Jeremy Lee v Superior Wood Pty Ltd[2019] FWCFB 2946; Full Bench of the Fair Work Commission considering breach of the Privacy Act, biometric data, unfair dismissal

July 1, 2019 |

The Full Bench of the Fair Work Commission recently handed down a very important decision in Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 regarding the application of the Privacy Act. The Full Bench undertook a careful analysis of the Act and applied the Australian Privacy Principles (the APPs) to the facts in the context of an unfair dismissal claim, in this case appeal from a Commissioner at first instance.

The Facts

Superior Wood operates two sawmills at Melawondi and Imbil [2] in Queensland. It had approximately 150 employees, 80 of whom, including Lee,working at the Imbil site. Lee was employed as a casual general hand and worked for  3 ¼ years. Superior Wood is part of the ‘Finlayson’ group of companies (the Finlayson Group), which also includes Finlayson Timber and Hardware Pty Ltd (FTH) [2].

On 25 October 2017, Superior Wood convened a floor meeting to announce the introduction of fingerprint scanners and advised the staff that they would have to register their fingerprints over the following week and register their attendance using the scanners at the start and finish of each shift [5].  On 1 November 2017, Superior Wood directed Lee to attend a meeting to register his fingerprints. He attended but did not provide his fingerprints. He continued to sign in and out using the site’s sign in and sign out book [6].

On 2 November 2017  Lee and Superior Wood met [7]. Superior Wood gave reasons for the introduction of the scanners while Lee expressed concern about the control of his biometric data and the inability of Superior Wood to guarantee that no third party would have access to or use of that data once it was stored. He was told the scanner implementation was proceeding, and that “he had a decision to make” [7]. On 7 November 2017, Lee wrote to Superior Wood setting out his concerns about the use of the scanners and collection of his biometric data. On 22 November 2017, Superior Wood responded in writing and provided a document from the scanner’s supplier, Mitrefinch, explaining the nature of the data collected and stating that it could not be used “for any other purpose other than linking your payroll number to a clock in/out time”.[8]  There were further meetings throughout December 2017 regarding Lee’s ongoing refusal to use the scanners to sign in and out of work [8].

On 21 December 2017, the Policy was introduced and on 2 January 2018, the scanners were formally implemented [9].

On 9 January 2018, Lee received a verbal warning for refusing to use the scanner with written warnings following on 11 and 17 January 2018,  advising that a continued failure to follow the Policy would result in termination of employment [10]. On 18 January 2018, Lee wrote to Superior Wood seeking to resolve the dispute in a way that would allow him to keep his job, but retain ownership over his biometric data [11]

The parties again discussed the issue on 24 and 30 January 2018 [11] but on 6 February 2018 Superior issued a show cause letter and Lee’s employment was terminated on 12 February 2018 [13] .

Lee applied to the Fair Work Commission alleging unfair dismissal.

The Decision

In the Decision, the Commissioner found the Site Attendance Policy was not unjust or unreasonable, [13], because:

  1. It improved safety in the event of an emergency by avoiding the need to locate the paper sign in and out book to ascertain attendance on site;
  2. the scanners improved the integrity and efficiency of payroll;  and
  3. Superior Wood had the right to manage its affairs by requiring employees to comply with the Policy, such that refusal to comply after adequate caution would not render any dismissal invalid.

The Commissioner noted that in relation to the Privacy Act compliance,  at [14]:

  1. Biometric data collected by the scanners was ‘sensitive information’ under the Privacy Act, which applied to Superior Wood and required it not to collect information about a person unless:
  2. the person consented to the collection of that information; and
  3. it was reasonably necessary to collect the information for one or more of its functions or activities (Australian Privacy Principle 3.3).
  4. It was reasonably necessary to introduce the scanners after a suitable period of time of duplication between the old and new payroll systems to consolidate its payroll and do away with manual payroll handling.
  5. having Mr Lee as the only employee in a group of either 150 or 400 employees, use an alternative method to sign on would be inefficient, inequitable, and a burden.
  6. employees other than Lee had given their implied consent to the collection of their data by registering their fingerprint for use by the scanners.
  7. Lee did not give express or implied consent to the collection of his sensitive information by the scanners.

