The Privacy Act (Commonwealth) together with guidelines provided by the Office of the Australian Information Commissioner suggest that employers can lawfully store employee data without breaching the Act if the data relates to the employee’s employment.
However, in the recent Fair Work Commission Full Bench case Jeremy Lee v Superior Wood (2019) FWCFB 2946 has held that this exception only applies to data already held by the employer. Furthermore, employees are entitled to refuse to allow their employer to collect and store ‘sensitive information’ about them, including biometric data obtained from BYOD personal devices, or in this case, fingerprints.
The issue in the case was the enforceability of the company’s Site Attendance Policy which involved the mandatory submission of biometric data (fingerprints) by employees.
At the heart of the matter was the employee’s unfair dismissal claim which arose from his dismissal based upon his refusal to provide the data to the employer. His case was to the effect that biometric data is sensitive personal information under the Privacy Act 1988 (Privacy Act) and thus that his employer was not entitled to require that information from him; and that his refusal to give the information to the employer was not a valid reason for his dismissal.
Here is the essence of the Full Bench decision.
Grounds 1 and 8 – whether having regard to the Privacy Act, failure to comply with the Policy was a valid reason for dismissal
 It is well established that a valid reason is one that is sound, defensible or well founded, and not capricious, fanciful, spiteful or prejudiced. 30 The reason must be valid in the context of the employee’s capacity or conduct. Consideration of valid reason must have regard for the practical sphere of the relationship between an employer and an employee, balancing the rights, privileges, duties and obligations conferred and imposed on each to ensure a fair outcome.31
 It is not in dispute that Mr Lee was aware of the Policy and its contents. Nor is it in dispute that he refused to comply with the Policy and that his refusal was the reason for his dismissal.
 There is no contention to the effect that the Policy formed part of Mr Lee’s contract of employment, 32 with the result that he was obliged to comply with its terms. The contract provided as follows:
“2.2 Various policies, procedures and work rules also exist for the safe operation of Superior Wood Businesses and the welfare and interest of those who work for the organization.
2.3 You are required to comply with the conditions of employment as identified in the Enterprise Agreement, Policies, Procedures and Work Rules at all times. Policies are displayed at various locations throughout the operations:
- Superior Wood Intranet
- Lunchroom noticeboards
2.4 A copy of the display policies is also attached.”
 As can be seen, the contract required Mr Lee to comply with the “various policies, procedures and work rules that exist” and that “are displayed at various locations” and that were attached to his contract in November 2014. A strict reading suggests that only those policies, procedures and work rules in place at the time of entry into the contract of employment were within scope of the requirement to comply.
 The Policy came into existence well after he was employed, and there is no evidence that Mr Lee agreed to vary his contract of employment to incorporate the Policy as one of its terms. His refusal to comply with its terms is evidence to the contrary. We are not satisfied that compliance with the Policy was a term of his employment.
 His obligation to comply with the Policy therefore depends on whether the direction to do so, using the scanners to sign in and out of work each day, was a reasonable and lawful direction.
 The Policy provides as follows:
“Site Attendance Policy
Due to company Workplace Health and Safety and Payroll requirements it is imperative all employees are accounted for on site.
Therefore as at the 2nd January 2018 it is policy that all employees must use the biometric scanners to record attendance on site.
It is reinforced that the biometric scanners do not take a finger print. The algorithm data used to record attendance cannot be used to generate a fingerprint.
Please ensure you scan in when arriving on site and leaving site at the end of your shift. If you are having issues with scanning please see your supervisor. If you fail to use or attempt to use the biometric scanner then disciplinary action may be taken. Signing the attendance sheets alone is no longer acceptable.
The Directors and Superior Wood Leadership would like to thank employees for their assistance and patience during the ‘trial’ period.
 According to the Policy, all employees must use the scanners to record their attendance on site, both when arriving and leaving the site. Signing attendance sheets alone is no longer acceptable.
