Data collection, consent, and dismissal – A complex frontier for industrial relations

After refusing to use new biometric fingerprint scanners to record his attendances at the sawmill where he worked, Mr Lee was dismissed from his employment.

Mr Lee said he was entitled to withhold consent for the collection of his biometric data—which he was. Mr Lee said his employer was breaching privacy laws—which it apparently was. The employer said it was nevertheless entitled to terminate Mr Lee’s employment—which, according to the Fair Work Commission (Commission), it was.

This case of Lee v Superior Wood Pty Ltd [2018] FWC 4762, handed down this month, highlights a number of the complex considerations which exist at the interface between human resources management and technology. Lessons from the case extend not only to biometric scanners, but also to any other form of technology which gathers personal or sensitive data.

Mr Lee’s case

The central reason why Mr Lee’s unfair dismissal claim failed was that Mr Lee’s employer had an appropriate policy in place. In short, the key rulings from the case were as follows:

• Mr Lee was entitled, as a citizen, to withhold his consent to the collection of his fingerprint data.
• Equally, the employer was entitled to make the use of the fingerprint scanners a compulsory component of its Site Attendance Policy. The Commission was satisfied of the rationale underlying the fingerprint scanners (i.e. streamlining payroll systems, as well as certain safety benefits), and Mr Lee’s arguments did not convince the Commission that the policy was ‘unjust or unreasonable’.
• Accordingly, by withholding consent and not using the fingerprint scanners, Mr Lee failed to meet his employer’s reasonable request to implement a fair and reasonable workplace policy.
• Appropriate procedural fairness was observed, as the employer had several meetings with Mr Lee and provided several warnings before dismissal.

Broader application

The above reasoning can be applied to a range of circumstances. For example, an employee may refuse to provide consent under the Surveillance Devices Act 2016 (SA) to a vehicle GPS tracking device being used to determine their location. However, it may be a requirement of the employee’s role that they use the vehicle (and the employer should have a proper reason for using the GPS device—a well drafted policy will greatly assist in demonstrating a proper reason). In these circumstances, following proper procedural fairness, the employer may be able to dismiss the employee.

However, it is extremely important that any dismissal involving a refusal of consent to collection of data is expressed properly. The dismissal must not be because the employee withheld consent (which, as citizens, they are entitled to do). Rather, the dismissal should be because of failure to comply with a reasonable direction, or failure to comply with a policy, or failure to meet the inherent requirements of the job (as the case may be in any given situation).

Not all smooth sailing for the employer

Returning now to the case of Mr Lee—while the unfair dismissal application failed, the Commission nevertheless made critical observations regarding the employer’s conduct.

In particular, it was clear (though not the Commission’s place to impose any penalty) that the employer had not discharged certain fundamental obligations under the Privacy Act 1988 (Cth). In particular, the employer did not have a Privacy Policy as required under Australian Privacy Principles, and did not issue the proper ‘collection notice’ to it employees in advance of collecting their biometric information.

These breaches ultimately did not interfere with the lawfulness of the dismissal of Mr Lee. However, that conclusion was only reached because of the specific circumstances of Mr Lee’s case. It is possible that in other cases, a failure to have issued a collection notice for personal information or sensitive information could indeed undermine the lawfulness of a dismissal.

Leaving aside issues of dismissal, it should also be noted that breaches of privacy legislation can attract considerable penalties. Having a well drafted Privacy Policy is important to mitigate these risks.Norman Waterhouse has significant expertise advising upon matter of privacy, data collection, workplace surveillance, and industrial relations more generally.