Fingerprint scanner decision overturned, and the broader implications

Regular readers will be aware of the recent Lee v Superior Wood Pty Ltd case where, at first instance, a Commissioner of the Fair Work Commission (FWC) upheld the validity of the dismissal of an employee who refused to provide his fingerprint data to his employer (see our articles here, and here).

Now, this month, the Full Bench of the FWC has reversed that decision, finding that the dismissal was unfair. The appeal decision has some specific lessons for entities covered by the Privacy Act 1988 (Cth), as well as more general lessons for all employers.

For entities covered by the Privacy Act 1988 (Cth), it is critical that a privacy policy in place and ‘collection notices’ are issued in accordance with the Australian Privacy Principles (APPs). Fingerprint data in particular is not only ‘personal information’ under the APPs but is also classified as ‘sensitive information’ (meaning additional requirements apply). The employer in this case breached all applicable aspects of the APPs (and even the supplier of the fingerprint scanners was unaware of its obligations under the APPs), which did not at all help their cause in this litigation.

Of more general interest to all employers (not just those covered by the Privacy Act 1988 (Cth)) is the discussion in the appeal case of whether employees can be ‘required’ to provided statutory consents, or else be dismissed. This is relevant not only to fingerprint data collection, but also matters such as GPS surveillance and data surveillance under the Surveillance Devices Act 2016 (SA).

The employer had a policy which directed employees to use the fingerprint scanners. Generally employment contracts will require an employee to comply with policies, but remarkably in this case the FWC considered that the wording of the employee’s contract meant that the employee was only required to comply with those policies which existed at the date of the employment contract. The policy regarding fingerprint scanners was introduced after the employee’s contract was executed, and so the FWC determined that it was not a term of the employee’s contract to comply with the policy. The FWC then found that the direction by the employer for the employee to provide consent (or else face disciplinary consequences) was an unlawful and unreasonable direction.

There are many curious elements about this case, and it may well continue on appeal. However, regardless of where the matter ends up, employers can protect themselves by:

• Identifying whether the Privacy Act 1988 (Cth) applies to them and, if so, observing all requirements of the APPs;
• Identifying whether any biometric or surveillance activities require consent from employees;
• Having a clear policy framework regarding any activities which require consent; and
• Updating all new employment contracts so that employees provide relevant consents in the employment contract itself (and also ensuring that the contract is framed so that employees agree to observe all future policies, not just those in existence at the time of the contract).