Alam v National Australia Bank Limited (No.2)

FEDERAL CIRCUIT COURT OF AUSTRALIA

REPRESENTATION

ORDERS

1. The Further Amended Statement of Claim filed 25 October 2019 be dismissed.

SYG 614 of 2019

Applicant

And

Respondent

REASONS FOR JUDGMENT

Introduction

1. These Reasons for Judgment explain why the Court has dismissed the claim the Applicant brings against her former employer, the Respondent.

Background

1. The Applicant was employed as an Associate Financial Planner by the Respondent at its Dee Why, Sydney branch. The Respondent is a large banking corporation which operates extensively throughout Australia and New Zealand.

2. The Applicant is highly qualified with educational qualifications including a Masters of International Law, Bachelor of Business and Commerce (Applied Finance and Economics, Human Resource Management and Industrial Relations), Diploma of Financial Planning and an Advanced Diploma of Financial Planning. Before joining the Respondent she had worked for 6 years in the financial planning industry.

3. The Applicant commenced employment with the Respondent on 15 October 2018 and was dismissed, effective immediately, on 30 January 2019.

4. The present proceedings were commenced by a Statement of Claim filed 21 March 2019. At the Final Hearing the Applicant was relying on her Further Amended Statement of Claim filed 25 October 2019. She claimed that the Respondent had taken adverse action against her within the meaning of s.342(1) of the Fair Work Act 2009 (Cth) (hereafter referred to as ‘the Act’). There was also an associated claim that the Respondent illegally terminated the Applicant’s contract of employment.

5. The Respondent denies the Applicant’s claim, but acknowledges that adverse action was taken against the Applicant in that she was dismissed. The Respondent contends, however, that the adverse action was not taken for a proscribed reason.

The issues

1. The broad issues that arose during the Hearing were as follows:

   a)Did the Applicant exercise workplace rights within the meaning of s.341(1) of the Act?

   b)Was adverse action taken against the Applicant by the Respondent?

   c)Who were the relevant decision-makers who decided to take adverse action against the Applicant?

   d)Was the adverse action taken for a proscribed reason? In other words, has the Respondent discharged the reverse onus found in s.361 of the Act and satisfied the Court that whilst it took adverse action against the Applicant, it did not do so because she exercised a workplace right?

   e)If the reverse onus is not discharged, what remedies should be applied in this case?

   f)Did the Respondent wrongfully terminate its contract with the Applicant, and if so what are the consequences of this?

Executive summary

1. For the reasons that are set out below, the Court finds:

   a)The Applicant exercised workplace rights under s.342(1) of the Act.

   b)Adverse action was taken by the Respondent against the Applicant when it terminated her employment on 30 January 2019.

   c)There were four relevant decision-makers being the four members of the Respondent’s Professional Standards Committee.

   d)The said adverse action was not taken for a proscribed reason. The Applicant was terminated because she perpetrated a serious data breach involving confidential information relating to the Respondent and its customers and neither admitted nor remedied her conduct.

   e)No remedy should be granted to the Applicant.

   f)The Respondent did not wrongfully terminate its contract with the Applicant.

The evidence

1. In the Applicant’s case, she relied on the following documents:

   a)Further Amended Statement of Claim filed 25 October 2019;

   b)Affidavit of Sumyya Alam affirmed 19 December 2019 and filed 20 December 2019;

   c)Affidavit of Sumyya Alam affirmed and filed 10 April 2020;

   d)Affidavit of Mohammad Alam affirmed 20 August 2019 and filed 21 August 2019;

   e)Affidavit of Mohammad Alam affirmed and filed 10 April 2020;

   f)Affidavit of Daniel Hains affirmed 9 April 2020 and filed 10 April 2020;

   g)Case Outline document filed 16 April 2020; and

   h)Closing written submissions filed 12 June 2020.

2. In the Respondent’s case, they relied on the following documents:

   a)Defence filed 22 November 2019;

   b)Affidavit of Sandhya Maini affirmed 26 July 2019 and filed 29 July 2019;

   c)Affidavit of Sandhya Maini affirmed and filed 4 October 2019;

   d)Affidavit of Sandhya Maini affirmed and filed 6 March 2020;

   e)Affidavit of Alla Gorbunova affirmed and filed 6 March 2020;

   f)Affidavit of Benjamin Smith sworn and filed 6 March 2020;

   g)Affidavit of Matthew King affirmed 5 March 2020 and filed 6 March 2020;

   h)Affidavit of Adrian De Silva affirmed 5 March 2020 and filed 6 March 2020;

   i)Affidavit of Paul Meehan affirmed 12 March 2020 and filed 13 March 2020;

   j)Affidavit of Annabelle Paxton-Hall affirmed and filed 22 April 2020;

   k)Case Outline document filed 16 April 2020; and

   l)Closing written submissions filed 11 June 2020.

3. The following material was tendered as evidence during the course of the proceedings:

   a)‘Form F72 – Application for an order to stop bullying’ dated 30  January 2019;

   b)Documents produced pursuant to subpoena on National Australia Bank; and

   c)Bundle of emails tendered by the Respondent.

4. The following witnesses were cross-examined:

   a)The Applicant;

   b)Mohammad Alam;

   c)Daniel Hains;

   d)Alla Gorbunova;

   e)Sandhya Maini;

   f)Benjamin Smith;

   g)Matthew King;

   h)Adrian De Silva;

   i)Paul Meehan; and

   j)Annabelle Paxton-Hall.

The applicable law

1. The definition of ‘adverse action’ is found in s.340 of the Act:

   Protection

   (1)  A person must not take adverse action against another person:

   (a)  because the other person:

   (i)  has a workplace right; or

   (ii)has, or has not, exercised a workplace right; or

   (iii)proposes or proposes not to, or has at any time proposed or proposed not to, exercise a workplace right; or

   (b)to prevent the exercise of a workplace right by the other person.

   Note: This subsection is a civil remedy provision (see Part 4-1).

   (2)A person must not take adverse action against another person (the second person ) because a third person has exercised, or proposes or has at any time proposed to exercise, a workplace right for the second person's benefit, or for the benefit of a class of persons to which the second person belongs.

   Note: This subsection is a civil remedy provision (see Part 4-1).

2. The definition of ‘workplace right’ is found in s.341 of the Act:

   Meaning of workplace right

   (1)  A person has a workplace right if the person:

   (a)is entitled to the benefit of, or has a role or responsibility under, a workplace law, workplace instrument or order made by an industrial body; or

   (b)is able to initiate, or participate in, a process or proceedings under a workplace law or workplace instrument; or

   (c)is able to make a complaint or inquiry:

   (i)to a person or body having the capacity under a workplace law to seek compliance with that law or a workplace instrument; or

   (ii)if the person is an employee--in relation to his or her employment.

   Meaning of process or proceedings under a workplace law or workplace instrument

   (2)Each of the following is a process or proceedings under a workplace law or workplace instrument :

   (a)a conference conducted or hearing held by the FWC;

   (b)court proceedings under a workplace law or workplace instrument;

   (c)protected industrial action;

   (d)a protected action ballot;

   (e)making, varying or terminating an enterprise agreement;

   (f)appointing, or terminating the appointment of, a bargaining representative;

   (g)making or terminating an individual flexibility arrangement under a modern award or enterprise agreement;

   (h)agreeing to cash out paid annual leave or paid personal/carer's leave;

   (i)making a request under Division 4 of Part 2-2 (which deals with requests for flexible working arrangements);

   (j)dispute settlement for which provision is made by, or under, a workplace law or workplace instrument;

   (k)any other process or proceedings under a workplace law or workplace instrument.