The Commissioner found that:

  • there may have been a breach of the Privacy Act in the manner in which Superior Wood sought to obtain employee consent but those were matters for the Australian Information Commissioner and the Privacy Commissioner.
  • Australian Privacy Principle 3.5 required sensitive information to be collected by lawful and fair means. There had been no collection of Mr Lee’s biometric data as he did not consent.
  • Superior Wood did not unlawfully press his hand into a scanner to provide a template.
  • Superior Wood did not inform its employees that:
    • the scanners collected their sensitive information; did not provide a collection notice to employees;
    • did not discuss its obligations in handling their sensitive information with employees, merely informing them that the scanners were being introduced and that they would be required to use them.
  • the failure to provide a privacy collection notice to employees, prior to obtaining their personal and sensitive information, did not render the Policy unlawful.
  • Superior Wood failed to inform Lee of the responsibilities it and its associated entities would be required to meet under the Privacy Act.
  • it was concerning that Superior Wood did not provide a collection notice to employees about the collection and use of their data and it was disturbing that there was no appropriate privacy policy, as the Privacy Act had been in force since 2001 however even if Superior Wood had provided Lee with a privacy collection notice, he would not have provided his consent under any circumstances.
  • Mitrefinch, who supplied the scanners to Superior Wood, did not have a relevant privacy policy until May 2018, and its knowledge about its own obligations to collect and use personal and sensitive information in accordance with Australian privacy laws was “poor and rather disturbing”.
  • AUS IT Services Pty Ltd, an IT company charged with ‘looking after data’ collected by Superior Wood, knew its obligations under the Privacy Act and had given assurances that it would meet those obligations.
  • The employee records exemption in section 7B(3) of the Privacy Act applied to employee records once they have been obtained or held but did not ameliorate the obligation on Superior Wood to issue a privacy collection notice to Lee and other employees.
  • Superior Wood was not exempt from complying with Australian Privacy Principle 3.3 by reason of the employee records exemption in section 7B(3) of the Privacy Act.
  • Superior Wood was not entitled to collect Mr Lee’s sensitive information without his consent.

The Commissioner set out the following matters, at [15], as being relevant in determining whether there was a valid reason for dismissal being:

  • Lee made a concerted effort to identify alternatives to compliance with the Policy and there was no evidence that Superior Wood had taken any steps to evaluate the costs of those alternative data collection methods.
  • other methods of employee identification and attendance verification were available, although some did not provide the same degree of certainty of identity verification or the additional safety benefits derived from access to attendance information on supervisors’ phones.
  • It was within Superior Wood’s rights as an employer to install the scanners and create a policy governing and mandating the use of scanners at the workplace.
  • while Superior Wood made significant efforts to provide additional information about the scanners to Lee and allay his concerns it may not have grasped the precise nature of his concerns about his biometric information rather than his fingerprint. Super Wood gave Lee repeated opportunities to explain his objection and made several attempts to indicate to him that his continued employment required adherence to the Policy.
  • Lee’s concern about his fingerprint being reconstructed from scanned data is ‘incorrect’.
  • Lee was entitled to withhold his consent however in doing so meant he had failed to meet a reasonable request to implement a fair and reasonable workplace policy.
  • in all the circumstances, and having regard to potential breaches of the Privacy Act, there was a valid reason for dismissal.

The Commissioner also found, at [16], that:

  1. Mr Lee’s position in relation to the use of his biometric data by the scanners was at odds with his position in relation to the use of other biometric data and his DNA (in connection with drug and alcohol testing); and
  2. Mr Lee’s objection to the use of his biometric data by Superior Wood, FTH and a third party supplier was unreasonable when taking into consideration the purposes of the Policy, improvements to payroll and health and safety and the alternatives that would have been required to be put in place for him.

Lee appealed the decision of Commissioner Hunt on 1 November 2018 [1].

DECISION

The Full bench summarised Lee’s key issue, at [4], as:

  • Lee’s claim of ownership of the biometric data contained within his fingerprint.
  • biometric data is sensitive personal information under the Privacy Act 1988 (Privacy Act) and that Superior Wood was not entitled to require that information from him;
  • Lee’s refusal to give the information to Superior Wood was not a valid reason for his dismissal.

