1
Fair Work Act 2009
s.394 - Application for unfair dismissal remedy
Mr Jeremy Lee
v
Superior Wood Pty Ltd T/A Superior Wood
(U2018/2253)
COMMISSIONER HUNT BRISBANE, 1 NOVEMBER 2018
Application for an unfair dismissal remedy – dismissed after failing to comply with site
attendance policy – refused to use biometric fingerprint scanners to record site attendance –
no consent given by employee to collection of sensitive information – site attendance policy
reasonably necessary for employer’s payroll and safety functions - employee refused to follow
lawful workplace policy – employee given multiple warnings and opportunities to follow site
attendance policy - dismissal not harsh, unjust or unreasonable
[1] Mr Jeremy Lee was employed by Superior Wood Pty Ltd T/A Superior Wood
(Superior Wood) from on or about 19 November 2014 to 12 February 2018. On 5 March
2018 Mr Lee made an application for a remedy for unfair dismissal under s.394 of the Fair
Work Act 2009 (the Act) alleging that he was dismissed from his employment on 12 February
2018 and that his dismissal was harsh, unjust or unreasonable.
Background
[2] Superior Wood operates sawmills on two sites at Melawondi and Imbil, Queensland.
Mr Lee worked at the Imbil site at the time of his dismissal. Throughout his employment and
at the time of his dismissal, Mr Lee was employed by Superior Wood as a general factory
hand on a casual basis. Mr Lee’s duties included the operation of forklifts and other
machinery as well as the completion of other general tasks involved in the process of milling
and processing timber. Mr Lee had originally worked from the Melawondi site, but was
working from the Imbil site at the time of his dismissal.
[3] Superior Wood is part of the Finlayson Group of companies which handles wood
products from plantation forest resource, through to processing and manufacturing, and
product distribution.
[4] In October 2017 Superior Wood announced that it was introducing biometric scanners
at the Imbil site for registering employee attendance and tracking shift times (the scanners). It
was announced that ‘all employees must use the biometric scanners to record attendance on
site’.1
[2018] FWC 4762 [Note: This decision has been quashed - refer to Full
Bench decision dated 1 May 2019 [[2019] FWCFB 2946]
DECISION
E AUSTRALIA FairWork Commission
https://www.fwc.gov.au/documents/decisionssigned/html/2019fwcfb2946.htm
[2018] FWC 4762
2
[5] Mr Lee objected to the use of the scanners and refused to use them in the course of his
employment, as he was concerned about the collection and storage of his personal information
by the scanners and Superior Wood.
[6] Between November 2017 and February 2018, Mr Lee and several managers of
Superior Wood discussed Mr Lee’s refusal to use the scanners. The parties were unable to
resolve Mr Lee’s concerns about the scanners and the employer’s insistence that the scanners
be used by all employees. On 12 February 2018, Mr Lee was issued with a letter of
termination dismissing him from his employment on the grounds that he had failed to adhere
to Superior Wood’s Site Attendance Policy.
Relevant legislation
[7] Pursuant to s.385 of the Act, “unfair dismissal” is defined as meaning:
“385 What is an unfair dismissal
A person has been unfairly dismissed if the FWC is satisfied that:
(a) the person has been dismissed; and
(b) the dismissal was harsh, unjust or unreasonable; and
(c) the dismissal was not consistent with the Small Business Fair Dismissal
Code; and
(d) the dismissal was not a case of genuine redundancy.
Note: For the definition of consistent with the Small Business Fair Dismissal Code:
see section 388.”
[8] Further, s.387 relevantly provides:
“387 Criteria for considering harshness etc.
In considering whether it is satisfied that a dismissal was harsh, unjust or
unreasonable, the FWC must take into account:
(a) whether there was a valid reason for the dismissal related to the
person’s capacity or conduct (including its effect on the safety and welfare of
other employees); and
(b) whether the person was notified of that reason; and
(c) whether the person was given an opportunity to respond to any reason
related to the capacity or conduct of the person; and
(d) any unreasonable refusal by the employer to allow the person to have a
support person present to assist at any discussions relating to dismissal; and
[2018] FWC 4762
3
(e) if the dismissal related to unsatisfactory performance by the person—
whether the person had been warned about that unsatisfactory performance
before the dismissal; and
(f) the degree to which the size of the employer’s enterprise would be
likely to impact on the procedures followed in effecting the dismissal; and
(g) the degree to which the absence of dedicated human resource
management specialists or expertise in the enterprise would be likely to impact
on the procedures followed in effecting the dismissal; and
(h) any other matters that the FWC considers relevant.”
Capacity to bring application
[9] It is uncontested that Superior Wood dismissed Mr Lee from his employment by
provision of the letter of termination on 12 February 2018. I am satisfied that Mr Lee was
dismissed from his employment at the initiative of Superior Wood.
[10] Mr Lee’s application was brought within the 21-day time period required by s.394(2)
of the Act following his dismissal.
[11] Mr Lee was employed by Superior Wood as a regular and systematic casual
employee. It is not contested and I so determine that he had a reasonable expectation of
continuing employment with Superior Wood on a regular and systematic basis.2 Me Lee’s
annual earnings were less than the high-income threshold amount. Mr Lee is protected from
unfair dismissal under s.382 of the Act.
[12] Superior Wood is not a small business employer and is not subject to the Small
Business Fair Dismissal Code.
[13] Mr Lee did not contend that his dismissal was a non-genuine redundancy.
[14] Therefore, the sole issue to be determined in this matter is whether Mr Lee’s dismissal
was an unfair dismissal pursuant to s.385 of the Act.
Conduct of the matter
[15] This matter was heard before me on 15 June 2018. Leave was granted for the parties to
be represented. Mr Charles Martin of Counsel appeared for Mr Lee, instructed by the Caxton
Legal Centre. Mr Andrew Herbert of Counsel appeared for Superior Wood, instructed by
DWF Australia.
[16] The following people gave evidence. Mr Todd was not required for cross-
examination:
Mr Lee
Mr Andrew Douglass, Director of Mitrefinch (Australia) Pty Ltd
Mr Bruce Todd, Production Supervisor, Superior Wood Pty Ltd
Mr Ian Swinbourne, Manager, Superior Wood Pty Ltd
[2018] FWC 4762
4
Mr Michael Lithgow, Technical Services Manager, Superior Wood Pty Ltd
Mr Skene Finlayson, Director and Secretary, Superior Wood Pty Ltd
[17] Following the above hearing, and with leave, Superior Wood filed a second statement
by Mr Finlayson. A second hearing was conducted on 10 August 2018 to allow for further
cross-examination of Mr Finlayson.
Evidence of Mr Jeremy Lee
[18] Mr Lee’s evidence was that he commenced employment with Superior Wood in
November 2014 on a casual basis in the role of a general factory hand. Mr Lee had worked at
Superior Wood’s Melawondi site for approximately six months before transferring to the
Imbil site, from which he had worked until the termination of his employment. Prior to
October 2017, Mr Lee had been happy in his role and had been recognised for his good
performance.
[19] Mr Lee stated that he and the other staff present at the Imbil site learned of the
intention to install fingerprint scanners at a ‘floor meeting’ held at the Imbil site at 5:15am on
25 October 2017. A conversation to the following effect took place:
Todd: A fingerprint scanner is being introduced for registering staff attendance. Over
the next week you’ll have to register your fingerprint. Michael Lithgow from
administration is responsible for ticking off staff to make sure everybody
registers. The scanner is going to be located on the outside of the
administration building. Staff will be required to register attendance using the
biometric scanner at the start and finish of shift.
The scanner won’t actually take a fingerprint.
Lee: Yes it will.
Todd: No it won’t. The scanner uses an algorithm. It’s not actually storing or
keeping the fingerprint.
Lee: It’s scanning your finger, of course it’s taking a fingerprint.
Todd: I don’t want to argue.
[20] Mr Lee stated that Mr Todd did not provide any explanation about why the scanners
were being introduced. He considered that there was no consultation with employees about
the introduction of the scanners, nor did the employer seek to secure the consent of employees
to obtain biometric data. Employees were not provided with any written information or asked
to read and sign any document.
[21] On 1 November 2017 Mr Lee was working at the Imbil site when he was approached
by Mr Steve Howe, Floor Manager. Mr Howe directed Mr Lee to meet with Mr Lithgow to
register his fingerprints for using the scanners.
[22] Mr Lee met with Mr Lithgow. The following was said:
[2018] FWC 4762
5
Lee: I’m not comfortable providing my fingerprints to the scanner so I won’t
be doing it at this stage.
Lithgow: Everyone has to do it.
Lee: I understand your point of view. I am happy to discuss my concerns
with Ian (Swinbourne) or Skene (Finlayson).
[23] Mr Lee did not provide his fingerprint to Mr Lithgow on 1 November 2017.
[24] On 2 November 2017 Mr Lee was directed to attend a meeting with Mr Swinbourne
and Mr Finlayson. Mr Finlayson explained to Mr Lee several reasons why the scanners were
being introduced in the workplace, including allowing the employer to streamline payroll and
keep a track of people on site. Mr Finlayson said it was important for health and safety
reasons.
[25] Mr Finlayson explained that he had considered other systems such as swipe cards, but
he had chosen the scanner because there had been trouble in the past when staff could use a
swipe card to swipe in for their ‘buddies’.
[26] Mr Lee said to Mr Swinbourne and Mr Finlayson that he remained concerned about
the control of his biometric data, and considered that Superior Wood could not guarantee that
third parties would not access and use that data once it was stored electronically.
[27] Mr Finlayson said to him words to the effect, “We are going ahead with
this…hopefully Ian can address your concerns.” Mr Swinbourne said to him words to the
effect, “You have a decision to make.”
[28] Following the meetings of 1 and 2 November 2017, Mr Lee continued to use a
physical ‘sign in and sign out book’ located in the Imbil site’s administration office to record
his attendance.
[29] On 7 November 2017 Mr Lee wrote to Mr Swinbourne detailing his concerns about
the scanners and the collection of his biometric data. Mr Lee’s letter stated:
“I am unwilling to consent to have my fingerprints scanned because I regard my
biometric data as personal and private.
If I were to submit to a fingerprint scan timeclock, I would be allowing:
- Unknown individuals and groups to access my biometric data,
- The potential trading/acquisition of my biometric data by unknown individuals and
groups, indefinitely.
Brief explanation:
Information technology companies gather as much information/data on people as they
can. Whether they admit to it or not. (see Edward Snowden)
Such information is used as currency between corporations.
[2018] FWC 4762
6
All the largest technology companies – such as Apple, Google, Facebook, Telstra,
Samsung – are in a race to access and store as much data on individuals as they can.
This info is then traded and exchanged.
So if I were to consent to a fingerprint scan, my fingerprint would be scanned and
stored for use immediately (regardless of assertions to the contrary), or it would be
scanned and stored for use at a later time.
Jeremy Lee”
[30] On 22 November 2017 Mr Lee received a letter from Mr Swinbourne responding to
his letter of 7 November 2017. Mr Swinbourne’s letter stated:
“I would like to address your concerns re the implementation of Biometric scanning for
payroll purposes. As you know the company has embarked on this common method to
improve efficiency and accuracy of our payroll for approx. 400 employees.
You have raised some concern relating to your fingerprint security and use by others.
I wish to outline some of the facts to help you make a decision on your own security
concerns.
I have included a document from the supplier which outlines
- The information gathered is not a finger print but a set of data measurements
which is processed via an algorithm.
- There is no possible way the data measurements can be converted or used as a
finger print.
- The company and its supplier cannot use your data measurements for any other
purpose other than linking your payroll number to a clock in/out time.
I trust this will address your concerns over the process.”
[31] Mr Swinbourne’s letter of 22 November 2017 attached a document explaining that the
scanners did not collect an entire fingerprint, but determined ‘unique points on a fingertip…to
form a template which is a set of numbers…this biometric template cannot be used to re-
create a fingerprint for identification purposes’.
[32] Mr Lee considered that Mr Swinbourne’s letter did not address all of his concerns, and
he remained concerned about the use of the scanners and the collection of his biometric data
after 22 November 2017. Mr Lee continued to avoid using the scanners in the course of his
employment after 22 November 2017.
[33] Mr Lee gave evidence that he was directed to attend several further meetings with Mr
Swinbourne throughout December 2017. Mr Lee stated that at each of those meetings Mr
Swinbourne detailed to Mr Lee the occasions on which he had attended the Imbil site in the
course of his employment and not used the scanners. Mr Lee recalled that Mr Swinbourne, in
each of the meetings said words to the effect, “I urge you to start using the fingerprint
scanner…it is not taking your fingerprint.” On one occasion he said, “Even I have to use it.”
[34] On 9 January 2018 Mr Lee met with Mr Swinbourne and was given a verbal warning
for refusing to use the fingerprint scanner. Mr Lee said to Mr Swinbourne words to the effect,
[2018] FWC 4762
7
“The scanners can be cheated using fake fingerprints.” He then asked what consequences
may result from refusing to use the scanners, to which Mr Swinbourne replied words to the
effect, “That’s a decision for you to make.”
[35] On 11 January 2018 he was directed to attend a meeting with Mr Swinbourne and Mr
Howe. Mr Lee confirmed that he had not changed his mind about using the scanners, to which
Mr Swinbourne responded by reading aloud and presenting to Mr Lee a written warning letter
(the first written warning), which stated:
“The company has a strict policy on recording site attendance using Biometric
Scanners. The system is used to both record attendance on site for Workplace Health
and Safety and Payroll reasons.
Up until the 2nd January 2018, the Biometric scanners have been in a trial mode to
allow all employees to register and gain familiarity using the system. After an
extensive trial period of seven weeks, a policy was issued on the 21st of December
2017 requiring all employees to record site attendance using the Biometric Scanner
from the 2nd January 2018. This is the Site Attendance Policy.
Throughout the trial period you have refused to register and use the system. You
sighted [sic] concerns over giving up your own biometric data during this process.
The Company has addressed these concerns as far as practicable by supplying the
relevant information.
During numerous discussions and meetings re the live implementation of the system,
you have continued to refuse using the system.
Your first rostered day back was 8th January and you made no attempt to register or
scan. On the 9th, 10th, 11th of January you have made no attempt to register or sign in.
On the 9th January you were issued with a verbal warning in relation to your refusal
to register or sign in. It was clearly stated that you must follow the Site Attendance
Policy.
This is a written warning for failure to follow the Site Attendance Policy. Further
failure to rectify this will result in a Final Written Warning. Continuing to not adhere
to the Site Attendance Policy may result in your termination.”
[36] It was Mr Lee’s evidence that he considered that he had, in fact, ‘signed in’ upon
attending the Imbil site, using the physical sign-in book located in the Imbil site’s
administration office. Mr Lee continued to use the physical sign-in book to sign in and not the
scanners after receiving the first written warning.
[37] On 17 January 2018 he was directed to attend a meeting with Mr Swinbourne and Mr
Todd, during which Mr Swinbourne read aloud and presented to Mr Lee another written
warning (the final written warning), which stated:
“Further to the Written Warning issued on the 11/1/18 re: failure to register and scan
your attendance on site.
[2018] FWC 4762
8
On the 15th and 16th of January you have failed to register with the Biometric Scanner
and scan your attendance with Superior Wood. This continues to be in breach of the
Site Attendance Policy.
This is a Final Written Warning for failure to follow the Site Attendance Policy. I urge
you in the strongest terms to comply with this Site Policy immediately. Further failure
to comply with this will result in a Termination.”
[38] On 18 January 2018 Mr Lee wrote to Mr Swinbourne in an attempt to resolve his
concerns about the use of the scanners and the employer’s insistence on mandatory use of the
scanners. Mr Lee’s letter stated:
“I value my job a great deal and your records will show that I have not missed a single
day at work in over three years.
I have never given Superior Wood consent to scan my fingerprints or take my
biometric data. I am hoping that by explaining my reasons more fully, there will be a
satisfactory resolution allowing me to keep my job and my private biometric data.
The first time I was told about the installation of a fingerprint scanner was on
Wednesday 25th October last year, at the start of the days [sic] shift (5.15am). At
that time, the floor manager Bruce informed staff that Superior would be installing a
“fingerprint scanner” and over the next week we would have to register our
fingerprint for the system. He said that these scanners “don’t take a fingerprint” and
I immediately objected and said “Yes they do.”
On Wednesday 1sth November 2017 floor manager Steve Howe asked me to go down
to see Michael Lithgow to register my fingerprints. I went straight to see Michael
Lithgow and declined to scan my fingerprints and returned to work.
On Thursday 2nd November, 2017 I had a meeting with Skeen Findlayson [sic] and
Ian Swinbourne. It was explained to me that the system was being installed and I had
to use it. Ian said I had “a decision to make”. I was not asked for my consent.
On Thursday 9th November, 2017 I gave Ian my letter refusing to give my consent to
have my fingerprints scanned.
On Wednesday 22nd November, 2017 Ian gave me a written reply to my letter while I
was working.
After my letter, during November and December 2017 I was approached several
times by Ian to see if I had changed my mind. I told him no each time.
On Tuesday 9th January, 2018 I had a meeting with Ian who gave me a verbal
warning for refusing to use the fingerprint scanner. I asked for more information
about the process “what happens from here” and was told “well that’s a decision
for you to make” but it was not explained to me further.
On Thursday 11th January, 2018 Ian gave me a written warning at the end of the
day.
[2018] FWC 4762
9
On Wednesday 17th January, 2018 Ian gave me a final written warning.
During this whole time I have continued to use the sign in book as usual.
I understand managements [sic] need to account for employees [sic] work hours and
would be happy to use any possible alternatives to sign in without providing my
biometric data. I could continue to time in/out using the sign-in book, or I could use an
employee number, or a password, or a timecard, etc.
From the 25th November forward I have been told that I must use the fingerprint
scanner, or be sacked. No alternative has been offered.
Staff were told “You have to do it, there is no option”.
Superior Wood did not seek consent from staff. There was no consultation with staff.
The system was simply installed and staff were informed they were to use it.
Superior Wood has given me nothing to sign to give my consent or provide assurances
of how, when, where, who could access my data. There was not any acknowledgement
of privacy, no privacy statement or data handling statement or mention of the
companies’ [sic] privacy obligations.
I would love to continue to work for Superior Wood as it is a good, reliable place to
work. However, I do not consent to my biometric data being taken.
The reason for writing this letter is to impress upon you that I am in earnest and hope
there is a way we can negotiate a satisfactory outcome.”
[39] Mr Lee stated that the next discussion he had with Superior Wood about the scanners
was during a meeting on 24 January 2018 that he attended, along with Mr Swinbourne and Mr
Finlayson. Mr Bill Gethin also attended the meeting as Mr Lee’s witness and support person.
Mr Lee stated that Mr Finlayson began the meeting by reading aloud Mr Lee’s letter of 18
January 2018. Mr Finlayson then asked Mr Lee whether he would use the scanner, to which
Mr Lee responded, “No.”
[40] Mr Finlayson said to Mr Lee words to the effect, “You have to use the scanner…it
allows us to keep a better track of where people are…if someone gets injured on site I could
be sued for twenty million dollars.” Mr Finlayson referred to the information document
provided to Mr Lee on 22 November 2018 and reiterated that the scanners did not record a
fingerprint.
[41] Mr Lee responded to Mr Finlayson words to the effect, “The scanner still relies on
trust because someone could scan in in the morning and then come back in the afternoon and
scan out.” Mr Lee said further that the information document previously provided to him did
not address his concerns about the collection of his ‘biometric data’, and he did not consent to
anyone collecting his biometric data.
[42] On 30 January 2018 he was directed to attend a meeting with Mr Swinbourne and Mr
Todd. During that meeting Mr Swinbourne noted to Mr Lee that he had received several
[2018] FWC 4762
10
warnings about using the scanners and directed Mr Lee to use the scanners. Mr Lee agreed
that he had been given several opportunities to reconsider using the scanners, but did not
agree to use the scanners.
[43] Mr Lee stated that Mr Swinbourne said “[you are]…required to show cause why
further action should not be taken”, to which Mr Lee responded, “I believe my two letters
have shown cause but if you can point to something that you do not understand or don’t agree
with I would be happy to try to explain it better.”
[44] On 6 February 2018 he was directed to attend a meeting with Mr Swinbourne and Mr
Todd to show cause as to why his employment should not be terminated. Mr Lee reiterated
that he had explained his reservations about using the scanners in his two previous letters. Mr
Swinbourne informed Mr Lee that he would discuss the matter with Mr Finlayson, who would
make a decision.
[45] On 12 February 2018 he was directed to attend a meeting with Mr Swinbourne and
Mr Howe. At the start of the meeting Mr Lee confirmed that he still refused to use the
scanners in the course of his employment. Following Mr Lee’s confirmation, Mr Swinbourne
read aloud a letter addressed to Mr Lee, terminating his employment with Superior Wood
effective immediately (the Termination Letter). Mr Swinbourne presented a copy of the
Termination Letter to Mr Lee, which stated:
“RE: Failure to adhere to Site Attendance Policy.
The Site Attendance Policy clearly states that you must sign into site using the
biometric scanners provided. A trial period of seven weeks enabling all employees to
gain an understanding of the system function has occurred. This was completed on the
21st Dec 2017. Information prior to and during this trial period has been given to
employees.
Thus far you have not registered and scanned for your attendance on site and this is in
clear breach of this policy. During the trial period you showed reservations to
registering and scanning for your attendance. You addressed a letter to the company
on the 7th November requesting further information and listing your reasons for not
taking part in the process. The company responded to questions with a letter and
documents addressing your concerns.
The following warnings and discussions have taken place since 21st December 2017 in
relation to breaching the Company Site Attendance Policy
o Verbal Warning 9/1/18
o Written Warning 11/1/18
o Final Written Warning 17/1/18
Despite the warnings above you continued to fail to adhere to the Site Attendance
Policy.
Meeting with the Company Director, Superior Wood Manager and yourself, with Bill
Gethin Jones as your witness – 24/1/18
[2018] FWC 4762
11
o The company reinforced its requirement to adhere to the lawful and
reasonable instruction in the Site Attendance Policy. It is a strict WH&S
requirement in addition to payroll functionality.
o The company reiterated the information given in relation to the use of
biometrics. Specifically referring to the system not gathering a finger
print.
o You continue to refuse to follow the Site Attendance Policy.
Further meeting with Superior Wood Manager, Dry Mill Supervisor, and an offered
witness (not taken) – 30/1/18
o The company again reinforced its requirement to adhere to the Site
Attendance Policy.
o You stated there was no change in refusal to adhere to the Policy.
o The company has given you all information required on the Biometric
Scanner.
o The company reinforces that Jeremy has been given sufficient notice,
sufficient trial period and a verbal, written and final written warning.
o The company requested a letter from Jeremy to show cause why further
disciplinary action should not be taken.
Further meeting with Superior Wood Manager, Dry Mill Supervisor, and an offered
witness (not taken) – 6/2/18
o Company reiterated again the requirements of the Site Attendance
Policy
o Jeremy states he will not follow this Policy
o Jeremy cannot provide a show cause letter as requested in the previous
meeting
o Jeremy refers back to his original letter and states that this is his show
cause letter
o Meeting ended with no further discussion.
Despite the numerous discussions, warnings and information provided back to
yourself, you have continuously refused to adhere to the Site Attendance Policy. The
company has met all requests for information to enable you to successfully follow the
Site Attendance Policy.
Due to the above events you are given notice of your termination, effective
immediately. Two weeks notice will be paid into your account.
Date: 12/2/18
Ian Swinbourne
Manager
Superior Wood”
[2018] FWC 4762
12
[46] In cross-examination, Mr Lee was asked if it was a condition of going back to work,
would he provide his biometric data? He answered that he would not provide his biometric
data.3
[47] Mr Lee agreed that the alternatives put on his behalf, such as a swipe pass or password
can be falsified by others. It was Mr Lee’s evidence that if he were to return to the workplace
his preference would be to continue to sign-in using the paper sign-in book at reception.
When informed that Superior Wood no longer uses the paper sign-in book, Mr Lee responded
that he was not aware of that.4
[48] The following exchange occurred:5
Mr Herbert: So it's because you object to giving out your biometric data you should be
treated by the company as being exempt from the security measure that
they've introduced. Is that what you're telling the Commission?
Mr Lee: Exempt from the security measure. Yes, I didn't think about it that way. I
just think that my biometric data is mine and I didn't want to give it away and
have someone else control it and have it.
[49] Mr Lee agreed that he has a driver’s licence, and has provided his biometric data to the
Queensland transport department in the form of his driver’s licence photo. Likewise, he has a
passport, and he understands that facial recognition software is used for people going in and
out of Australia by the relevant departments responsible for immigration and counter-
terrorism.
[50] Relevant to Mr Lee’s understanding or belief that a fingerprint would not be obtained
if he were to use the fingerprint scanner, the following exchange occurred:6
Mr Herbert: Just on that - I won't take very long, Mr Lee, but just on that, you understand
that what happens is that the scanner takes various dot points of interest from
your fingerprint and it converts all that into an electronic message and is
processed by a complicated algorithm so that it can be readily compared to the
next time that fingerprint is placed on the scanner. You understand how that
works, in general terms?
Mr Lee: Yes.
Mr Herbert: You understand also that it doesn't actually take a photograph or anything like
that of a fingerprint and that a fingerprint cannot be created out of the data
that it takes. You can't recreate a fingerprint out of that data, because it's got
dots, and the lines between the dots are not recorded. Do you accept that?
That's what you've been told?
Mr Lee: Yes, I’ve been told that; yes.
Mr Herbert: Do you accept it?
Mr Lee: No.
Mr Herbert Why? Do you have any evidence that that's untrue, or is it just in your mind
you don't agree with it?
[2018] FWC 4762
13
Mr Lee: Yes there’s in general evidence everywhere.
…
Mr Herbert: Sorry?
Mr Lee: Yes, in general there's evidence everywhere in the information technology
sector that they are keeping more than they let on, they are using it in different
ways than they let on and, yes, my view of that explanation of the fingerprint
scanner is - it's a palatable explanation of what they do with it, and it's
actually worse, I think, that they most probably do take a fingerprint scan and
can recreate a fingerprint, but most people won't see that. That will - most
people won't, yes. It's not accessible by most people.
Mr Herbert: You obviously have brought no evidence to this Commission to establish that
what the provider of that machine says is not true, because you understand -
for example, you've seen the evidence of Mr Douglass where he says you
cannot create a fingerprint from the data that's collected. You have no
evidence that what he says is not true, have you?
Mr Lee: No, I'm not presenting any evidence that that's not true.
[51] In a later exchange, Mr Lee was asked his concern as to having his fingerprint
reconstructed. The following was put to him and answered by him:7
Mr Herbert: No, and what is it that you think would be the value to anyone of biometric
data constituted by some points taken from one of your fingerprints? What do
you think someone could conceivably do with that information anyway, even
if it was to be trafficked, as you say?
Mr Lee: There's kind of similar things that people do with - say if someone steals a
wallet, they've got stuff they can make up an identity, put me somewhere that
I'm not.
Mr Herbert: Put you somewhere you're not?
Mr Lee: Yes.
Mr Herbert: You think somebody might reconstruct a fingerprint out of this data, even
though you were told it can't be done, and then create a false fingerprint and
then put your fingerprint somewhere where you weren't. Is that what you
think might happen?
Mr Lee: It’s conceivable.
Mr Herbert: Why do you think anybody on the face of planet earth would do a thing like
that to you?
Mr Lee: It's like - it's valuable data that companies, and information companies, are
seeking to get, so…
Mr Herbert: To do what? What can they do? It's not your shopping habits, it's not your
likes and dislikes with sports or movies?
[2018] FWC 4762
14
Mr Lee: It's empowering. It's empowering to those that have it.
Mr Herbert: How does it empower them? What power do they have over anybody by
having a reconstructed fingerprint of yours?
Mr Lee: The power of surveillance and - it's a bit hard to describe. It's like you have -
it's kind of like ownership. You can surveil them. You own their biometric
data. I mean, it's…
Mr Herbert: You own their biometric data and you can use your ownership of a fingerprint
to surveil a person. Have you joined those dots together? Perhaps you can
explain how those things fit together. How does getting access to an
algorithm which records points on a person's fingerprint give that person
who's got that algorithm or that material the ability to surveil you?
Mr Lee: If you reconstitute to a fingerprint that's usable by people from - visually, so
that's more useful, and also you don't have to reconstitute it into a fingerprint
for it to be - it's a biometric template as it is.
Mr Herbert: How do people get to surveil you as a result of that?
Mr Lee: They don't get to surveil you with your fingerprint, but it's part of my
biometric data. It's my identity, and if they take it it's empowering to them.
Mr Herbert: You've already empowered all the people that you've given your photograph
to in all sorts of high places in government, haven't you?
Mr Lee: Yes, I have.
Mr Herbert: And you're going to draw the line?
Mr Lee: And I dislike it.
Mr Herbert: Yes, and you're going to draw the line with this company. Is that your
position?
Mr Lee: It's not really Superior that I object to taking it, it would be anyone.
[52] Relevant to health and safety risks in a large sawmill, Mr Lee agreed that there are lots
of combustible materials within the mill, and a high risk of fire. He agreed that people can
become trapped.8 He agreed the employer would need to know in the event of an emergency
if anybody was trapped, and if all people on site had evacuated safely.9
[53] Relevant to the payroll system and the improvements that the employer would achieve
in having biometric scanning, Mr Lee speculated that people might be able to use ‘dummy
fingers’, for example, a prosthetic or rubber finger. He was unsure if a person might be able
to use a dummy fingerprint to abuse the system.10
[54] In answering questions from me, Mr Lee confirmed that Superior Wood has a drug
and alcohol policy. While he was never obligated to provide a sample, Mr Lee’s
understanding is that it required an employee to provide a urine sample. He agreed that if had
been required to undertake a test, he would have done so.11
[2018] FWC 4762
15
[55] In the scenario where Mr Lee would have provided a urine sample, and it had been
sent to a pathology laboratory for further testing, Mr Lee stated that he would be ‘OK’ with
that scenario. He said, “I wouldn’t regard the pathology lab testing urine as risky, I would
say.”12
[56] I put the following to Mr Lee and he answered as follows:13
Commissioner: Aren't they more easy - in a better position, if you have any concerns about
somebody pretending you're somewhere where you're not, wouldn't it be
easier to obtain a small sample of the urine that you had provided for testing
and putting you in that place than it is for somebody to reconstruct a
fingerprint?
