A fine and reprimand for unauthorised access of client database
The considerations in this case were:
- the nature and seriousness of misconduct
- whether the misconduct was uncharacteristic
- the employee’s response to misconduct and likelihood of recurrence.
The employee worked in a service delivery agency. They were a client and an employee of the agency.
The employee was found to have accessed the agency’s client database to update their address and add an online account. The conduct was in breach of section 13 (2) and (11) of the Public Service Act. A fine of $1000 and a reprimand were imposed as sanctions.
The Merit Protection Commissioner considered the functions of the agency and the importance it placed on protecting access to client information. The agency had trained all employees on its policies and followed this up with email reminders. While the employee said they were unaware of the rules, the Merit Protection Commissioner considered that, on the evidence, this was unlikely.
It was noted that the employee had shown remorse for the behaviour, saying ‘this will never happen again’. They also submitted a character reference indicating this was a one-off incident. The Merit Protection Commissioner was satisfied the misconduct was uncharacteristic and that the risk of recurrence was low.
It was submitted that the investigation had a significant impact on the employee’s health. The Merit Protection Commissioner noted that misconduct processes can be stressful but considered this was not a mitigating factor in this circumstance and did not take it into account in considering sanction.
The Merit Protection Commissioner considered a financial sanction was warranted to reinforce the importance of accessing private and confidential information for business reasons only and not personal ones. The Merit Protection Commissioner recommended that the agency’s decision be upheld.