A semi-recent case in Australia has highlighted the delicate balance between employers’ responsibility to keep records for seven years and their obligation to ensure that certain information is not stored as part of such records.

Let’s begin with the Fair Work Commission’s decision in Jeremy Lee v Superior Wood [2019]. This case questioned what data employers are permitted to store after the employer requested the employee’s fingerprints, to which the employee said no.

In 2018, Jeremy Lee was employed by Superior Wood, a company that operates sawmills in Queensland. Superior Wood decided to implement a fingerprint scanning system to replace the sign-in book and amended its ‘Site Attendance Policy’ accordingly. Lee refused to register his fingerprint in the system and continued to use the manual sign-in book. After directions, discussions, and warnings, Lee’s employment was terminated.

Lee made an unfair dismissal claim in the Fair Work Commission. The Commission held that the dismissal was not unfair. However, on appeal to the Full Bench, this decision was overturned. The Full Bench held that the way Superior Wood implemented the scanning system was unlawful because it was in breach of the Privacy Act 1988 (Cth). Therefore, since the implementation of the new finger scanning policy was unlawful, Superior Wood’s direction to Lee to adhere to the policy was also unlawful. This is because, at law, any direction which requires an employee to contravene a law or is otherwise inconsistent with a legal principle is not a ‘lawful’ direction.

Pursuant to the Privacy Act, a person is prohibited from collecting sensitive information (which includes biometric data) without the individual’s consent. The Privacy Act also prohibits the collection of information where it is not reasonably necessary to the entity’s functions or activities.

Since there were other options open to Superior Wood to log Lee’s start and finish times, such as use of the sign-in book, Lee’s termination for refusing to follow the unlawful direction concerning fingerprint scanning was unfair.

Employers should ensure the following:

  • Before implementing a new workplace practice that collects and stores sensitive data from employees, employers first need to obtain explicit consent from those employees.
  • Employment contracts must clearly state that employees consent to the employer collecting and storing sensitive data, including biometric data, in accordance with the privacy policy, and other policies and procedures that may already be in place.
  • Employers should ensure that employment contracts refer to policies as amended from time to time, not just the policies that are in place at the date of the contract. This is important because another aspect of Lee’s case was that his employment contract was drafted in a way that excluded the enforcement of any policies introduced after Lee’s engagement.

What about data regarding an employee’s COVID-19 vaccination status?

On 30 November 2021, Virgin Australia entered into Federal Court consent orders to delete all proof of certain COVID-19 vaccination documents.

Virgin Australia was required to delete all proof of COVID-19 digital certificates and Immunisation History Statements. Why? Because the Australian Privacy Principles (APPs) in the Privacy Act applied. Under the APPs, an employee’s COVID-19 vaccination status is personal information because it constitutes health information about an identified individual, which is considered sensitive information.

Virgin Australia would have only been allowed to collect an employee’s vaccination status if the employee had consented and the collection had been reasonably necessary for Virgin’s functions or activities.

What the law says about employee records

An employee record, defined under Australia’s Privacy Act, relates to:

  • The engagement, training, disciplining, resignation, or termination of employment of an employee
  • The terms and conditions of employment of an employee
  • The employee’s personal and emergency contact details, performance or conduct, hours of employment or salary or wages
  • The employee’s membership of a professional or trade association or trade union membership
  • The employee’s recreation, long service, sick, maternity, paternity, or other leave
  • The employee’s taxation, banking, or superannuation affairs.

However, not all information held by an employer is allowed to be part of the employee’s record.

  • For example, emails that an employee receives from their financial institution via their work email account, and that do not relate to the employee’s employment, wouldn’t be permissible as part of an employee’s record
  • Monitoring and storing data about an employee’s computer usage would likely have to be assented to in the employment contract
  • Employers are required by law to be open with employees about what information they are collecting and what they will be using the information for

At the end of the day, employers cannot simply collect employee information for no genuine reason. The collection of information must always be in accordance with the Privacy Act.
