Unfairly fingered: Is your employer allowed to collect your biometric data?

Increasingly, healthcare employers are using biometric and electronic databases and surveillance cameras to monitor their employees, who need to be vigilant about protecting their rights and personal information. This case dealt with an unfair dismissal claim in a non-healthcare workplace, but it has direct relevance to the health sector and issues of privacy.

The case concerns a company that introduced fingerprint scanning of employees as part of a new attendance policy. One employee (Mr L) was a casual ‘general hand’ of more than three years standing. In a November 2017 meeting, he refused a request to provide his fingerprints. Mr L was not satisfied the company could guarantee no third-party access to the fingerprint database, a concern he provided in writing. The company responded with documentation from the scanner supplier that said the data could not be used for any “purpose other than linking your payroll number to a clock in/out time”.

Mr L, however, continued to use the ‘sign in’ book. He was given a verbal and then a written warning that if he did not comply with the scanning policy, his employment would be terminated.

Further discussions did not bring about a resolution, and in February 2018 he was dismissed. Mr L brought an application in the Fair Work Commission (FWC) for unfair dismissal.

The employer submitted that its policy to use fingerprint scanning was lawful, reasonable and practical. Its justification was that fingerprint scanning improved safety in the event of an emergency, and that the policy formed part of Mr L’s contract of employment and he was therefore obliged to comply. Further, the collected biometric data was secure and confidential, and there was no breach of privacy due to an exemption in the Privacy Act 1988 (Cth) with respect to his records.

Mr L’s submissions were that his fingerprints and associated biometric data constituted “sensitive information” according to the Privacy Act, and, in any event, were his private property. He asserted that once his personal biometric data was digitised, it would be difficult to contain its use by third parties, including for commercial purposes, and he was never informed exactly who was likely to have access and under what circumstances. Lastly, he submitted that the Privacy Act exemption did not apply to his records because the company failed to issue a ‘privacy collection notice’ as required by the Privacy Act.

The FWC at first instance determined that the dismissal of Mr L was valid. It said the site attendance policy was “reasonably necessary” to improve safety and payroll efficiency. The commission said that despite the company not having a privacy policy, this was outweighed by the reasonable necessity of implementing a site attendance policy. The commission concluded that the dismissal was not, in all the circumstances, harsh, unjust or unreasonable.

Mr L successfully appealed the decision to the full bench of the FWC on several grounds. Overturning the initial decision, the full bench found that the company’s reasons for dismissing Mr L were not valid and contravened Australian privacy laws – by not complying with its privacy obligations pursuant to the Act.

As a result, Mr L was within his rights to refuse to provide his fingerprint data and was not in breach of his employment contract because at the time of entering into the contract such (electronic and biometric) policies were not part of it.

Mr L’s concerns about data confidentiality were also found to be valid. The full bench found that prior to introducing the scanners, the employer should have provided employees with detailed information that it was seeking to collect personally sensitive information. It should have had a privacy policy and a mechanism to manage and protect such data after its collection.

In determining Mr L’s successful appeal, the FWC undertook a detailed review of the relevant Australian Privacy Principles (APP).

APP 1 requires a company/business to have an up-to-date and clearly expressed policy about its management of personal information and how, in an open and transparent means, it manages storage of such personal information.

The company did not have the required privacy policy or controls in place for the collection, use and storage of the information or data in question. In addition, the company tended no evidence that it was able to protect and manage information and data. Tellingly, FWC found that management had made little effort to make themselves aware of privacy laws and their obligations.

APP 3 prohibits the collection of an individual’s sensitive information without consent, unless the information is “reasonably necessary” for the company’s activities or functioning. Any collection of personal information can only occur by lawful and fair means. The FWC found the company’s direction to Mr L for provision of his fingerprints was not “reasonably necessary”, and therefore not lawful.

APP 5 provides that before or as soon as practicable after collection of personal information, reasonable steps must be taken to notify individuals of an entity’s privacy policy. Such notice must include details about who is undertaking the collection; the purposes of the private information being collected; any consequences if the information is not collected; how the information may be accessed and corrected; how to make complaints concerning breaches of the APPs; how complaints will be dealt with; whether it is likely the information would be disclosed to overseas recipients, and if so, in which countries those recipients are located. The company failed on these points.

The FWC stated that Mr L was within his rights to refuse consent to having his fingerprints scanned and registered and therefore there was no valid reason to dismiss him.
As more electronic devices are introduced into health workplaces, nurses need ever more vigilance. Such vigilance is often nothing more than reminding an employer of their legally mandated obligations.

Scott Trueman is a lecturer in the School of Nursing, Midwifery and Nutrition at James Cook University.

 

 

 

 

 

Do you have an idea for a story?
Email [email protected]