UDD1839

The Adjudication officer, in a decision dated 17^thNovember 2017 decided that the complaint was not well founded.

The within appeal was received by the Court on 20^thDecember 2017.

The Appellant was employed as a night manager with the Respondent from April 2007 until the termination of his employment by way of dismissal on grounds of gross misconduct on 25thMay 2016.

Summary position of the Respondent

The Appellant commenced employment in 2007 and at that time signed a contract of employment which stated that the rules contained in the staff handbook were an integral part of the conditions and contract of employment. The Appellant further signed an Internet, E-mail and Security policy in 2011.

In or about the middle of March 2016 the bar manager, Mr IM, advised the General Manager, Ms ED, that a person, Mr FR, had advised him that the Appellant had a USB with company information on it.

The General Manager and Ms CD, HR, decided to raise this matter with the Appellant and they did so after his shift at 8.00am on 16^thApril 2016. The Appellant confirmed at that meeting that he did have a USB key and he handed it to the General Manager. She inserted the key into a laptop and discovered that it contained a number of sub-folders and shortcuts to PDF reports containing highly confidential company information relating to the business of the Respondent and guests. The General Manager subsequently discovered that the key also allowed access to a folder which contained substantial amounts of company data including Opera reports. The Opera system is the management information system which is the backbone of the hotel.

The Appellant was suspended on full pay later that day due to the potential serious breach of the Respondent’s E-mail and Security Policy. By letter of 19^thApril 2016 he was put on notice that the allegation, if proven, could amount to gross misconduct and result in his dismissal.

A part of an investigation into this matter, the Respondent’s IT providers undertook a review of the Appellant’s company e-mail account and this review indicated that mails had been sent from the Appellant’s company e-mail address to his personal G-mail account and that such e-mails contained company information.

The Respondent wrote to the Appellant on 29^thApril 2016 inviting him to attend an investigation meeting and supplying him with an overview of the Respondent’s financial and customer information accessed from the Appellant’s USB key as well as records of e-mails forwarded from the Appellant’s company e-mail to his personal G-mail account which contained company information.

Investigation meetings were held on 6^th, 10^thand 17^thMay involving the general manager, Ms ED from HR, the Appellant and his representative.

The investigation found that while the material on the USB key could only be accessed through a computer on the Respondent premises it was inexplicable that the Appellant had stored such information as PDF’s and that such information could, in theory, be accessed by unauthorised personnel if the USB key was not secure or kept in a secure manner.

The investigation found that as a night manager there was no requirement for him to have access to the information accessible through the shortcuts on the USB key for the purposes of carrying out his role.

The investigation also found that the Appellant had, in February 2016, sent function sheets to his personal G-mail account. Function sheets contain details of functions held by the Respondent including customer names, numbers of guests, function costs, bedroom rates, booking details, contact details and personal requirements of guests. In addition, the Appellant had, in April 2016, sent historical data related to “Country and Western” payments to his G-mail account.

The Appellant provided no reasonable or coherent explanation in relation to the sending of this information to his personal G-mail account.

A disciplinary meeting was held on 19^thMay 2016. It was chaired by the general manager and Ms CD from HR was in attendance. The Appellant attended with his representative.

Following that hearing the Respondent determined that the actions of the Appellant amounted to gross misconduct. The Respondent decided that the sending of the information, including function sheets, from the Appellant’s work e-mail to his g-mail account was a serious breach of the Respondent’s Internet, E-mail and Security policy. The Respondent also decided that having shortcuts to commercially sensitive financial information and guest personal data via the appellant’s USB key could lead to a serious breach in the Respondent’s guest’s privacy.

By letter dated 21st May 2016 the Respondent advised the appellant of the outcome of the disciplinary process and the termination of his contract of employment due to gross misconduct. That letter also advised the appellant of his right of appeal to the Managing Director, Ms GR.

