There are a range of things that businesses can do to better manage the collection, use and disclosure of employee information
Following an earlier article written for HRD magazine on the matter under appeal for an unfair dismissal around fingerprint data collection, the Full Bench of the Fair Work Commission has clarified what businesses need to be doing about the collection of employee data.
Decision under appeal
Late in 2018, Commissioner Hunt handed down a decision that held the collection of an employee’s biometric data, based on operational and safety reasons, was for a company function or activity that was reasonably necessary.
This finding overshadowed any concerns the Commissioner had about the company’s compliance (or lack thereof) of the Privacy Act 1988 (Cth). The Commissioner also held that the employee’s dismissal was for a valid reason in view of the employee’s repeated refusal to consent to the collection of his biometric data (fingerprint).
The Full Bench disagreed with the Commissioner, finding the employee’s dismissal was unfair. In doing so, the Full Bench held that the company was bound to comply with the rules for the collection, use and disclosure of personal information in the Privacy Act and could not rely on the exemption that applies to employee records in the Privacy Act.
The Full Bench was sympathetic to the former employee’s concerns about compliance with the Privacy Act and the security of his biometric data.
The company was in breach of the Privacy Act (and also in breach of the Australian Privacy Principles) at the time because:
- The company required the employee to provide his personal information without his consent
- The company failed to provide the employee with the necessary privacy collection notice
Lessons companies should act on:
The Full Bench decision provides some clear direction that companies should learn from when collecting employee data:
- Operational efficiencies and the avoidance of operational inconveniences will not override a company’s obligation to comply with legal requirements like those under the Privacy Act, and any requirement on employees must accordingly be reasonable in all the circumstances
- Treat the collection of employee personal information in the same manner as it would any other member of the public and in accordance with the Privacy Act
- Have a clearly expressed and up-to-date policy about the management of all personal information, including employee personal information
- Ensure all personal information collected is reasonably necessary for one or more of the entity's functions or activities
- Provide a compliant privacy collection notice when proposing to collect personal information
- Seek the consent of employees to the collection of sensitive information (includes biometric) that is not already in the company’s possession or control
- Ensure any third party provider has the necessary policy and security measures to ensure the protection of personal information
How businesses can minimise risk
There are a range of things that businesses can be doing to better manage the collection, use and disclosure of employee personal and sensitive information:
- Review employment contracts to ensure helpful and appropriate drafting is included around personal information and privacy generally
- Have a process in place for the purpose of managing personal and sensitive information
- Have the appropriate measures in place to secure personal and sensitive information
- Consult in a meaningful and engaging manner with employees about changes to policies and procedures (especially policies of a health and safety nature given the requirements under WHS legislation to consult) Make sure all third party providers, who manage any personal information your business collects, are also compliant with the relevant aspects of the Privacy Act and the security of personal and sensitive information.
It is advisable you seek legal guidance to review your policies and processes around data collection and storing sensitive employee personal information. Companies should take the time to check where personal information is gathered, both customer and employee data, and review transparency, consent and safety.