Mr Lee: Yes. Potentially, yes.
Commissioner: So you would trust that pathology and you don't trust this organisation?
Mr Lee: Yes, I would be more inclined to trust pathology; yes. It depends. I guess if
the pathology worked with police, had police contracts, I might be a bit
concerned.
Commissioner: You'd be worried, would you, if the pathology organisation worked with
police, because of - why?
Mr Lee: It has happened in the past, because - in the UK, that pathology labs were
leaned on to get results for police in cases. So it's like they want to please the
police.
Commissioner: Your evidence earlier was that up until today, if you had have been required
to undertake a urine, drug and alcohol test you would have done so at the
workplace?
Mr Lee: Yes.
[57] Regarding mitigation, Mr Lee stated that he has been attempting to obtain work, but
has been unsuccessful. He stated that he had applied to Coles, IGA, Woolworths, Laminex,
rendering and roofing businesses, an auction business, factory positions in Gympie and also to
some employers in Brisbane. He had received some calls, but had not secured interviews.
[58] In answering my questions during the hearing, Mr Lee stated that he recently objected
to an application with Coles because Coles required a psychological profile on his application
and he objected to it. Mr Lee agreed that he would decline work if it was in a workplace
where biometric scanning was required, or the employer required psychometric testing as pre-
employment criteria.
Evidence of Mr Ian Swinbourne
[59] Mr Ian Swinbourne is the Manager of Superior Wood and has been employed by
Superior Wood for approximately 24 years. He was responsible for the management of Mr
Lee’s employment during the relevant period of time in this matter.
[2018] FWC 4762
16
[60] Prior to the implementation of the scanners at the Imbil site, manual time sheets were
used by employees who were required to sign in and sign out by writing in the relevant time
and adding their signature.
[61] Mr Swinbourne confirmed that the trial period for the scanners was for seven weeks
starting in early November 2017. Employees were gradually enrolled into the system during
this time while manual time sheets were still available for use. A pamphlet explaining the
scanner was provided to employees and also made available on notice boards in the lunch
room and near the scanner itself.
[62] Mr Swinbourne conceded that at the relevant time Superior Wood did not have a
privacy policy to cover employees; the one-page privacy policy admitted into evidence was
only relevant to the information obtained by persons accessing the Superior Wood website.
[63] On 2 January 2018 an updated Site Attendance Policy was introduced. It was posted
near the scanner for all employees to read. The Site Attendance Policy reads:
“Site Attendance Policy
Due to company Workplace Health and Safety and Payroll requirements it is
imperative all employees are accounted for on site.
Therefore as at the 2nd January 2018 it is policy that all employees must use the
biometric scanners to record attendance on site.
It is reinforced that the biometric scanners do not take a finger print. The algorithm
data used to record attendance cannot be used to generate a fingerprint.
Please ensure you scan in when arriving on site and leaving site at the end of your
shift. If you are having issues with scanning please see your supervisor. If you fail to
use or attempt to use the biometric scanner then disciplinary action may be taken.
Signing the attendance sheets alone is no longer acceptable.
The Directors and Superior Wood Leadership would like to thank employees for their
assistance and patience during the ‘trial’ period.”
[64] Relevant to the meetings involving Mr Swinbourne and Mr Lee on 2 November 2017
and 9 January 2018 as referred to at paragraphs [24] – [27] and [34] Mr Swinbourne denies
that he ever said to Mr Lee words to the effect, “You have a decision to make” in relation to
use of the scanners.
[65] Mr Swinbourne confirmed that two written warning letters were provided to Mr Lee
on 11 January 2018 and 17 January 2018. Mr Lee was offered a support person at all meetings
where the Site Attendance Policy was discussed.
[66] Mr Swinbourne considered that had Mr Lee’s employment continued, the alternatives
open to Superior Wood regarding Mr Lee signing in and out would have been:
[2018] FWC 4762
17
Allow Mr Lee to use manual time sheets – Mr Swinbourne stated that this would
have left Superior Wood open to time recording inaccuracy and fraud which the
scanner was designed to prevent;
Allow Mr Lee to use a surgical glove when using the scanner – Mr Swinbourne
stated Superior Wood would have accommodated this because the scanner can still
operate through a surgical glove;
Allow Mr Lee to use an artificial fingerprint, not his own fingerprint – Mr
Swinbourne stated that this would not have been appropriate because the artificial
fingerprint could be used by other staff, defeating the purpose of the system.
[67] Mr Swinbourne stated further that pursuing alternative arrangements for Mr Lee to
sign in and out would have been costly to Superior Wood.
[68] In any event, Mr Swinbourne stated that if Mr Lee was allowed to be exempt from
using the scanner, it would be difficult to justify requiring any other staff who objected, with
or without dishonest intent, to use the system.
[69] During the hearing Mr Swinbourne stated that for a period from early November 2017
up until around 1 June 2018, both the biometric scanning and the paper sign-on sheets had
been used. Both systems were used by Superior Wood to allow for cross-checking the
accuracy of the payroll to ensure the employees were correctly paid.14
[70] In cross-examination Mr Swinbourne agreed that there had been a fire alarm trigger at
the site in January 2018. The paper sign-on book was used to determine the presence of
employees.
[71] Mr Swinbourne agreed that he did not explore the possibility of using another system
of time and attendance for Mr Lee given his objections. Mr Swinbourne stated that it was not
within his scope or responsibility for the site.15 He did not make inquiries as to how much
other systems might have cost to implement.
[72] Mr Swinbourne agreed that he had not been issued with a collection notice under The
Privacy Act 1988 (Privacy Act) by either Superior Wood, Finlayson’s Timber & Hardware
Pty Ltd, Mitrefinch or by any other company in the Finlayson Group.
[73] In answering questions from me, Mr Swinbourne stated that Superior Wood has an
employee on-site trained to conduct drug and alcohol testing using saliva. If an employee on-
site produced a non-negative result, the employee is to be escorted by the employer and
required to go to a general practitioner or pathology laboratory where a urine test will be
conducted. A negative saliva sample on-site is destroyed on-site. A non-negative saliva
sample provided on-site travels with the employee and the escort to the general practitioner or
pathology laboratory.
[74] Mr Swinbourne agreed that the trained employee on-site is entrusted with the oral
fluid samples of employees.
[2018] FWC 4762
18
Evidence of Mr Skene Finlayson
[75] Mr Finlayson is the sole director and secretary of Superior Wood. Superior Wood has
approximately 150 employees and is part of the Finlayson Group of companies, which has
acquired a number of businesses over the last five years.
[76] Mr Finlayson said the Finlayson Group had found the payroll function was being
conducted on three different days each week, resulting in a number of errors due to manual
time-keeping systems. Mr Finlayson outlined the following issues the payroll department
encountered with the manual time-keeping system:
Staff signing into and out from work at the same time, when they arrived at work,
so that there was no guarantee that their actual departure time matched the time
they had filled in on arrival that day;
Staff who arrived late inserting their normal start time rather than their actual
arrival time;
Staff signing in for another staff member when that staff member was late;
Staff being paid when they were absent because of false timesheet entries; and
Staff being paid incorrectly in relation to sick pay and annual leave.
[77] Mr Finlayson said a number of options were investigated by the payroll department to
streamline the process. Mitrefinch was awarded the contract after the project was put to
tender, due to three main factors:
The Mitrefinch system was able to be fully integrated with the current operating
system;
The Mitrefinch system improved safety across all sites;
The Mitrefinch system had installations in over 340 businesses operating in
Australia, and ‘thousands’ worldwide.
[78] Mr Finlayson also stated that the scanner had been introduced across six other
Finlayson Group sites over the preceding 18 months, involving around 400 employees. No
other employees in the Finlayson Group had refused to use the scanner, and Superior Wood
was the last company in the Finlayson Group where the scanner was rolled out. The
introduction of a new time and attendance system was discussed at a biannual company
update conducted on 27 June 2017. The scanner was installed at the site well before it was
actually used.
[79] Mr Finlayson stated that on account of the biometric scanning, the above payroll
issues had been eliminated, with the added bonus that supervisors could now quickly
download who is on any site at any given time. Mr Finlayson stated he regarded this function
as a very important part of the company discharging its work, health and safety obligations,
for example, in the event of a premises evacuation. If a manual system continued to be used,
if an employee had been falsely signed in when they were truly absent, in the event of an
emergency, staff might be unnecessarily endangered mounting a search for an employee not
present at work.
[80] Mr Finlayson stated that at the meeting of 2 November 2017 he told Mr Lee that the
Mitrefinch system had been progressively rolled out in other companies in the Finlayson
Group, and it was now time to implement the system at Superior Wood. Mr Finlayson stated
[2018] FWC 4762
19
he also told Mr Lee that the scanner provided significant benefits in relation to workplace
health and safety and that the system did not take a fingerprint, only an algorithm.
[81] Mr Finlayson denies hearing Mr Swinbourne say to Mr Lee the words, “You have a
decision to make”, or that Mr Finlayson said to Mr Lee, “Hopefully Ian can address your
concerns.”
[82] Mr Finlayson stated further at the meeting of 24 January 2018 he discussed with Mr
Lee the inaccuracies of the current manual time-recording system. Mr Finlayson said he
recalled stating to the effect that he respected Mr Lee’s decision not to use the scanner. Mr
Finlayson denies saying, “I could be sued for $20 million”, but does recall saying he could be
fined or imprisoned. Mr Finlayson also said he could not recall Mr Lee saying, “That does not
address my concerns”.
[83] Mr Finlayson stated that it was his view that Mr Lee’s employment with Superior
Wood would not have continued for very long, because Mr Lee had shown an unwillingness
to follow an important company policy. Mr Finlayson also stated that unless Mr Lee signed in
via the scanner, a payment file could not be generated and therefore Mr Lee would not be paid
by the payroll system.
[84] Mr Finlayson stated that he opposed reinstatement of Mr Lee on the grounds that he
had lost faith that Mr Lee would act in the best interests of the company or follow directions
and policies. Mr Finlayson also stated he had significant concerns about operating a different
workplace health and safety and payroll system for one employee. Mr Finlayson also stated
that the company is looking to downsize in an effort to compete with mouldings coming in
from China.
[85] During the hearing Mr Finlayson gave evidence regarding the storage of data collected
by the scanners. Mr Finlayson stated that the data collected by the scanners was stored off-site
by a third-party information technology company, ‘Oz IT’, which also collected data from
scanners used in other companies within the Finlayson Group of companies, similar to the
scanners in use at Superior Wood.
[86] Mr Finlayson stated that the data collected by the scanners used within Superior
Wood’s workplaces was stored on servers owned by the Finlayson Group within an area
leased on a monthly basis from Oz IT (the servers). Mr Finlayson stated that Oz IT and its
staff would have access to the data stored on the servers owned by the Finlayson Group. Mr
Finlayson stated that to his knowledge, Oz IT had a privacy policy in relation to the use of
those servers.
[87] Mr Finlayson stated two employees of another company, the Finlayson Timber and
Hardware Company, routinely accessed the data stored on those servers for the preparation of
payroll for Superior Wood. Mr Finlayson stated that the only people with access to the data
stored on the servers were the two employees of the Finlayson Timber and Hardware
Company and the two ‘working directors’ of the Finlayson Group.
[88] Mr Finlayson reiterated his concerns about allowing Mr Lee to operate on a different
payroll system and site attendance policy than the other employees of Superior Wood and
within the Finlayson Group. Mr Finlayson stated that the nature of the sawmilling work
conducted by Superior Wood was dangerous and it was his responsibility to ensure that his
[2018] FWC 4762
20
employees were safe and the implementation of the scanners within Superior Wood provided
an additional safety measure. Mr Finlayson stated that he had to make the choice to terminate
Mr Lee’s employment because he could not allow Mr Lee to be subject to different policies
regarding site attendance and safety than the other employs of Superior Wood.
[89] In cross-examination Mr Finlayson agreed that there had been a number of fire alarms
at Superior Wood during 2018, although he could not recall the exact dates. It was put to Mr
Finlayson that during a fire alarm in January 2018, attendance of staff at the designated
assembly point was checked by reference to the physical sign-in sheets and not by reference
to the attendance information collected by the scanners. Mr Finlayson could not give evidence
on the procedures followed during that fire alarm, as he had not been present on-site during
the alarm.
[90] Mr Finlayson agreed that Superior Wood does not have a privacy policy reflecting the
Australian Privacy Principles set out in the Privacy Act that governs the privacy of its
employees.
[91] Mr Finlayson agreed that the servers are owned by the Finlayson Timber and
Hardware Company, and that the data collected by the scanners in use within Superior Wood
are stored on those servers. Mr Finlayson agreed that no notice or letter had ever been sent to
any employee of Superior Wood disclosing that the data collected by the scanners is stored on
servers owned by another company, being the Finlayson Timber and Hardware Company.
[92] Mr Finlayson confirmed that Mr Lee’s employment, if it had not ended on 12
February 2018, would have ended a short time after as Mr Lee had demonstrated an
unwillingness to follow the site attendance policy.
[93] Mr Finlayson stated that any other position with no less favourable terms and
conditions of employment that Mr Lee may have been able to have been redeployed to in a
company within the Finlayson Group would also have required Mr Lee to use a scanner in the
course of his employment.
[94] Mr Finlayson accepted that Superior Wood could not lawfully require Mr Lee to
provide certain kinds of information dealt with under the Privacy Act without his consent.
[95] In answering questions from me, Mr Finlayson stated that site attendance information
produced from the data collected by the scanners could be accessed by supervising employees
within Superior Wood. For example, the site attendance information could be downloaded or
displayed on a supervisors’ phone to show which employees were present on site at the
relevant time.
[96] Mr Finlayson stated that before the introduction of the scanners, site attendance could
only be confirmed by reference to the physical sign-in sheet located in the administration
building within Superior Wood’s worksites, which a supervisor would need to retrieve from
the administration building.
[97] In Mr Finlayson’s second statement he said that while the scanner used at Superior
Wood was initially purchased by Finlayson Timber & Hardware Pty Ltd, at all relevant times,
Superior Wood had sole possession and control of the scanner, and it was operated only by
Superior Wood staff.
[2018] FWC 4762
21
[98] For accounting purposes, Mr Finlayson stated that it is common practice for capital
items to be purchased by Finlayson Timber & Hardware Pty Ltd, and transferred to other
members of the Finlayson group of companies who may have need for it.
[99] There was no formal leasing arrangement documented for the transfer of the scanner
to Superior Wood, however the scanner is treated for all purposes as having been transferred
to Superior Wood by Finlayson Timber & Hardware Pty Ltd for the sole use by Superior
Wood.
[100] Finlayson Timber & Hardware Pty Ltd charged and collected from Superior Wood an
administration fee of $9,000 per month for various charges. An amount of $1,250 per month
was charged within the $9,000 total for the purposes of the use by Superior Wood for the
scanner placed at Superior Wood.
[101] Mr Finlayson agreed in his second statement that at the time of the dismissal, neither
Superior Wood or Finlayson Timber & Hardware Pty Ltd had in place a Privacy or
Confidentiality Policy. Policies have now been introduced.
[102] Relevant to the contractor providing IT hosting services on the server owned by
Finlayson Timber & Hardware Pty Ltd, Mr Finlayson provided a copy of an unsigned
agreement between Finlayson Timber & Hardware Pty Ltd and Aus IT Services Pty Ltd. Mr
Finlayson stated that the parties have been meeting respective obligations pursuant to the
unsigned agreement since 20 October 2016 as though it were signed. The agreement requires
each party to meet its obligations under the Privacy Act. Mr Finlayson stated that the
agreement applies to members of the Finlayson Group, including Superior Wood.
[103] Mr Finlayson attached to his second statement a copy of the Mitrefinch ‘Data Loss
Assessment and Reporting Procedure’ adopted on 15 May 2018. It is a document generated
from Mitrefinch’s United Kingdom office and deals with actions taken if a data breach is
identified.
Evidence of Mr Michael Lithgow
[104] Mr Lithgow has been the Technical Services Manager at Superior Wood since 2002.
Mr Lithgow stated that his responsibilities include optimising the scanning system, computer
systems maintenance and training, installation of new technologies as well as wood
procurement and timber certification.
[105] Mr Lithgow stated that scanners had been present on site at Imbil and Melawondi from
2016, visible to employees before they were eventually installed around October 2017.
[106] Mr Lithgow stated he was responsible for registering 90% of the Imbil employees to
the scanner in November and December 2017. Mr Lithgow explained the process as follows:
An employee entered a number specific to them and scanned a finger (usually the
index finger) three times;
Another scan of that finger was then performed to verify the entry;
This process was then repeated for the same finger on the other hand in case of
injury.
[2018] FWC 4762
22
[107] Mr Lithgow confirmed he had discussions with Mr Lee regarding the methodology
and operation of the scanner on multiple occasions between November and December 2017.
Mr Lithgow stated that he explained to Mr Lee that the scanner did not record fingerprints.
[108] Mr Lithgow also confirmed that Mr Lee’s recollection of the events surrounding the
floor meeting Mr Lee attended on 25 October 2017 at 5.15am and the subsequent
conversation Mr Lee had with Mr Lithgow on 1 November 2017 was accurate.
[109] In cross-examination, Mr Lithgow stated that he had not received from Superior Wood
a collection notice under the Privacy Act. Mr Lithgow stated further that he had not been
informed on any occasion that any other entity besides Superior Wood had received his
‘biometric template’ or ‘biometric information’. Mr Lithgow stated that he was not aware of
where the ‘biometric template’ collected by the scanners was stored.
Evidence of Mr Andrew Douglass
[110] Mr Douglass is the director of Mitrefinch (Aust) Pty Ltd and has been working for the
Mitrefinch group of companies for over 30 years. He has worked as a Systems Analyst,
Programmer and IT and Implementation Manager in that time.
[111] Mr Douglass stated that he is currently responsible for the operation of Mitrefinch
(Aust) Pty Ltd, and still performs some installations of Mitrefinch systems at client sites, as
was his role as an Implementation Manager.
[112] The Mitrefinch scanner captures features of the tissue that lie below the skin as well as
on the finger surface. The scanner uses a special algorithm to ascertain coordinates of the
“minutiae” (numerous points on a finger) which are then stored as a series of numbers. Mr
Douglass provided the Commission with an example of finger template data generated and
stored by the scanner.
[113] Mr Douglass explained that the scanner does not store actual fingerprints or fingerprint
image data and it is not possible to reconstruct a person’s fingerprint from the template
produced by the scan, as the scan does not retain enough detail of the skin patterns on the
fingerprint. Further, a biometric reader is not able to use normal fingerprint images as the
data involved is too large to store, and takes too long to process.
[114] Mr Douglass confirmed that the scanner was designed to operate through a tight-fitting
medical glove and could also operate irrespective of calluses, dirt, moisture, wrinkles,
contaminants, ink, glue or paint on the skin surface.
[115] Use of a scanner within a workplace ensures that only the employee can register or
clock themselves in or out of a workplace, and the time that they do on each occasion is
accurately recorded in real time. Mitrefinch has implemented over 500 scanner systems with
employers throughout Australia and New Zealand in the last 16 years. Globally there are
almost 1 million employees using the system.
[116] Mr Douglass stated that the Mitrefinch scanner uses Lumidigm multi-spectral imaging
technology and that the algorithm used to ascertain the coordinates was proprietary to the
manufacturers of the Lumidigm readers, such that it is not made known to equipment
[2018] FWC 4762
23
managers such as Mitrefinch. Mitrefinch manufactures the registration terminal that houses
the scanner; Mitrefinch installs the scanners into each terminal; however Mitrefinch does not
manufacture the actual scanner.
[117] The customer contracted by Mitrefinch is Finlayson Group.
[118] Mitrefinch has remote access to the application installed on the Finlayson Group
server to provide remote support when required by Finlayson Group. Mr Douglass stated that
Mitrefinch did not provide this information to any external parties.
[119] The biometric template of each employee is stored firstly in the ‘reader’ of the
registration terminal at the workplace, and a copy is kept in the Finlayson Group database
server. Mr Douglass stated that the purpose of Finlayson Group storing the second copy at its
offsite server is if an employee within the Finlayson Group is enrolled at one terminal on one
site, and is required to go to another site, the employee does not have to go to each terminal
and enrol individually on them. Additionally, if a terminal is replaced through faults, or for
any other reason, the template stored on the server is provided to the site terminal, ensuring
the employees do not have to be taken back to the site terminal to re-enrol.16
[120] Mr Douglass agreed that Mitrefinch has the ability to obtain the stored data on the
Finlayson Group server, if it was necessary to do so. Mitrefinch has not, to-date, had any
reason to do so, and might only ever need to in the event of a data corruption event. Mr
Douglass confirmed that Mitrefinch has not ever required access to any client’s storage of
biometric data of its employees.
[121] In cross-examination Mr Douglass was asked if Mitrefinch has an Australian Privacy
Principles (APP) policy. He stated that he did not know; he might need to refer to ‘head
office in the UK’, and that he has not seen one.
[122] In answering questions from me, Mr Douglass stated that he was not familiar with the
APP’s. He stated that Mitrefinch has 14 employees in Australia, and nobody has a title that
includes things such as ‘Data Privacy Officer’. He stated, “We are owned wholly by
Mitrefinch Ltd in the UK. They tend to take care of these issues.”
Mr Lee’s submissions
Australian Privacy Principles
[123] APP is a reference to the Australian Privacy Principles within the Privacy Act 1988
(Privacy Act). It is asserted that Superior Wood does not contest that it is an APP entity
within the Privacy Act.
[124] It is submitted that the sole reason for Mr Lee’s dismissal was his failure to comply
with Superior Wood’s Site Attendance Policy and subsequent directions to obey it by refusing
to use the biometric scanner to clock on and off. Mr Lee submits that this does not constitute
a valid reason for the dismissal because neither the Site Attendance Policy nor the directions
to comply with it were lawful.
[2018] FWC 4762
24
[125] Mr Lee submitted that failure to comply with an unreasonable direction is not a valid
reason for dismissal,17 and an employee is only obliged to obey orders which are both lawful
and reasonable.18
[126] It is submitted that the Site Attendance Policy and directions to comply with it were
unlawful because they involved contravention of s 13G of the Privacy Act. Section 13G of
the Privacy Act is produced below:
“13G Serious and repeated interferences with privacy
An entity contravenes this subsection if:
(a) the entity does an act, or engages in a practice, that is a
serious interference with the privacy of an individual; or
(b) the entity repeatedly does an act, or engages in a practice, that is an
interference with the privacy of one or more individuals.
[127] As to the definition of what ‘interference with the privacy of an individual’ means, it is
defined in s.13 of the Privacy Act to mean:
(1) An act or practice of an APP entity is an interference with the privacy of an
individual if:
(a) the act or practice breaches an Australian Privacy Principle in relation
to personal information about the individual; or
(b) the act or practice breaches a registered APP code that binds the entity in
relation to personal information about the individual.
[128] Section 15 of the Privacy Act provides that an APP entity must not do an act, or
engage in a practice that breaches an APP. Section 6A of the Privacy Act provides that an act
or practice breaches an APP if, and only if, it is contrary to, or inconsistent with that principle.
[129] The APP’s are set out in Schedule 1 to the Privacy Act. There are 13 of them. APP1
requires APP entities to take reasonable steps to implement practices, procedures, and systems
relating to their functions or activities that will ensure compliance with the APPs and enable
them to deal with inquiries or complaints about compliance with the APPs. APP1 compels
APP entities to have clear and up-to-date privacy policies about the management of personal
information by the entity. APP1 is produced below:
“1 Australian Privacy Principle 1--open and transparent management
of personal information
1.1 The object of this principle is to ensure that APP entities manage personal
information in an open and transparent way.
Compliance with the Australian Privacy Principles etc.
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#registered_app_code
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#breach
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#breach
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#interference_with_the_privacy_of_an_individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#interference_with_the_privacy_of_an_individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#interference_with_the_privacy_of_an_individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#interference_with_the_privacy_of_an_individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
[2018] FWC 4762
25
1.2 An APP entity must take such steps as are reasonable in the circumstances to
implement practices, procedures and systems relating to the entity's functions or
activities that:
(a) will ensure that the entity complies with the Australian Privacy
Principles and a registered APP code (if any) that binds the entity; and
(b) will enable the entity to deal with inquiries or complaints
from individuals about the entity's compliance with the Australian Privacy
Principles or such a code.
APP Privacy policy
1.3 An APP entity must have a clearly expressed and up-to-date policy (the APP
privacy policy ) about the management of personal information by the entity.
1.4 Without limiting subclause 1.3, the APP privacy policy of the APP entity must
contain the following information:
(a) the kinds of personal information that the entity collects and holds;
(b) how the entity collects and holds personal information;
(c) the purposes for which the entity collects, holds, uses and
discloses personal information;
(d) how an individual may access personal information about
the individual that is held by the entity and seek the correction of such
information;
(e) how an individual may complain about a breach of the Australian Privacy
Principles, or a registered APP code (if any) that binds the entity, and how
the entity will deal with such a complaint;
(f) whether the entity is likely to disclose personal
information to overseas recipients;
(g) if the entity is likely to disclose personal information to overseas
recipients--the countries in which such recipients are likely to be located if it is
practicable to specify those countries in the policy.
Availability of APP privacy policy etc.
1.5 An APP entity must take such steps as are reasonable in the circumstances to
make its APP privacy policy available:
(a) free of charge; and
(b) in such form as is appropriate.
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#overseas_recipient
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#overseas_recipient
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#overseas_recipient
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#overseas_recipient
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#registered_app_code
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#breach
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#holds
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#collects
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#holds
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#collects
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#holds
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#collects
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#registered_app_code
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
[2018] FWC 4762
26
Note: An APP entity will usually make its APP privacy policy available on
the entity's website.
1.6 If a person or body requests a copy of the APP privacy policy of an APP entity in
a particular form, the entity must take such steps as are reasonable in the
circumstances to give the person or body a copy in that form.
[130] The APP privacy policy must at least contain certain listed information, including how
the entity collects and holds personal information, and the purposes for which the entity
collects, holds, uses, and discloses personal information. Each entity must take reasonable
steps to ensure that its APP privacy policy is freely available in an appropriate form.
[131] APP3 governs the collection of solicited information by APP entities. APP3 is
produced below:
“3 Australian Privacy Principle 3--collection of solicited personal
information
Personal information other than sensitive information
3.1 If an APP entity is an agency, the entity must not collect personal
information (other than sensitive information) unless the information is reasonably
necessary for, or directly related to, one or more of the entity's functions or activities.
3.2 If an APP entity is an organisation, the entity must not collect personal
information (other than sensitive information) unless the information is reasonably
necessary for one or more of the entity's functions or activities.
Sensitive information
3.3 An APP entity must not collect sensitive information about an individual unless:
(a) the individual consents to the collection of the information and:
(i) if the entity is an agency--the information is reasonably necessary for,
or directly related to, one or more of the entity's functions or activities; or
(ii) if the entity is an organisation--the information is reasonably
necessary for one or more of the entity's functions or activities; or
(b) subclause 3.4 applies in relation to the information.
3.4 This subclause applies in relation to sensitive information about an individual if:
(a) the collection of the information is required or authorised by or under
an Australian law or a court/tribunal order; or
(b) a permitted general situation exists in relation to the collection of the
information by the APP entity; or
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#permitted_general_situation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_law
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#agency
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#consent
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#agency
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#sensitive_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_privacy_principle
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_privacy_policy
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
[2018] FWC 4762
27
(c) the APP entity is an organisation and a permitted health situation exists in
relation to the collection of the information by the entity; or
(d) the APP entity is an enforcement body and the entity reasonably believes
that:
(i) if the entity is the Immigration Department--the collection of the
information is reasonably necessary for, or directly related to, one or
more enforcement related activities conducted by, or on behalf of,
the entity; or
(ii) otherwise--the collection of the information is reasonably necessary
for, or directly related to, one or more of the entity's functions or
activities; or
(e) the APP entity is a non-profit organisation and both of the following apply:
(i) the information relates to the activities of the organisation;
(ii) the information relates solely to the members of the organisation, or
to individuals who have regular contact with the organisation in
connection with its activities.
Note: For permitted general situation , see section 16A. For permitted health
situation , see section 16B.
Means of collection
3.5 An APP entity must collect personal information only by lawful and fair means.
3.6 An APP entity must collect personal information about an individual only from
the individual unless:
(a) if the entity is an agency:
(i) the individual consents to the collection of the information from
someone other than the individual; or
(ii) the entity is required or authorised by or under an Australian law, or
a court/tribunal order, to collect the information from someone other than
the individual; or
(b) it is unreasonable or impracticable to do so.
Solicited personal information
3.7 This principle applies to the collection of personal information that is solicited by
an APP entity.
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#australian_law
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#consent
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#agency
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#permitted_health_situation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#permitted_health_situation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#permitted_general_situation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s81.html#member
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#non-profit_organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#immigration_department
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#enforcement_body
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#entity
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#permitted_health_situation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#app_entity
[2018] FWC 4762
28
[132] APP5 provides that, at or before the time when an APP entity collects personal
information, the entity must take reasonable steps to notify the individual of certain listed
matters including:
(a) The identity and contact details of the entity;
(b) Where the entity has collected the personal information from someone
other than the individual, or the individual may not be aware that the entity has
collected the information, the fact that the entity has so collected and the
circumstances of the collection;
(c) The purposes for which the entity collects the personal information;
(d) Consequences of non-collection;
(e) Any other APP entity, body or person to which the entity usually discloses
personal information of the kind collected by the entity; and
(f) Information about what is contained in the entity’s APP privacy policy.
Breaches of the Privacy Act
[133] Mr Lee asserts that Finlayson Timber has breached the APP’s in several ways. Firstly,
Finlayson Timber did not have an APP policy, let alone one that was freely and appropriately
available. This is in breach of APP1.
