A look at biometric attendance records – are they lawful? And what are the concerns employers should consider before introducing them?

By Emma Watt

A 2019 decision of a Full Bench of the Fair Work Commission found that an employer’s direction to an employee to consent to fingerprint scanning for attendance and time recording was not lawful, and therefore could not form the basis of a valid reason to dismiss the employee.

The employer’s direction to the employee infringed the employee’s rights under the Privacy Act 1988 (Cth), as the employee records exemption relied upon by the employer only applies to records actually held by the employer, not the process of seeking personal information from an employee.

The background

The employer introduced fingerprint scanners in order to more efficiently log start and finish times, and to better track employees in attendance during an emergency.

The employee in question was a casual general hand with just over three years of service. Before his dismissal, the employee wrote to the employer explaining his concerns with the system. The employer held multiple meetings with the employee to explain the reason for the change in method of recording hours of work. The employer also obtained information from the scanner supplier about how the data would be used.

The employee refused to register his fingerprint on the system and continued to use the paper system to sign in and out of the workplace. He did this despite multiple warnings, and a clear ultimatum that failure to comply with the Site Attendance Policy would result in his dismissal.

He continued to refuse to use the system, citing privacy concerns around the collection of ‘sensitive information’ (his fingerprint), and wrote to the employer seeking a method of resolving the dispute that allowed him to keep his job, but also retain ownership of his own biometric data.

Interestingly, the employer notified all employees that the data gathered could not be used to generate a fingerprint, and the employees’ fingerprints would not be retained on the system. However, registration of each employee’s fingerprint was necessary initially.

Ultimately, he was dismissed about five weeks after the scanning system went ‘live’ at the site. He claimed he had been unfairly dismissed, but in the initial decision, the Fair Work Commission (FWC) disagreed.

The employee appealed to a Full Bench of the FWC, and the Full Bench overturned the initial decision. The Full Bench found that there was no valid reason for the employee’s dismissal, as the direction to comply with the Site Attendance Policy was not lawful.

Privacy concerns

Employee records are exempt from the Australian Privacy Principles (the Principles), even within organisations that are otherwise required to comply with the Principles. But the FWC asserted that the exemption does not apply to records not yet in existence, i.e. the Principles don’t apply if an employee has already handed over their fingerprint, but they do apply if the employee refuses to register their fingerprint.

Therefore, the FWC found that the employer’s collection and solicitation of its employees’ personal information (their fingerprint) was covered by the Principles. It is prohibited to collect sensitive information (including biometric data) without the individual’s consent. There are also restrictions on the use of the sensitive information after it has been collected.

Direction to provide fingerprint unlawful

The direction to register a fingerprint failed to allow for the consent required under the Privacy Act 1988, and the employer failed to comply with the Principles for the collection of sensitive information. Together these made the direction to comply unlawful and meant that the employee’s dismissal for failure to comply with a ‘lawful and reasonable direction’ could not be sustained.

Requiring employees to comply with policies

The employee’s contract was drafted in a way that meant he was not required to comply with policies developed after his employment commenced. This is likely to have been an unintended consequence of the contract as drafted.

All contracts need to include a requirement that the employee will comply with all current and future workplace policies, including any amendments to policies. But the contract must be clear that the policy terms are not incorporated into the contract, or the employer could find they are sued for breach of contract if they fail to abide by their own policies.

As part of the contractual agreement, the employee should be required to provide consent in any situation where they are reasonably required to do so. If the employee subsequently fails to provide consent, it is possible that this failure could be grounds for dismissal.

Privacy in the employment relationship

Companies with an annual turnover of $3 million or more must comply with the Privacy Act 1988 (Cth). This case, although decided under a different piece of legislation (the Fair Work Act 2009 (Cth)), provides some guidance on the employee records exemption. In fact, the Office of the Australian Information Commissioner had previously advised that the scope of the employee records exemption was broad enough to include asking for information to form the basis of these records.

The employer had believed they were able to lawfully do so, based on advice received at the time of implementation of the scanner system, and also believed that the new system would improve both safety and payroll efficiency.

It would be prudent for employers to check they have ensured compliance with the Privacy Act 1988 (Cth), including providing a collection statement in situations where sensitive information is being solicited from employees.

Consent in the employment relationship

Another issue brought to light by this decision is whether the failure to provide consent could be used to stymie legitimate processes by the employer.

Ordinarily an employer may direct an employee to an independent medical assessment if the direction is reasonable, but if an employee fails to provide consent to the doctor to release the information, is this now no longer grounds for dismissal? The Full Bench commented that consent is not ‘freely given’ if the result of failing to provide consent might be dismissal – this would be seen as a form of coercion.

What remedy did the employee get?

The Full Bench asked another Commissioner to determine the appropriate remedy. It appears that the employee was represented by his brother during this process, although he had been legally represented up to that point. The employee’s brother was apparently entirely unfamiliar with the process. Reading between the lines of the decision that was issued in June 2019, the employee and his brother managed to significantly irritate the Commissioner and prolong proceedings!

Ultimately, the employee was not reinstated, but was awarded $24,117 plus superannuation. This amount represented six months’ pay, the maximum compensation available under the jurisdiction. Unusually, during submissions to the FWC on the subject of compensation, the employer consented to the sum of six months’ pay.

Are biometric attendance systems lawful?

There is nothing unlawful about an attendance system that uses biometric data.

There may, however, be privacy questions regarding the collection and use of that data. Employers wishing to implement biometric attendance systems need to be very careful about their introduction.

Emma Watt is an independent industrial relations consultant who has, for more than 20 years, provided advice and assistance to employers in the timber industry. She has also worked as an unfair dismissal conciliator with the Fair Work Commission. Emma is very keen to ensure that employers know their rights and obligations, so they can sleep well at night!