   Prospective employees taken to have workplace rights

   (3)A prospective employee is taken to have the workplace rights he or she would have if he or she were employed in the prospective employment by the prospective employer.

   Note: Among other things, the effect of this subsection would be to prevent a prospective employer making an offer of employment conditional on entering an individual flexibility arrangement.

   Exceptions relating to prospective employees

   (4)Despite subsection (3), a prospective employer does not contravene subsection 340(1) if the prospective employer makes an offer of employment conditional on the prospective employee accepting a guarantee of annual earnings.

   (5)Despite paragraph (1)(a), a prospective employer does not contravene subsection 340(1) if the prospective employer refuses to employ a prospective employee because the prospective employee would be entitled to the benefit of Part 2-8 or 6-3A (which deal with transfer of business).

3. Section 361 of the Act states:

   Reason for action to be presumed unless proved otherwise

   (1)  If:

   (a)in an application in relation to a contravention of this Part, it is alleged that a person took, or is taking, action for a particular reason or with a particular intent; and

   (b)taking that action for that reason or with that intent would constitute a contravention of this Part;

   it is presumed that the action was, or is being, taken for that reason or with that intent, unless the person proves otherwise.

   (2)Subsection (1) does not apply in relation to orders for an interim injunction.

The relevant facts

1. Between the date that the Applicant commenced her employment with the Respondent, and was terminated, she made at least twelve complaints or inquiries in relation to her employment. The Court finds that at least one of those complaints or inquiries constituted a workplace right that the Applicant exercised.

2. On 14 January 2019 the Applicant’s direct manager, Ms Gorbunova, received an email from the Respondent’s Data Protection Team notifying her of a Data Protection Event relating to the Applicant. This was an email sent from the Applicant’s work email address on Saturday 12 January 2019 to two private email addresses each containing the Applicant’s name, and being the Applicant’s personal email addresses. The email in question, henceforth called the ‘data breach email’, had the subject “fyi” and attached a large number of documents including detailed personal and financial information, account numbers and balances for the Respondent’s customers.

3. On 17 January 2019, during a meeting between the Applicant and Ms Gorbunova, the Applicant was informed, and asked about, the data breach email.

4. On 18 January 2019 the Applicant denied sending the data breach email. Ms Gorbunova did not consider the explanation given by the Applicant adequate or honest.

5. Ms Gorbunova reported her concerns to her superiors. A meeting of the Professional Standards Committee was convened on 24 January 2019. The four members of this Committee voted unanimously in favour of the dismissal of the Applicant because the data breach email, and her failure to admit any wrongdoing, demonstrated that her conduct was fundamentally inconsistent with the standards of conduct expected by the Respondent of its employees. The Applicant contended that the members of the Committee, or some of them, included as part of the reasons for terminating her, that she had exercised her workplace rights. The Court finds that only one of the members in fact did so.

6. After the Applicant was terminated the Respondent, through its officers, conducted further investigations into the Applicant’s use of her work email accounts. The business records of the Respondent indicated that in addition to the data breach email of 12 January 2019 the Applicant had sent numerous other emails from her work to her personal email accounts. Technical evidence was led in both the Applicant and the Respondent’s case on this issue.

7. The Applicant’s credibility was a major issue in this case. The Court found that the Applicant’s denials in relation to the data breach email, and the other emails she sent from her work to her personal accounts, to be implausible.

When the Applicant made the complaints referred to in her Further Amended Statement of Claim filed 25 October 2019 and her Affidavit affirmed 19 December 2019, did she exercise a workplace right for the purposes of sections 340(1) and 341 of the Act?

1. The Applicant contends that she did, but the Respondent contends that she did not.

2. At paragraph 6 of the Applicant’s further Amended Statement of Claim filed 25 October 2019, she pleads:

   In making the requests referred to in paragraph 4, the Applicant was exercising a workplace right under s.341 (1) (c) (ii) of the Act and thus engaging the general protections provisions of the Act.

3. The requests referred to were requests to the Applicant’s managers and co-workers that unfair treatment and unreasonable behaviour cease. 

4. Paragraph 6 relies on s.341(1)(c)(ii) i.e. that the complaint or inquiry related to her employment with the Respondent.

5. At paragraph 7B the Applicant also pleads s.340(1)(a)(iii) i.e. that she proposed to exercise a workplace right.

6. The Applicant’s evidence about the complaints and requests that she made is found in her Affidavit affirmed 19 December 2019 and commence from paragraph 22. She made 12 complaints. The fact of the complaints is not in issue. What is in contention is whether they related to workplace rights and her employment with the Respondent.

7. In closing submissions Counsel for the Respondent submitted that there was a real doubt about whether 11 out of 12 complaints were underpinned by any entitlement at law, or by Award or contract and thus were not matters in respect of which a workplace right existed. 

8. At paragraphs 131 and 132 of the Applicant’s above mentioned Affidavit she deposes:

   [131] On 27 January 2019, I notified Alla that I was seeking legal advice and asked for my previous lawyer Mr Geoff Baldwin (“Geoff”) to be present during Alla’s requested meeting. 

   [132] On 29 January 2019, I sent an email to Alla in relation to “bullying” by proposing to exercise a workplace right and I told Alla, “This is to inform you that I am making the anti-bullying submission to the Fair Work Commission in light of my experience.” 

9. This evidence was not challenged in cross-examination. 

10. The Court finds, therefore, that on 27 January 2019 the Applicant had a workplace right that was underpinned by law i.e. she was going to make an application to the Fair Work Commission pursuant to the Fair Work Act 2009 (Cth). This proposed action is a workplace right for the purposes of s.341(1). The fact that she did not actually do so until after her employment was terminated does not change the character of the workplace right.

11. The Applicant only needs to establish that one of the complaints she made related to her employment and that the making of the complaint was the exercise of a workplace right. She has established this. 

12. There is no need, therefore, for the Court to consider whether the other complaints made by the Applicant related to workplace rights. 

Who were the relevant decision-makers who decided to take adverse action against the Applicant?

1. The Applicant contends that the adverse action involved multiple decision-makers or actors who were not called by the Respondent to give evidence, and thus it was impossible for the Respondent to reverse the presumption found in s.361. The Applicant contented that the decision-makers not called included: Erin Butler, a member of the Respondent’s Employee Relations Team who had been consulted several times about the termination; other members of the Respondent’s Employee Relations Team whose names and positions had not been disclosed; and attendees at the Respondent’s Professional Standards Committee who have not provided evidence, namely, Silvia Mallavey, Vesna Chehade and Claire Harrison.

2. The Respondent contends that the relevant decision-makers were only the actual members of the Professional Standards Committee namely, Ms Maini, Mr Smith, Mr De Silva and Mr King. Whilst the Respondent concedes that both Ms Butler and Ms Gorbunova were present, they had limited input in the process and it was ultimately the Professional Standards Committee as constituted who made the decision to dismiss the Applicant. It was, therefore, the states of mind of Messrs Maini, Smith, De Silva and King that are relevant in discharging the burden imposed by s.361.

3. The Court accepts the Respondent’s submissions on this issue, and the evidence of its witnesses. The other persons asserted by the Applicant to be part of the decision-making process did nothing more than provide information and advice to the members of the Committee who then made the decision to terminate. To adopt a broader formulation of who is a decision-maker for present purposes would result in impractical, indeed unrealistic and unintended implications for corporate and organisational employers. The fallacy in the Applicant’s case is manifested by the contention that Ms Chehade, who was identified as the minute-taker for the meeting, had her role somehow converted to decision-maker because of her role and virtual presence. 

