During the course of their employment, employees may have access to confidential information which belongs to their employer. This information may be in the form of personal information provided by customers and is therefore sensitive in nature.
While access to customer information may be required by an employee in order to carry out their duties, it is critical that employers have policies in place to protect customer information and ensure that it is not misused or improperly accessed.
The importance of employers having policies in place is demonstrated in a recent case, where the Fair Work Commission (FWC) upheld an employee’s dismissal after finding that she had contravened policies which were in place to protect customers’ confidential information.
The employee was a part-time personal banker who had been employed by ANZ. Following an investigation, ANZ found the employee had engaged in unacceptable conduct by using its software system on a number of occasions to search and access the profiles of customers without approval or a legitimate purpose.
Amongst those customer profiles accessed by the employee were accounts held by her brother, a colleague and a celebrity.
Unfair dismissal claim
ANZ’s policies stated that employees were not permitted to access customer accounts including those belonging to family members or friends without an appropriate business reason or account holder approval.
Accordingly, ANZ commenced disciplinary action against the employee putting allegations to her of unacceptable conduct. The employee denied all of the allegations and instead suggested that another person had tampered with her work station to obtain her password which was kept in a drawer and used it to conduct the searches in question.
ANZ did not accept the employee’s explanation and terminated her employment immediately on the grounds that she had contravened ANZ’s policies and procedures by deliberately and repeatedly accessing its customers’ confidential information.
The employee subsequently lodged an application with the FWC claiming that ANZ had unfairly dismissed her.
The employee denied all allegations and submitted that she had no knowledge of why the searches were made, although acknowledged that her account had been used to carry out the searches. She claimed that she did not know any of the people whose accounts were accessed and therefore had no reason to search for people not known to her.
The employee also accused ANZ of creating accounts under her family member’s name to support the allegations against her and subsequent termination. However, in response to ANZ’s evidence indicating the contrary, the employee conceded that this was in fact inaccurate.
The employee maintained in her submissions before the FWC that an unknown person had tampered with her work station to conduct the searches themselves and that she had raised this concern with senior management on a number of occasions, however her concerns were disregarded.
In response, ANZ submitted that the employee’s explanation was not “plausible” or “logical” as:
- The employee was the only consistent employee working at the time each search was conducted;
- It was policy for all employees to change their password every 60 days; and
- The searching of accounts occurred in a short period of time between the employee having made legitimate work-related searches.
The FWC agreed with ANZ and found that the employee’s explanations were “completely without substance” and on the balance of probabilities, the misconduct alleged was indeed undertaken by the employee.
The FWC noted that ANZ’s customers entrusted them with highly sensitive and personal information and to allow the employee to continue with her employment would directly undermine ANZ’s values.
On this basis, it found that there was a valid reason for the employee’s dismissal.
While the FWC acknowledged that the employee would now struggle to obtain employment in the banking industry given she had to disclose her misconduct with future employers in line with industry protocol, it considered this factor to be significantly outweighed by the employee’s continual denial and lack of remorse for the apparent misconduct.
The FWC held that the employee had not been unfairly dismissed and accordingly dismissed her application.
A lesson for employers
This case serves as a reminder for employers to ensure that they have policies in place regarding the access and use of confidential information. Where it involves personal information, these policies should reflect the Australian Privacy Principles in relation to access, use and non-disclosure of personal information.
Employers must also ensure that their policies are regularly communicated to employees, as this knowledge can be relied upon in the event there is a breach of policy.
This article was first published by Workplace Law.