Employer argues it was 'unauthorised' use despite 'genuine legitimate work'
A worker recently filed a dismissal claim over his termination concerning his unauthorised access to his employer’s IT systems while he was abroad.
Diandong Ren started his role with the Bureau of Meteorology on September 25, 2018, employed as a non-ongoing Australian Public Service (APS) worker.
He was a research scientist in the Satellite Data Assimilation team in the Melbourne office.
As an APS worker, Ren had to follow various policies, including the APS Code of Conduct, APS Values, Acceptable use of Information Systems Policy, Secure Mobile Computing Procedure, Working from Home Procedure, and the Bureau of Meteorology Enterprise Agreement.
During his induction, Ren was familiarised with these policies and reminded of his obligation to comply, reinforced by annual refresher training.
On August 23, 2022, Ren had his approved recreational leave until September 16, 2022. However, concerns arose on September 28, 2022, when his supervisor complained to the employer that Ren hadn't returned to work onsite in Melbourne, allegedly representing himself as working in Australia while still overseas.
Subsequent inquiries led to a request for information about Ren's overseas work activities, and later, a direction to provide evidence of his travel dates to the United States by October 24, 2022.
Allegedly failing to comply with this direction, Ren faced a Notice of Suspected Breach of the APS Code of Conduct on October 25, 2022, prompting a formal investigation.
The investigation focused on unauthorised network access, non-compliance with Working From Home arrangements, making false statements about his whereabouts, and failure to follow a lawful and reasonable direction.
After submitting a draft report on December 21, 2022, the employer shared its preliminary findings to Ren on January 17, 2023, inviting a formal response.
In his reply on January 19, 2023, Ren questioned the basis for the allegations and expressed confusion about the situation.
Around March 2023, the employer concluded that Ren breached the APS Code of Conduct. Ren then wrote a letter to try and defend himself against dismissal.
The worker wrote: "I acknowledge there are serious risks associated with accessing work systems through a personal device without adequate clearance. I now understand that although Bureau IT staff installed for the me the work-related apps for remote access, they did not grant me clearance to access the Bureau systems remotely even if it was for genuine work-related purposes.”
“As I have previously indicated to you, and believe, my actions demonstrate, I am a committed employee who deeply values my position and the opportunity to do significant and meaningful work,” he added.
On June 22, 2023, the employer issued the Final Sanction Decision, affirming termination of employment as the appropriate sanction.
According to records, the employer said that its “employees hold a unique position in their employment and are required to uphold appropriate standards of conduct consistent with those reflected in the APS Code of Conduct.”
It said the worker “failed to conduct himself consistent with these obligations and knowingly or negligently engaged in multiple breaches of the APS Code of Conduct.”
It said he “acted without honesty and integrity and demonstrated a distinct lack of regard to the policies and procedures applying to his employment. This resulted in a breakdown of the trust and confidence that was necessary for [his] employment relationship to continue and provided a valid reason for the termination of his employment.”
The employer said that the worker was “explicitly aware of [its] polices and processes, and the requirements of him to seek approval to gain access to the IT systems from overseas.”
It said he “demonstrated his awareness of these requirements by making a formal application for approval to work from overseas which was considered and subsequently denied.”
On the other hand, the worker argued that “it was his employer who facilitated the enablement of his mobile phone and computer with the necessary technology to access its systems from remote locations, including overseas.”
Moreover, he said that “his employer was aware of his working remotely and did not object. Moreover, that other employees also worked remotely and that while on leave he was in fact performing work to the benefit of his employer.”
The Fair Work Commission (FWC) accepted the worker’s position that he accessed his employer’s network in good faith. “Ren had no malice or ill intent in accessing his employer’s IT systems from overseas,” the Commission said.
However, it said it wasn’t the worker’s prerogative to determine if his conduct was proper or not. “While [his] intentions may have been honourable in these circumstances, it is not for him to decide when and from where he can access the employer’s IT networks, without prior approval,” it added.
Thus, the FWC said that he breached the employer’s protocol, which gave the latter a reason to validly dismiss him. It then rejected his application against the employer.