Can’t touch this: employee’s privacy concerns vindicated by FWC

A Full Bench of the Fair Work Commission has issued a decision which highlights the need for employers to make sure that their privacy policy and any change implementation are up to scratch.

Sawmill operator, Superior Wood, sought to introduce a fingerprint-based time recording system in conjunction with a new Site Attendance Policy.

One of their casual employees, Mr Lee, raised concerns regarding the use and storage of his fingerprints. He was not satisfied with Superior Wood’s response to his concerns and did not comply with the new policy, even when threatened with dismissal. His employment was terminated by Superior Wood for his failure to comply with a lawful and reasonable direction.

Mr Lee made an unfair dismissal application, which was initially unsuccessful as the Commissioner considered the termination to be reasonable in the circumstances. On appeal, the decision was quashed and Mr Lee’s termination held to be an unfair dismissal.

The Full Bench’s decision was heavily influenced by the employer’s non-compliance with the Privacy Act 1998 (Cth) (Act) and the relevant Australian Privacy Principles (APPs) contained within it.

The Full Bench found that Superior Wood:

  1. did not have an appropriate privacy policy in place;
  2. failed to inform its employees that the fingerprint scanners would be collecting sensitive information within the meaning of the Act.
  3. failed to provide its employees (including Mr Lee) with an appropriate privacy collection notice; and
  4. failed to advise and discuss with staff its obligations in relation to handling the sensitive information.

Superior Wood attempted to rely upon the employee records exemption under the Act to overcome its failure of process. However, the Full Bench rejected this approach and found that the direction given to Mr Lee was not lawful and reasonable because of the failure to comply with the Act and the APPs. They also emphasised that any “consent” obtained was vitiated by the threat of dismissal.

Key takeaways

  1. Employers must have a privacy policy in place where the APPs apply.
  2. A collection notice should be given to staff when seeking their consent to the collection of sensitive data.
  3. Employers should not be over-zealous in relying on a failure to follow lawful and reasonable directions as the basis for a termination of employment if the failure is due to an employee asserting legal rights and protections.
  4. In addition to the Act, there is other privacy legislation that may be relevant, and particular care should be taken in relation to the collection, use and storage of sensitive information.

If you need any help navigating privacy legislation and data retention in relation to your employees, please contact the Employment, Safety and Migration team at Macpherson Kelley.

This article was written by Adam Foster, Senior Associate – Employment, Safety and Migration.