A Full Bench of the Fair Work Commission has granted permission for an employee to appeal an unfair dismissal based on “public interest” as the case raised “important, novel and emerging issues” concerning personal data, security and fingerprint scans.
Yes, fingerprints – familiar from forensic procedurals and one of a range of biometric measures used to monitor employee movements. In this particular case, the employer advised employees that they were introducing this technology for signing in and out of work. One employee refused as he was concerned that his biometric data would be accessed, sold or used against him. Despite responses from his manager regarding security, he still refused and was consequently terminated 12 weeks later.
This case and subsequent appeal are significant as they will allow the Full Bench to review what personal data employers can request from their employees in a time of increased fear around data collection, breaches and privacy.
As individuals become better educated on cybersecurity threats and the damage that identity theft can cause, the question arises: at what point can an employee refuse to share personal data with an employer without the risk of dismissal?
Employees’ rights to ‘opt in’
As we have seen with the government’s My Health Records and the significant number of ‘opt-outs’, people don’t trust organisations to keep their personal data safe. How many organisations can give assurances that personal data will be secure at all times?
No organisation can give a 100% guarantee that they won’t be hacked, but they should put every reasonable protection in place to make that data secure. Employment contracts, induction training and policies should clearly state reasons for data collection.
Managing Generation Z
With younger, tech-savvy generations in the workforce, many companies are looking at adopting a Bring Your Own Device (BYOD) policy, including personal phones and laptops. These policies present another area for review. Smartphones today are more than a technological tool. They can hold all of an employee’s private data, medical and financial records – even their fingerprints! If an organisation asks employees to use personal devices to access corporate data, policies and processes should be in place so they are clear on the employer’s rights to access the device and its data.
When is a company within its rights to collect data?
Building trust and proceeding reasonably are critical when an employer is exercising its rights to collect information. If you have a workplace culture built on communication and trust that properly informs employees when, why and how you collect their personal data, you should experience minimal resistance.
Whatever personal data you collect, keep these rules in mind:
- Communicate: Tell employees what data you need and why, at every point of collection. If they understand the rationale behind it, cooperation should follow.
- Document: Make policies available to employees at the start, and frequently remind them of what data you collect, and why and how it will be used.
- Secure: Access to employee records and data should be restricted to the few who need it to do their job, as well as the employee. Giving the employee equal access is considered best practice.
If you collect data or monitor your employees, you should communicate clear workplace policies to avoid repercussions should an unfair dismissal claim arise. Have a policy for email and internet use, social media, drug and alcohol testing, and personal data collection.
Whether fingerprint scans or health records, handling employees’ personal data can be a grey area. Review your methods of collection, the purpose of the data and the security measures adopted. Bring in relevant departments that have a role in protecting the privacy of employees. If in doubt, get professional advice on whether your current processes are best practice and would stand up in court if challenged.