4. The Committee in question was established by a document known as NAB Financial Planning Professional Standards Committee Charter (hereafter referred to as ‘the Charter’), which was in evidence. There are 7 members of the Committee and a quorum is a minimum of 4 members. The Committee in this case consisted of 4 members. Clause 4.3 of the Charter expressly contemplated that other persons may attend, as in fact occurred in this case. There is nothing in the Charter which extends to these other persons any decision-making power. In this case only the 4 named members attended and made the decision to terminate the Applicant. 

Has the reverse onus in s.361 been engaged on the facts of this case?

1. The Respondent contends that the only basis of the decision to terminate was the Applicant’s data breach. The Applicant contends that one of the reasons for terminating her employment was the fact that she had sought to exercise a workplace right (the proscribed reason). 

2. The Applicant correctly contended in closing submissions that the Act does not require the decision-makers to establish that his/her decision had nothing to do with the Applicant’s alleged proscribed reasons being a substantial and operative factor in the reason or reasons for taking adverse action: Rares and Katzmann JJ in Rumble v The Partnership Trading as Ebsworth Lawyers [2020] FCAFC 37 at [41]. It does not cease to be such a factor because it is coupled with other circumstances or because regard is had to it in association with other circumstances not mentioned in the section: General Motors Holden Pty Ltd v Bawliny (1976) ALR 605 at 619.40 - 48 (Mason J). The alleged reason need only be one reason of a number of reasons actuating the conduct, and not the sole or dominant reason: Australian Meat Industry Employees Union v Belandra Pty Ltd [2003] FCA 910 at 218. 

3. During the cross-examination of one of the relevant decision-makers, Mr Matthew King, the following question was asked and answered: 

   Mr Docking:  Given without looking at the minutes you have no recollection of what was said at this meeting, you cannot deny that it was raised at the meeting part of the reason that the Applicant was to be dismissed was because she had made complaints and enquiries in relation to her employment?

   Mr King:Yes.

4. The Court is prepared to accept that the circumstances of the Hearing taking place via Microsoft Teams video technology made it impossible for Counsel for the Respondent to object to the question as the transmission had either been interrupted or was lost at the critical time. When transmission was resumed Counsel explained what had occurred, and that he was denied the opportunity to object to the question on the basis that Mr King could not give evidence about the state of mind of every other decision-maker. Counsel for the Respondent was permitted to re-examine. The following question was asked and answered.

   Mr Seck:Mr Smith, when you gave the answer that you cannot deny it was raised during the meeting that the reason for Ms Alam’s dismissal was because she made complaints or enquiries in relation to her employment, can you confirm whether ..... you recall your state of mind when you made the decision?

   Mr King:Yes.  I cannot deny it was present during the meeting because I wasn’t aware of it during the meeting and the decision I made to support the determination was in the specificity of the Professional Standards Committee and was based on the professional conduct and the issue with professional conduct being brought to me as opposed to anything else.

5. The Court is concerned about the weight that can be given to the evidence this witness gave in re-examination in the unfortunate circumstances of this case. The question that he was asked in cross-examination was quite clear, as was his answer. When the answer to the question is assessed in light of the legitimate (but unfortunately late) objection, what the Court is prepared to find is that in making his decision at the meeting, Mr King did take into account as a substantial and operative but nonetheless as an non-exclusive factor that the Applicant had made complaints and enquires in relation to her employment.

6. In circumstances where the Court finds that there is no other direct or indirect evidence to suggest the other 3 members of the Committee made their decision for a proscribed reason, Mr King’s evidence does not mean of itself that the reverse onus has not been discharged. This contention is summarised in the Respondent’s updated closing submissions dated 11 June 2020 at paragraph 59:

   Even if the Court finds that just one member of the PSC acted for a prohibited reason, it is insufficient to demonstrate that the Respondent made the decision to dismiss the Applicant for a prohibited reason. In IW v City Of Perth (1997) 191 CLR 1, Toohey and Kirby JJ considered under anti-discrimination legislation that, where there were multiple decision makers, even if some decision-makers make their decision affected by an unlawful reason, their votes are simply discounted and if there is still a majority who are unaffected, then a causal link between the prohibited reason and the decision has not been shown: IW v City of Perth (1997) 191 CLR 1, 32 & 66.  In the context of general protections claims, the Court has applied the same approach. As 4 persons comprised the PSC, it must be shown that there is a majority acted for one or more of the alleged prohibited reason: Voigtsberger v Council for Pine Rivers (No 2) [1981] FCA 243.

7. The Court accepts this submission. The Court notes that no argument was directed to Clause 6.3 of the Charter which provides that decisions need to be based on a unanimous vote. The vote was unanimous in this case. It remained unanimous even though one vote was motivated, at least in part, by a proscribed reason. Despite rigorous cross-examination the Court finds that the evidence of Messrs Maini, Smith and De Silva records no direct or indirect evidence of a proscribed reason. The Court finds, however, that all had notice of the Applicant’s “behavioural issues” as this is expressly referred to in Section 2 of the template used by the Committee.

8. It is important to examine the Applicant’s contention that the direct evidence of the decision-makers should not be accepted because it was unreliable, and to explain why the Court does not accept this. The legitimacy of considering contradictory evidence including inconsistencies, discrepancies and inadequacies is not in doubt. In this case all of the evidence led in the Applicant’s case and elicited from the Respondent’s witnesses, does not create a sufficient doubt in the Court’s mind about the veracity of the evidence of Messrs Maini, Smith and De Silva about the central issue of what motivated the decision to terminate the Applicant. The Court accepts, for example, that the documentation pertaining to the Committee deliberations was minimalistic, but rejects the express or implied contention that this was deliberately so. There was no basis in the evidence for this submission. There was some inconsistency in the evidence of Ms Maini and Ms Gorbunova but that is hardly surprising either in the organisational context, or in the context of litigation such as this, and neither singularly or cumulatively does this lead the Court to reject the relevant evidence of the decision-makers in question. Inconsistencies in the evidence about the length of the Committee meeting is hardly determinative, as is the absence of documentation. Defective procedures including a possible failure to allow to the Applicant natural justice including a right of appeal, again does not establish a decision made for a proscribed reason. The cumulative concerns raised in terminating her may well suggest to the Respondent that it needs to review its procedures, but it does not inform the Court’s decision that the majority of the Committee that decided to recommend the termination of the Applicant’s employment were not influenced by the workplace complaints made by the Applicant, but were based on her alleged data breaches.

9. It must follow that the Respondent has discharged on the evidence the reverse onus set out in s.361. The adverse action taken against the Respondent was not for a proscribed reason.

Other witnesses

1. Before moving to a detailed consideration of aspects of the Applicant’s evidence, the Court will briefly deal with the evidence of two other witnesses. The evidence of the Applicant’s father, Mr Mohammed Alam, related mainly to the Applicant’s contention that on the day the data breach email was sent, she was with her family, including her father, on an outing to the Blue Mountains of New South Wales. As the Court has concluded that the Applicant could have, and indeed did send the data breach email, and could have done so from wherever she was on the date, it is unnecessary to consider evidence about the outing, or the evidence of Mr Alam.