[134] Secondly, it was Finlayson Timber which owned the scanners and software system for
use with the scanners. Accordingly, Finlayson Timber received sensitive information (in the
form of biometric templates and biometric information) about Superior Wood’s employees
when they registered for use of the biometric scanning system, and each time they used the
system to clock on or off. Mr Lee submits that the receipt of such information is in breach of
APP’s 3 and 4.
[135] Mr Lee asserts that if he had complied with the Site Attendance Policy like all other
employees, he would not have been giving his biometric template and information to only his
employer; he would also have been allowing a separate corporate entity which was not his
employer to receive that sensitive information, notwithstanding that it had never sought and
never obtained Mr Lee’s consent.
[136] Further, Mr Lee submits that Finlayson Timber also breached APP5 by failing to give
the individuals whose sensitive information it received notification of that collection.
Employee record exemption
[137] It is acknowledged that within the Privacy Act there is an employee record exemption.
It is as follows:
“7B Exempt acts and exempt practices of organisations
…
[2018] FWC 4762
29
Employee records
(3) An act done, or practice engaged in, by an organisation that is or was an employer
of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice
is directly related to:
(a) a current or former employment relationship between the employer and
the individual; and
(b) an employee record held by the organisation and relating to the individual.
[138] Employee record is a term defined in section 6 of the Privacy Act as follows:
“6 Interpretation
"employee record" , in relation to an employee, means a record of personal
information relating to the employment of the employee. Examples of personal
information relating to the employment of the employee are health information about
the employee and personal information about all or any of the following:
(a) the engagement, training, disciplining or resignation of the employee;
(b) the termination of the employment of the employee;
(c) the terms and conditions of employment of the employee;
(d) the employee's personal and emergency contact details;
(e) the employee's performance or conduct;
(f) the employee's hours of employment;
(g) the employee's salary or wages;
(h) the employee's membership of a professional or trade association;
(i) the employee's trade union membership;
(j) the employee's recreation, long service, sick, personal, maternity, paternity
or other leave;
(k) the employee's taxation, banking or superannuation affairs.
[139] Mr Lee submits that if Superior Wood can rely on the employee records exemption to
absolve itself of what would otherwise have been its clear breach of the Privacy Act forcing
its employees to provide sensitive information in the form of biometric templates, Finlayson
Timber cannot. Finlayson Timber did not employ Mr Lee or any other workers at Superior
Wood. Accordingly, Mr Lee submits that each time Finlayson Timber received an
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#bank
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s81.html#member
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s81.html#member
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#health_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#personal_information
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#record
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#employee_record
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s99a.html#paragraph
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#individual
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6c.html#organisation
http://www5.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s6.html#employee_record
[2018] FWC 4762
30
individual’s biometric information, it was in breach of APP’s 3, 4 and 5, which is made
unlawful by s.15 of the Privacy Act.
[140] Mr Lee submitted that the exemption in section 7B of the Privacy Act can apply only
to information held by an employee’s employer. Mr Lee submitted that Superior Wood had
informed its employees that the implementation of the scanners was necessary for the payroll
management of 400 employees; far more employees than Superior Wood employed.
[141] Mr Lee submitted that it was reasonable to consider that another organisation within
the Finlayson Group may have been collecting or using the information collected by the
scanners to manage payroll across the Finlayson Group, or that Mitrefinch may have sought
to use or collect the information.
[142] Mr Lee submitted in the alternative that if Superior Wood’s collection of biometric
information was found to be lawful on the basis that Mr Lee’s biometric information is
considered to be an ‘employee record’, then Superior Wood’s direction to use the scanners
was still unreasonable because Superior Wood failed to provide to Mr Lee sufficient
information that would satisfy a reasonable person that Superior Wood was complying with
its obligations under the Privacy Act.
[143] Mr Lee conceded that Superior Wood never in fact collected his sensitive information.
However, Mr Lee submitted that Superior Wood’s obligation to observe the APPs arose at the
time that it took steps to collect Mr Lee’s sensitive information and that Superior Wood
breached the Privacy Act at that time.
Repeated breaches of the Privacy Act
[144] It is submitted that Finlayson Timber (as opposed to Superior Wood) was involved in
a breach of the Privacy Act at least twice a day for around 150 Superior Wood employees,
and accordingly had breached s.13 of the Privacy Act for repeated interferences with privacy.
It was more serious, it is contended because the information is sensitive information, not just
personal information. It is submitted that Superior Wood has also contravened s.13G of the
Privacy Act by its involvement in the acts and practices which led to Finlayson Timber’s
unlawful receipt of sensitive information in breach of s.13G. It is said that it was Superior
Wood’s Site Attendance Policy and directions for compliance which were the means by
which Finlayson Timber came to receive the sensitive information.
[145] Mr Lee submits that but for Superior Wood ‘forcing’ its employees to use the
biometric scanners, the employees’ sensitive information would not have been recorded on
the scanners of the system behind them, all which belonged to Finlayson Timber, as opposed
to Superior Wood.
Unlawfulness of the Site Attendance Policy and unfairness of the dismissal
[146] Mr Lee states that the Commission must determine if Superior Wood engaged in any
act or practice that was contrary to, or inconsistent with one or more of the APP’s. If so,
Superior Wood will have acted contrary to its obligations under the Privacy Act unless an
exemption applies under the Privacy Act.
[2018] FWC 4762
31
[147] It is submitted that a person’s dismissal will be harsh, unjust or unreasonable if, among
other things, the dismissal has occurred in response to the employee refusing to obey an
unlawful order. Further, it will be harsh, unjust or unreasonable if it is disproportionate to the
gravity of the misconduct to which it purports to respond or has significant consequences for
the employee’s personal and economic situation.
[148] Mr Lee submitted that the direction to him, and to others, to use a biometric scanner in
order to allow Superior Wood and possibly others to collect and use his biometric information
was neither lawful or reasonable.
[149] It was submitted that if the direction was lawful and reasonable, Mr Lee’s failure to
obey it was not the kind of misconduct that would justify dismissal. There were reasonable
alternatives available to Superior Wood other than dismissal, it was submitted.
[150] Mr Lee submitted that his consent to the collection of his sensitive information could
only be given voluntarily. Mr Lee submitted that Superior Wood had sought to obtain Mr
Lee’s consent under duress, coercion or pressure by mandating the use of the scanners
through the Site Attendance Policy which, as submitted by Mr Lee, had been introduced
without consultation and further by ‘stonewalling’ Mr Lee’s attempts to find alternatives to
the use of the scanners and by threatening him with disciplinary action.
[151] Mr Lee submitted that Superior Wood acted recklessly or with contempt for the need
to obtain Mr Lee’s consent to the collection of his biometric information.
[152] Mr Lee submitted that Superior Wood never sought to obtain his express consent
before attempting to handle his sensitive information, and failed to notify Mr Lee of matters
which would have been reasonable in the circumstances, including the terms of Superior
Wood’s privacy policy and the corporate entity that would be collecting and using the
information.
[153] It was submitted that Superior Wood was ‘heavy handed’ and ‘capricious’ in the way
it attempted to force Mr Lee to allow unlawful collection/receipt of his sensitive information
in circumstances where he had clearly expressed his non-consent. Mr Lee submits that
Superior Wood took the view that his concerns about his privacy were irrelevant and it could
force him to hand over sensitive information without giving him any assurances about the
intended use or security of that information.
Was there a valid reason?
[154] Mr Lee submitted that Superior Wood’s action were also inconsistent with APP 3.3 in
that it was not reasonably necessary for Superior Wood to collect Mr Lee’s sensitive
information for Superior Wood’s functions or activities. Mr Lee referred to the APP
Guidelines which provide that ‘reasonably necessary’ collection of sensitive information does
not refer to a use which is ‘helpful, desirable or convenient’, and will usually be ‘reasonably
necessary’ if there are reasonable alternatives available.19
[155] Mr Lee submitted that the function or activity identified by Superior Wood as
necessarily requiring the use of the scanners was timekeeping for payroll. Mr Lee submitted
that while the scanners may be suitable and convenient for that activity, their use was not
[2018] FWC 4762
32
reasonably necessary in place of other reasonable alternatives which Mr Lee had suggested,
including the use of an employee number, password or timecard.
[156] Mr Lee submitted that he had proven himself to be a loyal and trustworthy employee.
He had attempted to discuss his concerns about the scanners with Superior Wood and had
sought to engage with Superior Wood about alternatives in good faith. Mr Lee submitted that
the cost to Superior Wood in allowing Mr Lee some alternative means of identifying himself
would not have been unreasonable.
[157] Mr Lee submitted that reinstatement to his previous position with Superior Wood is an
appropriate remedy in the circumstances. Mr Lee also seeks compensation for his lost
earnings resulting from his dismissal.
[158] In reply, to Superior Wood’s submissions, Mr Lee submitted that it is irrelevant as to
whether Superior Wood might have agreed to allow him to wear a surgical glove when using
the scanner; there is no evidence that either party ever proposed the use of a surgical glove.
[159] Where Superior Wood asserts that its purpose in obtaining the biometric data of an
employee is for a legitimate purpose, the obligation in the Privacy Act is more onerous than
simply ensuring that the collection and use serves a legitimate purpose.
[160] It was submitted that where Superior Wood relies on the employee records exemption
to avoid the conclusion that Superior Wood’s conduct was unlawful under the Privacy Act
and APP’s, prior to the dismissal Superior Wood failed to provide Mr Lee with information
that would satisfy a reasonable person that his sensitive information would not be collected or
used by any third party, such that the exemption would apply.
[161] It is Mr Lee’s contention that given the evidence of Superior Wood, it confirms, rather
than dispels the impression that if he had used the biometric scanner, his sensitive information
would be collected or used by third parties, including other parts of the Finlayson Group and
MitreFinch.
[162] It is submitted that the collection of sensitive information is not ‘reasonably necessary’
on the basis that the alternatives are ‘not satisfactory’, or on the basis that the collection is
considered reasonably necessary ‘given the purpose for which the information would have
been collected’. It is submitted that it is not sufficient to identify some legitimate general
purpose behind the collection, such as health and safety or efficiency of the payroll function.
[163] Mr Lee suggests that it could not be said that the collection of biometric data was
reasonably necessary in light of other reasonable alternatives such as a timecard or passcode.
These other courses would not, Mr Lee contends, be expensive as Superior Wood had already
decided to implement an expensive biometric identify verification system.
[164] As to whether the direction was unreasonable, Mr Lee contends that the question of
reasonableness is directed not to the policy but to the direction given to the employee in the
particular circumstances of the case. The direction that Mr Lee use the biometric scanner was
not a direction that any reasonable employer in the position of Superior Wood would have
given, in light of Mr Lee’s objection and particular circumstances.
[2018] FWC 4762
33
[165] Where the employer has stated that if it had respected Mr Lee’s concerns, and agreed
he need not comply with the policy, this would not ‘have sent a good message’, Mr Lee
contends this is unsound. The characterisation of Mr Lee’s objection as setting a precedent
for employees to disobey directions ‘as it suited them’ ignored Mr Lee’s good record of
service to his employer and the nature of his objection.
[166] In an exchange with Mr Martin on Mr Lee’s behalf, Mr Martin submitted that Mr Lee
should be reinstated by the Commission. The following discussion was had:20
Commissioner: Well, it is not unlawful once they get their collection notice out, is it?
Mr Martin: That might be the case.
Commissioner: Then comes the consent issue.
Mr Martin: Yes, that might be the case, yes.
Commissioner: So you want him to be reinstated but he is free to not agree to use the scanner?
Mr Martin: Well, if the issue with the collection notices and the other issues haven't been
dealt with, then the policy would still be unlawful and he wouldn't have to
comply, but - - -
Commissioner: Let's say tomorrow the employer goes and issues collection notices and Mr
Lee is reinstated. It is no longer unlawful, is it?
Mr Martin: That would seem to be the case.
Superior Wood’s submissions
Valid reason for the dismissal s.387(1)(a)
[167] Superior Wood submitted that in considering if there was a valid reason for the
dismissal, the Commission must determine whether, on the balance of probabilities, the
conduct allegedly engaged in by the employee actually occurred.21
[168] It was submitted that a failure by an employee to follow the employer’s lawful and
reasonable directions can constitute a valid reason for dismissal.22
[169] It was submitted that a direction to comply with a policy must be in relation to a
lawful policy which relates to the subject matter of employment or a matter affecting work
and it must be reasonable. A policy will be reasonable if a reasonable employer, in the
position of the actual employer acting reasonably, could have adopted the policy. A policy
will not be unreasonable merely because a Commission member considers that a better or
different policy may have been more appropriate,23 and it is note the Commission’s role to
interfere with the right of an employer to manage his own business, unless he or she is
seeking from the employee something which is unjust or unreasonable.24
[170] Superior Wood referred to the decision of Commissioner Holmes in MEAA v Victorian
Amateur Turf Club.25 Commissioner Holmes in that case considered that the use of a
biometric hand scanner similar to the scanner in the present case was reasonable, and stated:26
[2018] FWC 4762
34
“In relation to the privacy issue I am not satisfied that the system is any more intrusive
than requiring an individual employee to enter their signature in a time book, user
card clocking system or an electronically coded card”.
[171] It was submitted that there was a valid reason for the termination of Mr Lee’s
employment, namely that Mr Lee failed to comply with the Site Attendance Policy. Superior
Wood submitted that the only significance of the scanner relying upon a biometric algorithm
was that the biometric algorithm was the means by which the scanner was made completely
secure and unable to be manipulated.
[172] It was submitted that there were no reasonable privacy concerns involved with the use
of the scanners in addition to the collection of data relating to employee attendance at the
workplace, which is a feature of all payroll systems regardless of their sophistication.
Notification of reason s.387(1)(b)
[173] It was submitted that Mr Lee was notified of the reason for the termination of his
employment in the letter of termination.
Opportunity to respond s.387(1)(c)
[174] Superior Wood recognised that an employee must be given an opportunity to respond
to the reason for termination before a decision to terminate is made.27 Superior Wood
submitted that the process of providing an opportunity does not require any formality and is to
be applied in a common-sense way to ensure the employee has been treated fairly.28 It was
submitted that it is enough for an employee to be made aware of the precise nature of the
employer’s concern about the employee’s conduct or performance and to be given an
opportunity to respond to those concerns.29
[175] It was submitted that Mr Lee was provided with an opportunity to respond to the
reasons for termination before the decision to terminate was made, through the meetings of 30
January and 6 February 2018.
Support person at discussions s.387(1)(d)
[176] It is not contested that Mr Lee was offered a support person at all relevant meetings.
Prior warnings s.387(1)(e)
[177] Superior Wood acknowledged that the Commission must take into account the period
of time between an employee being warned about unsatisfactory performance and a
subsequent dismissal.30 The warnings given to an employee must identify the relevant aspect
of the employee’s performance which the employer is concerned with.31
[178] Mr Lee was issued with two warnings prior to the dismissal; during the meeting of 11
January 2018 and of 17 January 2018. Mr Lee was aware that Superior Wood was concerned
about Mr Lee’s conduct in refusing to use the scanners and to adhere to the Site Attendance
Policy.
Size of the enterprise s.387(1)(f) and (g)
[2018] FWC 4762
35
[179] It was submitted that this is not a relevant consideration.
