Employers Beware: The Privacy Act and Employee Data

By Micaela Manning

Did you know that the Privacy Act 1988 (Cth) could apply to personal information that you collect from your employees?

At the start of their employment, you collect lots of information from your employees: contact details, their previous employment history, academic record, medical information, superannuation details and bank account details. Once they become your employees, you may continue to collect information from them: maybe they’ve changed their bank account, or there has been a workplace issue causing stress leave, or maybe you’re implementing a new fingerprint scanner in your workplace to make it easier to record when your employees sign in and out of work.

That last situation recently came under the scrutiny of the Fair Work Commission in the case of Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946. The finding of the Commission in this case suggests that employers need to comply with the Privacy Act by obtaining their employees’ consent before collecting personal information from them.

But does the Privacy Act even apply to me?

In general, if your business or not-for-profit organisation has an annual turnover of more than $3 million, you need to comply with the Privacy Act and the Australian Privacy Principles. The Privacy Act and Australian Privacy Principles regulate how organisations collect, hold, use, store and disclose personal information. Personal information includes information that allows someone to determine the identity of an individual.

There are various obligations businesses have under the Privacy Act. For example, under Australian Privacy Principles 1.3 and 1.4, businesses need to have an up-to-date privacy policy about the management of personal information.

In some circumstances, the practice or act of a business is exempt from the Privacy Act. For example, under section 7B(3) an act or practice of an organisation that is an employer of an individual is exempt from the Privacy Act if the act or practice is directly related to a current or former employment relationship and is directly related to an “employee record” held by the employer about the individual. An employee record means a record of personal information relating to the employment of the employee, including, for example, information about the terms and conditions of their employment.

Jeremy Lee v Superior Wood

In the case of Jeremy Lee v Superior Wood, Superior Wood had announced the implementation of fingerprint scanners to register attendance at the start and end of each shift. Mr Lee, an employee of Superior Wood, refused to provide his fingerprints because he was concerned about the control of his biometric data. Superior Wood had several meetings with Mr Lee about his concerns over a period of several months. In January 2018, Superior Wood formally implemented the scanners and issued Mr Lee with written warnings asking him to comply with the company policy and provide his fingerprints. In February 2018, after months of discussions and warnings, Superior Wood terminated Mr Lee’s employment.

As a result, Mr Lee brought an action with the Fair Work Commissioner on the basis of “unfair dismissal”. In the first instance, the Fair Work Commissioner held that Superior Wood’s company policy requiring the provision of fingerprints was not unjust or unreasonable (under the Fair Work Act) because it improved employee safety in emergencies, improved the integrity of the payroll system and was an exercise of Superior Wood’s right to manage its affairs by requiring compliance with its company policy. As a result, the Fair Work Commissioner found that the dismissal was not “unfair” but was valid.

However, Mr Lee appealed that decision to the full bench of the Fair Work Commission arguing that his dismissal was unfair because Superior Wood had not complied with the Privacy Act.

Before the full bench, Superior Wood argued that there was no breach of the Privacy Act because the “employee records” exemption applied in relation to the fingerprint scanner.

However, the Fair Work Commission found from a plain reading of the Privacy Act that the employee records exemption only applied to personal information that an employer had already collected. The exemption did not apply to information about employees before it is collected. Consequently, the Fair Work Commission held that Superior Wood could not lawfully ask Mr Lee to provide his fingerprints if Mr Lee did not consent to giving that data. On top of this, if Mr Lee only “consented” because Superior Wood threatened him with discipline or dismissal, that would not be real consent.

As a result, the Fair Work Commission found that Superior Wood did not have a valid reason for dismissing Mr Lee and the dismissal was held to be “unfair”.

What does this mean for you?

As an employer, you need to comply with the Privacy Act before you collect personal information from your employees. Once you have collected information from your employees, the “employee records” exemption may apply but it does not apply before you have collected the information. For example, if you are implementing a new fingerprint scanner like Superior Wood did, you will probably need to comply with the Privacy Act and obtain your employees’ consent before collecting their biometric data.

If you need advice on your privacy obligations or require a privacy policy to be drafted for you, please contact Peter North or Reshma Farrer from our Business team on (03) 9629 9629.