Fingerprint, eye scanners, face and voice authentication; technology that was once confined to science fiction is increasingly common, including in the workplace. However, the Fair Work Commission has put up a cautionary hand, finding that an employer's use of mandatory fingerprint technology breached the Privacy Act.
The employer, Superior Wood, rolled out biometric fingerprint scanning to track employee attendance. Its reasons were genuine. The new system was way more efficient than the old paper based sign-in/out process.
The roll out was going great until one of Superior Wood's 150 employees refused to hand over his fingerprint out of concern for the company's use and protection of his biometric info. After a long but unsuccessful process of trying to convince the employee he had nothing to worry about, Superior Wood dismissed him for failing to follow a lawful and reasonable direction.
The case focused on whether mandatory participation in fingerprint scanning was reasonable.
On appeal, the FWC's Full Bench determined that it was not, because the mandatory system fell foul of the Privacy Act. Superior Wood:
- did not have the employee's consent to collect his biometric data, which is "sensitive information" under the Privacy Act; and
- did not notify employees of required matters under the Privacy Act.
Superior Wood sought to rely on the exception under the Privacy Act for "employee records". However, by drawing what we consider to be an artificial line, the Full Bench said the exception only applied once Superior Wood actually collected the employee information. In other words, collection of the biometric data was governed by the Privacy Act, but its use once collected was not (because the employee records exception then applied to it).
We certainly don't advocate for a world in which employers can literally collect employees' blood, sweat, and tears without following some form of due process. However, unless appealed (likely), the Full Bench's decision is problematic. Employers have long been in the habit of collecting employees' personal and sensitive information on the basis that the Privacy Act doesn't apply at all.
For example, employers direct employees to undertake criminal background checks, attend fitness for work assessments, or undertake drug and alcohol testing. This can lead to the collection of personal and sensitive information. This decision draws into question the lawfulness and reasonableness of such directions, particularly if the employee refuses.