Other considerations s.387(1)(h)
[180] It was submitted that sufficient information was provided by Superior Wood to Mr
Lee to address his concerns about the nature of the information collected by the scanner. Mr
Lee was informed that the scanner did not take a fingerprint. Superior Wood submitted that
Mr Lee’s objections to participating in its use are not sufficient to exempting him alone from
the employer’s objectives of preventing inaccuracy and fraud in its payroll, and improving
safety.
[181] Superior Wood submitted that it had not breached the Privacy Act because the
‘employee records’ exemption under section 7B of the Privacy Act applies. The Explanatory
Memorandum introducing the Privacy Act into Parliament stated the following:
‘….Acts and practices in relation to “employee records” are exempted as it is
recognised that the handling of employee records is a matter better dealt with under
workplace relations legislation.’32
[182] Relevant to the biometric data on the scanner at Superior Wood, it was submitted that
the record is, in fact, held by the employer, Superior Wood. Simply because a copy is taken
off-site, and stored on an associated entity’s server in a fire-proof room does not mean that the
employee record is not held by Superior Wood. It was submitted that any employer who put a
copy of an employee record in a secure data storage facility off-site would lose the benefit of
the employee record exemption which the legislation clearly intends that they have.
[183] It was submitted that even though the time and wages records generated as a result of
the scanning is done by another entity, it is only the biometric data that is relevant for the
purpose of this application, and it is exempt from the Privacy Act.
[184] Superior Wood submitted that any biometric information that would have been
collected would have been reasonably necessary for Superior Wood’s activities within the
meaning of Schedule 3 of the Privacy Act and the National Privacy Principles given the
purposes for which the information would have been collected; the improvement of the
accuracy of Superior Wood’s payroll function and the discharge of work, health and safety
duties.
[185] I note that the National Privacy Principles referred to by Superior Wood were
amended and replaced by the APPs by the Privacy Amendment (Enhancing Privacy
Protection) Act 2012. However, Superior Wood’s submissions on the improvements to its
payroll and workplace health and safety functions remain relevant with respect to the APPs.
[186] Relevant to the failure by Superior Wood to provide to Mr Lee and other employees a
collection notice, it is conceded this might be an issue for Superior Wood. However, it was
submitted that because Mr Lee made it very clear that he would never agree to the provision
of his biometric data, the time for collecting personal information about Mr Lee never arose.
It was never going to arise because Mr Lee effectively said, “I was never going to agree, I told
them that from day one, minute one, and I’m telling the Commission that today, I never did, I
never have and I never will.”33
[2018] FWC 4762
36
[187] Superior Wood submitted that the dismissal was not harsh, unjust or unreasonable
when regard was had to the fact that there was around 3.5 months of gentle persuasion.
Submissions on reinstatement
[188] It was submitted that the evidence of Superior Wood managers is they have lost trust
and confidence in Mr Lee because of his refusal, alone amongst his peers, to comply with the
Site Attendance Policy for no good reason. An employee who elects to be exempted from a
policy directed towards honesty, accuracy and safety, which policy causes no harm to them,
cannot expect to retain the requisite degree of confidence on the part of their employer.
[189] It was conceded that just because the person’s role has been filled by another, on its
own it is insufficient for a finding that reinstatement is not appropriate. It is just one factor to
be taken into account in determining whether reinstatement is appropriate.34 It was submitted
that should the Commission find for Mr Lee, reinstatement would be inappropriate, and
compensation should be awarded.
Submissions on compensation
[190] It was submitted that but for the termination, Mr Lee’s employment would not have
continued for much longer; only 2-4 weeks. This is so because, as stated by Mr Finlayson in
his evidence, Mr Lee had demonstrated an unwillingness to follow the Site Attendance Policy
which impacted upon Superior Wood’s ability to manage Mr Lee’s employment through
Superior Wood’s payroll system. Superior Wood submitted that Mr Lee’s employment could
not continue in the circumstances that he could not be paid under its payroll system.
[191] Mr Lee received two week’s pay in lieu of notice when he was not entitled to any
notice, as he employed as a casual employee.
[192] It was submitted that Mr Lee’s efforts to mitigate his loss was not demonstrative in his
initial evidence to the Commission. Further, if the Commission is inclined to award
compensation to Mr Lee, it should be discounted to take into account his misconduct in not
complying with the Site Attendance Policy.
Consideration
[193] I must now consider whether Mr Lee’s dismissal was harsh, unjust or unreasonable.
The criteria I must take into account when assessing whether the dismissal was harsh, unjust
or unreasonable are set out in s.387 of the Act, extracted above at [8].
[194] In Byrne v Australian Airlines Ltd, McHugh and Gummow JJ explained the various
permutations of ‘harsh, unjust or unreasonable’ which may result in a dismissal being
considered ‘unfair’:35
“…It may be that the termination is harsh but not unjust or unreasonable, unjust but not
harsh or unreasonable, or unreasonable but not harsh or unjust. In many cases the
concepts will overlap. Thus, the one termination of employment may be unjust because
the employee was not guilty of the misconduct on which the employer acted, may be
unreasonable because it was decided upon inferences which could not reasonably have
been drawn from the material before the employer, and may be harsh in its
[2018] FWC 4762
37
consequences for the personal and economic situation of the employee or because it is
disproportionate to the gravity of the misconduct in respect of which the employer
acted.”
[195] I am duty bound to consider each of the above criteria in deciding the outcome of this
matter.36 My considerations in respect of each the criteria appear separately below.
(a) Whether there was a valid reason for the dismissal related to the person’s
capacity or conduct (including its effect on the safety and welfare of other employees)
[196] Central to my consideration of this criterion is whether Superior Wood’s action, in
attempting to collect Mr Lee’s biometric information through the use of the scanners was
inconsistent with its obligations under the Privacy Act. Before doing so, however, I wish to
determine whether, in my view, the introduction of the Site Attendance Policy was unjust or
unreasonable.
[197] In the case of Woolworths (t/as Safeway) v Brown (Woolworths), a Full Bench of the
Australian Industrial Relations Commission considered how and when an employer’s policy
will be reasonable to have been complied with, and stated:
“What is reasonable will depend upon all the circumstances including the nature of the
employment, the established usages affecting it, the common practices which exist and
the general provisions of the instrument governing the relationship. A policy will be
reasonable if a reasonable employer, in the position of actual employer and acting
reasonably, could have adopted the policy. That is, a policy will only be unreasonable
if no reasonable employer could have adopted it. A policy will not be unreasonable
merely because a member of the Commission considers that a better or different policy
may have been more appropriate. As the Full Bench observed in the XPT Case, albeit
in a somewhat different context, it is not the role of the Commission "...to interfere
with the right of an employer to manage his own business unless he is seeking from the
employees something which is unjust or unreasonable.” [footnotes omitted].37
[198] In light of the Full Bench’s decision in Woolworths, I consider that the Site
Attendance Policy is not unjust or unreasonable. It is entirely reasonable for the employer to
improve upon an inherently unsafe obligation to run to the front administration office in the
event of an emergency, locate a paper sign-on sheet and attempt to ascertain who is at work
over a site of significant size. On the evidence before the Commission, supervisors can
immediately see who from their area of work is present in the workplace using the
information collected through adherence to the Site Attendance Policy and displayed on a
supervisor’s phone.
[199] Further, the improved integrity and efficiency of the payroll across the Finlayson
Group is a persuasive matter to find that the introduction of the Site Attendance Policy was
neither unjust or unreasonable. I find that Superior Wood either directly or through its related
body corporate entities held a right to manage its affairs by the introduction of the Site
Attendance Policy, requiring all individuals who work at the various premises to comply with
it. I would not accept that an individual’s refusal to comply with the policy would render any
subsequent dismissal, with adequate caution, invalid.
[2018] FWC 4762
38
[200] Relevant to the necessary consideration of the application of the Privacy Act, I
consider that the information collected by the scanners meets the definition of ‘sensitive
information’ under section 6 of the Privacy Act, as either biometric information that is to be
uses for the purpose of automated biometric verification or biometric identification, or a
biometric template.
[201] Superior Wood meets the definition of an ‘organisation’ and an ‘APP entity’ under the
Privacy Act.38 It is not contested by the parties that Superior Wood is an APP entity and is
obliged to adhere to the APPs. Pursuant to APP 3.3, Superior Wood must not collect sensitive
information about an individual unless the individual consents to the collection of the
information and the information is reasonably necessary for one or more of the entity’s
functions or activities.39
[202] The meaning of the word ‘consent’ as it appears within APP 3.3 is defined by section
6 of the Privacy Act which states that ‘consent’, “means express or implied consent”.
[203] Having regard to the issue of whether the introduction of biometric scanners at the
Superior Wood premises is ‘reasonably necessary’, I have no hesitation in so finding. For the
same reasons stated earlier, the Finlayson Group wished to consolidate its payroll. Superior
Wood was the last entity to have the scanners introduced, and after a suitable period of time
where there was duplication, it was a reasonable course for the employer to then remove the
paper payroll system to join in with its parent entity activities. Once Superior Wood and the
Finlayson Group was satisfied the biometric scanning was properly implemented, the entities
wished to do away with all manual payroll handling. Once that decision was made, I do then
consider the collection of the biometric information to be reasonably necessary for its
functions or activities.
[204] On a fairness and reasonableness consideration, I am minded to side with the views of
management of Superior Wood that having Mr Lee use some alternative method such as a
swipe pass or continue to use a paper sign-on would be inefficient, inequitable, and a burden.
Requiring a manual pay run to be implemented for a single employee, as against either 150
employees or 400 employees in the group would be an onerous obligation.
[205] Rounding back to whether an individual consents to the collection of the information,
it appears that the other employees of Superior Wood gave implied consent to the collection
of their sensitive information by attending upon Mr Lithgow during November 2017 and
registering their fingerprint algorithm to be used by the scanners. It is concerning that the
employer, Superior Wood, did not provide to employees a collection notice stating what it
would do with their information to ensure their sensitive information would be kept safe, and
who, or which organisations the information might be shared with. Nor did Superior Wood or
Finlayson Group have an appropriate Privacy Policy.
[206] The Privacy Act has been in force relevant to private enterprise since December 2001.
It is concerning that a reasonably large employer did not have a suitable Privacy Policy in
place in 2017.
[207] Further, on the information before the Commission, Mitrefinch did not have in place a
Privacy Policy until May 2018, and Mr Douglass’ evidence was poor and rather disturbing
[2018] FWC 4762
39
relevant to the obligations on Mitrefinch to ensure it collects and uses personal and sensitive
information in accordance with Australian privacy laws.
[208] Superior Wood first notified its employees about the implementation of the scanners
and the collection of their sensitive information in the meeting of 25 October 2017, as
described above at [19]. The employees of Superior Wood were merely informed that the
scanners were being introduced and that they would be required to use them. Superior Wood
did not inform its employees that the scanners collected the sensitive information of its
employees, provide a ‘collection notice’ regarding the collection of their sensitive information
or discuss the obligations imposed on Superior Wood in handling its employees’ sensitive
information.
[209] It is argued that because Mr Lee’s biometric data was never collected, there was never
a breach with respect to Mr Lee. In questioning from me to Mr Martin, he agreed that the
breach was the failure by Superior Wood or by Finlayson Timber to provide to Mr Lee a
collection notice.40 The following exchange occurred:41
Commissioner: Yes, but in Mr Lee’s case, the sensitive information is never obtained.
Mr Martin: No, but the policy that he refused to comply with was already unlawful
because other people had had their sensitive information collected because of
their compliance with the policy and hadn’t received the collection notice.
[210] Mr Lee did not either expressly or impliedly consent to the collection of his sensitive
information by the scanners. The Site Attendance Policy required Mr Lee to provide his
sensitive information to Superior Wood for collection. By mandating Mr Lee to comply with
the Site Attendance Policy, Superior Wood attempted to collect Mr Lee’s sensitive
information with his consent, however he continued to decline consent.
[211] As to whether Superior Wood or Finlayson Timber & Hardware Pty Ltd owned the
scanners, on Mr Finlayson’s evidence at the second hearing, I am satisfied that Superior
Wood pays to the parent company an amount per month in the way of an administration fee
for the use of the scanners. While there was no formal leasing arrangement to expressly state
the use by Superior Wood, I accept that the scanner has been placed at the Superior Wood
sites for the use of Superior Wood employees (and visiting employees and management), and
the monthly sum of $1,250 is not insubstantial.
[212] Within APP6 the following is stated about related bodies corporate:
‘Related bodies corporate
6.6 If:
(a) an APP entity is a body corporate; and
(b) the entity collects personal information from a related body corporate;
this principle applies as if the entity’s primary purpose for the collection of the
information were the primary purpose for which the related body corporate
collected the information.’
[2018] FWC 4762
40
[213] In my view, having regard to [212] above, it matters little if the daily information of
time and attendance, generated by the daily use of the scanners is gathered by Superior Wood
or by the parent company owning the servers in place in a secure environment. Whether it is
Superior Wood or the parent entity who is collecting the personal information, the APP6
applies.
[214] AUS IT Services Pty Ltd, looking after the data contained on the server knows its
obligations relevant to the Privacy Act and has assured its client, Finlayson Timber &
Hardware Pty Ltd that it will meet its Privacy Act obligations.
[215] At this point in time I am satisfied that the collection of the private and sensitive
information was for a function or activity that was reasonably necessary. I am disturbed that
none of the organisations, except the IT provider has in place a privacy policy, and I am
concerned that there was a failure by Superior Wood to issue a collection notice.
[216] Relevant to APP3.5 which states that an APP entity must collect personal information
only by lawful and fair means, having regard to some of the decisions issued by the
Australian Information and Privacy Commission, this might include consideration of illegal
telephone recordings and the like. Mr Lee’s biometric data was not collected, as he did not
provide his consent. The employer did not unlawfully press his hand into a scanner to
provide a template. Mr Lee said he did not consent and therefore Superior Wood did not
collect personal information.
[217] I must consider whether Superior Wood was exempt from acting in accordance with
APP 3.3 by the operation of the s.7B(3) of the Privacy Act.
[218] During the hearing Mr Martin made the following statement:42
“…….If Superior Wood was the owner of all the equipment and all the servers where
it was stored, then they could potentially rely on the employee records exemption to
say, “It’s irrelevant, we’re the only one collecting the information, so what we are
doing is lawful.” It is because in this case there was the collection by the other entity
that isn’t an employer that it affects the lawfulness and reasonableness of the policy.’
[219] The evidence of Mr Finlayson (as extracted at [75] - [103] above) was that the
information collected by the scanners was not held by Superior Wood. The information was
instead held by a third-party company, ‘AUS IT’, and the Finlayson Timber and Hardware
Company. Mr Finlayson’s evidence confirms that Superior Wood had not notified Mr Lee
that the data collected by the scanners was held on servers owned by the Finlayson Timber
and Hardware Company and maintained by ‘AUS IT’.
[220] I consider that the exemption under s.7B(3) of the Privacy Act would apply to the non-
exhaustive list of employee records, if the record had been obtained or held. Many employers
have been using biometric data for decades or more, and it would be highly improbable that
each of those employers owned the scanning equipment, the servers on which the data was
held, or had any relationship with the provider of the biometric system the employer had
installed.
