Fingerprint case highlights importance of biometric policies and consent

Out-Law Analysis | 11 Jun 2019 | 10:14 am | 3 min. read

An unfair dismissal case has highlighted the need for companies to update policies and procedures and to obtain full consent before using biometric data in the workplace.

The technology to use fingerprints, iris scanners and implanted chips is becoming cheaper and more readily available, meaning that more and more companies are seeking to use the technology. But an employment dispute has revealed some of the pitfalls of adopting technology before changing workplace policies and practices.

The Fair Work Commission in Australia found that Superior Wood employee Jeremy Lee's dismissal for refusing to use a fingerprint scanner was unfair because the company did not have a privacy policy in place; it didn't obtain consent before collecting sensitive information, and it failed to issue a privacy collection notice.

The Full Bench of the Commission also said that the company did not properly seek or receive Lee's consent. It said: "a necessary counterpart to a right to consent to a thing is a right to refuse it". Any consent provided in circumstances where a refusal to do so could result in disciplinary action, such as dismissal, was not "genuine consent".

Williams Katie

Katie Williams

Partner

This case highlights the importance of having a robust and compliant privacy policy in place

Biometric data collection has many advantages for employers but its use raises concerns about employee privacy and can expose employers to significant legal and compliance risks. With heightened attention and focus being placed on data privacy and security in the digital age, it is imperative that businesses are clear on their obligations with respect to the collection, storage and use of employees’ sensitive information.

Some companies have taken an approach to the extreme, such as an employer in Wisconsin hosting a voluntary “microchip party”, as well as a Swedish firm offering to microchip its employees for free, which more than 150 agreed to do. However, with the ever increasing prevalence of cyber security breaches, decisions regarding employee biometric data should not be made lightly.

This case highlights the importance of having a robust and compliant privacy policy in place. This policy should specify what information will be collected, how it will be handled and stored, and the circumstances in which it may be disclosed to third parties.

When biometric data is collected, appropriate internal safeguards need to be implemented to ensure that sensitive information is protected, and steps should also be taken to ensure that any third parties requiring access to the information also have adequate protections in place.

The Commission was highly critical of the fact that at least six different entities were required to collect, store or access the data obtained by Superior Wood's scanners, and yet there was nothing to suggest that any of these entities had mechanisms in place to protect and manage this information.

Given the emphasis placed by the Commission on the importance of genuine consent, employers must also to consider how they seek to obtain their employees' consent to collect sensitive information. Employees cannot be forced to consent.

The Commission's decision provides some clarity on the extent to which employers can insist on using the biometric data of their employees, in an area that is becoming increasingly prevalent, and complex, as new technology is introduced into the workplace.

In 2017 Superior Wood introduced biometric scanners to register their employees’ site attendances. The scanners do not store actual fingerprints, but capture features of the tissue lying below the skin as well as on the finger.

Employee Jeremy Lee refused to use the biometric fingerprint scanners. When Superior Wood later implemented a policy requiring all employees to use the biometric scanners Lee continued to refuse despite repeated warnings that non-compliance would result in his termination. Lee was eventually dismissed on that basis.

Lee brought an unfair dismissal application, which failed at first instance. On appeal, however, the Full Bench held that Lee’s refusal to use the biometric fingerprint scanner to sign on and off for work was not a valid reason for his dismissal.

Lee’s obligation to comply with Superior Wood's policy turned on whether the direction to submit to fingerprint scanning was a "reasonable and lawful" direction, in circumstances where Lee did not consent to the collection of his biometric data, which was "sensitive information" under the Privacy Act.

Was it "lawful"?

The Full Bench said that the direction was in breach of the Privacy Act, and was therefore not a "lawful" direction, because Superior Wood did not have a privacy policy in place; did not obtain consent before collecting sensitive information, and failed to issue a privacy collection notice.

It also said that there were problems with consent, and that consent provided in circumstances where a refusal to do so could result in disciplinary action, such as dismissal was not "genuine consent".

Was it reasonable?

Although it was not necessary, the Full Bench noted that it would have concluded that the direction was not reasonable, had it been required to make such a finding.

Interestingly, the Full Bench also found that Lee was not under any contractual obligation to comply with the policy. The way in which Lee’s employment contract was drafted meant that he was only bound by policies in place at the time the contract was signed. The policy was introduced much later.

What about the Privacy Act's employee records exemption?

The Full Bench also found that the "employee records exemption" contained in the Privacy Act only applied to an actual record held by the employer, and did not extend to records not yet in existence or to the creation or solicitation of future records.

Katie Williams is an employment law expert at Pinsent Masons, the law firm behind Out-Law.com.