Employers are increasingly using technology to monitor, control and surveil their workers. Often new technology systems are implemented without consultation with workers, or regard to whether workers even consent to such arrangements.
This can probably be attributed to the widespread view that the collection and retention of workers’ private information was not regulated by the Privacy Act 1988 (Cth) (‘the Act’) because of an ‘employee record exemption’.
But a recent decision made by the Full Bench of the Fair Work Commission has found that the employee record exemption does not apply to the collection of workers’ private information. This puts the onus back on employers to seek consent from workers before they collect certain types of information from them.
The decision – Lee v Superior Wood  FWCFB 2946 – has significant implications for how and when employers may collect their workers’ personal and sensitive information, and means that employers should not take disciplinary action against workers who decline to provide certain types of information.
What type of information is covered?
The Act deals with information it calls private information and sensitive information. Employers with an annual turnover of more than $3 million a year must comply with the Act when seeking to collect either from their workers.
‘Personal information’ is defined as information or an opinion about someone (whether true or not) who is identified, or is reasonably identifiable by the holder. ‘Sensitive information’ is generally a subset of ‘personal information’ which contains a higher level of identifying information, such as biometric information or health information.
How does the Privacy Act apply?
The Full Bench’s finding means that when employers with a turnover of $3 million or more seek to collect workers’ personal or sensitive information that they don’t already possess, they must first:
- Ensure that the collection of the information is reasonably necessary for one or more of the employer’s functions or activities
For example, does a supermarket chain really need to use biometric finger scanning, or would entering a unique ID number or scanning a swipe card also accurately record workers’ start and finish times?
By contrast, an employer which handles highly sensitive information and needs to confirm workers’ identities before allowing them access to a restricted work area would likely have a far better case to say that the collection of its workers’ sensitive data was necessary to manage this process.
- Ensure it has an up to date policy regarding management of personal and sensitive information
- At, before or as soon as practicable after the collection of information, notify the worker of certain information (‘the collection notice’).
A full list of the information that must be provided by the employer can be accessed here (from 5.8), but includes the purposes for which the information was collected, and the name any other entity who might be given access to the information.
Collection of sensitive information requires consent
The Act requires that, when an employer seeks to collect workers’ sensitive information, in addition to the steps outlined above, the employer must also:
- Obtain the worker’s consent to collect the information
Genuine consent must first be obtained before any collection of sensitive information takes place. Genuine consent will not have been given if it was only provided after a threat was made by the employer to take disciplinary action if the worker did not consent. Directions given by employers to consent to collection will not be ‘lawful and reasonable’ directions, and therefore employers cannot take disciplinary action (including dismissal) against workers for refusing to comply with a direction to provide consent.
Workers should be aware that they may be treated as having given consent if they provide their sensitive information without protest.
Does the Privacy Act apply to how the employer uses or stores the information?
Section 7B of the Act exempts employers from any obligations under the Act in relation to personal or sensitive information that it already holds (‘the employee record exemption’). In practice, this means that employers must comply with the Act when collecting personal and sensitive information, but not in how they handle, store, share or otherwise deal with the information once it is in their possession.
This is likely to be of concern to many workers, especially workers like Lee who are worried about their sensitive information being shared without their consent or their employer’s servers being hacked.
How can you use the Privacy Act to push back on onerous demands by employers?
While the Full Bench’s decision in Lee v Superior Wood does not bind the Privacy Commissioner or the higher courts, unions can and should use the Privacy Act as a means to push back on unreasonable demands by employers to collect members’ personal or sensitive information.
Maurice Blackburn Lawyers recently represented the ETU in doing just that against SNC-Lavalin, a new contractor for the Shell-owned Queensland Gas Corporation (‘QGC’).
SNC-Lavalin required existing workers to reapply for their roles, and required applicants to submit to blood tests, ostensibly to see if they were at risk of heart attack and other conditions. Applicants were told they would not be considered for roles if they did not provide the blood samples.
After several weeks of negotiations, SNC-Lavalin continued to insist on applicants undergoing blood tests. ETU instructed us to file an application in the Federal Court of Australia seeking injunctive relief restraining SNC-Lavalin from collecting any blood analysis, and to destroy any blood tests that had already been collected, on the basis that the information sought was not reasonably necessary as required by the Privacy Act.
Two hours after our application was served, SNC-Lavalin advised it would not collect any blood tests, and would destroy any blood tests that had already been taken.