[2018] FWC 4762
41
[221] The reference in the employee exemption is to the record having been held, and
following it being held, it is exempt.
[222] In my view, the employee record exemption does not ameliorate the obligation by
Superior Wood to issue to Mr Lee and other employees a privacy collection notice.
[223] It follows that Superior Wood was not exempt from complying with APP 3.3 in
collecting its employees sensitive information, and that it could not have collected Mr Lee’s
sensitive information in the circumstances where he did not consent to Superior Wood
collecting his sensitive information.
[224] Mr Lee submitted that Superior Wood could not validly dismiss him for refusing to
comply with the Site Attendance Policy as it could not lawfully direct him to consent to
providing his sensitive information. Even if Superior Wood, or some other associated entity
or every associated entity of Superior Wood provided to Mr Lee a privacy collection notice,
informing him of each entity’s obligations relevant to the Privacy Act, Mr Lee’s evidence is
that he would not, under any circumstances, provide his consent.
[225] Superior Wood could not lawfully force Mr Lee to consent to the collection of his
sensitive information and to comply with the Site Attendance Policy. It did not do so. It
informed him that if his consent was not forthcoming, and he failed to comply with the Site
Attendance Policy, dismissal was a likely outcome. It failed to inform Mr Lee pursuant to the
Privacy Act of the responsibilities it and other associated entities would meet.
[226] It is apparent from the evidence that Mr Lee made a concerted effort to identify
alternatives methods of identification and site attendance verification that Superior Wood
could implement for his use, rather than complying with the Site Attendance Policy and using
the scanner. Mr Lee did not object to the purpose of the Site Attendance Policy, but the
collection of his biometric information and particularly that information which related to Mr
Lee’s fingerprint.
[227] There is no evidence that Superior Wood took any steps to evaluate the costs of any if
the alternative methods of identification put forward by Mr Lee. Superior Wood has always
maintained that the use of the scanners and compliance with the Site Attendance Policy is
mandatory for employment with Superior Wood.
[228] I accept that methods of employee identification and attendance verification other than
biometric scanners are available, some of which were put forward as alternatives to the
scanners by Mr Lee on 18 January 2018. However, I consider that many of those other
methods do not provide the same degree of certainty of identity verification as the scanners
used in Superior Wood’s workplace.
[229] Further, I note that the scanners allowed for additional safety benefits beyond simple
attendance verification, such as reviewing site attendance on supervisors’ phones. The other
methods identified by Mr Lee do not provide such additional benefits.
[230] Overall, Superior Wood decided that the method of site attendance verification that
would be implemented at its workplace was the biometric scanning system. It was within its
rights as an employer to install the scanners and to create a policy governing the use of the
scanners which its employees were mandated to follow in the course of their employment.
[2018] FWC 4762
42
[231] Superior Wood made significant efforts to provide additional information about the
scanners to Mr Lee and to allay his concerns about the collection of his biometric data. It
appears from the evidence that Superior Wood may not have completely grasped the precise
nature of Mr Lee’s particular concerns regarding his biometric information, as opposed to his
fingerprint. Nevertheless, Superior Wood gave Mr Lee repeated opportunities to explain his
objection to using the scanners and made several attempts to indicate to Mr Lee that his
continued employment with Superior Wood was dependent upon his adherence with the site
Attendance Policy.
[232] It is clear that even if a privacy collection statement had been issued, it would not have
allayed any of Mr Lee’s concerns. Even at hearing, Mr Lee remains steadfast of the view that
his fingerprint can be reconstructed from the biometric data obtained from the scanner. On
the information available to the Commission, Mr Lee’s concerns are incorrect. I understand
his concerns and his distrust, and he is entitled to hold such views.
[233] I do not accept that the employer’s failure to provide a privacy collection notice to its
employees prior to obtaining their personal and sensitive information, in all the circumstances
before me, constitutes the Site Attendance Policy being rendered unlawful. While there may
have been a breach of the Privacy Act relevant to the notice given to employees, the private
and sensitive information was not collected and would never be collected relevant to Mr Lee
because of his steadfast refusal. The policy itself is not unlawful, simply the manner in which
the employer went about trying to obtain consent may have constituted a breach of the
Privacy Act. Any such breach might constitute a matter that could be examined by the
Australian Information Commissioner and Privacy Commissioner.
[234] It mattered not who owned the equipment, Mr Lee would never provide his consent.
Mr Lee refused to provide his consent, which he is entitled to do. He did, however, then fail
to meet his employer’s reasonable request to implement a fair and reasonable workplace
policy.
[235] In all the circumstances, and having regard to any potential breaches of the Privacy
Act, I find there was a valid reason for the dismissal.
(b) whether the person was notified of that reason
[236] Mr Lee was repeatedly warned that his failure to use the biometric scanner after a
reasonable trial period would result in his dismissal. I consider that Mr Lee was appropriately
notified that the reason for his dismissal was his continued refusal to follow the Site
Attendance Policy.
(c) whether the person was given an opportunity to respond to any reason related to
the capacity or conduct of the person
[237] Superior Wood discussed with Mr Lee the importance of using the scanners
throughout November and December 2017. After the commencement of the Site Attendance
Policy, Superior Wood met with Mr Lee on six further occasions to discuss his continued
refusal to adhere to the Site Attendance Policy. I consider that Mr Lee was given several
opportunities to respond to Superior Wood’s directions to use the scanners and to follow the
Site Attendance Policy.
[2018] FWC 4762
43
(d) any unreasonable refusal by the employer to allow the person to have a support
person present to assist at any discussions relating to dismissal
[238] Mr Lee was offered the opportunity to have a support person present at meetings with
the employer. At the meeting of 24 January 2018, Mr Gethin was in attendance as Mr Lee’s
witness and support person. At no time did Superior Wood refuse Mr Lee from having a
support person present.
(e) if the dismissal related to unsatisfactory performance by the person—whether
the person had been warned about that unsatisfactory performance before the dismissal
[239] Mr Lee was not dismissed for unsatisfactory performance. Mr Lee was dismissed on
the grounds of conduct as a result of his refusal to abide by the Site Attendance Policy.
(f) the degree to which the size of the employer’s enterprise would be likely to
impact on the procedures followed in effecting the dismissal
[240] Superior Wood is a reasonably large employer, and within a larger parent company. I
do not consider that the size of Superior Wood had any impact on the procedures followed in
effecting the dismissal.
(g) the degree to which the absence of dedicated human resource management
specialists or expertise in the enterprise would be likely to impact on the procedures
followed in effecting the dismissal
[241] The employees of Superior Wood responsible for managing Mr Lee’s concerns were
not employed as dedicated human resource personnel. However, Superior Wood met and
corresponded with Mr Lee on several occasions in attempting to understand his concerns
about the scanners. Mr Lee was served with several verbal and written warnings about his
refusal to use the scanners and abide the Site Attendance Policy. When Superior Wood
formed the view that Mr Lee should be dismissed, it provided him with a letter of termination
[242] I consider that the involvement of dedicated human resource management specialists
in the management of Mr Lee’s concerns would have been unlikely to impact on the
procedures followed in effecting Mr Lee’s dismissal.
(h) any other matters that the FWC considers relevant
[243] Mr Lee’s decision to agree to the use of his biometric data, or even his DNA in other
scenarios puts his refusal to use the biometric scanner at Superior Wood somewhat at odds.
[244] His evidence is that he would provide a urine sample to a pathology laboratory
contracted by his employer, without much concern. It is my view that if an employee held
concerns a contracted organisation could, for example, place them somewhere they were not,
it would be far easier to do so with an actual urine sample, as opposed to a reconstructed
fingerprint.
[245] Mr Lee might be a conscientious objector to his biometric data being used by an
employer, the employer’s parent company, and a third party supplier. His objection was
[2018] FWC 4762
44
unreasonable when taking into consideration the purposes of the Site Attendance Policy, the
improvements to payroll and health and safety, and the alternatives that would have been
required to have been put in place for him.
[246] I have had regard to a speech given by the then Deputy Privacy Commissioner, Mr
Timothy Pilgrim to the Biometrics Institute on 27 May 2010. Whilst it might now be
somewhat outdated, I consider for the benefit of those interested in biometric data collection,
not necessarily related to employment-related matters, it is suitable to reproduce the entire
speech:
“Privacy in Australia: Challenges and Opportunities
Speech by Timothy Pilgrim, Deputy Privacy Commissioner, to Biometrics Institute,
27 May 2010
Introduction
May I start by thanking the Biometrics Institute for this opportunity to speak, and for
Leanne's warm introduction.
Our Office welcomes the commitment the Biometrics Institute has just given to
include representation from consumer organisations and academia on the next review
panel for the Biometrics Institute Privacy Code. Our Office believes that independent
reviews of industry codes are critical to their effectiveness.
I am very pleased to be able to present to an audience of people so clearly at the
forefront of biometric technology development and use. As you would all understand,
research and planning is very important in achieving a project's objectives. So, today I
will be talking to you about building privacy into projects early. If you are going to do
privacy right, you need to think about privacy early and build it in from the start.
Like so many emerging technologies, biometric technologies have the potential to
improve our lives and offer great opportunities. Many of you will be motivated by the
goal of providing society with modern, innovative solutions to tackle difficult-to-solve
problems.
But as you surge ahead along this path of innovation and problem-solving, other
important aspects need to be considered as part of their development. And probably
the most important of these, particularly in the field of biometrics, is privacy.
Now I would like to be clear about something; technology is not the enemy of privacy.
Technology can be privacy enhancing. Privacy can be an enabler, not a blocker for
technology development. Our Office believes it is crucial that there is a conversation
about privacy and its relationship with the evolution of biometric technologies.And
this conversation needs to happen now more than ever, as these technologies continue
to rapidly take hold in everyday transactions.
It is now that we have the best opportunity to make sure that privacy is embedded in
the design and operation of biometric technologies. Tacking privacy protections on at
the end is never the best outcome. Last minute considerations can be costly and
[2018] FWC 4762
45
complicated for agencies and organisations, and potentially less effective in protecting
individuals.
Today, I will emphasise two key messages. The first is that, for biometric technologies
to be successful, individuals need to be able to trust that their privacy is not being
eroded and, if possible, being enhanced. Without that crucial ingredient of trust, the
industry in which you are all involved will struggle to thrive. Without the buy-in of the
society in which you are operating, biometric technologies will not be able to produce
the genuine solutions they aim to provide.
And the second message is that, for biometric technologies to flourish in a way that
genuinely meets the community's needs and expectations, they need a nationally
consistent regulatory environment. I will speak more about this later.
But first, I'd like to talk a bit more about the role privacy should play in the
development and use of biometric technologies.
Biometric information and privacy
The way that governments and organisations handle biometric information is
something that many people, quite understandably, feel very strongly about. This is
because biometric information is about a person's physical characteristics. When we
collect biometric information from a person, we are not just collecting
information about that person, but information of that person.
Biometric information cuts across both information privacy and physical privacy. It
can reveal sensitive information about us, including information about our health,
genetic background and age, and most importantly, it is intrinsic to each of us.
The very nature of biometric information is one of its major advantages in terms of its
powers of identification. However, this same attribute can also create significant
privacy risks.
This is why developers and users of biometric technologies always need to have one
eye on the solution the technology is being developed and used for, and the other eye
on privacy outcomes. If you don't watch both, you will not be able to achieve either.
It might be a good time to talk briefly about how privacy is regulated in Australia.
The Privacy Act
I know that many of you will have a good knowledge of privacy laws. However, I still
think it's useful to provide just a quick Privacy 101 update - some of the most
important things you need to know about the current privacy regulatory framework
and the role of our Office.
The first thing to note is that the Privacy Act is mainly about information or data
protection - not about bodily or territorial privacy.
The Privacy Act protects 'personal information', which means:
[2018] FWC 4762
46
information or an opinion [...], whether true or not, and whether recorded in
material form or not, about an individual whose identity is apparent, or can be
reasonably ascertained, from the information or opinion.
The way organisations and agencies handle biometric data is only regulated by the
Privacy Act to the extent that the data is also 'personal information'.
Second, it is important to realise that privacy, under the Privacy Act, is not an absolute
right. The Privacy Act recognises that privacy needs to be balanced against other
competing interests, including the desirability of the free flow of information and the
recognition of the right of government and business to achieve their objectives in an
efficient way. The Act is about balancing a range of interests, and that is the way our
Office approaches its responsibilities.
Technology development
While the Privacy Act was designed to be technologically neutral, and while our
Office believes that it has been effective in regulating flows of personal information
since it was introduced in 1988, a great deal has changed in the way society conducts
itself since then. Rapid advances in technology over the decades have presented
significant challenges for regulation of personal information-handling in Australia.
Developments in biometric technologies have been at the forefront of this change.
Back when the Privacy Act was introduced in 1988, many biometric technologies
were largely confined to science fiction movies. Of course, a few, such as the use of
fingerprints in law enforcement, were well established. However, the concept that
biometric technologies could become part of our everyday consumer transactions was
almost unthinkable.
A person standing in line at a bank branch in 1988 would struggle to conceive a future
where they could phone their bank, be identified by voice recognition technology, and
transact from the comfort of their own home. Yet today, this is a reality.
A worker signing a time sheet as they arrived at work in 1988, would struggle to
conceive a time when they would be required to have a fingerprint scanned to clock
on. Yet for some people today, this is a reality.
A young adult entering a nightclub in 1988 would struggle to conceive a future where
they would have to submit to a face scan before being allowed entry. This would have
been the crazy plot of some futuristic television show. But today, this is also a reality.
We are likely to continue to see increasing use of biometric technologies like those I
have just mentioned, as well as iris scanning, palm scanning, and many others, in ways
that we cannot predict. Assuming that these new technologies are developed in a way
that is genuinely sensitive to privacy, this need not necessarily be a bad thing.
Biometrics - neither good nor bad
What is interesting about biometric technology is that we tend to hear both that it is
good and bad for people's privacy.
[2018] FWC 4762
47
On one hand, we hear that biometric technologies enhance privacy. For example,
voice recognition technology is being rolled out in some call centres to identify
callers, leading to more effective protection of clients' personal information.
On the other hand, we hear that biometric technology has the potential to invade our
privacy. For example, in the film Minority Report, individuals confront ubiquitous iris
scanning infrastructure and technology which allows their every activity to be tracked.
How do such obviously divergent views on privacy and biometrics coexist?
The answer is: because biometric technology is what we make it. Biometric
technologies are not inherently good or bad for privacy, and privacy is not a blocker to
the use of biometric technologies. These technologies can become good or bad for
privacy depending on how they are designed, developed and deployed.
This is one of the key messages that I would like to communicate to you today. By
considering projects involving biometric technologies in the context of privacy, and by
building in privacy from the very beginning of the design phase, we can ensure that
biometric technologies do not impinge on, but actually enhance, the privacy of
individuals.
Enjoying the benefits of biometric technologies does not also mean we have to give up
other freedoms or rights. Biometric technology has a lot to offer. Let's take
responsibility to develop biometric systems carefully so that they achieve their aims
while protecting privacy.