The Appellant appealed the outcome of the disciplinary process and an appeal hearing was convened on 7^thJune 2016. That meeting was attended by the Managing Director, the Appellant and his witness. Following the meeting the Managing Director met with the General Manager and Ms CD from HR. The Managing Director decided to uphold the decision to dismiss the Appellant by reason of gross misconduct. She found that there had been a serious breach by the Appellant in relation to company information and she was alarmed at his ‘laissez faire’ approach to the handling of information.

The Respondent submitted that the procedures which were followed were fair at all stages and that the Appellant was on full notice of the allegations against him and of the information available to the Respondent which formed the basis for the allegations. He was at all times allowed the opportunity to comment and respond before any decision was made.

The Respondent, relying on relevant authorities, submitted that it was not for the Court to substitute its views for those of the Respondent but rather, having regard to all of the circumstances of the case, to determine whether the decision to dismiss fell within the range of responses of a reasonable employer.

Testimony on behalf of the Respondent.

Ms CD gave evidence on behalf of the Respondent. Ms CD was at all material times responsible for HR in the Respondent hotel.

She said that the Appellant had been provided with the detail of the Respondent’s internet and e-mail policy and had signed for receipt of that documentation. The Appellant had also signed his contract of employment which stated that the Respondent’s standard rules and regulations formed part of his contract of employment.

She stated that the Opera system was the software used to hold all of the Respondent’s key operational information. That system was backed up each day and there was no requirement for any member of staff to otherwise back up the system. She said that the system provided different levels of access to different staff.

She said that the decision to dismiss was taken by the General Manager with no input from her.

She said that the posting by the Appellant of a negative social media comment regarding the Respondent following his dismissal meant that any prospect of re-engagement or re-instatement was not possible.

Under cross examination she stated that the General Manager led the investigation phase and she was merely the note-taker. She said that the hotel did not have an IT department and so relied upon its IT service provider to carry out the technical investigation of the Appellant’s e-mail account. She said that the Appellant was provided with all the material which was discovered by the technical investigation save for the machine codes related to the information which were unintelligible to most readers.

She accepted that the investigation did not establish that the Appellant had disclosed information to any other person or body.

She stated that her role in the disciplinary process which followed the investigation was as a note-taker. She said that the Managing Director who ultimately carried out the appeal met with her only to go through the minutes which she had taken.

The General Manager, Ms ED, gave evidence.

She said that the job of the night manager is to keep the hotel ‘ticking over’ while few staff are there. That job involves cashing up, taking orders and carrying out night audit reports.

She said that she was informed in March 2016 by the bar manager that the Appellant had a USB key containing company financial and other data.

She said that on 19^thApril, at and following a meeting with the Appellant she identified that the USB key contained shortcuts to a range of sensitive data related to the Respondent’s business and that she decided to suspend him with pay with effect from that date.

She stated that, on 29^thApril 2016, she supplied the Appellant with all material upon which she later relied to make her decision to dismiss. That material had been gathered from the USB key and the technical investigation carried out by the Respondent’s IT service provider.

She said that the Appellant had said that the function sheets which he e-mailed to his G-mail account were required for rostering purposes. However, the rosters for the relevant period had been completed and submitted prior to the e-mail of the material.

She did not accept that the Appellant had provided credible explanation as to why he retained data on a USB stick or why he had e-mailed material to his G-mail address.

She said that the decision to dismiss was hers and that the letter of 21^stMay 2016 confirming the dismissal was her letter.

She said that in coming to her decision to dismiss that she had considered alternatives and had taken account of his length of service. She said that she did not trust the Appellant any longer and it was not possible to employ somebody who she did not trust.

Under cross examination she said that Ms CD was a note taker throughout the investigation and disciplinary processes and that she played no decision-making role. She said that the Managing Director who carried out the appeal did speak to her during that process to understand how the decision to dismiss was reached and to have details as regards dates of meetings.

She said that the investigation and disciplinary processes did not establish that the Appellant had supplied any of the material at issue to another person. She said that the USB key could only be used in the hotel. She said that she did not know how the Appellant had procured a USB key and did not know if other managers were aware that the Appellant used such a device. She said that the Appellant had breached the trust placed in him and had offered no credible explanation during the disciplinary or investigation processes.

