Following the Fingerprints: Can Employers legally collect and store Employees’ Sensitive Data?
Do you collect and store your employees' sensitive data? A recent decision by the Fair Work Commission Full Bench has analysed closely whether employers can legally collect and store their employees’ data.
There are many reasons why an employer may find it useful to collect and store employee data, such as personal contact details, emergency contacts, health information or records. And where companies implement and encourage a ‘Bring Your Own Device’ (‘BYOD’) policy that allows employees to use their personal phones, laptops and tablets to engage in work activities. Employees are usually required to download software onto their devices to allow them to log into and access company data, and for privacy and cyber security purposes, this software may also allow the employer to access data on employees’ personal devices.
Previously, guidance provided by the Office of the Australian Information Commissioner suggested that employers could legally store employee data without breaching the Privacy Act if the data related to the employee’s employment.
However, the recent Fair Work Commission Full Bench decision in Jeremy Lee v Superior Wood  has held that this exception only applies to data already held by the employer. Furthermore, employees are entitled to refuse to allow their employer to collect and store ‘sensitive information’ about them, including biometric data obtained from BYOD personal devices, or in this case, fingerprints.
Facts of the Case
Jeremy Lee was employed by Superior Wood, a company that operates Sawmills in Queensland. Previously, employees of Superior Wood were required to use a ‘sign in and sign out’ book to log their shift times. However, Superior Wood discovered that employees were signing in for their colleagues when they were not actually at work. Superior Wood decided to implement a fingerprint scanning system to replace the sign-in book and amended their ‘Site Attendance Policy’ accordingly.
Mr Lee refused to register his fingerprint in the system and continued to use the manual sign-in book. After directions, discussions and warnings, Mr Lee’s employment was terminated.
Mr Lee made an unfair dismissal claim in the Fair Work Commission. The Commission held that the dismissal was not unfair. However, on appeal to the Full Bench, this decision was overturned. The Full Bench held that:
- the ‘Site Attendance Policy’ did not apply to Mr Lee, as his employment contract specified that he was only bound by company policies in place at the commencement of his employment (a drafting point worth noting);
- as to whether Superior Wood’s direction to use the fingerprint scanner was a ‘reasonable and lawful’ direction, under the Privacy Act, records held by an organisation in connection to a person’s employment are exempt from Privacy Act requirements, but this exemption only applied to records already held by the employer, not the collection of data, and even more so sensitive personal information;
- therefore Superior Wood did have to comply with the provisions of the Privacy Act, including the prohibition on collecting ‘sensitive information’, including biometric data, without the person’s consent;
- and therefore, Superior Wood’s direction to Mr Lee to submit to mandatory fingerprint scans was not a ‘reasonable and lawful’ direction, and not a sound basis for termination; and
- while it was acknowledged that the implementation of the fingerprint scanner may have offered some safety benefits by providing a record of which employees were on site in the case of an emergency, these safety benefits did not outweigh the requirement for Superior Wood to comply with the provisions of the Privacy Act.
What does this mean for employers?
Further, if an employer wants to implement a new workplace practice for the purposes of improving safety, and that safety feature somehow collects and stores sensitive data from employees, employers first need to obtain explicit consent from employees before implementing the new workplace practice.
Finally, employers should ensure that employment contracts refer to policies as amended from time to time, not just the policies that are in place at the date of the contract.
If you think that your employment contracts or privacy policies need to be updated, please contact our Employment Law Team.
Authors: Stephen Booth and Tom Dearden, Coleman Greig Lawyers.