2. Ms Annabelle Paxton-Hall is the Respondent’s Solicitor in this case. She affirmed an Affidavit on 22 April 2020. Nothing turns on her evidence. She prepared a summary document being the annexure APH-3 to her Affidavit, but it was nothing more than an aide memoire which the Court did not rely on, preferring to rely on exhibit R2 itself. Whether or not the Applicant in fact sent a total of 78 emails to herself from her work email is not material to the Court’s findings. The Court’s conclusion about matters of tendency pertaining to the Applicant are based on the rigorous cross-examination of the Applicant, specifically in relation to exhibit R2. Moreover the Court places minimal weight on paragraphs 14 and 15 of Ms Paxton-Hall’s Affidavit. The issue of the time stamp differences between the emails in exhibit R2 and those annexed by the Applicant in her Affidavit, does not detract from the weight given by the Court to exhibit R2. As a matter of logic the difference is likely to be attributable to daylight saving. It was not submitted in the Applicant’s case, for example, that the time stamp difference were indicative of fraud of fabrication. The Court notes that Ms Paxton-Hall was criticised in cross-examination for the lateness in filing her Affidavit, and thus disclosing the full extent of the emails in question, namely those allegedly from the Applicant to herself. The complaint was similar to the one made in relation to exhibit R2. The Court’s response was also similar. The emails in question were, purportedly, the Applicant’s own emails. The Court finds this to be the case for the emails comprised in exhibit R2. For Counsel for the Applicant to suggest to this witness that the delay in disclosure to the Applicant was “…to ambush the Applicant so she didn’t get notice?” (transcript 23 April 2020, page 50, line 30) overreaches in circumstances where at least those in exhibit R2 were clearly the Applicant’s own emails.

The Applicant’s denial about the data breach email

1. It is important to consider the Applicant’s case as to why it would not have been possible for her to send the data breach email.  There seems to be two related, indeed interdependent, components to her case in this regard.  The first component is her assertion that she simply did not have the means to access the confidential data from the electronic devices available to her.  The second component is that on the day in question, 12 January 2019, she was neither at work nor at home, but at the Blue Mountains on a family outing.  Thus, she asserts, it was impossible for her to have accessed the data and sent the email in question, using the only device available to her on that day, which she contended was her private telephone.

2. Whether or not the Applicant was, in fact, at the Blue Mountains on a family outing on the day in question is a finding that is not necessary in this case.  Thus, she may well have been at the Blue Mountains but if she had electronic access to the documents comprising the data breach email, together with its annexure, it really does not matter where she was.  The Court is not, of course, obliged to accept her evidence but, in the first instance, it is important to carefully examine the Applicant’s evidence in order to assess the plausibility of her denials.

3. In the Applicant’s Affidavit affirmed 19 December 2019 at paragraph 34 she asserts that on 19 October 2018 Ms Gorbunova declined the setup of remote access to her computer.  She goes on to say in the same paragraph, however: “Weeks and months later remote access did not properly work and did not enable me to log in to my computer outside of the office.” From the Court’s perspective, however, bundle 1 of exhibit R2 contains an email to the Applicant from NAB FP Practice Support dated Monday, 29 October 2018 at 8:57am indicating that remote access had been approved, though acknowledging that it might take two business weeks for this to be implemented.

4. The Applicant was aware of the email in question as the Court is satisfied that she sent it to herself on 1 November 2018 at 8:40pm.  In any event, the Applicant’s evidence at paragraph 34 needs to be examined carefully.  In the sentence quoted above, the Applicant is not asserting that she did not have remote access but rather that it “did not properly work”.  Her assertion that it “did not enable me to log into my computer outside of the office” seems quite inconsistent with the documents comprised in exhibit R2.

5. At paragraph 55 of the same Affidavit, the Applicant deposes that she “was finally given an Xplan system login and access” on 27 November 2018, but it did not provide access to the client databases of her senior financial planners.  The first difficulty with this evidence is that it is inconsistent with the representation contained in the Applicant’s own email dated 1 November 2018 at 9:23am to Ms Gorbunova in which she says: “I have been provided with login for Xplan, however, I do not have access to the client database for Stephen and Dominic.” A further inconsistency arises when one has regard to paragraph 64 of the same Affidavit, where the Applicant asserts that by “7 December 2018, eight weeks into the job, Alla had still not arranged for Xplan access…” 

6. In many cases such inconsistency would not attract judicial attention on issues of credit but in this case the Applicant demonstrated, even under the most intense cross‑examination by Counsel for the Respondent, that she was meticulous about detail, indeed insistent on focusing on the detail.  The significance of when the Applicant was actually granted access to Xplan is partly (and from her perspective) that it was one component of her workplace complaint and partly (and from the Respondent’s perspective) that it manifests a tendency to exaggerate. It also provides a hypothesis for her trenchant unwillingness to accept in cross-examination her knowledge of the source of the document in exhibit R2, including the email of 1 November 2018 referred to above.

7. The evidence seems to indicate that the Applicant knew as at 1 November 2018 that she had been provided with a login for Xplan but provided inconsistent, and indeed misleading evidence at both paragraphs 55 and 64 of the Affidavit in question. 

8. At paragraph 112 of the same Affidavit, the Applicant responds to the allegations about the data breach email on 12 January 2019.  She is quite categorical in asserting that it was “a Saturday, a weekend, a day off from work”.  She goes on to assert that she was not working and she did not send the alleged email.  Whilst there is the occasional reference in the Applicant’s evidence to having to work extended hours on weekdays because of the pressures of work (e.g. paragraphs 71 and 73 of the said Affidavit), there is no reference in the Applicant’s evidence to working on weekends.

9. Indeed, the Applicant’s Counsel robustly cross‑examined Ms Gorbunova on her assertion that the Applicant had complained about working on weekends.  The Court can only assume that this cross‑examination took place on instructions and that it was, therefore, no part of the Applicant’s case that she did work on weekends. 

10. The significance of this, of course, is that five of the emails from the Applicant’s work account to herself which form part of exhibit R2, including the data breach email, were sent on weekends.  If the Applicant’s evidence is taken at face value, and she was not working on weekends, then the emails in question could not have been sent from her workplace and, by reference to the documents attached, the Applicant must have had some level of remote access.

11. At paragraph 122 of the said Affidavit, where the Applicant specifically responds to the assertions made in the Affidavit of Ms Maini pertaining to documents which included those comprised in exhibit R2, the Applicant asserts:

    I am able to say that it was impossible for me to access those documents and attach them to any email because I was not provided with access to the documents that were to be found on NAB’s systems and databases, and I did not have access to the systems necessary to obtain any of those documents.

12. The difficulty with this assertion is that, firstly, it does not explain how those of the said documents that the Applicant contends she had no access to turned up in her own evidence.  Secondly, her explanation is inconsistent with the synchronicity of some of the documents, especially those in bundles 10 and 12 (discussed below). 

13. At paragraph 123 the Applicant sets out further evidence, no doubt intended to lead the Court to accept her contention.  In row 1 of the table set out at paragraph 123 she contends that the statement of advice documents were saved as part of a process on a shared drive, which is on the NAB network, to which she was not given access.  This is inconsistent, for example, with her own email to Stephen Cordaiy of 22 November 2018 at 1:42pm in which she refers to a record of advice generated through Xplan which is saved to the shared drive.  It must follow that the Applicant had access to the shared drive.

14. Her assertion in the second row of that table, to the effect that she was not given access to customer accounts relating to term deposits, seems prima facie inconsistent with her email of Monday, 7 January 2019 where, referring to a named client, she sets out detailed information about assets including term deposits.

15. At paragraph 124 of the same Affidavit, the Applicant again makes assertions about remote access that need to be carefully examined.  In the Applicant’s Counsel’s written closing outline document dated 11 June 2020, he asserts at paragraph 21.7.1, by reference to named paragraphs in the Applicant’s Affidavits, that: “…the Applicant was not given remote access…”. With respect, that is not the Applicant’s evidence and paragraph 124 is an example of this.  What the Applicant in fact says is: “I was not provided with functional remote access and the level of access that was given to me did not enable me to access my work email account or any of NAB’s systems on its server.”