The Full bench identified nine appeal grounds :

Ground 1 – The finding that failure to comply with the Policy was a valid reason for dismissal, given potential breaches of the Privacy Act and despite the finding that Mr Lee was entitled to refuse to provide his biometric data.

Ground 2 – The finding that Mr Lee’s dismissal for protecting ownership of his sensitive information was not harsh, unjust and unreasonable in circumstances where he was threatened with dismissal for refusing to allow the collection of his biometric data.

Ground 3- A mistake of fact by finding that the new scanners improved safety.

Ground 4 – A mistake of fact by finding that Mr Lee did not consent to the collection of his biometric data, when he was never asked for his consent.

Ground 5 – The finding that the introduction of biometric scanners was reasonably necessary.

Ground 6 – The finding that employees gave implied consent by registering their fingerprints, instead of finding that biometric data was collected from employees other than Mr Lee by unlawful and unfair means.

Ground 7 – The failure to find that implied consent is not sufficient for the purposes of collecting sensitive information.

Ground 8 – The finding that there was no breach of the Privacy Act with respect to the collection of information from Mr Lee, because his data was never collected.

Ground 9 – The finding that consent is implied by providing a scan, but that a breach of the Privacy Act only arises if a scan is taken, with the result that Superior Wood could never breach Mr Lee’s privacy if no scan was taken.

The key grounds were grounds 1, 2 and 8.

Grounds 1 and 8 – whether having regard to the Privacy Act, failure to comply with the Policy was a valid reason for dismissal

It was not in dispute, at [23], that:

  • Lee was aware of the Policy and its contents.
  • Lee refused to comply with the Policy
  • Lee’s refusal was the reason for his dismissal.
  • the Policy formed part of Lee’s contract of employment,
  • Lee was obliged to comply with the terms of the Policy

Lee’s obligation to comply with the Policy depends on whether the direction to do so, using the scanners to sign in and out of work each day, was a reasonable and lawful direction [25].

According to the Policy, all employees had to use the scanners to record their attendance on site, both when arriving and leaving the site and signing attendance sheets alone was no longer acceptable [27]. To comply with the Policy, employees had to first register their fingerprint for use with the scanners and then use their fingerprint to scan in and out of work each day [28].

The Full Bench noted that the terms of the Privacy Act require consent to the collection of employee biometric information by Superior Wood to be used for the purpose of automated biometric verification or biometric identification [28].

The Full Bench referred to the Full Federal Court decision of AIT18 v Australian Information Commissioner [2018] FCAFC 19 , (in which I was one of the appellant’s counsel) which:

  • observed that the Privacy Act reflects the Parliament’s concern to recognise and protect individual privacy within the framework of a complex statutory regime and that it is to be construed so as to give effect to Australia’s international obligations, so far as the statutory language permits [31].
  • stated that  Privacy Act contains statutory provisions:
    • “which protect the privacy of individuals from unlawful or arbitrary interference”; but also
    • specify “circumstances (or “exceptions”) which reflect the Parliament’s concern to strike an appropriate balance between competing community interests.”
  • stated that the exceptions are to be interpreted carefully, with an eye to preserving the balance struck.
  • noted that the Privacy Act does not make paramount the protection of individual privacy but protects individual privacy from arbitrary or unlawful interference [31]

The Tribunal undertook a brief summary of the section 13, dealing with interferences with privacy, section 13G dealing with civil penalty provisions in cases of serious or repeated interferences with privacy, the exceptions under section 16A (which did not apply) and section 7B(3)  covering the exemption in relation to employee records [32] – [38].

The Tribunal reviewed the Australian Privacy Principles (the APPs) in particular:

  • Principle 1 provides for open and transparent management of personal information requiring that entities have a clearly expressed and up to date policy about their management of personal information [39].
  • Principle 3, dealing with the collection of solicited personal information that is solicited by an APP entity which:
    • prohibits the collection of sensitive information about an individual, unless that person consents to the collection of the information, and the information is reasonably necessary for one or more of the entity’s functions or activities
    • ‘Sensitive information’ includes biometric information that is to be used for the purpose of automated biometric verification or biometric identification.  The Full Bench noted that it was not in dispute that the collection of fingerprint data by the scanners meets the description of sensitive information.
    • collection of personal information may only occur by lawful and fair means [40] .
  • Principle 5, dealing with notification of the collection of personal information which provides that:
    • at, before or (if that is not practicable) as soon as practicable after the time that an APP entity collects personal information, it must take reasonable steps to notify the individual of certain specified matters, or to otherwise ensure the individual is aware of those matters.
    • which must be notified to an individual depends on what is reasonable in the circumstances. The specified list of matters includes:
      1. The identity and contact details of the APP entity;
      2. If personal information is collected from someone other than the individual, or the person may not be aware that the organisation has collected the personal information, the fact that the APP entity does, or has, collected the information and the circumstances of that collection;
      3. The purposes for which the APP entity collects the personal information;
      4. The main consequences for the individual if all or some of the personal information is not collected by the APP entity;
      5. Any other entity or type of entity to which the APP entity usually discloses personal information of the kind collected;
      6. That the APP entity’s privacy policy has information about how to access one’s personal information and seek its correction;
      7. That the APP entity’s privacy policy has information about how to make complaints about breaches of the Australian Privacy Principles and how complaints will be dealt with by the APP entity;
      8. Whether the APP entity is likely to disclose the personal information to overseas recipients; and
      9. If overseas disclosure is likely, the countries where recipients of personal information are located (if practicable to identify) [41].
  • Principle 8, dealing with the cross-border disclosure of personal information requiring reasonable steps to be taken to ensure that the overseas recipient does not breach the Australian Privacy Principles [43].
  • Principle 11 dealing with the security of personal information, requiring an organisation to take such steps as are reasonable in the circumstances to protect the information, and to destroy that information once it is no longer needed in the relevant sense [44].
  • Principles 12 and 13 dealing with access to, and correction of personal information [45].

The Full Bench found that:

  • Lee was directed to consent to the collection of his biometric information by Superior Wood, for use for the purpose of automated biometric verification or biometric identification. He did not consent as required, and his fingerprint was not collected [46].
  • Principle 3:
    • applies both to the solicitation and collection of sensitive information.
    • operates at a time before collection, because an APP entity ‘must not’ collect sensitive information ‘unless’ the individual consents to that collection.
    • is breached where any collection occurs without first having obtained consent to that collection [47]
  • Lee was directed to submit to the collection of his fingerprint data in circumstances where he did not consent to that collection which direction was directly inconsistent with Principle 3 [48]
  • the Policy, and the direction, were issued in circumstances where at all relevant times, Superior Wood did not have a privacy policy as required by Principle 1 [49]
  • Superior Wood also had not issued a privacy collection notice to Lee (or any other employee) in accordance with Principle 5 [50].  The Full Bench found it would have been reasonable to notify Lee of some of the additional matters set out in Principle 5 including:
    • information about the range of other entities that were likely to have access to his sensitive information
    • information about Superior Wood’s privacy policy (which it was required to have) and
    • information in relation to privacy complaints and how to access his personal information [51].
  • there is no basis for concluding that it was not practicable for Superior Wood to provide this information to Lee, either before or at the time it sought to register his fingerprint for use with the scanners [52] as there  was no shortage of time available to Superior Wood to collate and provide information to Lee [52].
  • Superior Wood’s submission that the employee records exemption applied in relation to the fingerprint scanner because all records generated by an employer, including those that have not yet been created was wrong. The Full Bench found that submission was inconsistent with the plain words of the statute, which are in the present tense and refer to a record “held by” the organisation. An entity “holds” personal information if they have possession or control of a record that contains the personal information [53].  The Full Bench also found that section 7B or the surrounding provisions of the Privacy Act support a wider construction [54]. Section 7B(3) covers an act or practice in relation to an actual record held by the organisation that relates to a particular individual and does not encompass employee records that are yet to be held by an organisation. The act or practice of generating employee records is not an act or practice directly related to the relationship between an employer and a particular employee. It is an act or practice in relation to employees generally [55].
  • the employee records exemption applies to records obtained and held by an organisation however a record is not held if it has not yet been created or is not yet in the possession or control of the organisation [56]
  • the Australian Privacy Principles applied to Superior Wood in connection with the solicitation and collection of sensitive information from employees, up to the point of collection [57]
  • the direction to Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction [58].
  • any “consent” that Lee might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It was not genuine consent.
  • while not necessary to consider whether the direction was reasonable the Full Bench regarded the direction was unreasonable because a necessary counterpart to a right to consent to a thing is a right to refuse it.  A direction to a person to give consent does not vest in that person a meaningful right [58]

The other grounds of appeal dealt with employment law related matters.

