Employee gives his employer the finger, but not in the way they wanted him to. This FWC decision could change the way employers approach biometric data collection.
Asking an employee to share their tax file number is a reasonable request to receive from an employer, but asking them to share their unique fingerprint might be a step too far.
In a recent appeal case, the Fair Work Commission (FWC) sided with an employee who claimed unfair dismissal after being terminated by Queensland sawmill company Superior Wood for refusing to participate in biometric data collection. The process was touted as a way of improving the company’s payroll system. He was one of hundreds of staff who refused to use the new system.
In the initial decision in November last year, the FWC heard the unfair dismissal case and backed the employer, with commissioner Jennifer Hunt deeming it to be a lawful workplace attendance policy. She said it was “reasonably necessary” for the business to introduce the new system.
Passing through too many hands
Protecting personal data from third party hackers is an increasing concern for employees. A report from OH&S Alert said that in this particular case up to six separate entities had access to the data. They included Superior Wood, the companies that captured the data and converted them into templates unique to individuals, the entity that operated the relevant server, and the system that processed Superior Wood’s payroll.
“There is no evidence that any of these entities had, at the relevant time, any actual mechanism in place to protect and manage information collected by Superior Wood, consistent with its obligations [under the Commonwealth Privacy Act]. The concerns expressed by [the employee] were not, in our view, devoid of merit, ” the FWC report reads.
It turns out, legally, the employee had every right to be concerned.
Michael Byrnes, partner at legal firm Swaab, told HRM it’s an employee’s prerogative to refuse to withhold that information.
“If an employee is being deliberately recalcitrant or subversive, then that’s a problem. On the other hand, if an employer is asking an employee to hand over sensitive information by way of a fingerprint, the employer needs to make a reasonable effort to convince that employee that the information is going to be treated in a way where confidentiality is preserved,” Byrnes says.
Superior Wood was unable to offer that assurance. The company admitted that it didn’t have a privacy policy in place and didn’t provide employees with a privacy collection notice. It was therefore breaching its obligations under the Privacy Act, which was a big reason why the FWC overruled the original decision.
“It’s not enough for an employer to say, ‘this is a system we’re implementing and from this date, you will be expected to provide biometric data.’ That analysis is overly simplistic. It’s not good enough. An employer needs to be able to make the case for the need for that information to be collected,” says Byrnes.
Convenience versus necessity
Byrnes says the use of biometric data collection may be valid in a situation where health and safety is an issue, but even then he emphasises the necessity of providing adequate privacy policies and data security assurance to employees.
In this case, the reason Superior Wood supplied for implementing this new system was to bolster the “integrity and efficiency” of its payroll system, as well as improve “safety in the event of an emergency by avoiding the need to locate the paper sign in and out book to ascertain attendance on site.”
In the appeal case, deputy presidents Sams and Gostencnik and commissioner McKinnon didn’t consider that to be a particularly compelling argument, but they were satisfied that “the scanners, through their capacity to display attendance records on supervisors’ phones, offered safety benefits, even though the main function was clearly to improve its payroll operation.”
What’s reasonable?
In order to support the employer’s dismissal decision, Superior Wood had to prove that the fingerprinting was “reasonably necessary”, which it was unable to do.
In a Smart Company article, workplace lawyer Athena Koelmeyer says, “This is a very good example of how the word ‘reasonable’ means different things to different people. If you work at ASIO, or at a deeply secret part of the Australian Federal Police, then biometric scanning for restricted access may well be very reasonable.”
Still, it demands the question, surely there’s a less intrusive way to streamline this particular process?
Yes, it’s important for organisations to stay ahead of the curve when it comes to utilising new workplace technologies, but if the organisation’s main concern is overhauling its paper based record keeping process, there are less intrusive methods than biometric data collection. Why not just have employees download an app to log their hours?
How does it differ from other “invasive” policies?
Others have drawn comparisons to other job requirements that are now considered to be appropriate, such as undergoing a medical test or supplying a blood or urine sample.
“It’s completely different in my view,” says Byrnes. “Testing for drugs and alcohol in an employee’s systems goes to the heart of workplace health and safety and that’s of fundamental importance to the welfare of employees. Biometric testing is usually, but not always, for administrative convenience for the employer. That’s the big difference.”