In response to a question from the Court she confirmed that in the Respondent’s hotel it was normal for her to carry out the roles of investigator and convenor of disciplinary hearings because the hotel had a small number of staff and a flat structure.

Mr C gave evidence. Mr C was an agent of the Respondent’s IT service provider at the material time.

He stated that he prepared a report of the Appellant’s e-mails which contained the subject line but not the content of e-mails sent from the Appellant’s e-mail account at work to his home e-mail address. He stated that he did not carry out an examination of the Appellant’s USB key.

Ms GR, Managing Director of the Respondent gave evidence. Ms GR was the person who heard the appeal of the outcome of the disciplinary process.

Ms GR heard the appeal on 7^thJune 2016. She said that she had no involvement in the decision to dismiss the Appellant. The Appellant attended the meeting accompanied by a manager and a note taker from HR was present.

She concluded that the conduct involved was gross misconduct. The shortcuts created on the USB key and the files which had been created on the system were, to her view, not relevant to the performance of the Appellant’s job.

In addition, the fact of having sent sensitive material to his private G-mail account was very serious.

All of the material involved was very important and sensitive and the Appellant’s handling of that information in contravention of the policies of the Respondent was very serious.

Under cross examination she said that she had met with the General Manager and Ms CD as part of the appeal procedure and they confirmed that they viewed the conduct of the Appellant as gross misconduct.

She confirmed that her decision was to uphold the finding of gross misconduct and that the breaches she considered the creation of files and shortcuts to information not relevant to the work of the Appellant and the use of a USB key to store those shortcuts as breaches of the Internet, E-mail and Security policies of the Respondent. She similarly found that the sending of e-mails containing commercially sensitive data and information to his personal e-mail account to be breaches of those policies.

Summary position of the Appellant

The Appellant submitted that the basis for his dismissal was that he had breached the respondent’s internet and email security, had breached confidentiality, privacy and copyright and data storage policies.

He submitted that the breaches alleged by the Respondent were vague and generalised and described what may have been risks. The Respondent did not attribute any ill-will or malice on the part of the Appellant or indicate that any gain or benefit had accrued or might accrue to him.

The Appellant also submitted that the investigation and disciplinary processes were pre-determined and prejudiced.

He submitted that he did not know that he was doing anything wrong as staff receive e-mails from the hotel to their personal e-mail account all the time. During the investigation and disciplinary process, the allegations against him and possible consequences were subject to change. He was not made aware of the extent of the investigations carried out by the Respondent and / or the information gathered in the process.

The Appellant submitted that he did not breach the policies of the Respondent and that the risks alluded to by the Respondent were introduced as a means to smear the appellant.

He submitted that the alleged breaches did not constitute misconduct.

He submitted that no data or documents could be opened on the USB key and his use of the key was known by management for years. He also submitted that the shortcuts on the key could only be accessed on a computer that was connected to the hotel system.

He submitted that he was dismissed as part of ‘some other management agenda’.

Summary testimony on behalf of the Appellant

Ms SC, a former employee of the Respondent gave evidence.

She said that most managers received e-mails on their mobile phones and she had also received such mails. She continued to receive company mails for four or five months after she left the employment of the Respondent.

She said she had a USB key for forecasting purposes and for doing business related presentations. She said that people did use USB keys in the employment of the Respondent.

Under cross examination she confirmed that she had signed confidentiality agreements with the Respondent. She also confirmed that the fact that she received e-mails after she left the employment was an error and that she had not notified the Respondent of the matter.

Mr MH, a former employee and night auditor gave evidence.

Mr MH said that as a night auditor he was required to save five different files to the Opera system every night and he confirmed that he was required to change his roster occasionally.

Under cross examination he stated that he was not aware of the nature or type of file he was required to save each night.

He stated that, notwithstanding that he had been dismissed by the Respondent as a result of an alleged breach of the Respondent’s social media policy, he held no grudge against the Respondent.

The Appellant also gave evidence

He stated that he had been employed in the industry prior to his employment by the Respondent in 2006.

He ran the hotel at night and was responsible for problems in a range of Departments from 11.00pm to 7.00am.