The Full Bench found that there was no valid reason for the dismissal and in the reasons stated that:

  • there was no evidence that Superior Wood employed dedicated human resources specialists or experts at, or prior to the time of dismissal,
  •  there was no evidence that it did not have the means to access specialist advice had it wished to do so.
  • Superior Wood  should have been, but was not, aware of and compliant with its obligations under the Privacy Act well before the introduction of the scanners. Its failure in this regard contributed substantially to a dismissal without valid reason [96]
  •  Superior Wood’s failure to be aware of its obligations under the Privacy Act weighed in favour of a finding that Mr Lee’s dismissal was unfair.
  • they accepted Lee’s submission that once biometric information is digitised it may be very difficult to contain its use by third parties including for commercial purposes. In this case, various organisations required access to data obtained by the biometric scanners.  In this particular situation:
    • Mitrefinch captured the data derived from the features of tissue lying beneath the skin and on the skin surface. Those features were converted into a template unique to the individual, using an embedded algorithm owned by another entity, ‘Lumidigm’.
    • the template was stored on one or more of the site readers installed at FTH and Superior Wood sites.
    • the template was also stored on servers owned by FTH, which were accessible remotely by at least FTH, Mitrefinch and AUS IT Services, who operated the servers.
    • the data was used by ‘Ironbark’ to operate the FTH payroll system and by FTH to process the payroll for FTH and Superior Wood.
  • there was no evidence that Superior Wood or any related entities had any  mechanism in place to protect and manage information collected consistent with its obligations under the Privacy Act.  As a result Lee’s concerns  were not devoid of merit. That weighed in his favouir of unfair dismissal.
  • whether the data was captured in pictorial or numerical form, it was data unique to the individual and derived from that individual’s biometric characteristics, above and beneath the skin. It was data that Lee was entitled to seek to protect [101].

The Full Bench found that Superior Wood was procedurally unfair in effecting Lee’s dismissal for a reason that was not valid and in contravention of its obligations under the Privacy Act. As a result  Lee’s dismissal was unjust because he was not guilty of the conduct alleged. As the direction was unlawful he was entitled to refuse to follow it. Mr Lee was unfairly dismissed [102]

ISSUE

The decision highlights that there are consequences of not complying with the Privacy Act which extend beyond the operations of that piece of legislation.  This case also highlights that a complaint about an act which interferes with privacy can result in breach of privacy can often result in more breaches of the Privacy Act upon closer inspection.  That happens often when the UK Information Commissioner investigates a complaint.

What this case also highlights is the poor understanding of what an organisations obligations are under the Privacy Act.  Superior Wood was a relatively large and sophisticated business with a discrete human resources department yet its policies and processes on privacy protection were non existent.

The decision is notable for the clarity of its reasoning and logic. To that extent it is distinctive and a welcome change from the approach taken by the Administrative Appeals Tribunal which has had a retrograde effect on the operations of the Privacy Act.  Two ready examples are the Ben Grubb decision, Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991, relating to the characterisation of metadata and the more decision of TYGJ and Information Commissioner [2017] AATA 1560, regarding the disclosure of personal information between departments.   The reasoning in both decisions is quite poor and inconsistent with the way privacy and data protection law is evolving in other common law countries.  In the case of the Ben Grubb decision the findings are quite inconsistent with what is known about how meta data effectively can identify a person, that is personal information.

The difficulties in appealing those decisions are apparent from the appeal of those decisions to the Federal Court in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 and  AIT18 v Australian Information Commissioner [2018] FCAFC 192.

Leave a Reply