Alert: Check your company policies before collecting employee data

There are a range of things that businesses can do to better manage the collection, use and disclosure of employee information

Alert: Check your company policies before collecting employee data

Following an earlier article written for HRD magazine on the matter under appeal for an unfair dismissal around fingerprint data collection, the Full Bench of the Fair Work Commission has clarified what businesses need to be doing about the collection of employee data.

Decision under appeal

Late in 2018, Commissioner Hunt handed down a decision that held the collection of an employee’s biometric data, based on operational and safety reasons, was for a company function or activity that was reasonably necessary.

This finding overshadowed any concerns the Commissioner had about the company’s compliance (or lack thereof) of the Privacy Act 1988 (Cth). The Commissioner also held that the employee’s dismissal was for a valid reason in view of the employee’s repeated refusal to consent to the collection of his biometric data (fingerprint).

The appeal

The Full Bench disagreed with the Commissioner, finding the employee’s dismissal was unfair. In doing so, the Full Bench held that the company was bound to comply with the rules for the collection, use and disclosure of personal information in the Privacy Act and could not rely on the exemption that applies to employee records in the Privacy Act.

The Full Bench was sympathetic to the former employee’s concerns about compliance with the Privacy Act and the security of his biometric data.

The company was in breach of the Privacy Act (and also in breach of the Australian Privacy Principles) at the time because:

  1. The company did not have the necessary privacy policy in place
  2. The company required the employee to provide his personal information without his consent
  3. The company failed to provide the employee with the necessary privacy collection notice

In addition to the above, the third party provider did not have a privacy policy at the time.

Lessons companies should act on:

The Full Bench decision provides some clear direction that companies should learn from when collecting employee data:

  • Operational efficiencies and the avoidance of operational inconveniences will not override a company’s obligation to comply with legal requirements like those under the Privacy Act, and any requirement on employees must accordingly be reasonable in all the circumstances
  • Treat the collection of employee personal information in the same manner as it would any other member of the public and in accordance with the Privacy Act
  • Have a clearly expressed and up-to-date policy about the management of all personal information, including employee personal information
  • Ensure all personal information collected is reasonably necessary for one or more of the entity's functions or activities
  • Provide a compliant privacy collection notice when proposing to collect personal information
  • Seek the consent of employees to the collection of sensitive information (includes biometric) that is not already in the company’s possession or control
  • Ensure any third party provider has the necessary policy and security measures to ensure the protection of personal information

How businesses can minimise risk

There are a range of things that businesses can be doing to better manage the collection, use and disclosure of employee personal and sensitive information:

  • Review employment contracts to ensure helpful and appropriate drafting is included around personal information and privacy generally
  • Have a Privacy Policy that is compliant with the Australian Privacy Principles, one that is clearly expressed and up-to-date about the management of all personal information (including employee personal information)
  • Have a process in place for the purpose of managing personal and sensitive information
  • Have the appropriate measures in place to secure personal and sensitive information
  • Consult in a meaningful and engaging manner with employees about changes to policies and procedures (especially policies of a health and safety nature given the requirements under WHS legislation to consult) Make sure all third party providers, who manage any personal information your business collects, are also compliant with the relevant aspects of the Privacy Act and the security of personal and sensitive information.

It is advisable you seek legal guidance to review your policies and processes around data collection and storing sensitive employee personal information.  Companies should take the time to check where personal information is gathered, both customer and employee data, and review transparency, consent and safety.

Joe Murphy

Australian Business Lawyers & Advisors (ABLA)

Recent articles & video

1 in 5 employers using non-compete clauses: ABS

'Go all in on understanding how to make your workplace neuro-inclusive'

Wage growth increased 4.2% in 2023 to outpace inflation

SA extends up to $50,000 to help more South Australians find work

Most Read Articles

Pay hikes in Australia projected to reach 4% in 2024

Good news: Employee intent to stay with employer rises

Government to remove criminal penalties in right to disconnect