The recent Fair Work Commission (FWC) case of Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 has illustrated a number of holes in current privacy legislation.

Mr Lee's employer dismissed him as he refused to give biometric information - his fingerprint - for the purpose of safety and linking individuals to payroll records.

However, the FWC held that the collection of biometric information required his consent and, as there was no voluntary element to the provision of biometric information by the employee i.e. provide your fingerprint or you will be dismissed, the employer was in breach of the Privacy Act 1988 (Cth) (Privacy Act).

The employer argued that employee records were exempt under the Privacy Act. But this exemption only operates once information is collected by the organisation.

The case (explored in greater detail here) raises an interesting question as to whether the collection of biometric data in an employment context can meet the requirements of the Privacy Act.

Mandatory collection of biometric data

To begin, for anyone to consent to the collection of their personal information there are four elements of consent. It must be voluntary, informed, current and specific. In the case of Mr Lee the issue was that he either consent or be dismissed. That is, his continuing employment would terminate in the absence of consent. This meant there was no "voluntary" element available if there is no consent.

If a contract provides that it is a term of the contract that the individual provides their biometric data then arguably this is a voluntary collection because there is no existing relationship and one might argue that this is a reasonable perspective for an employer to take.

However, under the Privacy Act there are additional requirements that can impact the consent.

For example, the collection must be reasonably required for the conduct of the entity's business. In this case, the use of the biometric technology was adopted as a way to reduce costs but without reference to alternative methodologies.

It is, in many ways, a frightening issue from a human rights perspective if obtaining a job to be a general hand at a timber mill – as was the case in this matter -comes at the cost of providing one's biometric data.

No consent - no job. Life begins to look like George Orwell's 1984.

Failure to protect collected data

This aspect of the case is also concerning from the perspective that in relying on the employee records exemption, the employer sought to avoid the obligation to provide employees with relevant information about how their data was used, and take steps to ensure that their data was kept secure. It is evident they had not contemplated the likely and possibly significant negative consequences of a privacy breach.

The employer relied on assurances by the vendor of the biometric technology, who incidentally did not itself have a privacy policy and appeared not to be conversant with the Privacy Act obligations, that there was no issue to be concerned about.

This case is illustrative of the fact that the employee records exemption is often difficult to reconcile with the operation of the Privacy Act and difficult to reconcile that in cases such as this, where it results in a consequence that employee information may be afforded a much lower level of security and protection than that of other stakeholders who deal with the employer.

What about a breach?

If in fact there is a breach or unauthorised access as a result of the employer's failure to keep information secure, then the employee records exemption would not apply to that breach and it is likely that the employer would be at risk of penalties and also claims by employees for compensation and damages. It is important to note that employee information usually has a full suite of identifying information which makes it easy for hackers to steal identities and this has been the case in the past with tax file numbers.

What are the privacy lessons from this case?

This case illustrates the difficulty of reconciling the employee records exemption, which was only ever expected to be a temporary exemption on the basis that other industrial legislation would fill the void, with general Privacy Act obligations. It has not, nor is there any indication this will change in the near future.

Employers should consider best practice in terms of affording their employees the same basic protections of their personal information as are required under law for other stakeholders.

Considering privacy by design and whether various data elements are required to be collected, how they will be stored and how they will be shared, are key elements to a robust privacy and data protection environment.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.