The Elusive Notion of “Consent “in the collection of sensitive data Under the Privacy Act
Errol Price, Legal Director at Symmetra Global discusses the elusive notion of consent in the collection of sensitive data as seen in the case of CFMMEU and Ors v BHP Coal Pty Ltd t/a BHP Billiton Mitsubishi Alliance/ BMA and Ors.
As employees return to work in physical workplaces after the COVID pandemic enforced virtual and distance working, employers must wrestle with a range of new circumstances. Many employers will require that employees and visitors have been vaccinated before entering business premises. Others will consider it desirable to have a permanent record of their employees’ vaccination status. Sometimes the right of an employer to make these sorts of demands will be contested.
This was the situation in the case of:
CFMMEU and Ors v BHP Coal Pty Ltd t/a BHP Billiton Mitsubishi Alliance/ BMA and Ors [i]
The Fair Work Commission (FWC) had to weigh whether an employer could legitimately apply economic pressure to secure the vaccination records of its employees The FWC held that it could do so lawfully. In this respect it is submitted that the conclusion of the FWC was wrong.
Salient Facts
On 7 October 2021 employees of coal mines operated by BHP in Queensland were informed of a Site Access Requirement (SAR) which provided that as a condition of entry to a site they would:
a) have to be fully vaccinated against Covid-19 and
b) would have to provide proof of vaccination which would be collected and stored by BHP in a data base controlled by BHP or an independent organisation acting under its direction.
Failure by an employee to accede to the demands embodied in both (a) and (b) would result in denial of access to any BHP sites and consequent dismissal of the employee.
An employee’s vaccination status could be recorded either by
i. uploading it directly onto a vaccination portal; or
ii. by visiting designated stations on-site at which authorised personnel could sight and record the vaccination information.
Some employees apparently resisted these demands, and a dispute arose for determination before the Fair Work Commission under section 739 of the Fair Work Act (2009). The Unions acting on behalf of the employees were the Applicants.
The Issues
In essence, the questions to be resolved were to what extent could an employer enforce its will to : firstly, deny an unvaccinated employee access to a worksite and secondly, demand the right to record and store permanently personal vaccination data of the employee.
These are distinct legal issues, and their resolution necessitates different lines of inquiry.
A conclusion that the employer was entitled in law to deny entry to an unvaccinated worker does not imply as a corollary that the same employer has unfettered right to record proof of vaccination.
Resolution of the first issue (the right to deny access) depends on whether the employer is adjudged to be taking legally appropriate steps to maintain a safe workplace. Resolution of the second issue depends purely on interpreting the Privacy Act (1988).
Where the Fair Work Commission fell into error
For the reasons which follow it is submitted that the Commission misapplied the provisions of the Act. It concluded that the Privacy Act permits an employer to stipulate that an employee must accede to collection or be fired. This conclusion was reached after the Commission had set out its interpretation of the Act in general and Australian Privacy Principle 3.3 more specifically.
In Section 2A of the Privacy Act, amongst the objects of the Act are:
a) “to promote the protection of the privacy of individuals; and
b) to recognise that the protection of the privacy of individuals is balanced with the interests of the entities in carrying out their functions and activities. “
Thus, protection of personal data is the pre-eminent and overarching purpose of the legislation. The mischief which it seeks to guard against is the illegitimate collection and use by organisations or agencies of such data.
It was common cause that information relating to Covid-19 vaccination is ’sensitive Information’ as defined by the Act. Sensitive information is entitled to a higher degree of protection than ordinary personal information.
As stated above, the decision turned on the interpretation of Australian Privacy Principle 3.3 (one of thirteen privacy principles appended to the Act)
Relevantly the APP provided:
“An APP entity must not collect sensitive information about an individual unless:
i. The individual consents to the collection of the information and;
ii. if the entity is an organisation, the information is reasonably necessary for one or more functions or activities.”
The Commission correctly observed that the permissive part of the APP allowing the collection of the data had two arms both of which had to be satisfied; one being consent and the second being the reasonable necessity to store the information. The Commission found that both arms were indeed satisfied. In this respect, we submit with respect that it erred.