 To comply with the Policy, employees must first register their fingerprint for use with the scanners and then use their fingerprint to scan in and out of work each day. The terms of the Privacy Act require consent to the collection of employee biometric information by Superior Wood to be used for the purpose of automated biometric verification or biometric identification. 33
The Privacy Act
 The Privacy Act commenced on 1 January 1989. 34 Relevantly, it applies to an “APP entity”, including an organisation that is a body corporate. It is common ground that Superior Wood is an APP entity.
 Section 2 sets out the objects of the Privacy Act, which include:
(a) To promote the protection of the privacy of individuals;
(b) To recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and
(d) To promote responsible and transparent handling of personal information by entities.
 The Full Federal Court has observed that the Privacy Act reflects the Parliament’s concern to recognise and protect individual privacy within the framework of a complex statutory regime. It is to be construed so as to give effect to Australia’s international obligations, so far as the statutory language permits. 35 The Privacy Act contains a series of statutory provisions “which protect the privacy of individuals from unlawful or arbitrary interference” but also specify “circumstances (or “exceptions”) which reflect the Parliament’s concern to strike an appropriate balance between competing community interests.” Those exceptions are to be interpreted carefully, with an eye to preserving the balance struck.36 The Privacy Act does not make paramount the protection of individual privacy. What it does, or seeks to do, is to protect individual privacy from arbitrary or unlawful interference.37
 Section 13 of the Privacy Act deals with interferences with privacy. Relevantly, an act or practice of an ‘APP entity’ is an interference with the privacy of an individual if it breaches an Australian Privacy Principle in relation to personal information about the individual. By reason of section 15, acts and practices that breach an Australian Privacy Principle are prohibited.
 Separately, section 13G is a civil penalty provision dealing with serious and repeated interferences with privacy. It covers serious interferences with the privacy of an individual as well as repeated acts or practices that are an interference with the privacy of one or more individuals.
 There are exceptions to the general obligation to comply with the Australian Privacy Principles. Section 16A sets out some of those exceptions, which relevantly include the collection, use or disclosure of personal information where:
- it is unreasonable or impracticable to obtain the individual’s consent to that collection, use or disclosure; or
- there is reason to suspect unlawful activity or serious misconduct and a reasonable belief that such collection, use or disclosure is necessary for the purposes of taking appropriate action.
 It was not contended, and we are not satisfied, that any of the section 16A exemptions applied to the collection of Mr Lee’s fingerprint.
 Section 7B(3) of the Privacy Act also contains an exemption in relation to employee records. An act done, or a practice engaged in, by an employer that is directly related to a current or former employment relationship between the employer and the individual and an employee record held by the organisation and relating to the individual, is exempt from the obligation to comply with the Australian Privacy Principles.
 “Employee record” is a defined term and in relation to an employee, means a record of personal information relating to the employment of the employee.
The Australian Privacy Principles
 The Australian Privacy Principles are found in Schedule 1 to the Privacy Act.
 Principle 1 provides for open and transparent management of personal information. Among other things, it requires (at 1.3) that entities have a clearly expressed and up to date policy about their management of personal information.
 Principle 3 deals with the collection of solicited personal information that is solicited by an APP entity. It prohibits the collection of sensitive information about an individual, unless that person consents to the collection of the information, and the information is reasonably necessary for one or more of the entity’s functions or activities (at 3.3). ‘Sensitive information’ includes biometric information that is to be used for the purpose of automated biometric verification or biometric identification. 38 It is not in dispute that the collection of fingerprint data by the scanners meets the description of sensitive information. Collection of personal information may only occur by lawful and fair means (at 3.5).
 Principle 5 deals with notification of the collection of personal information. It provides that, at, before or (if that is not practicable) as soon as practicable after the time that an APP entity collects personal information, it must take reasonable steps to notify the individual of certain specified matters, or to otherwise ensure the individual is aware of those matters. That which must be notified to an individual depends on what is reasonable in the circumstances. The specified list of matters includes:
- The identity and contact details of the APP entity;
- If personal information is collected from someone other than the individual, or the person may not be aware that the organisation has collected the personal information, the fact that the APP entity does, or has, collected the information and the circumstances of that collection;
- The purposes for which the APP entity collects the personal information;
- The main consequences for the individual if all or some of the personal information is not collected by the APP entity;
- Any other entity or type of entity to which the APP entity usually discloses personal information of the kind collected;
- Whether the APP entity is likely to disclose the personal information to overseas recipients; and
- If overseas disclosure is likely, the countries where recipients of personal information are located (if practicable to identify).
