Lee v Superior Wood Pty Ltd (2019) FWCFB 95

  • The employer in question had announced the introduction of finger scanning.
  • There were approximately 80 employees at the worksite in question and Mr Lee was the only employee not to register his fingerprints. He continued to sign in and out using the physical sign in and sign out book.
  • A meeting had been held with the employer where Mr Lee expressed concern about the control of his biometric data and the inability of the employer to guarantee no third party access or use of that data once shared electronically.
  • Mr Lee was given a verbal warning and two written warnings for failure to register his fingerprints and was subsequently terminated as a result.

First Instance Decision

At first instance, the Commission held that:

  • The finger scanning policy was reasonable because:
      • it improved safety in the event of an emergency; and
      • it improved the integration and efficiency of payroll;
  • In relation to the Privacy Act, the biometric data collected was sensitive information within the meaning of the Privacy Act and therefore the employer was required not to collect it unless:
      • the person consented to the collection of that information; and
      • it was reasonably necessary to collect the information.

The Commissioner at first instance held that Mr Lee had not provided his consent and the employer had not provided a valid collection notice within the meaning of the Privacy Act.

That collection notice should have included details regarding things such as:

  • any other entities to whom the employer would disclose personal information;
  • that the employer's privacy policy has information about how to access one's personal information;
  • that the employer's privacy policy has information about how to make complaints about breaches of the Australian Privacy Principles; and
  • whether the employer is likely to disclose the information to overseas recipients.

Further, the employee records exemption contained in the Privacy Act did not apply. That only applied to employee records once such records came into existence. Even though the employer had breached the Privacy Act and Mr Lee had been entitled to withhold his consent for the purposes of the Privacy Act, Mr Lee had failed to meet a reasonable request to implement a fair and reasonable workplace policy. Therefore, the dismissal was valid.

Appeal Decision

On appeal, the Full Bench held that the termination was not valid for the following reasons:

  • Mr Lee had not breached any binding employer policy. His employment contract said that he was required to comply with those policies that "exist" that are displayed at various locations within the workplace. A strict reading therefore suggests that only those policies which existed at the time of entry into his employment contract some years earlier were binding upon him.
  • The employer had committed various breaches of the Privacy Act, for instance by not issuing a valid privacy collection notice to Mr Lee and, further, by not even having a privacy policy in existence.

The employer's direction to Mr Lee to submit to the collection of fingerprint data in circumstances where he did not consent to that collection was not a lawful direction. As it was unlawful, it was not a reasonable direction.

The Full Bench went further and stated that if Mr Lee had consented to the collection of fingerprint data under threat of termination, that would not have been a valid consent for the purposes of the Privacy Act.

Therefore, the termination was not valid.

The matter was remitted to a single Commissioner for a determination regarding the remedy.

Implication for Employers

Even if a binding workplace policy requiring him to submit to fingerprint scanning had applied to the employee, it appears that the Full Bench would still have found in favour of the employee. This is because the Full Bench gave primacy to the protections afforded to the employee by the Privacy Act, namely the right to be provided with a valid collection notice and the right to refuse consent to the obtaining of his sensitive health data.

This case has very serious implications for those employers who are seeking to implement measures within the workplace where an employee's biometric or biological data is sought to be obtained, for instance through fingerprint scanning, facial recognition software and retina identification software, amongst others. The precedent established by this case would also conceivably apply in the case of drug & alcohol testing of employees or the undertaking of independent medical assessments to determine an employee's capacity to work or perform the inherent requirements of the position.

Based upon the reasoning in this case, it would appear that employers seeking to obtain sensitive health, biological or biometric data of employees:

  • will need to issue the employee a valid collection notice for the purposes of the Privacy Act;
  • will not be able to rely on any workplace policies or provisions in employment contracts to force or require employees to provide these forms of sensitive data;
  • cannot discipline or terminate an employee on account of the employee refusing to provide consent.

Further, a refusal by the employee to provide consent to the obtaining of their sensitive data would seem to be the exercise of a workplace right by the employee. Any subsequent action taken by the employer which exposed the employee to a detriment could potentially give rise to a general protections claim by the employee.
