The Case & Decision
An Australian employee (Jeremy Lee) won an action against his employer after he was fired for refusing to provide his fingerprints to sign in and out of work.
In February 2018, the employer (Superior Wood Pty Ltd – a timber manufacturer) introduced fingerprint scanners and required all employees to sign in and out of work using the fingerprint scanners. Mr Lee refused to comply with the new procedure. The employer attempted to discuss Mr Lee’s concerns and warned him that continued failure to follow the policy would result in his dismissal. Mr Lee was not satisfied with the employer’s explanations and continued to ignore the policy. He was subsequently dismissed from his position within the company for failing to comply with the new sign in/sign out procedure.
Mr Lee filed an action with the Fair Work Commission arguing that he was unfairly dismissed from his employment and should be either reinstated to his position or receive compensation. Mr Lee argued that he owed the biometric data contained in his fingerprint and under the Australian Privacy Act, the employer could not require Mr Lee to hand over that information.
At the first hearing, the Commission decided that Mr Lee had been fairly dismissed. The first hearing decided that the fingerprinting policy was fair and reasonable and therefore, employees were obliged to comply.
Mr Lee appealed this decision on the basis that he owned his fingerprint data, that he was entitled to refuse to provide his biometric data to the company and that his dismissal for the company was unjust. Mr Lee also raised concerns that the employer would share his data with third parties.
The full bench of the Fair Work Commission Appeal, decided that Mr Lee had been unfairly dismissed on the following grounds:
- Mr Lee’s employment policy only required him to follow the policies that were effective at the time of his contract. The biometric policy was introduced some four years after his employment contract began – therefore, he was not contractually required to follow the new policy.
- Even if Mr Lee was contractually required to follow the policy, it still needed to be a reasonable and lawful direction. At common law, any direction which requires an employee to contravene the law or is otherwise inconsistent with a legal principle, is not a lawful direction. While some employment records are exempt from the Privacy Act; data which is yet to be created (e.g. fingerprint data) is not. Therefore, the direction was not reasonable or lawful as it required an explicit consent from the employee which the employee was not required to give.
- Mr Lee did not consent to the fingerprint log in/log out policy and there were reasonable alternatives available to the employer for a log in/log out procedure. It was decided that the dismissal was unfair.
What does this mean for employers?
Employers should take some immediate steps to minimise the risk of a privacy complaint:
- Have a compliant privacy policy: Both the Commission and Full Bench were critical of Superior Wood’s lack of a privacy policy or any measures to protect employee personal information.
But having a general privacy policy will not be sufficient, so also…
- Be clear about what, how and when employee personal information may be collected, and obtain employee consent where required: A well-drafted suite of policies will be your best defence to an allegation that you have collected personal information in breach of the APPs.
These policies should clearly outline what information will be collected, how it will be stored, how you will use it and anyone else you might release it to (including your service providers).
For the collection of sensitive personal information, you will need a mechanism to obtain consent from employees. If you need to collect sensitive information pursuant to one of your policies (eg a drug and alcohol testing regime) and your current employment contracts do not clearly state that the employees provide consent by the act of entering into the contract, then consider seeking written consent from all employees now in relation to those policies.
- Review your policies and privacy clauses in your employment contracts: Employment contracts should include a clause requiring employees to comply with all current and future workplace policies (including any amendments to these policies, and without incorporating policy terms into the contract), including that they must provide consent if reasonably required as part of any process as a fundamental obligation of employment. Any later refusal to provide consent where the employee has agreed to such as clause is more likely to be upheld as a failure to follow a reasonable work direction.
Similarly, employment contracts should include a privacy clause which sets out the types of personal information which will be collected, how that information will be used and who it may be disclosed to (employers in NSW and the ACT should already have a clause of this nature to comply with workplace surveillance legislation). It is also important that employees are made aware of any new policies or changes to existing policies.
Contact
To talk about your matter – reach out to us via any means to start a conversation. All of our contact information is listed here on our Contact Page.
The information on this information sheet is general guidance only correct at the time of publication and is not legal advice. You should consult a lawyer for legal advice.
Updated: 01.07.2019