 We will refer to the requirement to notify individuals in accordance with Principle 5 as a requirement to issue a ‘privacy collection notice’.
 Principle 8 deals with the cross-border disclosure of personal information. Before an organisation discloses personal information about an individual to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to that information. There are some exceptions to Principle 8, but none appear presently relevant.
 Principle 11 deals with the security of personal information. If an organisation holds personal information, it must take such steps as are reasonable in the circumstances to protect the information, and to destroy that information once it is no longer needed in the relevant sense.
 Principles 12 and 13 deal with access to, and correction of personal information.
Was the direction lawful?
 As noted above, Mr Lee was directed to consent to the collection of his biometric information by Superior Wood, for use for the purpose of automated biometric verification or biometric identification. He did not consent as required, and his fingerprint was not collected.
 However, in our view, Principle 3 has a broader application than that contended for by Superior Wood. An entity “collects” personal information if they collect that information for inclusion in a record or generally available publication. 39 Superior Wood did not breach Principle 3 by actually collecting Mr Lee’s sensitive information. Principle 3 also deals with the solicitation of information (see 3.7). An entity “solicits” personal information if it requests another entity to provide the personal information.40 The express requirement to obtain an individual’s consent would become meaningless if Principle 3 was only enlivened once information had been collected. Construed in context, Principle 3 applies both to the solicitation and collection of sensitive information. It necessarily operates at a time before collection, because an APP entity ‘must not’ collect sensitive information ‘unless’ the individual consents to that collection. Any collection that occurs without first having obtained consent to that collection would be contrary to Principle 3.
 Mr Lee was directed to submit to the collection of his fingerprint data in circumstances where he did not consent to that collection. In our view, the direction was directly inconsistent with Principle 3. The Commissioner was correct to find that Mr Lee was entitled to refuse to provide his biometric data under the Policy.
 Superior Wood also had not issued a privacy collection notice to Mr Lee (or any other employee) in accordance with Principle 5. That is not to say that Superior Wood failed to give any information to Mr Lee as required by Principle 5. Plainly, he was aware of Superior Wood’s identity and contact details and there is no dispute that he was also informed of the purpose for collecting the information, which was to enhance its payroll system and improve workplace safety. He was informed of the main consequences for him if the information was not collected – that is, he would face disciplinary action and ultimately, termination of employment.
 As to the timing of the privacy collection notice, there is no basis for concluding that it was not practicable for Superior Wood to provide this information to Mr Lee, either before or at the time it sought to register his fingerprint for use with the scanners. While it first sought to do so approximately one week after the scanners were announced, formal implementation of the scanners was trialled throughout November and December 2017 and only commenced from early January 2018. Mr Lee was dismissed in February 2018 and the manual sign in and sign out system continued in use on site until it was discontinued in or about June 2018. 41 There was no shortage of time available to Superior Wood to collate and provide the information described above to Mr Lee.
 Neither the text of section 7B nor the surrounding provisions of the Privacy Act support a wider construction. Section 8 uses the language of an agency that “does not hold that record” or “holds that record”. Section 10 deems certain agencies to hold a record if it is “in the care” or “in the custody” of a different agency.
 In context, it is clear that the wording of section 7B(3) speaks to an act or practice in relation to an actual record held by the organisation that relates to a particular individual. It does not encompass employee records that are yet to be held by an organisation. Nor is the act or practice of generating employee records an act or practice directly related to the relationship between an employer and a particular employee. It is an act or practice in relation to employees generally.
 It follows that we agree with the Commissioner’s finding that the employee records exemption applies to records obtained and held by an organisation. A record is not held if it has not yet been created or is not yet in the possession or control of the organisation. The exemption does not apply to a thing that does not exist or to the creation of future records.