He stated that he needed the USB key to provide shortcuts to important documents he required in his role and he had always used the key.

He had e-mailed function sheets to his personal e-mail account because of potential changes to rostering requirements as the event came closer.

He had sent material regarding events which had taken place years previously to his personal e-mail account in order to protect himself should any queries arise therefrom which could affect him negatively.

He said that he had left the USB key in a pigeon hole facility on occasion but that pigeon hole was accessible only to authorised staff.

Under cross examination he stated that he had a requirement for all data which was accessible via the shortcuts on the USB key and the material which he sent his personal g-mail account was relevant to possible roster changes should they occur. He also clarified that he sent material in 2016 to his personal account concerning functions which had occurred no later than 2014 because he had decided that there may have been cash handling irregularities associated with those events and he wished to provide protection for himself if any query ever arose.

Discussion

The Court has given careful consideration to the written and oral submissions of the parties and the evidence tendered by both parties.

It is clear that the Respondent places great weight on the importance on its commercial data and regards that information as central to its business operations. It is also clear that the Respondent’s Opera system holds a range of personal data regarding the customers of the client’s business.

The Appellant contends that no actual breach of the security of the system occurred as a result of his use of a USB key or as a result of his mailing of data and information to his personal e-mail account.

The Court notes the extensive policies of the Respondent dealing with internet and e-mail security as well as data storage.

The Court notes that the Appellant has contended that function sheet information was e-mailed to his personal g-mail account because of his concern that, notwithstanding that the rosters for the events had been drawn up and submitted, they might require to be changed. The Court notes the comprehensive nature of the data held on function sheets in the Respondent business. The Court also notes that the rosters at issue relate to a maximum of three people and that is the accepted reality that rosters for these staff change rarely throughout the year once they have been drawn up.

The Court therefore finds that the reason proffered for the mailing of a comprehensive range of function related data to the personal e-mail account of the Appellant lacks credibility.

The Court notes that the Appellant, in 2016, e-mailed from his business e-mail account to his personal account a range of information regarding functions held no later than 2014. The Court notes the Appellant’s evidence that this occurred because he had decided that he should do so at that remove in time because of a concern as regards the propriety of cash handling arrangements at those functions and a desire to protect himself. No evidence has been put before the Court as to any event or happening which could have triggered this concern in 2016. As a result, the Court finds the evidence of the Appellant in this regard lacks credibility.

The Court notes that there is a conflict of evidence between the parties as regards the requirement for the Appellant in his role to have ready access to the type of data available through the short cuts on the USB key. The General Manager and the Managing Director have each given evidence that the Appellant did not, in his job role, require access to such data. The Appellant, on the other hand, has failed to explain adequately to the Court the reasons why he required such access to such comprehensive information.

It is not for the Court to substitute its view for that of the Respondent in this case. It is rather for the Court to determine whether the decision to dismiss was within the range of responses of a reasonable employer in the same circumstances.

In this case the Respondent had articulated a range of policies dealing comprehensively with internet and e-mail security. The Appellant failed to provide the Respondent with a reasonable account of the reasons why he would have e-mailed sensitive data to his personal e-mail account and why he would have been required to use a USB key to provide him with access via a shortcut to a wide range of sensitive commercial data on the Respondent’s Opera system.

In all of the circumstances the Court accepts that the Respondent was satisfied that the Appellant had breached its internet and e-mail security policies and that the Respondent regarded such breaches as extremely serious.

In those circumstances the Court finds that the Respondent’s decision to dismiss the Appellant following the conduct of an investigation and disciplinary process was within the range of responses of a reasonable employer to the conduct of the appellant and was not unfair within the meaning of the Act.

Determination

The Court, for the reasons stated above, determines that the appellant was not unfairly dismissed.

The decision of the Adjudication Officer is affirmed and the appeal fails.

The Court so determines.

Signed on behalf of the Labour Court



Kevin Foley
LS______________________
28 June 2018Chairman



NOTE

Enquiries concerning this Determination should be addressed to Louise Shally, Court Secretary.