Recent FWC case highlights data security risks in HR roles
The Fair Work Commission (FWC) recently dealt with an unfair dismissal application from a junior HR professional who was terminated for sending confidential company information to his personal email account.
The worker claimed he couldn't access his work email from home due to technical issues with his laptop, forcing him to use his personal email to handle attachments and continue working remotely.
He also argued that sending documents to personal email addresses was common practice in the company, pointing to instances where his managers had allegedly done the same.
The employer, however, alleged this behaviour constituted a serious breach of confidentiality obligations, as the information included sensitive personal data of 93 employees.
The case raised questions about data security expectations for HR professionals and what constitutes valid grounds for dismissal.
The worker started employment with the employer on 27 May 2022 as a junior recruitment business partner. His role involved talent acquisition, reviewing employee performance, managing visa statuses, and other HR functions requiring access to confidential information.
His employment contract explicitly stated he must "comply with [the employer's] policies and procedures, together with all lawful directions" and "not disclose to any third party, any confidential information" except when performing his duties. The employer had several policies in place, including an Information System User Charter Policy and Confidentiality Framework.
The worker acknowledged during proceedings that he had received training regarding compliance with company policies and the Code of Conduct during his induction, with additional online training about compliance.
Between February and April 2024, the worker sent confidential company information to his personal email, including visa documentation of 93 employees with details of visa types, tenure, expiry dates, grant numbers, salaries, and costs; commercial information regarding contracts with suppliers; employment contracts; a senior manager's resignation letter; and historical data about another senior manager's bonus amount.
The employer discovered these actions in April 2024 and immediately suspended the worker pending investigation. Between April and August, the employer attempted to schedule multiple investigation meetings, but the worker did not attend, initially providing medical certificates stating he was unfit for work-related meetings.
From May onwards, he provided certificates stating he was fit to work four days per week but still didn't attend scheduled meetings. In July, he informed the employer he would be overseas for three weeks without seeking approval for leave.
When questioned, the worker claimed he couldn't access his work email from home due to technical issues: "I'm unable to work from home due to email application error on my work laptop. I was able to send emails with my phone from home. I was unable utilise my phone email for large attachments hence requiring personal email to work from home."
He also argued that senior managers had previously sent confidential information to his personal email: "[The HR Director] and [the Pacific Human Resources Business Partner] sent confidential information (organisational chart and excel file containing Sydney staff home-residential addresses) to my personal email address, which given these allegations against me, they also stand to breach these same allegations."
During the hearing, he argued he "cannot break a clause in the future" because the confidentiality policy was dated 30 April 2024, after his alleged breach.
However, the FWC determined this was merely Version 2 of a policy effective since March 2020, which stated: "All information that an employee has access too (sic.), should not leave [the employer's] premises without the expressed permission of senior management."
The FWC found the worker's explanations lacked credibility. The Deputy President observed: "I consider it fanciful to suggest that an HR professional, albeit in a junior position, trained as [the worker] was, would consider it allowable to send to his home email address without any authorization" sensitive information relating to 93 employees.
The timing of the emails was considered suspicious: "I also consider it of note that the confidential information was sent in a short and confined period of time around the First Allegations. It was obviously not something that would occur, or had ever occurred, in the ordinary course of employment."
The Commission rejected the IT issues claim, noting records showed the worker had only "logged a ticket" with the IT Helpdesk once, in May 2023, which was resolved within days. The Deputy President found the worker to be "a witness who would provide answers aimed to exculpate him, rather than truthfully answering questions."
Regarding procedural fairness, the Commission determined that "24 hours was more than enough time for [the worker] to arrange a support person" for the meeting, especially since "[the worker] had been for so long aware of the allegations against him."
The Commission concluded that the worker's conduct "involving such wilful and deliberate behaviour inconsistent with the continuation of the Contract, and risking the reputation of [the employer's] business, constituted serious misconduct." The unfair dismissal application was dismissed.