 The significance of that finding is that the Australian Privacy Principles applied to Superior Wood in connection with the solicitation and collection of sensitive information from employees, up to the point of collection. Once collected, the employee records exemption was enlivened and the Privacy Act no longer regulated its use or disclosure.
 For the reasons set out above, we consider the direction to Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction. Moreover we consider that any “consent” that he might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent. Given this finding, it is not necessary to consider whether the direction was reasonable. Nonetheless had it been necessary to do so we conclude the direction was unreasonable. A necessary counterpart to a right to consent to a thing is a right to refuse it. A direction to a person to give consent does not vest in that person a meaningful right at all. Such a direction is in the circumstances of this case, unreasonable. It was not a valid reason for dismissal.
 We uphold Grounds 1 and 8 of the appeal. Given our findings, it is not necessary to deal further with Ground 9 of the appeal.
Ground 2 – finding that Mr Lee’s dismissal for protecting ownership of his sensitive information was not harsh, unjust and unreasonable in circumstances where he was threatened with dismissal for refusing to allow the collection of his biometric data
 For the reasons we set out above, Superior Wood did not have a valid reason for dismissal arising from Mr Lee’s refusal to comply with its Policy. That reason was the sole reason for dismissal, and no other separate matter that might give rise to a valid reason for dismissal is apparent on the materials or submissions in this case.
 The Commissioner properly considered each of the factors relevant to whether a dismissal is harsh, unjust or unreasonable within the meaning of section 387 of the Act. For the most part, those findings are not challenged in this appeal. However, her findings in relation to section 387(h) do have a bearing on the matters raised in this appeal.
 Firstly, the finding that Mr Lee’s position in relation to the use of his biometric data by the scanners was at odds with his position in relation to DNA in connection with drug and alcohol testing had its origins in questions raised independently of the parties by the Commissioner. 43
 The evidence of Mr Lee on the matter was to the following effect:
- he had never been the subject of drug and alcohol testing at work;
- there was a company policy requiring urine testing under certain circumstances;
- if required under that policy, he would undertake a urine test;
- his concerns about a third party provider holding his information from a urine test were different to his concerns about third party providers holding his biometric data, because he didn’t think they would be getting DNA or any kind of biometric data; and
- that he did not know how drug and alcohol testing worked;
- he would be okay with a hypothetical scenario involving a drug and alcohol test required by Superior Wood, but carried out by a third party, which then took a DNA sample to a laboratory for further testing. 44
 In our view, this evidence was of limited probative value in relation to matters the Commissioner was required to determine. There was no evidence in the proceeding of any actual testing, or testing procedure. There was no evidence of what the company policy was in relation to drug and alcohol testing, other than Mr Lee’s evidence above and induction material which refers simply to a “process” that “Superior Wood conducts” 45 (although it is not clear that this material was in existence at any time prior to Mr Lee’s dismissal). There was no detail as to the actual method of collection or holding of DNA, or whether those functions might be outsourced to a third party. To the extent that the Commissioner relied on Mr Lee’s evidence in this respect and weighed it against a finding of unfair dismissal, we consider she was in error.
 Secondly, the Commissioner held that Mr Lee’s objection to the use of his biometric data by Superior Wood, FTH and a third party supplier was unreasonable when taking into consideration the purposes of the Policy, improvements to payroll and health and safety and the costly alternatives that would have been required to be put in place for him. Her conclusion in this regard is likely to have been informed by her earlier conclusion that there was a valid reason for dismissal. In our view, this conclusion constituted an error which tainted the approach to weighing up the various factors relevant to whether the dismissal was harsh, unjust or unreasonable.
 We uphold this ground of appeal.
Ground 3 – mistaking the facts in finding that the new scanners improved safety
 This appeal ground raises for consideration the Commissioner’s findings at paragraph  and  of the Decision, as follows:
“ It is entirely reasonable for the employer to improve upon an inherently unsafe obligation to run to the front administration office in the event of an emergency, locate a paper sign-on sheet and attempt to ascertain who is at work over a site of significant size. On the evidence before the Commission, supervisors can immediately see who from their area of work is present in the workplace using the information collected through their adherence to the Site Attendance Policy and displayed on a supervisor’s phone.