16. In the next sentence, again the Applicant asserts that she was not given “proper remote access” and asserts that such access as she had did not enable her to log in due to limited access and server issues.  Thus, even the Applicant qualifies her own previously stated assertion that she did not have remote access.  What the Applicant meant by asserting that she did not have “functional” remote access is unknown.  When this is coupled with her reference to the “level of access” that she had, it is clear that she did have remote access but the Court is left to accept, or reject, her assertion that the level of access she had did not enable her to send the data breach email.

17. The Court has already pointed out the inconsistency between the assertions made by the Applicant about lack of remote access and the documents which form part of exhibit R2.  Once again, it needs to be acknowledged that a business record exists dated Monday, 29 October 2018 in the form of an email to the Applicant from NAB FP Practice Support confirming that her remote access had been approved. 

18. The Court’s growing unease with the reliability of the Applicant’s evidence increases proportionate to the greater attention that is focused on aspects of it, especially when compared to competing contentions.  Thus, for example, the Applicant’s file note of her meeting with Ms Maini on 9 January 2019 contains the assertion at paragraph 89(v):

    …I was not given office, computer, system, accounts and database access for months into the job and necessary information and resources were withheld from me, which resulted in hindering me from commencing or completing my new employee mandatory training required to meet clauses 5 and 6 of my employment contract, necessary to discharge to the duties in the Position; that despite all of these problems I persevered and completed all of my mandatory training and completed tasks…

1. The Court has a number of concerns about the Applicant’s depiction of her own situation, as recorded in this file note.  Firstly, it is plainly inconsistent with the more objective data, including her own representations, in the documents comprised in exhibit R2.  The Applicant is either overstating her case, by way of exaggeration, or she is being wilfully misleading.  Ms Maini’s account of the same meeting is found in her file note where, relevantly, she records:

   Sumyya also mentioned that it took her a while to get her systems in the beginning but also understands that sometimes getting access to all systems and training can take a while but had no current concerns. 

2. The Court prefers Ms Maini’s account in relation to the relevant complaint by the Applicant, particularly as regard the absence of database access.  The more likely scenario, the Court finds, is that whatever problems had existed up until 9 January 2019, the Applicant’s concerns were in fact limited.  Thus, for example, when the Applicant’s emails in exhibit R2 are carefully examined, after 9 January 2019, the only evident complaint she had was in her emails to her senior financial planners of 17 January 2019, in which she complains that she did not have access to the Siebel system insofar as it related to client account balances and details.

3. Turning now to the Applicant’s Affidavit affirmed 10 April 2020, at paragraph 5, and responding to the evidence of Mr Meehan, she denies having any NAB electronic device or functional remote access on 12 January 2019, at or around the time of the alleged data breach email.  Mr Meehan’s evidence will be considered in more detail below, but his evidence included the observation that the Applicant’s work email account had been used for web browsing between 1:48pm to 3:20pm on Saturday afternoon, 12 January 2019.

4. It is to be recalled that the Applicant’s case is that she did not have her NAB phone, or any other NAB electronic device, with her at the relevant time but that, of course, is dependent on the Court accepting her evidence, and otherwise excluding the possibility that using two‑factor authentication she could have accessed the data in question using her own phone.  The Applicant’s contention in her Affidavit, not just in paragraph 5 but in paragraph 10 as well, is that she could not have undertaken the web browsing asserted by Mr Meehan because she was at Katoomba, in the Blue Mountains of New South Wales.

5. Mr Meehan’s contention and the Applicant’s contention are not necessarily inconsistent.  The real issue is: did the Applicant have remote access and, if she did, is it more likely than not that she sent the data breach email, particularly when her actions are so consistent with the actions manifested in the emails comprised in exhibit R2?

6. At paragraph 50 of this Affidavit, the Court senses that the Applicant attempts to explain what she has previously referred to as the absence of “functional” remote access.  In paragraph 50, she uses the term “effective”.  At paragraph 50 she deposes:

   Effective remote access was not arranged … the remote access was not functional.  My experience was that it was possible to work for NAB without remote access because Microsoft files could be worked on from the desktop without access to any NAB systems.

7. The Applicant’s own evidence establishes another hypothesis which, indeed, makes the Respondent’s contention that the Applicant sent the data breach email even more plausible.  Doing the best the Court can, the Applicant seems to be asserting at paragraph 50 that because of the non‑functionality, and ineffectiveness, of remote access, she could get around this by copying files being worked on “from the desktop”.

8. On one view, this merely explains another way that the Applicant could have gained access to the various documents that are attached to her emails which comprise exhibit R2, including the data breach email.  This hypothesis is further strengthened by her evidence at paragraph 54, where the Applicant asserts that she took her laptop home on some occasions.  If, consistent with paragraph 50, relevant files had been saved to the desktop, which, the Court infers in this context, means the laptop, the laptop could have been taken home and that might comfortably explain the weekend emails in exhibit R2, even if there were no remote access.

9. At paragraph 63 the Applicant introduces yet another hypothesis which explains the evidence in exhibit R2.  Here she deposes that one of the emails referred in Ms Gorbunova’s Affidavit of 25 January 2019 at 3:48pm, was sent through the NAB mobile phone.  The NAB mobile phone clearly had a degree of access to documents, and thus the hypothesis of the data breach email having been sent using access by the NAB mobile phone becomes plausible, if the Court does not accept the Applicant’s evidence that she only had her private phone with her.

Exhibit R2:  The Applicant’s emails to herself

1. Exhibit R2 consists of 14 different bundles of documents, the common feature of which is that they are, the Court is satisfied, emails which the Applicant sent from her NAB work email to one of her private email accounts, being either a Hotmail or a Gmail account.  What has been described earlier in these Reasons as the data breach email comprises part of this exhibit.  The Court proposes to set out a number of observations about the documents, or some of them, comprising this exhibit.

2. At 8:40pm on Thursday, 1 November 2018, the Applicant sent an email from her NAB email account (the work account) to her Hotmail account.  As will be seen, many of the emails referred to in this section are sent after hours which, for present purposes, the Court will define as before 8:00am or after 6:00pm, simply for the purposes of clarity.  This email attaches a number of other emails, obviously preceding the time of the email presently being examined, either to or from the Applicant.

3. As mentioned earlier in these Reasons, many of these emails feature in the Applicant’s evidence but, from the Court’s perspective, she could not satisfactorily explain how they came to be in her possession, given that they were clearly the property of the Respondent.  The Court does not accept the Applicant’s evidence that she does not know how they came into her possession.  The Court finds that the documents in question came into her possession because she sent them to herself from her work email account.

4. In any event, in this first bundle the Applicant forwarded to herself is an email that she sent to Ms Gorbunova at 9:23am on 1 November 2018, which states: “I have been provided with login for Xplan, however I do not have access to the client database for Stephen and Dominic.” Thus, the Applicant’s own evidence is that she had access to Xplan no later than 1 November 2018, though, it would seem, this did not extend to client database access for the two named persons who were the senior financial planners with whom she worked.

5. Moreover, there is an email dated Monday, 29 October 2018 at 8:57am, addressed to the Applicant which states: “Your remote access has been approved by the cost centre manager today.  Please allow two business weeks for the team to provision your access.” An earlier email which is part of this bundle provides some context to the reference to remote access.  An email from Ms Gorbunova sent to NAB FP Practice Support and to the Applicant states: “Sumyya now has her mobile phone.  Could you please organise remote access for her?” This evidence leads the Court to find that as at 29 October 2018 remote access via the Applicant’s work mobile telephone number had been approved, noting, however, that two business weeks could pass before this could be implemented.