Two preliminary points can be made about the APP quoted above.
Firstly, it begins with a broad prohibition against the collection of sensitive data which is then qualified by a proviso or exception. The authorities are clear that where a party relies on a proviso or exception, the onus of proof rests on that party to bring itself within its boundaries. [ii] That onus would have rested on the employers in this case.
Secondly, having regard to the way the APP has been linguistically and structurally cast, the element of consent is logically and analytically anterior to any consideration of the second arm, that is whether the organisation reasonably needs to store the data. If the organisation falls at the consent hurdle, the second arm is irrelevant.
The Appropriate Standard for Consent Under the Privacy Act
The element of ‘consent’ plays a role, often crucial, in many areas of the law: criminal; contract tort statutes and so forth. It will mean different things, depending on the context.
But intrinsic to the law’s view of consent is the premise that humans are agents with free will. The presumption is that rights are acquired and obligations are assumed by persons able to exercise a choice. Where no choice is offered or where the so-called choice is illusory and not real there cannot be true consent.
The extraordinary conclusion reached by the Commission in the case above is that a threat of severe adverse consequences including crippling financial outcomes by way of losing one’s employment does not vitiate the consent requirement under the legislation.
The Commission stated:
“While I accept that employees faced with a direction that requires them to consent to providing sensitive information on the basis that if they do not do so their employment will be terminated have a difficult decision to make. I do not accept that this constitutes coercion or duress of the kind that vitiates consent or results in consent not being legally effective. “
It is hard to imagine any more blatant or serious form of coercion than being assured of losing employment if one does not capitulate.
In this regard the website of the Australian Information Commissioner states:
“You give voluntary consent if you’re not forced or pressured to give your consent.” [iii]
No one who must accede to sensitive data being collected or be fired can be held to have consented in any meaningful respect.
Moreover, in many foreign jurisdictions where the relevant legislation has ‘consent’ as one of the grounds for permitting collection of personal data it is emphasised that an extreme imbalance in bargaining power nullifies any ostensible consent. The prevailing views amongst the authorities who administer the legislation as well as most legal commentators is that the ‘consent’ ground in the legislation should either not be used in the employer-employee relationship or, if used, should only be done with the highest degree of caution. [iv] [Note that both under the Australian Privacy Act and most foreign legislation, where consent cannot be obtained, there may be other bases provided for the lawful collection of personal data including sensitive data].
The decision of the FWC in the case considered above means that Australia is out of step with the accepted trends in many foreign jurisdictions with regard to privacy and protection of personal data. In a global environment where companies operate in many countries and data flows across borders continuously, this is an undesirable situation.
It is to hoped that an opportunity will arise soon for the above decision to be reconsidered.
Errol Price has decades of experience in commercial law, and specifically as an advisor to leading companies on equity, discrimination and workplace relations. He has helped in formulating human resource and workplace relations policies for many multinational and blue-chip companies as well as advising clients on the impact of equity and anti-discrimination have helped position Symmetra as one of the leading consultancies on diversity and inclusion. He has expertise in the laws pertaining to discrimination, harassment and bullying in the Australian workplace. This has provided the legal foundation for Symmetra’s highly successful diversity, EEO and anti-bullying and harassment programs, delivered across Australia for the past 15 years.
In recent years, Errol has gained experience in the field of privacy and data security laws in Australia and globally due to the fact that Symmetra is a leader in the provision and administration of online assessments for leaders and employees working in mullti-jurisdictional businesses. Connect with Errol via LinkedIn.
[i] (2022) Fair Work Commission 81
[ii] Vines v Djordjevitch (1955) 91 CLR 512 at 519; Avel Pty Ltd v Multicoin Amusements Pty Ltd (1990) 171 CLR 88 at 119
[iii] https://www.oaic.gov.au
[iv] EU General Data Protection Regulation- Article 4(11); EU GDPR recital 43 : UK GDPR Article 4; UK Information Commissioner’s Office (“Consent”)