
With the recent increase in the availability of facial scanners and fingerprint readers, businesses are increasingly using these technologies to monitor the activities of their staff. It is timely, therefore, to explore the overlap between privacy laws, employment laws, and the increasingly narrow scope of the employee records exemption to the Privacy Act 1988 (Cth) (Privacy Act).

This article examines two judgments that demonstrate the importance of businesses carefully considering how and when they collect and use information about their employees and whether that information is, in fact, personal information for the purposes of the Privacy Act.

Biometric data, such as facial images and fingerprint scans, is classified as 'sensitive information' under the Privacy Act, which means businesses need to exercise extra care when collecting this type of information and ensure consent is obtained.

Lee v Superior Wood [2019] FWCFB 2946

In Lee v Superior Wood [2019] FWCFB 2946:

  • Superior Wood introduced fingerprint scanners to track the attendance of its employees by requiring them to scan their fingerprints on arrival and departure from the site.
  • The company introduced a new Site Attendance Policy (Policy) requiring that all employees use the fingerprint scanners.
  • Mr Lee, an employee of Superior Wood, refused to use the fingerprint scanners and declined to have his biometric data collected and stored.
  • Mr Lee was dismissed for a failure to comply with the Policy.
  • Mr Lee subsequently lodged a claim for unfair dismissal and succeeded before the Fair Work Commission.

The impact of the decision

The Full Bench of the Fair Work Commission held that Superior Wood’s direction requiring Mr Lee to comply with the Policy was not lawful.

Since fingerprints are 'sensitive information' and require consent for collection, the Commission concluded that ' … a necessary counterpart to a right to consent to a thing is a right to refuse it.'  That is, one of the elements of a valid consent is for the consent to be voluntary.  By directing Mr Lee to comply with the Policy his consent was not given voluntarily.

The Commission also held that collecting Mr Lee’s fingerprint data was not 'reasonably necessary' for Superior Wood’s functions or activities in circumstances where other options could have been explored to manage Mr Lee’s attendance at the workplace, given he was the only one of approximately 400 employees who had refused to follow the Policy.

Key takeaways for businesses

There is an exemption (s 7B(3) of the Privacy Act) in relation to employee records for current or former employees. However, the Court confirmed that until the record is held by the employer the employee record exemption did not apply. That is, the personal information needs to be collected lawfully and in accordance with the Privacy Act before the employee records exemption applies. If the information you are collecting is sensitive information—such as biometric data—consent is needed.

Employers should implement a suitable privacy collection notice for employees and ensure that the information collection is reasonably necessary for their business functions.

ALI v AJL (Privacy) [2024] AICmr 131

Even when the employee records are obtained appropriately, the decision in ALI v AJL establishes clear boundaries on the use of such records.

Summary of the key facts

  • An employee experienced a medical episode in the company’s carpark.
  • Colleagues witnessed the incident, during which she was seen unconscious on the ground while CPR was performed.  
  • Following her hospital visit, the employee’s husband gave a full report to the managing director with details of the medical episode, her current condition, the hospital’s name, and his own name. 
  • On the same day, the Managing Director sent an email to all staff disclosing these details.
  • The Privacy Commissioner found that the employee’s privacy had been interfered with as the information provided by the husband was not directly related to her employment but concerned the welfare of the staff who had witnessed the incident.  Therefore, the exemption did not apply.

Conclusion

When using biometric information, companies must ensure the collection occurs in accordance with the Privacy Act (including obtaining a valid consent from the individual), and that the information is then used for a purpose directly related to the current or former employment relationship (and in accordance with the relevant employment contract) in order for the employee records exemption to apply. Any other use will be a use of sensitive information and must comply with the Privacy Act.

Given the limits of the employee records exemption discussed above, businesses should carefully consider the privacy and employment law implications when deploying biometric systems as part of their business to ensure they get the benefit of these technologies while also complying with privacy and employment laws.

 