6. The fifth bundle in this exhibit is an email from the Applicant’s work account to herself dated Sunday, 25 November 2018 at 3:27pm.  She attaches correspondence involving herself but for present purposes, the most relevant one is dated 22 November 2018 at 1:42 pm.  This email between the Applicant and Stephen Cordaiy, one of the senior financial planners to which she was attached, states: “I have reviewed the Record of Advice you’ve generated through Xplan that is saved to the shared drive.” It is therefore clear that no later than 22 November 2018 the Applicant had access through Xplan to a record of advice in relation to a named client which had been saved to the shared drive.

7. Document 6 in this bundle is another after hours email, from the Applicant to herself, at 6:51pm on Tuesday, 27 November 2018.  In this email she attaches an email sent to her, but this time there are several documents, including her letter of authority and what appears to be a MoneySmart financial adviser register appointment form which is populated with information seemingly related to the Applicant.

8. Document 7 in the bundle is an email the Applicant sent from her work account to herself on Saturday, 1 December 2018 at 12:48pm. 

9. Document 8 is another after hours email, this time Monday, 10 December 2018 at 7:37pm.  Attached are emails, but there also appears to be a template financial review report, entitled Review Report. 

10. Document 9 is another after hours email from the Applicant’s work account to herself dated Sunday, 16 December 2018 at 1:18pm.  She attaches an email that she sent to Ms Gorbunova on the same day, and seemingly at the same time, with the subject line, “Areas of impact”.  Here the Applicant refers to a number of matters that “are hindering my work …”.  What is absent from this particular email is any complaint about accessing information from various internal sources and websites, a complaint which features frequently in the Applicant’s Affidavit evidence.

11. There is also attached an email that the Applicant sent to Stephen Cordaiy at 12:35pm on that day, referring to records of advice completed and stored in Xplan for four named clients.  This suggests that the Applicant had access to the documents referred to pertaining to the clients, as well as to Xplan and, it would seem, something called WealthSolver. 

12. Bundle number 10 is an email from the Applicant’s work account to herself dated Friday, 4 January 2019 at 5:50pm.  It attaches correspondence in relation to named clients, Stephen and Janet Howard and Silvio and Ida Raso, as well as other email correspondence.  One of the email chains in this bundle indicates that on Thursday, 3 January 2019 the Applicant had been approved to gain access to a research website, apparently named Research Partners.

13. The documents comprising bundle 11 consist of an email from the Applicant’s work account to herself on Monday, 7 January 2019 at 8:07am.  One of the emails attached is an email from the Applicant sent at 7:44am that morning with the subject line “MLC website Age Pension Calculator”, relating to the clients known as “RasoS&I”.  This email creates the impression that the Applicant had access to the MLC website aged pension calculator, as well as the Xplan and Xtools+ modelling projection.  The information relates to the client and contains some quite detailed financial information which could reasonably be assumed to be private and confidential. 

14. Bundle 12 is what became known as the data breach email.  What is significant about this email is that it was sent from the Applicant’s work account to her private account on Saturday, 12 January 2019 at 1:39pm.  The subject line is “fyi”.  It attaches quite a number of documents, including emails.  One of the most significant features of this email is its synchronicity with bundle 10, the email Friday, 4 January 2019 at 5:50pm.  The 4 January 2019 email refers, for example, to an “SOA request for Stephen and Jane Howard”.  It becomes apparent that SOA is the acronym for Statement of Advice. 

15. In bundle 10 the email referred to the request for the SOA for Stephen and Janet Howard, whereas the email 12 January 2019 in bundle 12 actually contained the completed statement of advice for Stephen and Janet Howard.  There are also emails to and from the Applicant pertaining to this client.  There are documents that seem to pertain to statements of advice for other clients.

16. Viewed as simply a bundle of documents, the common thread is the Applicant.  The emails are either sent to her, or from her.  All of the documents seem to be linked to the Applicant, in some fashion.  Someone was responsible for curating this bundle that was attached to the email from the Applicant to herself. It was, more likely than not, the Applicant.

17. There are two other bundles in the exhibit.  The last bundle, numbered 14, is an email from the Applicant’s work account to her Hotmail account dated Thursday, 17 January 2019 at 8.11 am using the subject line “fyi”.  Both of the emails attached are emails from the Applicant to Dominic Sgro and Stephen Cordaiy, and the context and content of the emails suggest that they were the senior financial planners to whom she was attached at the time.  One of the matters raised in each email is the Applicant’s assertion that she did not have access to “the Siebel system for client account balances and details …”, and there is reference to her once again seeking access via NAB IT helpdesk to Siebel.

18. The Court notes that the last email which is referred to in the evidence as being an email from the Applicant’s work account to her private account was sent at 8:11am on Thursday, 17 January 2019, and it was later that day that Ms Gorbunova met with the Applicant and raised the issue of the alleged data breach email on 12 January 2019.

The technical evidence

1. In the Respondent’s case, Mr Paul Meehan, affirmed an Affidavit on 12 March 2020.  Mr Meehan was cross-examined.  Mr Meehan holds the position of Senior Consultant – Cyber Investigations for the Respondent.  In his Affidavit, he sets out his background and experience.  At various points during the Hearing, Counsel for the Applicant sought to contend that Mr Meehan was an expert, but that is not the case.  Even if Mr Meehan was an expert the relevant issue is whether he gave expert evidence. He is an employee of the Respondent, engaged in a technical role which included, amongst other things, investigation of cyber security issues.  He had access to the business records of the Respondent.  Some of those business records are relevant to the present case.  Objections were taken to parts of Mr Meehan’s Affidavit where he sought to express opinions which were, for all practical purposes, expert opinions.  That evidence was struck out. 

2. It is one thing for Mr Meehan to give evidence to the Court about the Respondent’s business system, and how they work.  It is acceptable for him to give evidence about what, precisely, he was asked to do and in fact did, in his role.  Only an expert, however, can look at the Respondent’s business records and, in the context of this case, express an opinion about what those records indicate.  Mr Meehan was never qualified as an expert for the purposes of this case, and thus could not give that evidence. 

3. The Court is satisfied, therefore, that Mr Meehan did not give an inadmissible opinion under s.76 of the Evidence Act 1995 (Cth). Whilst there is no definition of ‘opinion’ in the Evidence Act (supra), the cases cited below indicate a broad acceptance of the common law definition often attributed to Wigmore i.e. an inference from observed and communicable data. Before evidence constitutes an opinion, therefore, there must be some inference drawn. When Mr Meehan’s evidence is closely examined, he draws no inference. Mr Meehan’s evidence is, in this regard, no different to the evidence of a Mr Conn who, in effect, described “the workings of a complex piece of equipment, namely a computer” in Hodgson v Amcor Ltd; Amcor Ltd v Barnes (No 3) [2011] VSC 272. Mr Meehan gave factual evidence about how the business records of the Respondent operated relevant to the facts of this case. It was not, therefore, evidence which “…may be described as evidence of a conclusion, usually judgmental or debatable, reasoned from facts”; Giles J in R W Miller & Co Pty Ltd v Krupp (Australia) Pty Ltd (1991) 34 NSWLR 129 at 130. Mr Meehan’s evidence is analogous to the evidence of Mr Melick in Bank of Valletta plc v National Crime Authority (1999) 90 FCR 565; [1999] FCA 1099. Mr Melick was at all material times the person in charge of an investigation conducted by the National Crime Authority. When he stated that the information then available to the Authority did not identify any particular suspect person in relation to any offence, the Full Court of the Federal Court (Wilcox, Whitlam and Lehane JJ) agreed with the trial Judge, Hely J, that this was a statement of fact. See also: Hodgson v Amcor Ltd; Amcor Ltd v Barnes (No 3) [2011] VSC 272 (2 June 2011) at [38] – [50]; Cargill Australia Ltd v Viterra Malt Pty Ltd (No 20) [2019] VSC 44 (11 February 2019) at [16] – [17]; Director of Public Prosecutions (DPP) (Vic) v Iliopoulos (No 2) [2016] VSC 47 (15 February 2016) at [52] – [56]; and Yara Pilbara Fertilisers Pty Ltd v Oswal [2016] VSC 440 (3 August 2016) at [80] – [129] and [133] – [146]. The Court is nonetheless very much alive to the issue of the reliability of Mr Meehan’s evidence but, as will be seen, not only was his evidence tested in cross-examination, but the Applicant led her own expert evidence.

