When the Australian Privacy Principles interact with Directions to Employees
The recent decision of Lee v Superior Wood Pty Ltd  FWCFB 2946 is a controversial one and is a timely reminder for employers of their obligations when collecting employee personal information.
Superior Wood operates two sawmills in Queensland. Lee was employed as a casual general hand at one of the sites.
In about December 2017, Superior Wood introduced fingerprint scanners in the workplace and a Site Attendance Policy (Policy). The purpose of doing so was for employees to sign in and out of work, which would replace the logbooks previously used to do so.
Lee was concerned that the biometric data which the scanners would obtain could potentially be misused. He raised his concerns with Superior Wood however he was not satisfied with their responses and refused to provide his consent for the scanners to collect his data. Superior Wood believed that it was a reasonable management direction and, based on Lee’s failure to comply with that direction, his employment was terminated.
Lee made an unfair dismissal application following his dismissal, however Commissioner Hunt found that his dismissal was not unfair. In summary, the Commissioner found that Superior Wood had a right, as an employer, to install the scanners and implement the Policy. Although it was acknowledged that Lee was entitled to refuse consent, his doing so meant that he “failed to meet a reasonable request to implement a fair and reasonable workplace policy” (at ).
Lee then lodged an appeal, asserting that the initial decision was flawed for a number of reasons. Those are explored below; however, it is worth first considering what the applicable privacy considerations are.
Privacy Act and the Australian Privacy Principles
Following the Privacy Act 1989 (Cth) (Act), a number of regulatory principles (called the Australian Privacy Principles, or “APP” shortened) were created and apply to certain entities (called “APP entities”). In this case, the Commission found that Superior Wood is an APP entity.
APP 3 deals with the collection of personal information. It prohibits the collection of sensitive information (which includes biometric information) unless the individual provides consent.
APP 5 deals with notification of collection of personal information. An APP entity must take reasonable steps to notify the individual of various things, including who is collecting the personal information, the purpose for doing so, and how the individual can access their information.
Section 7B(3) of the Act provides that certain acts or practices of an employer do not need to comply with the APPs. Broadly, those acts or practices are exempt if they relate to that employee’s personal information “held by” the employer. It extends to personal information of former employees.
Were the fingerprint scanners necessary?
Initially, Commissioner Hunt found that Superior Wood acted out of necessity in installing the scanners, however the Full Bench disagreed. This was for reasons including that:
- Superior Wood had several alternatives to fingerprint scanners (such as swipe keys/fobs) which it had not apparently considered;
- Superior Wood continued to use the manual sign-in/sign-out books, even after the fingerprint scanners were installed;
- there was no evidence that Lee would mislead Superior Wood about his entry and exit times unless the fingerprint scanners were used; and
- there was no evidence that even if the fingerprint scanners were used, Superior Wood would always be able to know his location while at work (a concern Superior Wood raised in support of its decision to install the scanners).
The Commission found that the use of the scanners by Superior Wood was not necessary.
Issues with Superior Wood’s direction to Lee
Superior Wood provided Lee with an ultimatum: either consent to using the fingerprint scanners or face disciplinary action, including dismissal. The Commission found that even if Lee had provided his consent, it would not have been voluntary due to Superior Wood’s threat to him. For that reason, the direction for him to provide his consent was not a lawful one.
The Commission also found that Superior Wood could have taken further measures to explain relevant information to Lee as described in APP 5 above, including how his personal information would be protected and managed. The likely reason is because there was no evidence that Superior Wood had any mechanism to protect and manage personal information, once collected (which is a requirement under the Act).
Superior Wood argued that once Lee’s personal information had been collected, Superior Wood would not have to comply with the APP’s because of section 7B(3) of the Act (see above). However, the Full Bench found that section 7B(3) only relates to records “held by” an employer; that is, records which already exist (collected in accordance with the APP). When collecting employee personal information and creating new records, employers must comply with the APP’s.
The Commission ultimately found that Lee’s refusal to use the fingerprint scanners did not justify his dismissal.
Lessons for employers
A key lesson for employers is that it is vital to understand your obligations under the APP’s and the Privacy Act, when collecting employee personal information. Even more fundamentally, employers should consider whether collecting that personal information is necessary, as there are clear restrictions on how that information can be collected and used. This is becoming a more significant issue for employers migrating to digital systems, and significant care should be taken.
If your business is considering implementing systems which may involve the collection and use of employee personal information, contact the Employment Law Team at Atkinson Vinden Lawyers for advice.
If your business is considering implementing systems which may involve the collection and use of employee personal information, contact the experienced team at Atkinson Vinden Lawyers for advice.