In the recent decision of Jeremy Lee v Superior Wood Pty Ltd  FWC 4762, an employee was dismissed from his job because he refused to provide his fingerprint to his employer. Initially, the Fair Work Commission dismissed his application for unfair dismissal on the basis that this was a valid ground for dismissal. However, on 17 January 2019, the Full Bench of the Fair Work Commission in Jeremy Lee v Superior Wood Pty Ltd t/a Superior Wood  FWCFB 95 granted the applicant permission to appeal the decision on the basis that there was an arguable case of 'appealable error'.
Biometric data collection is becoming increasingly common in the workplace. For example, the data can be used to control employee's access to restricted areas, timekeeping and using software. However, this raises issues surrounding collection of data, obtaining consent, retention policies, biometric data ownership, how information is stored and protected in the workplace and in particular, whether an employer has valid grounds to dismiss an employee for refusing to provide sensitive information.
Superior Wood Pty Ltd t/a as Superior Wood (Superior Wood) operates two sawmills at Melawondi and Imbil in Queensland and is part of the Finlayson Group. Mr Jeremy Lee was employed as a casual General Hand for a period of 3.25 years at both sites. In October 2017, Superior Wood introduced a new 'Site Attendance Policy' (Policy) as a safety measure. The Policy provided that employees would only be allowed access to a site, once their fingerprint had been scanned.
Mr Lee objected to the collection of his biometric information and refused to use the scanners. As an alternative, he proposed that he continue using the 'paper sign-in' process or the swipe card system.
On 12 February 2018, Mr Lee's employment with Superior Wood was terminated on the grounds that he failed to adhere to the Policy and comply with lawful directions by his employer to adhere to the Policy. Mr Lee lodged an unfair dismissal application with the Fair Work Commission (Commission) claiming that his dismissal was 'harsh, unjust and unreasonable" and therefore unfair within the meaning of s.387 of the Fair Work Act 2009 (the Act).
Mr Lee submitted that his failure to comply with the Policy or Superior Wood's direction to comply with the Policy did not constitute a valid reason for his dismissal, as the Policy was unlawful (and as such so were the directions) because it contravened the Privacy Act.
Both parties did not contest:
- that the sole reason for Mr Lee's dismissal was his failure to comply with both the Policy and Superior Wood's directions that he adhere to the Policy; and
- that Superior Wood was subject to the Privacy Act and as such obliged to adhere to its obligations under that act.
The relevant law
Section 13G of the Privacy Act provides:
"An entity contravenes this subsection if:
- The entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or
- The entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals."
The phrase "interference with the privacy of an individual" is defined in section 13 of the Act to mean:
- "An act or practice of an APP entity [an agency or organisation] is an interference with the privacy of an individual if:
- The act or practice breaches an Australian Privacy Principle [APP] in relation to personal information about the individual; or
- The act or practice reaches a registered APP code that binds the entity in relation to personal information about the individual.
Section 15 of the Privacy Act provides that an APP entity must not do an act, or engage in a practice that breaches an APP.
The APP's are set out in Schedule 1 of the Privacy Act. They stipulate, amongst other things, that APP entities must:
- manage personal information in an open and transparent way (APP 1.1);
- have a clearly expressed and up to date policy about the management of personal information by the entity and sets out what information the policy must contain (APP 1.3);
- if an APP entity is an organisation, the entity must not collect personal information unless the information is reasonable necessary for one or more of the entity's functions or activities (APP 3.2) ; and
- must not collect sensitive information, without the individual's consent (APP 3.3).
The Privacy Act contains an employee records exemption, section 7B(3) of the Privacy Act. This exempts private sector organisations from the operation of the Privacy Act in circumstances where the private sector organisation is or was an employer of an individual and where its act or practice is related directly to the employment relationship between the organisation and the individual, and the employee record held by the organisation.
The parties submissions
Superior Wood submitted that a failure by an employee to follow the employer's lawful and reasonable direction can constitute a valid reason for dismissal. The Policy was reasonable and that there was a valid reason for the termination of Mr Lee's employment as he failed to comply with the Policy. There were no reasonable privacy concerns involved in the use of the scanners and that it had not breached the Privacy Act as the employee records exemption applied.
Mr Lee submitted that the Policy was unlawful (and as such so were the directions) as it contravened section 13 (G) of the Privacy Act as:
- Superior Wood did not have an APP Policy;
- the scanners were collecting "sensitive information", as that term is defined under the Privacy Act and Superior Wood had not informed its employees that the scanners were collecting sensitive information;
- Superior Wood's employees had not consented to Superior Wood collecting their sensitive information;
- Superior Wood's employees had not given their consent to the collection of sensitive information;
- the scanners were not owned by Superior Wood, but Finlayson Timber, and each time an employee used a scanner, Finlayson Timber would have received sensitive information about the employee, without the employees consent; and
- if the employee records exemption applied (which he denied), it only protected the Superior Wood and not Finlayson Timber.
Determination by the Commission
The Commission determined that the Policy was not "unjust or unreasonable" as it improved safety and the "integrity and efficiency" of the payroll system across the Finlayson Group. The Commission then went on to determine whether Superior Woods had breached the Privacy Act and whether those breaches made the Policy unlawful.
The Commission found:
- the information collected by the scanners was "sensitive information", as defined by section 6 of the Privacy Act, and that prior to the introduction of the scanners, Superior Wood did not:
- inform its employees that that the scanners collected their sensitive information;
- provide them with a collection notice regarding the collection of their sensitive information (as it was required to do under the Privacy Act); or
- discuss the obligations imposed on it in handling the employee's sensitive information;
- that the employee record exemption did not exempt Superior Wood from complying with its obligations under the Privacy Act in respect of collecting its employee's sensitive information; and
Although the Commission acknowledged that Superior Woods had breached the Privacy Act, those breaches did not render the Policy unlawful. As such, the Commission determined that Mr Lee failure to comply with the Policy was a valid reason for his dismissal.
The Full Bench of the Fair Work Commission granted permission for Mr Lee to appeal on the basis that:
- There is an arguable case of appealable error identified in the appeal as to whether the request to comply with the Policy was lawful and/or reasonable;
- Whether the Commission's findings as to the application of the Privacy Act were reasonable and or appropriately balanced with the exercise of the Commission's discretion under Part 3-2 of the Act – Unfair Dismissal;
- To the extent the Privacy Act is relevant, whether the employee record exemption applies to the process by which the employee record is obtained or created;
- Whether an employee's refusal to provide consent to the collection of sensitive "information about an individual" is a breach of the Policy;
- Whether the "consent" required by APP 3.3 includes "implied consent" in circumstances where the employees have registered their fingerprint algorithm to be used by the scanners without first having been notified as required under the Privacy Act; and
- There was a public interest in the issue of whether an employee's refusal to provide their biometric data for purpose of recording a person's presence at the workplace constitutes a valid reason for dismissal pursuant to section 387(a) of the Act.
Ramifications on employers and employees
Other than the Privacy Act, which was not drafted to address employment issues, there is no legislation which protects an employee's employment if he/she refuses to provide his/her consent to his/her employer to collect and store their biometric data. With the increasing collection of employee data in the workplace, this decision may influence and encourage legislative reforms to recognise the implications of biometric data collection. Further, it is hoped that when the Full Bench determines the appeal it will provide clarity as to what extent the Privacy Act will apply to protect employees in this regard.
In the meantime, employers should review their current policies and procedures in the workplace relating to the collection of biometric data to ensure that they have policies and that their policies and procedures concerning the collection of biometric data complies with their obligations under the Privacy Act.