When privacy meets technology – navigating the law and the rights of employees and customers

| June 5, 2019

In this technologically driven globally connected, highly competitive marketplace, we’re all concerned about cyber security.

In fact, it rates as one of the top four concerns of small business owners and operators according to this year’s Smart Company survey results– in particular keeping up with the rate of change and ensuring protection of customer data.

Consumer data is no doubt, what gives companies an edge. And with new regulations via the Notifiable Data breach Scheme now in force in Australia, there is a significant onus on businesses to ensure top notch security, and many are looking at innovative ways, beyond passwords, to beef up protection.

Asking employees for biometric data – the first case of its kind in Australia

A recent case before the Fair Work tribunal involved whether or not it’s ok to ask your employees for biometric data – for example, their fingerprints – as an identifier of their individual employment status.

The case in this instance involved a sawmill operator in Queensland installing a new access system to its premises. All employees were going to be required to ‘sign in’ using their fingerprint. One employee refused, despite numerous attempts by the company to have him consent to using his fingerprint. He was eventually dismissed.

On the face of it, it seems a reasonable enough request. Most of us don’t think twice about using a fingerprint to unlock our iPhones multiple times a day. And the technology is inherently reliable. It also saves the need for swipe cards and the associated expense (and security risk) of lost, misplaced or stolen access cards.

The Case went before the Fair Work tribunal twice. In the first instance the first time a Commissioner ruled in favour of the employer, ruling that the new fingerprint scanning system was a reasonable policy and that the sawmill company was permitted to require employees to comply with it — and to dismiss employees who did not.

Unhappy with the decision, the employee in question, Jeremy Lee appealed. His appeal went before a panel of judges. His case centred not just on his personal privacy, and the fact that biometric data is unique and therefore highly valuable, it also posed the question whether or not it was appropriate for his employer to ask for it. He argued that pin numbers and swipe cards were perfectly adequate security access tools, and using his fingerprint was unnecessary.

The panel of Commissioners agreed.

While making it clear that employees have an obligation to “comply with all lawful and reasonable directions” from an employer, it noted that the Privacy Act states that when an employer wants to collect sensitive information — such as fingerprints — they must give sufficient notification and allow for a process of informed consent.

It ultimately ruled that Superior Wood failed on both accounts, and as such had unfairly dismissed Mr Lee.

While the case has been described as the first of its kind in Australia, it does not set a precedent about biometric data ownership, but it does pave the way for more cases of this kind as companies harness technology.

There is a hazy intersection where the law meets technology and personal privacy.

Collection, use, storage and protection of data must be high priorities

And for businesses, employees are not the only concern. We need to also be wary of how we roll out technology for customers, and in particular how we collect and use their information.

Facial recognition technology is another technology that is being increasingly used by companies.

Facebook, for example, has long been using facial recognition capabilities (except in Canada and the EU) for some time. Last year it made an important announcement to all users – that the feature is automatically running, and to stop it, you must find the appropriate setting and turn it off. Government agencies and police forces around the world are all embracing the technology.

Closer to home, Westfield, the retail giant, recently copped flack for using its ‘Smartscreen Network’– small cameras fixed to advertising screens throughout its network of shopping centres, to detect individual faces and record the age, gender and mood of shoppers.

Westfield maintains that it deployed the technology to improve the experience of shoppers, but there was significant public backlash asking the corporation to explain exactly how, in more detailed terms, it was using the information, even though under the existing laws, retailers do not need to consent of shoppers to collect data obtained through CCTV cameras.

Westfield suffered the blow and relatively swiftly became yesterday’s news, but for a smaller company, or a fledgling business, the brand reputation of something similar could be catastrophically damaging.

The value of professional advice

Given that the use of these technologies is really just starting to take off in Australia there are still many concerns surrounding biometric identifiers and privacy protections that have not yet been asked, let alone been tested by the courts. And so, laws are being changed and implemented on a regular basis.

However, at such as uncertain time, it’s wise for businesses to proceed with caution. And to seek legal advice at every juncture to work through technological implementation in order for both employees and customers to feel empowered to have open discussions about their rights, and privacy concerns, in order for them to make empowered choices of how and when information is collected, what it is used for and how it is stored.