Using Biometrics: What’s the status in Australia

The use of biometrics in Australia is increasing, in the workplace, by retailers, educational institutions and law enforcement. What are some of the issues for organisations considering introducing biometrics, for employee management, or just to better understand their customers?

Collecting biometrics?

Biometric information scanning is when an organisation or agency takes an electronic copy of your biometric information, which might be any features of your face, fingerprints, iris, palm, signature, voice, gait or breathing patterns.  The list seems to be expanding at a great pace with emotion scanning now added.

It’s widely recognised that the capture of biometric identifiers poses greater risks to an individual’s security, privacy, and safety than the capture of other identifiers, such as names and addresses.  This is because biometric information although unique can be easily accessed and collected, potentially even without the awareness of the data subject, and is difficult to change or conceal.

Some examples of the way biometrics are being used in Australia:

  • 7-Eleven is reported to be deploying Rate It, a customer experience (CX) measurement tool that runs on a tablet device in-store and which uses facial recognition. The use of facial recognition is to ensure that the feedback is real and that the system is not ‘gamed’.  There are reported to be limitations on the storage and access to encrypted algorithmic representations (of the facial scan).
  • In 2017, Superior Wood announced the introduction of fingerprint scanners as part of a new employee sign-in system. Employees were advised that they would have to register their fingerprints over the following week and register their attendance using the scanners at the start and finish of each shift. Mr Lee, one of the employees, objected to the collection of his biometric data and was dismissed.  His dismissal was held to be unfair because the collection of his biometric data required his consent under the Privacy Act 1988 (Cth).[1]
  • Australian police agencies are reportedly using Clear View AI, a private, facial recognition service that combines machine learning and wide-ranging data-gathering practices to identify members of the public from online photographs. Clearview AI says its facial recognition tool can be used to identify a person in almost any situation.[2]

Internationally, there are increasing concerns about the use of technologies – particularly the use facial recognition in public places.  So much so that technology giants like IBM, Microsoft and Amazon have all announced a moratorium on initiatives involving facial recognition, AI and ‘mass surveillance.’ The American Civil Liberties Union (ACLU) has sued Clearview AI alleging violation of Illinois residents’ privacy rights under the Illinois Biometric Information Privacy Act, through the collection of their images for use in their facial recognition system without notice or consent.   Meanwhile in Australia, the Department of Home Affairs, which oversees the federal police, is reported to be seeking to increase the use of facial recognition and other biometric identity systems. [3] This is notwithstanding a recent review of the Australian Human Rights Commission recommended a moratorium on the use of facial recognition and other biometric technologies.  The EU is also considering a ban on the use of facial recognition in public places for five years.

Unlike the United States, in Australia there is a broadly applicable law governing the way personal information, including biometric data, is collected and used – the Australian Privacy Act 1988 (Cth). But what protections are available under the Privacy Act?  And are they good enough?

What protections apply to use of biometrics under the Privacy Act?

Under the Privacy Act biometric information (when used for the purposes of identification) is included explicitly as a type of sensitive information, which in turn is a special type of personal information. Stricter requirements apply to the collection and use of sensitive information, including (in most circumstances):

  • Needing the consent of the individual, and
  • Ensuring that the collection is reasonably necessary for one or more of the functions or activities of the organisation.[4]

These requirements are in addition to other requirements, including for example, the provision of notice of collection.[5]

There are some exceptions to the need for consent, but these are limited, including where the law authorises or requires the collection of the data or it’s necessary to prevent a serious threat to the life, health or safety of any individual.[6]

The Office of the Australian Information Commissioner generally expects that consent should  be voluntary, specific, informed and current.[7] Although yet to be tested, this suggests that the consent must be based on a fully informed independent and current decision.  Obtaining genuinely voluntary consent is problematic in the employment context. In Lee v Superior Wood, the Full Bench of the Federal Court noted that any “consent” that Mr Lee ‘might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent.’[8]

In instances like the installation in 7-Eleven’s it will be interesting to see how informed, voluntary, specific and current consent is obtained, and whether the collection of facial biometrics is reasonably necessary for the purpose of the organisation.

Biometrics and employment records in Australia?

The Privacy Act exempts from application employment records held by private entities, often referred to as the ’employee record exemption.’[9]  The exemption applies to ‘An act done, or a practice engaged in, by an employer that is directly related to a current or former employment relationship between the employer and the individual and an employee record held by the organisation and relating to the individual.’  “Employee record” is also a defined term and in relation to an employee, means a record of personal information relating to the employment of that employee.

Significantly, and somewhat contrary to accepted thinking,  in Lee v Superior Wood, the court found that the employee records exemption only applied to records actually held by the employer, that is, only after they had been collected.  The Full Bench held that: ‘A record is not held if it has not yet been created or is not yet in the possession or control of the organisation. The exemption does not apply to a thing that does not exist or to the creation of future records.’[10]

The effect of this decision is that all behaviour by employers leading up to the actual collection and recording of the biometric data is still covered by the Privacy Act and is not exempt.  In other words, the employee record exemption does not cover requiring consent from employees to the collection of sensitive information such as biometric data (in the case of Mr Lee, it was his thumb print which was required as part of a employee check in system).