This is not the view workplace lawyer Peter Vitale takes. In the same Smart Company article, he says, “The commission has repeatedly held a direction to undergo a medical in the right circumstances is lawful…that an employer who has valid reasons for introducing fingerprint scanning can’t then direct an employee to provide the basic data seems to me to be inconsistent with broader principles.”
Advice for employers
It’s not as simple as just having a privacy policy in place, although you definitely should. Employers should ensure they understand the specifics of that policy. Byrnes points to a particularly interesting section of the FWC’s report, which outlines the ‘employee record exemption’, which Hall and Wilcox lawyers define as:
[A provision that] exempts private sector employers from having to comply with the Privacy Act when handling an employee’s personal information for a purpose directly related to the employment relationship. However, if a private sector employer handles personal information for a purpose that is not directly related to the employment relationship, the exemption will not apply and the Privacy Act will.
“Some argue that the employee record exemption could apply,” says Byrnes. “But this judgement is casting doubt on that, saying that although an employee record exemption applies to a record, the record is contingent upon information having already been collected. Until that information is collected, the solicitation of that information invokes the privacy principles. That’s something that employers might need to grapple with in any privacy policy they might have.”
He goes on to suggest that employers play devil’s advocate when implementing a policy like this. Think about the ways in which your staff may object, and plan for specific pain points. Think of ways in which you can gain their trust from the beginning by demonstrating that you’ve taken all appropriate measures.
Just because you can, it doesn’t mean you should
Bruce Arnold, assistant professor at the University of Canberra’s School of Law and Justice previously spoke to HRM about biometric identification in the workplace.
He raises an interesting point in saying that “once an employee leaves, the question remains as to whether an employer is obliged to remove all biometric data relating to them from its systems. There is an expectation that employers will safely dispose of personal data, but there isn’t a statutory fixed period for retention, and an ‘obligation’… will depend on the circumstances.”
In a previous article that Byrnes wrote for HRM on microchipping employees he argued that “just because a technological development enables a particular process or innovation to be adopted for employees, this doesn’t mean it automatically can be.” That applies in this case too, he says.
Byrnes acknowledges that streamlining administrative processes is a laudable objective, but privacy trumps convenience. Had the reasoning behind the system been completely dedicated to workplace health and safety, Byrnes says the employer’s position would have been stronger, but not unassailable.
“When there’s a genuine nexus between the collection of biometric data and improved outcomes in health and safety, backed by evidence, that’s when there will be a much stronger prerogative for an employer to ask an employee to provide that data.”
This is a nascent and developing area of the law, says Byrnes, which means it’s vexed. But the one thing that is crystal clear from this case is the need to prioritise employee privacy.
What do you think about this decision? Share your thoughts in the comments below.
The use of biometrics in the workplace is just one of many ethical dilemmas that HR practitioners face. AHRI’s short course ‘Workplace ethics’ will arm you with the information you need.
We have added the ability to use the employees voice or thier palm vein patterns for validation rather than having to keep fingerprint records that could be used for other reasons rather than the employees attendance record. I believe these 2 options are better
I don’t really have an issue with my employer gaining access to my biometric data. They should have all of their security ducks in a row first, though. It seems that Superior Wood went about this a$@ backwards, and didn’t really think of the security implications before trying to roll out their whiz bang new system.
Saying that, they must have a big issue with staff filling out fraudulent timesheets to roll something like this out for the sole purpose of payroll…
My thoughts exactly, Adam.
I worked for an employer where it was common for staff to clock in/out colleagues so they wouldn’t get docked, but as someone responsible for both HR and WHS I see the implications on both: a) staff being fraudulent and paid for hours they’re not working, and b) implications if there’s an emergency evacuation and staff are listed as present but not even on site.
So I’ve no issue with the system in principle, but the security of that system is imperative.
it seems to me that once again, this is an attempt to use “technology” to fix a “hr management” issue. the real problem that they appear to be trying to solve is “attendance on site” – and their current technology of a “paper sign in and out book” seems to be less than adequate, rather than the stated “efficiency of payroll” – although there is (obviously) a correlation between the two. So, we then need to ask the question “is the sign-in/out book” process being compromised – and if so, why? (and by whom?) There are other methods of dealing… Read more »
Employers can overcome many of the problems portrayed here by issuing key cards with barcodes to employees. Along with the warning that allowing another employees access to their card constitutes grounds for instant dismissal. Supervisory stafg can be issued with portable card readers for safety and evacuation procedures. I dont see that any employer should have the right to this sort of sensitive information, especially when there are inadequate safeguards in place.