How to build privacy in
Our Office encourages all agencies and organisations to conduct Privacy Impact
Assessments when commencing projects that are likely to impact on privacy to design
it in. Earlier this month, in Privacy Awareness Week, we launched a new version of
our Privacy Impact Assessment Guide, catering for both organisations and agencies.
Building privacy in from the start is cheaper and more effective than considering it
only as an afterthought. Most importantly, projects and products that have been
through a comprehensive privacy planning process are likely to inspire the trust of the
community, have greater take-up and success, and so build your organisation's
reputation.
The essential ingredient - trust
I have already mentioned trust a few times. Trust is a major factor in consumers'
decision-making processes. In fact, in the Community Attitudes to Privacy research
commissioned by our Office in 2007, 36 per cent of people stated that they had
decided not to deal with an organisation because of concerns about how their personal
information would be handled. This shows that individuals' perceptions about personal
information can often dictate their consumer decisions.
It may, or may not, surprise you to hear that government departments actually enjoy a
high level of trust from the community. In fact, that trust has been growing.73% of
people surveyed said they believed that government departments were trustworthy
[2018] FWC 4762
48
when it came to how they collected and used personal information. This is in
comparison to 64% in 2004 and 58% in 2001.
The numbers for private sector organisations were generally lower that this, with 58%
of people considering 'financial organisations' to be trustworthy, 37% for retailers and
17% for businesses selling goods over the internet.
No agency or organisation can ever afford to be complacent about trust. They can lose
this trust and their reputation overnight if they sustain a major breach of personal
information or handle personal information poorly.
And as I mentioned, many consumers will vote with their feet if they suspect an
organisation may mishandle their personal information. This statement is particularly
relevant for audience members here today, given that many consumers feel that
biometric data is even more sensitive than other forms of personal information.
I should also note here that we are currently conducting several investigations
including an own motion investigation into the scanning of driver's licences and the
separate collection of biometrics like finger prints at night clubs and other
entertainment venues. This includes looking at the technology and the processes
involved. As these are ongoing investigations I cannot discuss any details but it does
illustrate the importance of getting the technology and the business practices right
from the start.
I note with interest that the Biometrics Institute is aware of the importance of
community trust and confidence in an organisation's information-handling practices.
The preamble to the Biometrics Institute Privacy Code states: "only by adopting and
promoting ethical practices, openness and transparency can these technologies gain
widespread acceptance".
For agencies, it is even more vital to be careful to incorporate privacy principles into
their operations as, in many cases, individuals may not have a choice about whether or
not they participate in that agency's systems or operations. A poorly designed project
incorporating biometric technology can cause considerable embarrassment or worse
for government and serious repercussions for individuals.
Working with new technology is challenging, but it can also be very rewarding. If
you're pioneering or implementing new biometric technologies, or any new product or
service that impacts upon personal information, our Office encourages you to
rigorously consider any privacy implications that may arise. By doing this, you place
yourself ahead of the game, and are more likely to inspire the trust and confidence of
your consumers and the community.
National consistency
There's another issue that I would like to discuss with you today. It is a little more
technical, but is no less significant. It relates to the array of laws and regimes that
govern the handling of personal information, including biometric information, in
Australia.
[2018] FWC 4762
49
As most of you will be aware, the Privacy Act is 'principles based'. There are 11
Information Privacy Principles (IPPs) for Australian Government agencies, and 10
National Privacy Principles (NPPs) for business. These principles govern how those
agencies and businesses handle personal information, including its collection, use and
disclosure, security and destruction.
However, the Privacy Act has some exceptions. For example, it does not cover most
small businesses. Nor does it cover state government agencies. To bridge this gap,
some Australian states have introduced their own laws covering their public sector.
Navigating the complex relationship between state and national laws is a familiar story
in our federation, but this is little consolation for organisations and agencies trying to
understand their privacy obligations.
In our current regulatory environment, some users of biometric information may fall
outside of our Office's jurisdiction, and may not be required to comply with the
Privacy Act.
Private sector organisations bound by the NPPs that perform some functions under
contract to a state or territory government may have to comply with different laws for
that work. As well, organisations contracted to Australian Government agencies may
have to comply with the IPPs for functions performed under the contract, and the
NPPs for their other functions. Confused? Well, it's not surprising.
And what is the main implication for biometrics? With different laws applying to
different kinds of organisations and agencies, we risk having different standards
applied to organisations and agencies conducting similar activities.
Information flows do not stop at state borders. Many large organisations have a
presence in some or all Australian states and territories. In our modern, integrated
economy, it makes little sense and can be very expensive to require organisations to
handle information differently in different states and territories, even if these
differences are often only minor.
As I'm sure you can see, the system that is currently in place can be quite complex.
This is a challenge indeed. However, I'm glad to be able to inform you that there are
genuine opportunities for improvements on the horizon.
Changes in the pipeline
As many of you will be aware, the Government has announced its intention to make
major changes to privacy law in Australia. The Australian Law Reform Commission
(ALRC) delivered a report to the Government in May 2008 recommending 295
changes to Australia's privacy framework. The Government outlined its first stage
response to the Report in October last year, putting forward its position on 197 of the
ALRC's recommendations.
The Government has said that it intends to release exposure draft legislation reflecting
these changes during 2010.
[2018] FWC 4762
50
A number of the recommendations that the Government has decided to adopt will have
significant, and hopefully positive, impacts for the environment in which biometric
technologies must operate in Australia. I'd like to explain some of these to you now.
Single set of privacy principles
As I mentioned earlier, in the Privacy Act, there are two sets of privacy principles.
In what is probably the key reform proposal of all of the ALRC's 295
recommendations, the Government announced that it sees the wisdom in replacing
these two sets of principles with a single set of principles to cover all entities that are
now covered by the NPPs or the IPPs.This means that, for the first time, Australian
Government agencies will have the same obligations as private sector organisations
covered by the Act (of course with a few exceptions).
So what does this mean for users of biometric data? This represents a significant step
towards national consistency in the regulation of privacy and biometrics. For the first
time, one set of rules will cover the biometrics field at a national level.
Biometric information as sensitive information
As I mentioned earlier, when we collect biometric information from a person, we are
not just collecting information about that person, but information of that person.
Recognising this fact, the Government has accepted the ALRC's recommendation that
biometric information be treated as 'sensitive information' under the Privacy Act.
As it stands, the Privacy Act regulates the handling of personal information generally.
The NPPs also contain extra protections specifically dealing with what is termed
'sensitive information', whereas the IPPs do not. The new, unified set of privacy
principles will apply the higher protections applying to sensitive information to both
agencies and organisations.
Sensitive information is a subset of personal information and includes information
about things such as:
racial or ethnic origin
religious beliefs or affiliations
criminal record information
health information.
The ALRC neatly explains the rationale behind treating biometric information as
'sensitive information':
'Biometric information shares many of the attributes of information currently defined
as sensitive in the Privacy Act.It is very personal because it is information about an
individual's physical self. Biometric information can reveal other sensitive
information, such as health or genetic information and racial or ethnic origin.
Biometric information can provide the basis for unjustified discrimination.'
[2018] FWC 4762
51
What this change will mean then is that organisations and agencies will only be able to
collect sensitive biometric information about an individual in defined circumstances,
including where:
the individual has consented to the collection
the collection is authorised or required by or under law, or
the collection is necessary to prevent a serious threat to the life, health or safety
of any individual.
This change will give individuals greater confidence that their sensitive biometric
information will be appropriately treated by both agencies and organisations. And as
you know, confidence is an important ingredient in building up trust.
This change will also ensure that both agencies and organisations have consistent
obligations regarding the way they handle biometric information.
Technological neutrality
Importantly, the Government has also committed to ensuring that the Privacy Act
remains technologically neutral. What this means is that the Act will continue to
regulate information handling without referring to specific technologies.
This is important because it gives the Privacy Act the flexibility to be relevant to new
technological realities as they present themselves.
The current Privacy Act was introduced in 1988 - a time when many people were only
just buying their first microwave. People did not have access to the internet, mobile
phones and an array of other technologies, including biometric technologies, that are
central parts of our lives today. The principles that underpin the Privacy Act are even
older, having originated in the 1980 OECD Privacy Guidelines.
It is a testament to the success of the principle of technological neutrality that the
Privacy Act has been able to regulate personal information flows in Australia for more
than 20 years without major difficulties.
Of course, technological neutrality does not mean that we bury our heads in the sand
when it comes to technological change. Our Office believes that we can have
technological neutrality of privacy laws while still having laws that are technologically
relevant. We believe that technological neutrality allows the Privacy Act to be
adequately flexible to accommodate technological change. What we don't want is a
privacy regime that goes out of date every time technology changes!
Privacy codes
Going hand-in-hand with the concept of technological neutrality is the proposal to
expand the Privacy Commissioner's powers in relation to privacy codes.
At present, industry groups are able to propose the introduction of a privacy code in a
specific area. If the code has protections equal to or stronger than the NPPs, the
Privacy Commissioner can approve it, and any organisation that opts in to the Code
[2018] FWC 4762
52
must comply with it. Our Office can handle complaints about breaches of privacy
codes.
Many of you here today will of course be familiar with one such code - the Biometrics
Institute Privacy Code although our Office notes, regrettably, the low take up of the
Code by businesses who are members of the Institute. We would encourage you to
look again at the benefit in signing up to the higher privacy protections afforded to
individuals by the Code, such as demonstrating to your clients your commitment to
good privacy practice.
As well our Office welcomes the Institute's recent development of the Privacy
Awareness Checklist which each member has been asked to complete when renewing
their membership.
Under the proposed changes to the Privacy Act, the Privacy Commissioner will be
able to request that an organisation or industry body develop a Privacy Code binding
specified organisations. If an appropriate code is not developed, the Commissioner
will be able to develop and impose one.
Of course, our preferred approach is to allow industries to take responsibility for their
privacy obligations, and we are confident that this will happen. The Office encourages
your industry to be proactive in its approach to privacy, and as I mentioned before,
to build privacy into projects, rather than simply bolting it on.
However, this code-making power will allow our Office and industry the flexibility to
ensure that certain fields dealing with specialised kinds of information and technology
can be regulated appropriately, and in more detail than in the Act if necessary. This
will give the Office the power to respond in a timely manner to new technologies with
specific privacy issues, without needing a Privacy Act legislative change, which can
be a very time-consuming and uncertain process!
Consistent laws in states and territories
With all of these changes planned in the sphere of privacy law, particularly with the
use of biometric technologies, you could be forgiven for feeling slightly intimidated.
My advice to you is not to be overwhelmed by the challenges that come with change,
because the developments unfolding before us actually present great opportunities:
the opportunity to develop consistent privacy laws across the public and
private sectors in Australia
the opportunity for all of us in the room to get ahead of the game, and start
planning for the future
and, perhaps most significantly, the opportunity for parliaments across
Australia to take the new national laws as a model, to simplify and make
consistent information-handling laws across all jurisdictions.
I refer again to the example I used earlier of some organisations needing to be
conscious of both the NPPs and the IPPs and possibly even state privacy legislation.
Our Office can see a future where laws across the country relating to information
handling, including the regulation of biometric technologies, will be aligned. With a
[2018] FWC 4762
53
simplified national privacy regime, government and organisations would at the same
time have a reduced compliance burden and greater certainty of their obligations.
Conclusion
So in concluding let me say again that there is nothing wrong with acknowledging that
biometric technologies have the potential to offer our society many great benefits.
Equally though, done badly, the development and use of biometric technologies has
the potential to impinge on individual privacy and thereby risk undermining
community confidence in such technologies. Once that community confidence
evaporates, so too does much of the potential that might have made the technologies
attractive in the first place. This is why it is important to address and build in privacy
now.
If, as I suspect it is, the ultimate goal of the work of this audience is to devise, build
and use innovative technological solutions the work you do is too important to risk
jeopardising good results with poor privacy protections.
It is also vital that the environment in which these biometric technologies are
developing be simple and nationally consistent to allow them to flourish in a
considered, rather than an ad hoc, fashion. By having a simple, clear, nationally
consistent environment, everybody knows where they stand, and individuals can be
more confident that agencies and organisations will appropriately safeguard their
privacy. In a word, it will generate trust.
Thank you.”
Conclusion
[247] Having considered each of the matters specified in s.387, including whether there are
any other relevant matters which make Mr Lee’s dismissal harsh, unjust or unreasonable, I am
satisfied that the dismissal of Mr Lee was not in all the circumstances harsh, unjust or
unreasonable. Accordingly, I find that Mr Lee’s dismissal was not unfair.
[248] The application is dismissed.
COMMISSIONER
Appearances:
Mr C. Martin of Counsel for the Applicant
THE ALORS FA THE COMMISSION THE SEAL
[2018] FWC 4762
54
Mr A. Herbert of Counsel for the Respondent
Hearing details:
15 June 2018.
Brisbane
10 August 2018.
Brisbane
Final written submissions:
Closing submissions for the Applicant, 2 July 2018.
Closing submissions for the Respondent, 25 June 2018.
Printed by authority of the Commonwealth Government Printer
PR609918
1 Exhibit R2, Statement of Mr Ian Swinbourne, Annexure PS5.
2 s.384(2) Fair Work Act (2009)
3 PN104.
4 PN117.
5 PN121.
6 PN135 – PN138, PN141, PN142.
7 PN157 – PN167.
8 PN177.
9 PN178.
10 PN183.
11 PN205.
12 PN215.
13 PN217 – PN220.
14 PN354.
15 PN364.
16 PN269.
17 Austal Ships Pty Ltd v Schrier (AIRCFB, Ross VP Drake DP, Dight C, 13 August 1997).
18 Australian Telecommunications Commission v Hart (1982) 43 ALR 165, 170; Bayley v Osborne (1984) 10 IR 5, 8; Izdes v
LG Bennet & Co Pty Ltd (1995) 61 IR 439, 449.
19 Australian Privacy Principle Guidelines, B.113 – B.115.
20 PN828 – PN835.
21 Edwards v Giudice (1999) 94 FCR 561.
22 Lambeth v University of Western Sydney [2009] AIRC 47.
23 Woolworths (t/as Safeway) v Brown [2005] AIRC 830.
24 Enginemen v State Rail Authority (NSW) (1984) 295 CAR 188.
25 Print P4608 [AG802039].
26 Ibid, [50].
27 Crozier v Palazzo Corporation Pty Ltd (2000) 98 IR 137.
[2018] FWC 4762
55
28 RMIT v Asher [2010] 194 IR 1.
29 Ibid, 14 – 15.
30 Johnston v Woodpile Investments trading as Hogs Breath Café – Mindarie [2012] FWA 2.
31 Fastidia Pty Ltd v Goodwin (AIRCFB) Print S9280.
32 Privacy Amendment (Private Sector) Bill 2000, Explanatory Memorandum (House of Representatives)
33 PN924.
34 Smith v Moore Paragon Australia Ltd (2004) 130 IR 446. [15].
35 (1995) 185 CLR 410, 465.
36 Sayer v Melsteel [2011] FWAFB 7498, [20].
37 Woolworths (t/as Safeway) v Brown [2005] AIRC 830. [35].
38 Privacy Act 1988 (Cth) s.6, “APP Entity”; s.6C.
39 Ibid, Schedule 1, APP 3.3.
40 PN777.
41 PN780 – PN781.
42 PN816.