4. No doubt in response to the evidence of Mr Meehan, the Applicant did call expert evidence.  Mr Daniel Hains affirmed an Affidavit on 9 April 2020.  He is a Chartered Accountant with specialities in computer forensics and financial investigations.  It is apparent from his report, annexed to his Affidavit, that he was instructed on behalf of the Applicant to undertake a review of Mr Meehan’s Affidavit.  As Mr Hains indicates at 1.2 of his report he has: 

   …considered whether the conclusions reached by Mr Meehan in his affidavit in relation to the matters which form the basis of this action (i.e. allegations that the Applicant remotely accessed certain NAB systems and sent information to her personal webmail accounts) are reasonable and supportable.

   Thus, for all practical purposes, Mr Hains had access to the same business records which Mr Meehan had access to. 

5. At paragraph 2.7 of Mr Hains’ report, at page 6 of the same, he states: 

   Conclusion by Meehan regarding Remote Access by Alam

   1d. Your comments on paragraph 40 of the Affidavit of Paul Meehan, “Based on my review of the Alam RSA Log and Alam Proxy Log, I believe that Ms Alam successfully entered her Token, pin and NAB user name and password and successfully logged on NAB’s systems remotely from 1.49 pm to 3.20 pm on 12 January 2019.”? 

   As paragraph 40 of Mr Meehan’s Affidavit had been struck out as clearly being an inadmissible opinion, the only basis for the Court being appraised of Mr Meehan’s albeit otherwise inadmissible conclusion was the report of Mr Hains.

6. It is necessary to consider the evidence given by Messrs Meehan and Hains, including their cross-examination, and then to form some conclusions about this evidence, informed by the other evidence in this case.

7. Mr Meehan’s evidence explains to the Court that as the Respondent held a licence for a product called “Symantec Enterprise Vault Discovery Accelerator”, the Respondent has a database that stores a copy of every email sent to or from a NAB employee email address.  He described this database as a journal, which includes an identical copy of every email sent or received by a NAB email account, even if deleted from the user’s inbox or outbox.  This explains, for example, why the Respondent had access to the emails comprised in exhibit R2.

8. Mr Meehan gave evidence explaining how the employees of NAB are able to access resources outside of the workplace.  Thus, there are three options available to employees: 

   (i)     Using a NAB device with a remote access token; 

   (ii)    Using a personal device with a remote access token; and 

   (iii)   Using a NAB device without a remote access token.

9. Pausing here, it is to be remembered that the Applicant’s evidence was to the effect that she did not have remote access.  Her evidence was that on the date of the data breach email, she only had with her a personal telephone.  Whilst it is not entirely clear, the Court will assume that the Applicant’s case is that she did not have a remote access token.

1. Mr Meehan explains that a remote access token is a two-factor authentication technology which acts, in general terms, as a second password that is generated after an employee logs in using their user name and password.  Mr Meehan also explained that the token can be generated by an NAB employee using the “RSA” application on an employee’s personal, or NAB, mobile phone or using a physical RSA generator, which is typically a keyring which automatically generates a new token at various intervals of time. 

2. Pausing here, it is to be noted that the Applicant’s case was that she did not send the data breach email on 12 January 2019 and that she could not have done so because she was on a family outing to the Blue Mountains.  By reference to Mr Meehan’s general factual evidence, however, even if the Applicant’s contention that she did not have her NAB mobile phone with her is correct, from the Court’s perspective at least in theory, even with her personal mobile phone, she could have sent emails and accessed documents if she had some form of RSA application. 

3. Mr Meehan acknowledged that even an employee entering the correct user name, password and token on a personal device would not necessarily have access to all internal NAB resources. 

4. Mr Meehan deposes to the system that the Respondent uses in relation to RSA authentication requests (the “RSA log”), as well as what he described as the proxy log, that is records of internet traffic (e.g. website browsing etcetera) of employees. 

5. The most relevant evidence, for present purposes, is found at paragraphs 32 and 33 of Mr Meehan’s Affidavit, under the heading:  “RSA Log and Proxy Log of Ms Alam on 12 January 2019”.  Paragraph 32 states: 

   In February 2020, upon request from Annabelle Paxton-Hall of King & Wood Mallesons, I retrieved an extract of the RSA and Proxy Logs associated to Ms Alam’s account for the 12 January 2019.  These documents are referred to as the Alam RSA Log and the Alam Proxy Log.  Annexed and marked “PM-03” is a true copy of the Alam RSA Log and annexed and marked “PM-04” is a true copy of the Alam Proxy Log.  

6. Paragraph 33, excluding the sentences struck out, states as follows:  “The Alam RSA Log and Alam Proxy Log are produced in a form that is difficult to interpret for a layperson without experience in the subject matters.”

7. The Alam RSA log and the Alam proxy log are both annexed to Mr Meehan’s Affidavit.  The Court agrees that the form of these documents makes it not just difficult, but indeed impossible for a layperson to interpret.

8. The report of Mr Hains, attached to his Affidavit, consistent with his instructions, assesses what he describes as the conclusions reached by Mr Meehan.  The Court notes that just because Mr Hains describes Mr Meehan’s evidence as conclusions, it does not change the Court’s view that it was evidence of facts observed.

9. Mr Hains was asked to consider the Affidavit of Mr Meehan by reference to the possibility that someone else had access on Saturday 12 January 2019 to the Applicant’s login and password and a NAB device at a workplace of NAB, or through remote access or any other possibility. 

10. Pausing here, that was the consistent hypothesis advanced in the Applicant’s case:  not only did the Applicant not send the email in question, but it was possible for others to have done so. 

11. What Mr Hains concludes is that, in his professional opinion, it is only correct to state that electronic records exist of a person with the Applicant’s credentials remotely accessing NAB resources.  He then lists at 2.2 of his report the following additional details which would be required to show non-repudiation of only one individual having access to the Applicant’s login credentials and/or remote access permissions:

    [2.2] The description in Mr Meehan's affidavit concerning "Access to NAB resources outside of the workplace by Ms Sumyya Alam" is incomplete. Based on the information provided, in my opinion, it is only correct to state that electronic records exist of a person with the Applicant's credentials remotely accessing NAB resources. The following additional details would be required to show non-repudiation of only one individual having access to the Applicants login credentials and / or remote access permissions:

    [2.2.1] The source IP address, that is, the electronic record where the remote access originated from, and also that record also connected to a physical location;

    [2.2.2] Physical address (MAC) of the computer, that is, the fixed identity of the device where the traffic originated from and comparison to previous remote access, or, whether this matched a NAB corporate device assigned to an NAB user;

    [2.2.3] An inventory of how many RSA tokens (hardware and software) were assigned to the Applicant's NAB account;

    [2.2.4] A detailed examination of the processes by which the 2-Factor-Authentication system (RSA) personal identification number was delivered to the Applicant to ensure that no-one else had access;

    [2.2.5] A detailed investigation and confirmation that local password hashes are securely stored or, at a minimum, not stored on any computer where another person so motivated could obtain, even without authority, or otherwise 'crack' Ms Alam's password and gain unauthorised access to her account.