Prior to Lee v Superior Wood, most commentators believed that the  employee record exemption covered the collection as well as the subsequent use, disclosure, storage and other handling of any employee related information.

The ultimate finding in the case (which turned on whether Mr Lee had been unfairly dismissed) was that, as a matter of employment law, the direction to use the fingerprint scanner was not a lawful direction because it was in breach of the Privacy Act.  Mr Lee’s consent to the collection was required. Mr Lee’s termination for refusal to follow that direction was therefore unfair.

Some employment specialists warn that this case may turn on its circumstances, particularly that Mr Lee was not bound to comply with company policies issued after the date of his employment contract.  There have been many cases where employers have required access to sensitive information without being challenged.  For example, it is common for employers to be granted access  to medical records as part of employment related proceedings, without requiring consent from the relevant employee.

Similar issues in regard to whether genuine consent can be given by employees apply to employers requiring compulsory drug and alcohol testing programs.

It’s unlikely that cases where these requirements have been noted will be overturned but they are difficult to reconcile with the decision in Lee v Superior Wood. It remains to be seen how the Full Bench’s observation that consent will not be ‘freely given’ if a refusal to give consent might result in disciplinary action against the employee sits with existing cases.

Biometrics – what can you do?

Implementing any system that involves the collection of biometric data (whether as part of employee tracking, safety or customer experience tracking) should be treated with caution.

Firstly, is the collection of biometric information reasonably necessary for the purposes of the organisation?

Then, you must consider whether consent is required and how you can go about procuring that consent and recording that consent has been obtained.  This will probably include ensuring proper notice is provided and that employees have some alternative if they do not agree to the collection.

Once it’s determined that consent can be obtained, consideration must also be given to additional factors including:

  • Is the collection justifiable (reasonably necessary for one of the functions or activities of the organisation)?
  • How will notice of collection by given?
  • How will access to the organisation’s Privacy Notice be provided?
  • How is the data going to be stored? How long will it be kept? How will it be disposed of?

For employers, it’s also prudent to ensure that your current employment contract requires employees:

  • to comply with all current and future workplace policies;
  • to provide consent if reasonably required as part of any process as a fundamental obligation of employment.

The future

The use of biometrics is similar to AI and other technical advances – they bring some benefits but also raise issues, for employers, retailers, governments and civil society.

Australia seems to be a fertile testing ground for some of these new technologies and there seems to be little pushback so far to the use of technologies like facial recognition which could support massive surveillance.

There is certainly little to fear from our privacy regulator who has to date published only the most general guidance around biometrics[11],  Compare the situation in Canada, where Clearview AI has announced that it is withdrawing its product from Canada in response to a joint investigation by the privacy protection authorities for Canada, Alberta, British Columbia and Quebec[12] which resulted in the Canadian regulator finding Clearview in breach of its privacy regulations earlier this year.

In Australia, the OAIC announced a joint investigation with the UK ICO into Clearview in July 2020 (over 1 year ago).  We’re yet to hear on the outcome of that exercise.

Read some of our previous posts on the use of AI:

Australia’s AI Ethical Framework: Another paper tiger? – Privacy108 | Australian Data Privacy & Security Consulting

Ensuring AI supports Human Rights? Recommendations from the Australian Human Rights Commission – Privacy108 | Australian Data Privacy & Security Consulting

New AI Regulation in the EU: A risk based approach with teeth – Privacy108 | Australian Data Privacy & Security Consulting

And finally, if you’re interested in hearing from Jeremy Lee, who acted for himself in the Lee v Superior Woods proceedings, listen to this Podcast from the ABC Law Report.

Disclaimer

Privacy108 publications and communications constitute commentary and are for general information only. They should not be relied upon as legal advice. Formal legal advice should be sought for specific issues concerning this material. Listed authors are not admitted to practice in all Australian States and Territories.

[1] Lee v Superior Wood [2019] FWCFB 2946

[2] https://www.buzzfeed.com/hannahryan/clearview-ai-australia-police

[3] https://theconversation.com/australian-police-are-using-the-clearview-ai-facial-recognition-system-with-no-accountability-132667

[4] Australian Privacy Principle 3.3

[5] Australian Privacy Principle 5

[6] https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/biometric-scanning/

[7] https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-3-app-3-collection-of-solicited-personal-information/ at [3.23]

[8] [58].

[9] Section 7B(3) Privacy Act

[10]Lee v Superior Wood [2019] FWCFB 2946 [56]

[11] https://www.oaic.gov.au/privacy/your-privacy-rights/surveillance-and-monitoring/biometric-scanning/

[12] https://www.oipc.bc.ca/news-releases/3445

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.