Earlier this month, the ABC reported that a recruitment subcontractor for the Queensland Gas Corporation was conducting mandatory blood testing of job applicants in order to determine their risk of serious and life threatening conditions including high cholesterol and risk of heart attack. Candidates were told their job application was conditional on submitting to the blood test and were further required to sign a waiver authorising the recruiter, SNC Lavalin, to send their health information, medical records and blood samples overseas to countries without the same standard of privacy protection as in Australia.

In the broader context of employers seeking to manage risk by obtaining access to a wider range of employee data and increasing workplace surveillance to monitor attendance and productivity, this incident is a timely reminder of the need for employers to exercise caution when seeking to collect biometric or health information from their employees (or prospective employees).

Biometric information

The Office of the Australian Information Officer (OAIC) provides limited guidance on biometric scanning which occurs when an organisation or agency takes an electronic copy of your biometric information. This includes your face, fingerprints, iris, palm, signature and voice. The UK Information Commissioner's Office (UK ICO) provides several further example of biometric information in its recent guidance on Special Category Data, including keystroke analysis, handwritten signature analysis, gait analysis and gaze analysis (eye tracking).

The case law developments in 2019 make it clear that there is a high bar for employers seeking to establish a genuine need to collect biometric information on the basis it is "reasonably necessary for, or directly related to, one or more of the entity's functions or activities".

Employers and biometric information – case law developments in 2019

Earlier this year, the Fair Work Commission considered the matter of Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946, in which an employer sought to compel employees to use a fingerprint verification system to sign-in for a casual shift, a process necessarily entailing the collection of biometric information. In this case, the Full Bench of the Fair Work Commission determined that employers must not collect biometric information unless it is reasonably necessary for the entity's function or activities and the individual consents to the collection.

Read more about this case here, and our privacy take on it here.


The Australian standard for consent to the collection of personal information, including biometric and health information has four elements – consent must be voluntary, informed, current and specific.

The issue of consent being voluntary arises in cases where it is a condition of employment or a condition of providing services. While this has not been considered specifically by the OAIC, the UK ICO recommends that particular care be taken if asking for consent to collect sensitive information as a condition of providing your services or if you are in a position of power over the individual – for example if you are a public authority or the individual's employer.

The UK ICO considers that consent cannot be validly given where the provision of the service is conditional on the individual consenting to the collection of sensitive information, for example, where a gym introduces a facial recognition system and compels members to consent to the use of facial recognition as a condition of their membership. In contrast, if members are provided with an option to access the facilities either via the facial recognition system or via a membership card, those who choose to use the facial recognition system will have freely given consent.

What does this mean for Australian employers?

Employers who are interested in utilising biometric technology to improve the accuracy and efficiency of their payroll processes or ensure the security of their premises should consider offering their employees the opportunity to opt in rather than seeking to compel the employees to submit to the collection of their biometric data.

However, employers ultimately need to balance the utility of using biometric technology for business efficiency and security purposes against the need to protect the individual privacy rights of their employees.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.