary employee personal information;
• collection of employee personal information by unfair means; and
• collection of employee personal information via third party sources.

Specifically, when attempting to implement technologies that rely on biometric data, employers must consider their options for implementation should an employee refuse to participate. This may include:

Alternate practices

Employers may wish to consider an alternate workplace practice for employees who refuse to provide their biometric data. Alternatively, to avoid risk entirely, employers may wish to reconsider the need for technology that relies on biometric data, and implement technologies that improve efficiencies without employees’ sensitive information. This could include issuing personalised swipe cards to gain access to site or sign on.

Consent via contracting

Employers may wish to minimise the risk of employees refusing to provide biometric data through contracting. For example, the inclusion of a standard clause in an employment contract that confirms that an employee consents to certain collection and use of their biometric data. For existing employees, an employer could consider making an employee’s annual wage review contingent on the employee agreeing to comply with all of the employer's new policies and procedures (including the collection and appropriate use of biometric data). This would incentivise employees to provide their consent (as opposed to take away from an employee’s genuine consent with the threat of termination should they refuse to comply). Consideration would need to be given to whether denying the employee the incentive is too harsh a consequence, as the OAIC suggests that ‘consent is not voluntary where there is duress, coercion or pressure that could overpower the person’s will’. The seriousness of the consequences of refusal to consent are a factor in assessing this.

Employees’ consent can also be withdrawn at any time. This is the view of the OAIC and was also noted in the Explanatory Memorandum of the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which inserted the APPs into the Privacy Act. This means that creating an incentive for an employee to agree to provide his or her biometric information does not necessarily guarantee that the employee will not withdraw their consent when requested to provide their biometric information.

Considering other permitted exceptions

As outlined above, if the collection of sensitive information is required or authorised by or under an Australian law, employers do not require employee consent for the collection. Employers may wish to consider whether OHS, security, or privacy obligations require the level of security provided by biometric scanners, and whether this would remove the need for consent (and allow an employee to be directed to provide such information).

Ultimately, there are a number of ways in which an employer could approach the situation, when attempting to implement technologies that use biometric data.

We will be happy to advise employers on their obligations as and when these circumstances arise in the future.

_________________________

[1] [2019] FWCFB 2946.
[2] [2018] FWC 4762.
[3] Office of the Privacy Commissioner, Information Sheet (Private Sector) 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions, updated 2007, available at https://www.oaic.gov.au/privacy-law/privacy-archive/privacy-resources-archive/information-sheet-private-sector-12-2001-coverage-of-and-exemptions-from-the-private-sector-provisions.
[4] Swanson v Monash Health [2018] FCCA 538.
[5] Privacy Act 1988 (Cth), s 16A.

This article was written by Kaman Tsoi, Special Counsel, Deanna Carlon, Solicitor and Ansel Rens, Graduate.

For more information or advice on this topic, please contact: