Complainant

Respondent

Anonymised Parties

An Information Technology Officer

A Credit Union

Representatives

Alastair Purdy, Solicitor

Act

Complaint/Dispute Reference No.

Date of Receipt

Complaint seeking adjudication by the Workplace Relations Commission under Section 8 of the Unfair Dismissals Act, 1977

CA-00030421-001

22/08/2019

Complaint seeking adjudication by the Workplace Relations Commission under Section 12 of the Minimum Notice & Terms of Employment Act, 1973

CA-00030421-002

22/08/2019

The complainant commenced employment with the respondent’s credit union on April 30th 2018, in the role of IT officer. He was recruited on an annual salary of €47,864. The job description that was submitted in evidence at the hearing shows that his key responsibilities were:

§    Operations management, including the provision of IT support to staff and management;

§    Technical support, including maintenance of hardware, consulting with third party suppliers and training of staff;

§    IT governance, involving collaboration with the Risk, Compliance and Audit functions on governance, IT security and operational issues;

§    Service management, including the monitoring and management of IT processes and the development of risk assessment and disaster recovery processes;

§    Relationship management, ensuring that service level agreements are met and reviewing of supplier performance;

§    Project work.

When he started in the job, the complainant reported to the general manager, but following a probation review in January 2019, he moved his reporting line to the risk officer.   The risk officer was more familiar with the job of IT officer, having previously held that role.

On February 19th 2019, the complainant gave the global administration password for the credit union to a member of staff in a remote office. He was helping the staff member to install an application on his computer. At an investigation meeting with his manager the following day, he accepted that he had made a serious mistake and he apologised and said he would be more careful in future. No disciplinary action was taken and the complainant was instructed to review the IT security policy and to ensure that he understood the requirement for password secrecy.  

Between March and May 2019, as a result of further issues concerning the complainant’s ability to do his job, he was placed on a performance improvement plan (PIP). On June 18th, he was on the telephone providing IT support to another member of staff in a remote office.   When he was on the call, he gave the staff member the credit union’s administration password, so that he could gain remote access to that employee’s computer. An investigation was initiated into this breach of IT security. Before the investigation started, on June 21st, when she was finished a meeting with an external vendor in the credit union board room, the general manager discovered a note underneath the board room laptop which had been placed there by the complainant. The note provided written instructions on how to access the organisation’s secure data, including the encryption password code for the laptop and the administrator’s log-in details. This further breach of IT security was included in the terms of reference for the investigation into the complainant’s conduct.

Following the investigation, at a meeting on July 11th 2019, the complainant was dismissed without notice. The complainant argues that his dismissal was unfair. He claims that, overall, he was doing well in his job and that the issues addressed during the investigation “could have been sorted out internally.” He claims that if he had known that he could be dismissed, he would have made a stronger case in defence of his actions.

On behalf of the credit union, Mr Purdy submitted that in accordance with section 27 of the complainant’s contract of employment, the respondent was entitled to dismiss him.   Section 27 of his contract provides as follows:

“In the event of termination of your employment by reason of gross misconduct on your part, you will not be entitled to receive notice in accordance with this clause.”

Notwithstanding what Mr Purdy described as “this absolute right,” he asserted that in accordance with section 6(4)(b) of the Unfair Dismissals Act, the dismissal of an employee for reasons related to conduct is not unfair if there are reasonable grounds to justify the dismissal. The complainant’s dismissal arose his from failure to comply with critical IT policies that resulted in a breach of his employer’s trust and confidence in his ability to do his job. In this regard, Mr Purdy said that the respondent has acted reasonably and has met the objective test of reasonableness, as demonstrated in the findings of the following legal precedents:

Hennessy v Read and Write Shop Limited, UD 192/1978

Bunyan v United Dominions Trust [1982] IRM 404

British Leyland UK Limited v Swift [1981] IRLR 91

Smith v RSA Insurance Ireland Limited UD 1763/2013)

In determining the reasonableness of the respondent’s decision to dismiss the complainant, Mr Purdy said that consideration must be given to his conduct on February 19th, June 18th and June 21st 2019 when he breached the IT security policy by disclosing the global administration or other secure IT administration passwords to a third party, immediately compromising the credit union’s IT security.

