Pointing the finger at privacy law: Commission’s new take on when a direction is lawful and reasonable

The Fair Work Commission has upended the accepted understanding of the “employee records” exemption in the Privacy Act 1988 and in the process, potentially severely impacted the ability of employers to manage issues of medical capacity and unlawful discrimination in the workplace.

This case turns on whether the collection of a fingerprint scan of an employee as part of a new attendance recording system is a practice that is exempted from the reach of the Privacy Act 1998 (Cth) (Privacy Act) under the Privacy Act’s “employee records” exemption.

If it is an exempt practice, the Privacy Act would not be a barrier to employees being directed to comply with the new attendance system.

However, if it is not exempt, a fingerprint will be the type of sensitive biometric information which has a high level of protection, and cannot be collected without the permission of the person concerned (unless an exception applies).  That protection prevents an employer from enforcing a management direction to comply with the collection of sensitive information.

Fingerprint-based attendance systems are relatively uncommon and generally unnecessary when alternatives based on RFID-chip or smartphone geo-fencing are available.  However, “sensitive information” goes well beyond mere biometric information, and the principle established in the Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Superior Wood) case will apply equally to other employee sensitive information commonly required by an employer for ordinary and legitimate management purposes, and (until now) thought to be entirely outside the Privacy Act’s regulation of information collection.

Background

Jeremy Lee was employed as a general hand at one of Superior Wood’s sawmills in Queensland for approximately 3 ¼ years, before he was dismissed on 12 February 2019 for failing to comply with Superior Wood’s new Site Attendance Policy. The Site Attendance Policy (Policy) required employees to use newly introduced fingerprint scanners to sign on and off the work site.

Mr Lee refused to provide his fingerprint for the purposes of signing on and off the worksite. His concerns were about the control of his biometric data and the inability of Superior Wood to guarantee no third party would be provided access or use of the data once stored electronically.

After a number of discussions with Superior Wood and the scanner’s supplier, Mitrefinch, Mr Lee was provided with a verbal warning for refusing to use the scanner. Two written warnings were subsequently issued in the following weeks advising Mr Lee that failure to follow the Policy would result in termination of employment.

Following further discussions, a show cause letter was issued on 6 February 2018 and Mr Lee’s employment was officially terminated on 12 February 2018, for his failure to follow the management directions contained in the Policy.

Mr Lee challenged the termination in an unfair dismissal claim in the Fair Work Commission, which had to consider whether the failure to follow the direction to comply with the Policy was a valid reason for termination.  The Commission in its initial decision determined that Superior Wood was not exempt from complying with Australian Privacy Principle (APP) 3.3 under the employee records exemption in section 7B(3) of the Privacy Act, but that the direction was nonetheless reasonable and his failure to comply with it formed a valid reasons for termination.

Full Bench Decision

Mr Lee appealed to a Full Bench of the Commission.  In that decision, the Commission Full Bench:

• confirmed that Mr Lee had not (under his contract) given general consent to comply with new management directions in a later-introduced policy (after his employment had commenced);
• confirmed the view that the employee records exemption applies only to records after they have been created, and could not exempt a practice in collection of information from the Privacy Act’s reach;
• confirmed that as the employee records exemption had no application, the biometric data in a fingerprint was sensitive information for which an employee’s consent to collection must be obtained;
• said that consent could not be coerced by a management direction to comply with a collection practice under threat of disciplinary action; and
• considered that no exemption from the requirement to obtain consent applied.

Implications for Workforce Management

It has been a long-held view of Courts and employment tribunals that there are genuine operational reasons which can justify an employer requiring employees to provide personal information, even quite sensitive information.  In a situation of that kind, an employee can be directed to provide the information and be subject to disciplinary action if they do not comply.

Situations of that kind will include:

• where an ongoing illness or injury potentially affects the employee’s capacity to safely work or to carry out the inherent requirements of his or her employment; and
• where an incident of workplace harassment includes allegations of unlawful discriminatory conduct involving opinions about an employee’s sexual orientation, political affiliations or religious beliefs, and the employer is conducting a workplace investigation.

There is no general exemption (in APP 3.4) reflecting these operational employment reasons from the requirement that collection of sensitive information of this kind must be consented to by the employee – the exceptions that do allow collection of sensitive information without consent are more limited.

The Superior Wood case is even more significant when it is recognised that there are also cases which demonstrate that without adequate medical evidence of incapacity to carry out the inherent requirements of his or her employment, an employer will not have positively established it had grounds to terminate for capacity reasons (CSL Limited v. Papaioannou [2018] FWCFB 1005), and that employers are required to take action to protect employees from risks, including psychological risks of bullying and harassment.

It may well be that the Superior Wood case represents a barrier to doing these ordinary workforce management functions successfully, because as they deal with sensitive information an assertion might be made that the information cannot be collected without express consent.

The Superior Wood case represents a serious challenge to an employer’s ability to meet these conflicting imperatives – on the one hand to respect an employee’s decision not to consent to provide sensitive information, and on the other to obtain sensitive information about its workforce that is necessary to comply with operational and legal considerations.

In managing that impact, employers will need to now:

• check that employment contracts include agreement to a general obligation to comply with policies, including policies introduced or varied after the employment starts;
• establish a privacy policy the emphasises operational and legal considerations as a basis for collection of information, and provides appropriate disclosure of purposes of collection;
• look to obtain employee consent specifically when introducing a new collection method; and
• stay tuned for other decisions which may wind back the impact of Superior Wood.

Key Take Aways

• The Privacy Act 1988 regulates the use, collection and disclosure of personal information, including prohibiting the collection of sensitive information without the consent of the person affected.
• The Privacy Act does not extend to “employee records”.  So, where it is otherwise justified as a lawful and reasonable management direction, an employer can require an employee to co-operate in its collection of, for example, health information (about capacity to work) and other sensitive information (such as information that might be central to a workplace investigation of some kinds of harassment or unlawful discrimination).
• In a significant change, in Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Superior Wood) a Fair Work Commission Full Bench has determined that personal information does not become an “employee record” until and unless it has been documented, and that an employer cannot therefore discipline an employee who refuses to comply with a direction to provide sensitive information.
• While there are potentially other exemptions that might allow a different basis on which an employer can collect necessary information to manage its workforce, none are by themselves as broad as the “employee records” exemption.
• The “employee records” exemption on any view has always had limitations and does not provide a basis for a principal to collect personal information of contractors and labour-hire workers (although it might require their direct employer to do so).
• However, the Superior Wood case may now significantly impact on the scope of what is a “lawful and reasonable management direction” to an employee, well beyond the limited factual circumstances in the Superior Wood case itself.