Biometric data never needed

The recent cyber-attack on hospitals across regional Victoria highlights that many of the systems we rely on in our health care system are quite vulnerable to these sorts of attacks. It has also highlighted the problems with efforts by some employers to introduce biometric scanning and why the collection and use of biometric data is not needed and should never be allowed.

The Union has been tackling this issue at Monash Health. Management claims it’s about making sure they know who is on site and other so-called safety reasons but they have not been able to justify how this is necessary for the normal operation of the hospital. In fact, they haven’t been very open about anything as they intimidate staff insisting that they hand over extremely sensitive personal data.

Monash management has failed to consult with staff or to even consider alternatives like swipe cards which provide the same information about when an employee ‘signs in’ for work. While they’ll be prepared to discipline an employee for being late, they refuse to guarantee they will pay overtime if the same employee scans out after their shift was supposed to end.

The recent cyber-attack on a significant number of Victorian public hospitals also highlighted the very poor digital security of these hospitals and the very poor level of digital literacy among those required to administer such systems, which is a recipe for disaster. And worse it’s a recipe for your identity to be stolen. All it takes is your finger print, which is the main piece of biometric data Monash Health is demanding be handed over, and your whole identity can be taken – your driver’s license, bank accounts and other highly personal information.

Instead of outlining the measures Monash Health will take to protect data, we get the usual line about how we should trust them. This response also illustrate that they have not fully thought through the implications of collecting biometric data nor have they put in the resources and effort to guarantee that such highly sensitive information is securely stored.

Monash haven’t outlined what will happen if, and when, this data is breached how they will protect your personal identity from being stolen. There are no policies developed about who has access to such data, how that access will be monitored and what happens if access has been unauthorised or records shared without permission.

Legal advice the Union has seen would indicate that Monash Health is on shaky ground given the requirements under the Commonwealth and Victorian Privacy Principles. This advice indicates that organisations must not collect personal sensitive information unless it is necessary for one or more of its functions or activities. We haven’t been convinced nor seen any evidence from Monash Health that the collection of biometric data is necessary for any of its activities or functions, which is delivering health care to patients. And to-date Monash Health hasn’t been able to provide the information members need in order to be properly consulted on such an invasive change to how people are treated.

It is safe to say that between the Commonwealth and Victorian privacy principles there are a lot of grey areas; and it’s not as simple as Monash Health deciding they can simply collect biometric data. It also becomes more complicated at the intersection of the enterprise agreement.

The Union will continue to fight against these sorts of intrusions into your privacy given the poor digital security shown by health services and the very real chance that your identity could be stolen. We want to know how far and wide such initiatives are taking hold, so if your health service is considering finger print scanning or other biometric scanning please let us know as soon as possible.

If you’re working at Monash Health take the pledge and share it with us. It will help us keep the pressure on.

In the meantime, if you have any questions get in contact with us on 9623 9623 or at enquiry[at]

Paul Elliott

Share This Post On