At the hearing, Mr Purdy said that the credit union is licensed by the Central Bank of Ireland to operate as a financial institution under certain rules and procedures. Security of data and confidentiality of customer information is a critical requirement of the credit union’s license to operate.   The complainant’s contract provides that,

“You will be expected to keep all information concerning the credit union, its members, clients, fellow employees, stakeholders and any other businesses or credit unions within the Irish credit union movement with whom you are involved as an employee of the credit union, absolutely confidential. Any deliberate breach of confidence will be regarded as a matter justifying summary dismissal.”

Despite the fact that, on February 19th 2019, the complainant was aware of the seriousness of his conduct, he committed two further breaches in June. At the hearing, the risk manager, who is the complainant’s line manager, gave evidence concerning the incident that occurred on June 18th. He said that he was in the room with the complainant and two others when the complainant was on the telephone to a staff member in another office. The complainant was attempting to assist the staff member by logging on to his computer remotely. The risk manager said that he told the complainant to “give him the password,” which involved opening a remote access password and amending it with an “x.” However, he then heard the complainant giving the staff member the administrator’s password. He said that the complainant doesn’t regard this password as an administrator’s password and he didn’t seem to appreciate the seriousness of what he had done. He appeared to simply consider the administrator’s password as a way of remotely logging in.

In classifying the complainant’s conduct as gross misconduct, Mr Purdy referred to the case of Pacelli v Irish Distillers Limited, UD 2006/417. Here, the Tribunal stated that the test to be applied to the actions of an employer who dismisses for gross misconduct was the question of what a reasonable, prudent and wise employer would do in the circumstances.

On the issue of the fairness of the procedures that resulted in the complainant’s dismissal, it is the respondent’s case that the complainant’s right to fair procedures and natural justice were adhered to at all times. The procedure followed by the managers leading up to the complainant’s dismissal was summarised as follows:

§    There was an independent investigation by a third party;

§    The facts surrounding the allegations against the complainant were thoroughly investigated;

§    The complainant was provided with all the relevant documentation before the investigation meeting and the disciplinary meeting and he was put on notice of the complaints regarding his conduct;

§    The complainant was made aware of the severity of the breach and that disciplinary action may include the termination of his employment;

§    Each stage of the disciplinary procedure was conducted by a different person;

§    The complainant was afforded the right to be represented at the investigation and disciplinary meetings;

§    He was issued with written confirmation of the reason for his dismissal;

§    He was given the right to appeal.

The respondent’s submission states that the complainant was not only made aware of the severity of the allegations against him, but he was given every opportunity to prepare for the meetings and to be represented and to rebut the allegations, but he failed to do so.

In his submission at the hearing, the complainant referred to the incident that occurred in February 2019, when he gave what he described as the domain admin password to a colleague in the Cork office to enable him to complete an installation.   He said that he was given a verbal warning as a result of this breach of password protocols. It is apparent however, from the documents submitted in evidence by the respondent, that a warning was not issued and the complainant was instructed to review the IT security policy and to ensure that, in the future, he did not provide administrator passwords to employees.

The complainant then referred to the disciplinary meeting of June 28th 2019, which was held to discuss two incidents. The first of these was the fact that he gave an administrator’s password to an employee in another branch of the credit union. The complainant said that this was “not perceived by me as an admin password but as a remote access password that allows access to the PC, with the users consent by clicking OK to allow the remote access request.” The risk manager had heard the complainant’s interaction on the phone and he advised him to give the colleague “the password.” It subsequently emerged that the risk manager did not intend the complainant to reveal the administrator’s password. In the note of the disciplinary investigation held on June 28th, the complainant said, “I feel I misunderstood (my manager) and I gave the administrator’s password in error.” At the hearing, the complainant said that his action was due to a misunderstanding and should not have been the subject of a disciplinary investigation.

In a written response to the employer’s submission, the complainant disagrees about the seriousness of sharing this password with the employee in the branch office. He said that it was not a global password and remote access does not require the sharing of a global admin password. He also said that the method of providing an alternative password to a user so that they can facilitate remote access is not well known.

In his submission, the complainant challenged the risk manager’s assessment of the risk presented by the administrator’s password being given to a staff member. He said that if the risks were as described by the risk manager, and if a “rogue file” could be dropped on to older computers then, this was never highlighted. He said that before his time, and when he was employed by the credit union, the remote access password was never identified as a high-level password. He also said that he advised his manager to include a reference to higher level passwords in the IT Security Policy, but that this wasn’t done.

The second incident was the fact that the complainant left instructions on a piece of paper under the laptop in the board room. He had configured a new laptop for the boardroom and a meeting of staff and directors was scheduled for the evening of June 21st. The note contained the log in details for the administrator account of the laptop and the encryption password. The complainant said that he wasn’t sure if the people using the laptop would be checking their emails so he left the instructions to assist them. In his submission, the complainant said that he advised a colleague where the piece of paper was hidden, but it was discovered by a different colleague and given to the general manager. He said that no information was released outside the credit union as a result of him leaving the note in the room.

In his second written submission, the complainant said that what he described as “this cheat sheet” was meant for the use of just one person, and not everyone at the meeting and it was to be disposed of afterwards by that person.

In this submission, the complainant said that his manager’s recollection of the incident of June 18th is different to his recollection. At the investigation meeting, he said that his manager referred to offsite training that he claims he never received.   Finally, he said that his manager raised an issue about the sending of an IT report by email which, he claims, resulted in unfair influence on the decision-maker. He said that he was praised for his work and, during a PIP review, his manager suggested that his workload might be impacting on his performance. He said that he introduced a weekly report that indicated progress and the completion status of assigned tasks. He said that no information was disclosed as a result of his actions and “why let me go over issues that could have been sorted internally?”

The complainant said that he did not appeal against his dismissal because he didn’t think he would get a fair hearing due to the close working relationship of the risk manager and the general manager and, because the general manager would hear the appeal. He said that he needed proper professional advice to conduct an appeal.

The Legal Framework

Section 6(1) of the Unfair Dismissals Act 1977 – 2015 (“the Act”) provides that:

“Subject to the provisions of this section, the dismissal of an employee shall be deemed, for the purposes of this Act, to be an unfair dismissal, unless, having regard to all the circumstances, there were substantial grounds justifying the dismissal.”

As set out in the respondent’s submission, section 6(4)(b) of the Act provides that;

“…the dismissal of an employee shall be deemed, for the purposes of this Act not to be an unfair dismissal if it results wholly or mainly from …the conduct of the employee.”

The burden of proof rests with the respondent to establish the substantial grounds justifying the dismissal of the complainant in this case. The letter of July 12th 2019 sets out the reasons for his dismissal:

“You have failed to understand the severity of your actions and have blatantly disregarded the training provided to you in understanding the importance of safeguarding the credit union systems, networks and data.   Based on the balance of probabilities, you are knowledgeable of the correct procedure of what constitutes an unauthorised release of credit union information. You breached company policies which amounts to gross misconduct.”

“Given your capacity in safeguarding the IT resources of the Credit Union, this conduct founded (sic) is inexcusable. It has resulted in a serious breach of trust in your ability to manage same and to follow the Company policy. Your failure to comply with the policies and procedures is unacceptable. Your actions clearly fall short of your responsibilities entrusted to you.”

In summary, the complainant was dismissed because he revealed critical and secret IT passwords to people who were not authorised to have them and because he failed to appreciate the seriousness of this actions.

Was the Decision to Dismiss Reasonable and in Proportion to the Conduct?

My role here is to consider if, as set out in Pacelli v Irish Distillers Limited, the respondent’s decision to dismiss the complainant was done so on the basis of what “a reasonable, prudent and wise employer would have done having regard to the nature of the case.”

In his evidence, the complainant said that he was getting on well in his job; however, this was clearly not the case because, in January 2019, he was moved to report to a manager who had greater oversight of the IT function and then he was placed on a performance improvement plan.  In February 2019, following an incident in which he gave the global administrator password to an employee in another branch, he apologised and said that he would be more careful in future. On June 18th, he again provided an administrator password to a staff member in another office, although he claims that the password he divulged then was a remote access password and less risky. The risk manager does not agree that the password that he provided over the phone on June 18th was simply a remote access password and I find the manager’s evidence on this matter more credible.

Three days after this incident, on June 21st, the complainant left written instructions to whoever was hosting an evening meeting in the credit union board room, with the administrator’s log in and encryption password for a new laptop.   From his evidence at the hearing, it appears that he was unsure who was hosting the meeting or who would use what he described as a “cheat sheet,” to log on to the computer.

In February 2019, when the complainant gave the administrator password to a colleague during a telephone call, the risk manager accepted his apology and his undertaking not to repeat the behaviour. It is my view that, as an employee who was still on probation, it would have been reasonable to dismiss the complainant then. When he behaved in a similar manner twice in June, it was reasonable for the respondent to initiate a disciplinary investigation.   The complainant did not deny that he gave out the passwords. He accepted the seriousness of the June 21st “cheat sheet” incident, but he thinks that he shouldn’t have been dismissed.

I have considered this matter and I disagree with the complainant’s position concerning his dismissal. I note that he has an honours degree in IT Management, is a Microsoft certified system administrator and he holds a certificate of excellence from Microsoft.   As part of his induction, he had formal training on the company’s IT and Information Security Policies, which he was subsequently involved in reviewing and updating. Following the February incident, the complainant was reminded of the importance of password security. Clause 11 of the IT / Information Security Policy that was submitted in evidence is headed “Information Exchange” and states as follows:”

“To minimise the risk to the Credit Union from external business connections required by authorised personnel or companies, access must be restricted so that in the event of an attempt to access the credit union’s information systems, the amount of information at risk is minimised.

“Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.”

As an IT professional, the complainant’s conduct in divulging critical passwords is inexplicable and inexcusable. At a meeting with his manager the day after the incident on February 19th, he said that “he fully understood and accepted the seriousness of the breach…” It seems therefore, that he understood the seriousness of the risk he caused to the integrity of the IT system and the security of information on the system.   I can only surmise that by repeating the offence on June 18th, he must have been distracted or pre-occupied and his mind wasn’t on what he was doing. His decision three days later to write the log on credentials for a board room computer on a piece of paper in the board room is baffling, even if for someone not qualified in IT. His explanation is even more worrying: “I wasn’t sure if those who would need access to the laptop would be checking their mails so I left a note…” This response demonstrates a complete disregard concerning who needed the information and who might unwittingly find it. It seems to me that again, with this incident, the complainant didn’t give his full attention to his job.

I understand that at present, when Ireland is experiencing almost full employment, it is difficult to find experienced and qualified people to fill roles in IT. In February 2019, when the complainant committed the first serious offence, it seems to me that his manager was hoping for the best that he could turn things around, even though his first months were not encouraging. The incidents of June 2019 showed that he was not the right person for the job of IT manager in a regulated environment and it is my view that any reasonable employer would have dismissed him.

Was the Process Fair?

Having reviewed the notes of the investigation meeting and the disciplinary outcome meeting that were submitted in evidence, I find that the complainant represented himself well and had an opportunity to argue against his employer’s concerns that his behaviour merited a serious sanction such as dismissal. He was accompanied by a colleague at the investigation meeting and by a different colleague at the disciplinary outcome meeting. I am satisfied that the complainant was dismissed at the end of a procedure that was conducted fairly and without bias.

It is my view that, in advance of submitting his complaint to the WRC, the complainant had an obligation to use the company’s appeal procedure to argue against his dismissal.   His failure to conclude the process to its end is evidence of his disrespect for standard workplace procedures and for the resources of the WRC.

Having considered all the evidence, verbal and written, and having taken account of the legal framework regarding the dismissal of an employee due to misconduct, I have decided that from a substantive and a procedural perspective, the decision to dismiss the complainant was not unfair.

In his submission relating to notice, the complainant said that he worked up to the day of his termination meeting. He asked if the issue was classified as gross misconduct, why was he allowed to remain at work?

In their submission, the respondent referred to section 8 of the Minimum Notice and Terms of Employment Act 1973-2017 and the employer’s entitlement to reserve the right not to give an employee notice where they are being dismissed for gross misconduct.   As the complainant was dismissed for gross misconduct as provided for under section 6(4)(b) of the Unfair Dismissals Act, the respondent’s position is that he is not entitled to statutory notice.  

In advance of the outcome from the investigation and the disciplinary outcome meeting, no decision was made regarding the classification of the complainant’s actions as gross misconduct. This came at the conclusion of the disciplinary process. Nothing arises from the respondent’s decision not to suspend him and to allow him to continue working for three weeks, pending the outcome of the investigation.

I find that because the complainant was dismissed due to gross misconduct, he is not entitled to notice or pay in lieu of notice.

As I have found that the complainant was not entitled to notice, I decide that his complaint under the Minimum Notice and Terms of Employment Act 1973 is not upheld.

Dismissal, gross misconduct