 Further, I note that the scanners allowed for additional safety benefits beyond simple attendance verification, such as reviewing site attendance on supervisors’ phones. The other methods identified by Mr Lee do not provide such additional benefits.”
 Mr Lee contends that the evidence did not establish that the scanners improved safety. In support of this contention, he claimed that a fire alarm did sound after the introduction of the scanners and rather than rely on information gleaned from the scanners, Superior Wood relied on the manual sign in and out sheets to verify attendance on site.
 We agree with Mr Lee as to the effect of the evidence in relation to the fire alarm in January 2018. The timing coincides with the scanners having been formally implemented after a trial period. However, despite its formal implementation, both the scanners and the manual sign in and out sheets remained in use.
 In our view, the primary purpose for introducing the scanners was to address payroll issues across the Finlayson Group. However, we accept that the potential for improved safety was also a reason for its introduction. The Mitrefinch Proposal put forward the prospect of safety improvements. From its initial communication with employees in 2 November 2017, Superior Wood consistently referred to its perceived benefit of helping to keep track of people on site. It appears to us that prima facie, this makes logical common sense.
 We do not necessarily agree that it was “inherently unsafe” to have to run from the front office in the event of an emergency to locate the sign in and out sheets. However, we are satisfied that there was a sufficient evidentiary basis for the Commissioner to find that the scanners, through their capacity to display attendance records on supervisor’s phones, offered safety benefits, even though the main function was clearly to improve its payroll operation.
 We reject this ground of appeal.
Ground 4 – mistaking the facts in finding that Mr Lee did not consent to the collection of his biometric data, when he was never asked for his consent
 In our view this ground of appeal is misconceived. We accept that Superior Wood’s request for Mr Lee’s biometric data was expressed in the form of a direction, rather than a choice. It was nevertheless a request for his consent. It thereafter erroneously sought to negate his choice by threatening him with disciplinary action.
 Mr Lee’s correspondence to Superior Wood on 7 November 2017 expressly stated that he was “unwilling to consent to having his fingerprints scanned” because he regarded his biometric data as personal and private. 46
 According to Mr Lee, on 24 January 2018 Skene Finlayson, Director of Superior Wood, asked him if he would use the scanner, and he said no. 47 This plainly amounted to a request, albeit one which he refused.
 Accordingly, this ground of appeal is rejected.
Ground 5 – finding that the introduction of biometric scanners was reasonably necessary
 This ground of appeal raises for consideration the Commissioner’s findings at paragraphs ,  and  of the Decision.
 The relevant findings are as follows:
“ Having regard to the issue of whether the introduction of biometric scanners at the Superior Wood premises is ‘reasonably necessary’, I have no hesitation in so finding. For the same reasons stated earlier, the Finlayson Group wished to consolidate its payroll. Superior Wood was the last entity to have the scanners introduced, and after a suitable period of time where there was duplication, it was a reasonable course for the employer to then remove the paper payroll system to join in with its parent entity activities. Once Superior Wood and the Finlayson Group was satisfied the biometric scanning was properly implemented, the entities wished to do away with all manual payroll handling. Once that decision was made, I do then consider the collection of the biometric information to be reasonably necessary for its functions or activities.
 On a fairness and reasonableness consideration, I am minded to side with the views of management of Superior Wood that having Mr Lee use some alternative method such as a swipe pass or continue to use a paper sign-on would be inefficient, inequitable, and a burden. Requiring a manual pay run to be implemented for a single employee, as against either 150 employees or 400 employees in the group would be an onerous obligation.
 The evidence in relation to alternatives to fingerprint scanners was limited. The Mitrefinch proposal to FTH confirms that it offered data capture alternatives to fingerprint scanners, including key fobs and swipe cards. 48 Other options set out in that proposal included computer and mobile login systems, as well as SMS and email options. The Commissioner concluded at paragraph  of the Decision that there was no evidence of any evaluation of the costs of alternative options by Superior Wood. In our view, there was no evidence that it even considered those alternatives.
