The Full Bench of the Fair Work Commission this week held that an employee was unfairly dismissed for refusing to follow the employee’s direction to log in and out of work using a fingerprint scanner, on the grounds that this was not a ‘valid reason’ for dismissal. Typically, employers are able to dismiss an employee who fails to follow a lawful and reasonable direction. The effect of this decision, therefore, is that an employer’s direction to an employee to provide biometric data, in the absence of the employee’s consent, is not lawful and reasonable.
Jeremy Lee was an employee of Superior Wood Pty Ltd, which operates two sawmills in Queensland. At the end of 2017, Superior Wood sought to implement electronic fingerprint scanning, to replace hard copy attendance records which involved each employee signing in and out in a book. After significant consultation with the employees, and a trial period, the fingerprint scanning was introduced in January 2018, and the employees were directed to provide a fingerprint scan. The purposes of the introduction of the scanning was to improve workplace health and safety, by automating real time attendance recording, as well as the improvement of payroll integrity.
Mr Lee refused to provide this scan, on the basis that it was unlawful under the Privacy Act 1988 (Cth), expressing concerns about the employer’s capacity to ensure that his biometric data would be kept private from data loss to third parties.
Mr Lee maintained his objection throughout a process involving two verbal warnings, a written warning, and a show cause letter. Mr Lee was dismissed on 12 February 2018.
He brought an application under section 394 of the Fair Work Act 2009 (Cth) for an unfair dismissal remedy. At first instance, in Jeremy Lee v Superior Wood Pty Ltd T/A Superior Wood [2018] FWC 4762 (1 November 2018), Commissioner Hunt held in favour of the Employer. Among other things, the Commissioner determined that the direction to give the fingerprint scan was both lawful and reasonable, and refusal to do so constituted a valid reason for dismissal.
The Appeal
On appeal, in the matter of Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (1 May 2019), a full bench of the Commission comprised of Deputy President Sams, Deputy President Gostencnik and Commissioner Mckinnon, overturned the first instance decision, held that the dismissal was unfair, and remitted the matter for consideration on remedy.
The key to the decision was the Full Bench’s consideration of Principle 3 of the Australian Privacy Principles (APP), which deals with the collection of solicited personal information. It prohibits the collection of sensitive information about an individual, unless that person consents to the collection of the information, and the information is reasonably necessary for one or more of the entity’s functions or activities. In relation to the facts of this case, the Full Bench held that
“the direction to Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction. Moreover we consider that any “consent” that he might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent.”
Following this finding it was not necessary to consider whether the direction was ‘reasonable’.
Consequences of this Decision
On a personal level, Mr Lee’s courage in challenging the employer’s direction is to be admired, and I do not begrudge him a remedy for being dismissed unfairly. However, this decision does have some significant consequences for employers who have (or who currently are seeking) to introduce fingerprint scanning, which has in recent years become a very affordable and efficient method of recording attendance, and is rapidly becoming the norm for many industries.
Employers in this category should consider the following:
- Become familiar with the Australian Privacy Principles in relation to the collection of this data, and potentially seek legal advice regarding this, prior to implementing or designing any policy relating to the biometric scanning.
- Ensure that a current and effective Privacy Policy is in place, and that the biometric scanning is addressed in the policy.
- When choosing a provider, consideration should be given to which third party providers may ultimately have access to the information, and do the necessary due diligence into those third party providers’ data security arrangements and compliance with the APP. It is also preferable for that supplier to not hold data overseas.
- Notice to all employees must be provided in relation to the intended collection of data. This notice must include anything reasonably required in the circumstances. The prescribed list of notice items include:
- The identity and contact details of the Employer;
- The purposes for which the Employer collects the personal information;
- The main consequences for the individual if all or some of the personal information is not collected by the Employer;
- Any other entity or type of entity to which the Employer usually discloses personal information of the kind collected;
- That the Employer’s privacy policy has information about how to access one’s personal information and seek its correction;
- That the Employer’s privacy policy has information about how to make complaints about breaches of the Australian Privacy Principles and how complaints will be dealt with by the Employer;
- Whether the Employer is likely to disclose the personal information to overseas recipients; and
- If overseas disclosure is likely, the countries where recipients of personal information are located (if practicable to identify).
- Ensure that the employees’ consent is given prior to the collection of fingerprint data, and that consent is genuine. Consent will not be considered genuine if it is coerced in any way by the Employer, especially if that coercion is the threat of disciplinary action and/ or termination.
- Consider the implementation of an alternative scheme for those employees not consenting to the fingerprint scanning, and ensure that the onus is heavily on the employee to provide evidence of their attendance in the appropriate form. For example:
- The employee must provide their start and finish times in hard-copy form countersigned by an appropriate manager of supervisor; and
- the employee must additionally be responsible for converting those start and finish times accurately into the appropriate electronic format for processing (for example .csv file); and
- Establishing a policy whereby employees cannot have their payroll processed until such time as the appropriate evidence and data format is provided. While it would be unlawful to coerce the employee into consenting, there is no reason why the administrative inconvenience the employee failing to consent should need to be borne by the employer.
This decision does not mean that biometric scanning is not still the most efficient way forward for many industries. However, it is a timely reminder that employee privacy is a complex duty, which employers should never disregard.