Biometric data collection has many advantages for employers but its use raises concerns about employee privacy and can expose employers to significant legal and compliance risks. With heightened attention and focus being placed on data privacy and security in the digital age, it is imperative that businesses are clear on their obligations with respect to the collection, storage and use of employees’ sensitive information.
Some companies have taken an approach to the extreme, such as an employer in Wisconsin hosting a voluntary “microchip party”, as well as a Swedish firm offering to microchip its employees for free, which more than 150 agreed to do. However, with the ever increasing prevalence of cyber security breaches, decisions regarding employee biometric data should not be made lightly.
When biometric data is collected, appropriate internal safeguards need to be implemented to ensure that sensitive information is protected, and steps should also be taken to ensure that any third parties requiring access to the information also have adequate protections in place.
The Commission was highly critical of the fact that at least six different entities were required to collect, store or access the data obtained by Superior Wood's scanners, and yet there was nothing to suggest that any of these entities had mechanisms in place to protect and manage this information.
Given the emphasis placed by the Commission on the importance of genuine consent, employers must also to consider how they seek to obtain their employees' consent to collect sensitive information. Employees cannot be forced to consent.
The Commission's decision provides some clarity on the extent to which employers can insist on using the biometric data of their employees, in an area that is becoming increasingly prevalent, and complex, as new technology is introduced into the workplace.
In 2017 Superior Wood introduced biometric scanners to register their employees’ site attendances. The scanners do not store actual fingerprints, but capture features of the tissue lying below the skin as well as on the finger.
Employee Jeremy Lee refused to use the biometric fingerprint scanners. When Superior Wood later implemented a policy requiring all employees to use the biometric scanners Lee continued to refuse despite repeated warnings that non-compliance would result in his termination. Lee was eventually dismissed on that basis.
Lee brought an unfair dismissal application, which failed at first instance. On appeal, however, the Full Bench held that Lee’s refusal to use the biometric fingerprint scanner to sign on and off for work was not a valid reason for his dismissal.
Lee’s obligation to comply with Superior Wood's policy turned on whether the direction to submit to fingerprint scanning was a "reasonable and lawful" direction, in circumstances where Lee did not consent to the collection of his biometric data, which was "sensitive information" under the Privacy Act.
Was it "lawful"?
It also said that there were problems with consent, and that consent provided in circumstances where a refusal to do so could result in disciplinary action, such as dismissal was not "genuine consent".
Was it reasonable?
Although it was not necessary, the Full Bench noted that it would have concluded that the direction was not reasonable, had it been required to make such a finding.
Interestingly, the Full Bench also found that Lee was not under any contractual obligation to comply with the policy. The way in which Lee’s employment contract was drafted meant that he was only bound by policies in place at the time the contract was signed. The policy was introduced much later.
What about the Privacy Act's employee records exemption?
The Full Bench also found that the "employee records exemption" contained in the Privacy Act only applied to an actual record held by the employer, and did not extend to records not yet in existence or to the creation or solicitation of future records.
Katie Williams is an employment law expert at Pinsent Masons, the law firm behind Out-Law.com.