 It was established that for many months after Mr Lee was dismissed, and notwithstanding the formal introduction of the scanners from 2 January 2018, manual sign in and out sheets continued to be used at the site. 49 The timing of the decision to dismiss Mr Lee in February 2018 is therefore difficult to explain. Mr Finlayson gave evidence that Mr Lee would not have been able to be paid through the payroll system if he did not use the scanners, and yet there does not seem to be any controversy that he was in fact paid after the scanners were formally introduced.50
 Both Mr Finlayson and Mr Swinbourne gave evidence that Superior Wood could not allow Mr Lee to continue to sign in and out manually because it left Superior Wood open to time recording inaccuracy and fraud; they would not know where he was in case of emergency; the costs of an alternative mechanism were too high; and for reasons of consistency with other employees.
 No evidence was introduced to establish that Mr Lee posed a risk to Superior Wood in relation to inaccurate time recording or fraud. Rather, the evidence tends to the contrary view. 51
 In our view, the notion that Superior Wood would not know where Mr Lee was in case of an emergency was, in the present case, somewhat overstated. Whether Mr Lee used the manual sign in and out sheets or the scanners, the data then recorded would not have allowed it to locate him at a particular place during work on what was described by Mr Finlayson as a very large site. On the one occasion where there was evidence of having to verify attendance due to an emergency (that is, the fire alarm in January 2018), the manual records were relied upon rather than the scanners. Both systems remained in use well after his dismissal.
 We have dealt above with the purported costs of an alternative to the scanners. That contention takes the matter no further.
 Overall, the evidentiary basis for concluding that collection of Mr Lee’s fingerprint data was reasonably necessary for Superior Wood’s functions or activities was not compelling. It is clear that Superior Wood’s introduction of the scanners was administratively convenient for FTH, who operated the payroll system on its behalf. We also accept that had the direction to Mr Lee been lawful, it might also have been reasonable to decline to make an exception for him in circumstances where he was the only one of approximately 400 employees seeking a different method. However, neither of those matters establish that it was ‘reasonably necessary’ for Superior Wood to proceed with the collection of Mr Lee’s fingerprint, particularly in circumstances where other options had been identified and had not yet been considered.
 For these reasons, we uphold this ground of appeal.
Grounds 6 and 7 – finding that employees gave implied consent by registering their fingerprints instead of finding that biometric data was collected from employees other than Mr Lee by unlawful and unfair means; and failing to find that implied consent is not sufficient for the purposes of collecting sensitive information
 Mr Lee submits that the Decision is in error because it did not make findings at large about whether breaches of the Privacy Act effectively vitiated the consent of all other employees (which might otherwise be implied by their cooperation with the Policy). He also submits that a higher standard of consent is required in the collection of sensitive information, and the Commissioner was in error in not finding to that effect.
 In our view, neither of those matters are findings the Commissioner was required to make. Her task was to consider the circumstances relevant to Mr Lee’s dismissal by Superior Wood. Her finding that other employees gave implied consent by registering their fingerprints were made in response to the case put by Mr Lee. We discern no error in her finding, at least on a prima facie basis, that employees gave implied consent by registering their fingerprints.
 As to whether a higher standard of consent is required in relation to sensitive information, that ground is not made out and nor is it apparent that it is a matter that falls for resolution by the Commission. Grounds 6 and 7 of the appeal are rejected.
Disposition of appeal……………………
 It is apparent from the above that Superior Wood did not have a valid reason for the dismissal which related to Mr Lee’s capacity or conduct. This is a significant factor in the circumstances of this case. As we have also concluded, some relevant matters weigh neutrally, some weigh against a finding that dismissal was unfair and others weigh in favour of such a conclusion. However the procedural fairness matters do not weigh so heavily in favour of a finding that the dismissal was not unfair as to outweigh the significance of an absence of valid reason. After all, Superior Wood was procedurally fair in effecting the dismissal for a reason that was not valid and in contravention of its obligations under the Privacy Act. Therefore for the reasons set out above, on balance we find that Mr Lee’s dismissal was unjust. It was unjust because Mr Lee was not guilty of the conduct alleged. As the direction was unlawful he was entitled to refuse to follow it. Mr Lee was unfairly dismissed.