Technology in the workplace

Government agencies will increasingly be challenged by the introduction and management of technology designed to offer employers an efficient and accurate means to secure their workplaces, and monitor and record their employees' time and attendance.

In the past, these technologies have included surveillance cameras, IT monitoring, GPS tracking and mobile phone tracking. These technologies have largely been accepted into the workplace and, in some jurisdictions, are governed by express legislation like the Workplace Surveillance Act 2005 (NSW).

The boundaries are now being tested with new technologies, in particular biometric technology which captures facial, fingerprint and iris scans. How should a government agency deal with these technologies?

One significant concern is the potential misuse of biometric information gathered through such technology. While a password can be easily changed, a fingerprint or iris scan cannot, so a stolen record of one could lead to identity theft and other significant security breaches.

In addition to the security needed around the storage and use of such biometric information, the more fundamental question relates to privacy.

Jeremy Lee v Superior Wood Pty Ltd

In Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Lee), the Full Bench of the Fair Work Commission examined the boundaries of an employer's ability to compel its employees to provide their biometric data in order to comply with sign-in policies that rely on this information.

The finding at first instance in Lee was that a sawmill employee was fairly dismissed because his failure to comply with an Attendance Policy, requiring fingerprint scanning to sign on and off from work, was a valid reason for the dismissal. The Full Bench upheld an appeal by the worker against this finding and reversed it.

The Full Bench found the policy did not form part of the applicant's employment contract, having come into existence well after he was employed. Therefore, his obligation to comply with it, and thus the validity of his dismissal, "[depended] on whether the direction to do so, using the scanners to sign in and out of work each day, was a reasonable and lawful direction".

This was found not to be the case as the requirement contravened the Privacy Act by:

  • requiring the collection of the applicant's sensitive information without his consent, contravening Australian Privacy Principle (APP) 3
  • failing to properly inform the applicant by not issuing a privacy collection notice, as required by APP 5.

Further, none of the exemptions in the Privacy Act, namely ss 16A and 7B(3), applied to the employer in this case. In particular, s 7B(3), which creates an exemption for the use of information held as employee records, was confined to presently held information and did not apply to the prospective holding of information. Of course, this exemption does not apply to most government employers.

The subsequent finding that "the direction to Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction" meant that his failure to comply with it was not a valid reason for his dismissal.

Implications for government agencies

The result in Lee indicates that attempts by employers to implement compulsory tracking or sign-on systems which require the collection of biometric data are likely to come up against a combination of privacy and unfair dismissal laws. That is, a failure to gain the meaningful consent of employees subject to any such system will bring not only the collection of their data, but also the direction to employees to provide the data, into conflict with the Privacy Act (or the equivalent State or Territory privacy legislation that applies to State or Territory government employers). Failure to comply with such a policy will therefore, in many circumstances, not provide a valid reason for dismissal, and this may limit the capacity of employers to compel compliance.

If you are an employer who wishes to impose a requirement for employees and other persons performing work in your workplace to provide biometric data as part of a system to track employees' time and attendance, you need to do the following:

  • develop a clearly expressed and up-to-date privacy policy that complies with the applicable privacy legislation regarding the collection, use and storage of personal information
  • give employees written notice of intention to collect data
  • use reasonable and lawful means to solicit employee consent to collection.

You will then be better placed to discipline employees who unreasonably withhold their consent.
