Call 1300 565 846 or +61 2 9466 4740
Close

Subscribe

Join our mailing list to receive breaking news and webinar invites.

Please tick if you'd like to receive alerts and webinar invites on the following topics:*


Agree to the terms of our Privacy Policy.: By submitting this form you agree to the terms of our Privacy Policy.

Resources

Company policies and employee data collection

Company policies and employee data collection

Published: 29 Aug 2019

Company policies and employee data collection
Written by

Company policies and employee data collection

Published: 29 Aug 2019

Following an earlier article on the matter under appeal for an unfair dismissal around fingerprint data collection, the Full Bench of the Fair Work Commission has clarified what businesses need to be doing about the collection of employee data.

Decision under appeal

Late in 2018, Commissioner Hunt handed down a decision that held the collection of an employee’s biometric data, based on operational and safety reasons, was for a company function or activity that was reasonably necessary.  This finding overshadowed any concerns the Commissioner had about the company’s compliance (or lack thereof) of the Privacy Act 1988 (Cth).  The Commissioner also held that the employee’s dismissal was for a valid reason in view of the employee’s repeated refusal to consent to the collection of his biometric data (fingerprint).

The Appeal

The Full Bench disagreed with the Commissioner, finding the employee’s dismissal was unfair.  In doing so, the Full Bench held that the company was bound to comply with the rules for the collection, use and disclosure of personal information in the Privacy Act and could not rely on the exemption that applies to employee records in the Privacy Act.

The Full Bench was sympathetic to the former employee’s concerns about compliance with the Privacy Act and the security of his biometric data.

The company was in breach of the Privacy Act (and also in breach of the Australian Privacy Principles) at the time because:
  1. The company did not have the necessary privacy policy in place
  2. The company required the employee to provide his personal information without his consent
  3. The company failed to provide the employee with the necessary privacy collection notice
In addition to the above, the third party provider did not have a privacy policy at the time.

Lessons Companies should act on:

The Full Bench decision provides some clear direction that companies should learn from when collecting employee data:
  • Operational efficiencies and the avoidance of operational inconveniences will not override a company’s obligation to comply with legal requirements like those under the Privacy Act, and any requirement on employees must accordingly be reasonable in all the circumstances
  • Treat the collection of employee personal information in the same manner as it would any other member of the public and in accordance with the Privacy Act
  • Have a clearly expressed and up-to-date policy about the management of all personal information, including employee personal information
  • Ensure all personal information collected is reasonably necessary for one or more of the entity's functions or activities
  • Provide a compliant privacy collection notice when proposing to collect personal information
  • Seek the consent of employees to the collection of sensitive information (includes biometric) that is not already in the company’s possession or control
  • Ensure any third party provider has the necessary policy and security measures to ensure the protection of personal information

How businesses can minimise risk

There are a range of things that businesses can be doing to better manage the collection, use and disclosure of employee personal and sensitive information:
  • Review employment contracts to ensure helpful and appropriate drafting is included around personal information and privacy generally
  • Have a Privacy Policy that is compliant with the Australian Privacy Principles, one that is clearly expressed and up-to-date about the management of all personal information (including employee personal information)
  • Have a process in place for the purpose of managing personal and sensitive information
  • Have the appropriate measures in place to secure personal and sensitive information
  • Consult in a meaningful and engaging manner with employees about changes to policies and procedures (especially policies of a health and safety nature given the requirements under WHS legislation to consult) Make sure all third party providers, who manage any personal information your business collects, are also compliant with the relevant aspects of the Privacy Act and the security of personal and sensitive information.
It is advisable you seek legal guidance to review your policies and processes around data collection and storing sensitive employee personal information.  Companies should take the time to check where personal information is gathered, both customer and employee data, and review transparency, consent and safety. Get in touch now if this has raised any concerns for your business on 1300 565 846. 

Join our mailing list to receive breaking news and webinar invites.

Please tick if you'd like to receive alerts and webinar invites on the following topics*:


By submitting this form you agree to the terms of our Privacy Policy.

Australian Business Lawyers & Advisors (ABLA) (ACN 146 318 783) is the Trustee of Australian Business Lawyers & Advisors Trust (ABN 76 008 556 595). Liability limited by a scheme approved under Professional Standards Legislation.  Legal practitioners employed by or directors of Australian Business Lawyers & Advisors Pty Limited are members of the scheme.

To understand how we protect your privacy, please refer to our Privacy Policy.