    Remote Access / RSA Log files

    [1b.] What interpretations of the Alam RSA Log annexed as PM-03 and page 208 to the Affidavit of Paul Meehan are available including whether or not there can be excluded the one internal workplace alternative possibility, or any other possibility identified by you? (extracted from my instructions per Annexure 1)

12. Again pausing here, the Court makes two observations.  Firstly, even the Applicant’s own expert seems to acknowledge that the business records of the Respondent indicate that a person with the Applicant’s credentials remotely accessed a NAB resource on the date, and at about the time of the data breach email.  If this were the only evidence in this case connecting the Applicant to the data breach email, it clearly would not suffice.  Of course, in this case the Court has much other evidence that casts doubts on the Applicant’s denials that she sent the data breach email.  Secondly, it is clear from the entirety of the evidence that there is not before the Court the additional details referred to by Mr Hains which would show what he described as the non-repudiation of only one individual having access to the Applicant’s login credentials and/or remote access permissions.

13. Mr Hains’ response to Mr Meehan’s evidence about the RSA log is that it shows the name of the Applicant, but not any other supporting details for remote access assigned and used by the Applicant.  In relation to the Alam proxy log, Mr Hains’ evidence was that he was not able to interpret or extract information from the proxy log which would enable him to describe the source IT where the traffic originated from nor how those records conclusively refer back to the Applicant’s account. 

14. Finally, in relation to Mr Meehan’s conclusion that the Applicant successfully entered her token, PIN and NAB user name and password, and successfully logged on the Respondent’s systems remotely at specified times on 12 January 2019, Mr Hains’ conclusion was that he would not have made the same definitive conclusion.  His main concern was that the evidence did not establish that the Applicant was the only person with access to the relevant login credentials, and thus the information provided does not exclude the possibility that another user had access to the Applicant’s account.  It is important to note that here Mr Hains is responding to evidence of Mr Meehan that had been struck out as being an inadmissible opinion.

15. Finally, Mr Hains, at 2.8.3, sets out his understanding that Mr Meehan’s Affidavit sets out the electronic records of the successful access to the NAB systems, without being able to identify who actually caused that login to be made. 

16. Mr Meehan was cross-examined by Counsel for the Respondent.  Before that, however, the Court granted leave for Counsel for the Applicant to lead further evidence by way of examination-in-chief from Mr Hains.  Mr Hains was asked to assume that the Respondent maintained that an email was sent at 2:39pm on 12 January 2019.  Mr Hains was able to identify from the proxy log email activity at about that time.  Specifically, he was able to identify bytes in, and bytes out.  By virtue of this he was able to calculate the approximate size of the email attachment sent at 2:39pm.  His conclusion was, in effect, that the activity recorded in the proxy log at that time was actually very small compared to the size of the document allegedly sent by the Applicant.  Indeed, in the transcript of the evidence of Mr Hains on 22 April 2020, page 4 lines 20-34 the following evidence is recorded:

    Mr Docking:    And your study, training and experience, looking at the information provided in this soft copy of PMO4, what, if anything, does that mean about the email allegedly sent at that time?

    Mr Hains: Well, it’s not represented by the data contained in PMO4, your Honour, because I’m not able to locate around that time any sort of traffic that would – I would associate with an email of that size.  And I also note that almost every entry, your Honour, in PMO4, simply mentions general browsing.  It doesn’t mention at all an email artefact that I would associate with a server sending or receiving an email, or files being cached or uploaded.  Your Honour, by that I mean a reference to a file being uploaded for the purposes of sending an email.  It’s not represented within this log file, your Honour.

    Mr Docking:    And looking by way of searching in the rows in the soft copy of PMO4, could you find any references that purports an email being sent by Ms Alam?

    Mr Hains:I haven’t, no. 

17. In short, the evidence of Mr Hains in chief was that the proxy log at the relevant time indicated general browsing and not an email that he would associate with the server sending or receiving an email, or files being cached or uploaded.  He confirmed that the log indicated a login event, or a session being commenced, a server being connected and:  “after that, every other entry seems to indicate that it’s just general browsing, which I take to be a user doing general internet browsing…”.  (Transcript 22 April 2020, page 5, lines 2-4). 

18. When clarification was sought as to the nature of the browsing Mr Hains responded:-

    I’ve found references to a website or, at least, a host that said it’s denoted as MLC.com.au.  There are, also, I beg your pardon, your Honour, I’m just referring to my notes – I wasn’t – so again, MLC.com.au, your Honour, safebrowsing.google.com, api.morningstar.com, gstatic.com and some references to LinkedIn and Facebook…those are the only sites I have been able to identify.

19. Pausing here, the Court makes a number of observations about the evidence of Mr Hains so far.  His evidence is that the proxy log evidences internet use at the relevant time that included websites such as MLC.com.au and api.morningstar.com, as well as LinkedIn and Facebook.  Both the MLC and Morningstar websites are referred to in the Applicant’s evidence, and specifically in the emails comprising exhibit R2.  The impression created is that these are websites the Applicant used in the course of her work.  The Applicant herself also refers to using her LinkedIn and Facebook sites in her evidence.  The Applicant’s alternative hypothesis was, consistently in this case, that someone else accessed her email to send the data breach email.  Presumably, her hypothesis extends to someone else accessing her email and internet and using two websites that the Applicant herself used in the course of her work, and her LinkedIn and Facebook.  Why would someone else do that?  Why would someone else hack into the Applicant’s NAB email account to view her Facebook and LinkedIn and to access sites that she uses in the course of her work?  The plausibility of the Applicant’s alternative hypothesis becomes increasingly questionable. 

20. Nonetheless, Mr Hains maintained that on the evidence before him he still would not have concluded that the activity in question was connected with the Applicant.

21. Mr Hains was cross-examined by Counsel for the Respondent.

22. Mr Hains confirmed that multi-factor authentication is designed to try and ensure that there are, in effect, multiple hurdles before someone can access a particular computer system.  He agreed that the more factors which exist, the more difficult it is for someone to enter the internet or enter that particular computer system without having all the relevant authentication factors.  Mr Hains understood that the Respondent used a two-factor authentication, the first being a username and password, and the second being an RSA token, which could be obtained through a mobile phone having a program which sends an RSA token.  Mr Hains concluded that without the username, password, and the RSA token, a person would not be able to gain access to the system, provided that system was secure.  Mr Hains accepted that he had not seen any evidence to suggest that the system was not secure, other than the Applicant’s denials about her participation in the data breach email.

23. At page 8 of the transcript, line 34 to page 9, line 18, the following exchanges occur:

Mr Seck	And so I want you to assume that there’s no evidence to suggest that the username or password of Ms Alam, who’s the Applicant in these proceedings, has not been securely kept, okay?  And I want you to also assume that Ms Alam has not disclosed the username and password to any other person and that she, at the time of the email being sent at 2:39pm or thereabouts on 12th of January 2019, was also in possession of a mobile phone with the RSA program on it.  Now, based on those assumptions, Mr Hains, would you agree that it is more than likely the only person who could have accessed the system is Ms Alam?
Mr Hains	Am I to assume that she was using an NAB device or a personal device?
Mr Seck	I don’t know, sorry.  NAB mobile phone and an NAB computer.
Mr Hains	And to assume that the passwords are secure and that the RSA token process was also secure.
Mr Seck	Correct.
Mr Hains	Okay.  So if I’m to assume those things, could you just repeat the question.
Mr Seck	That the person who’s most likely to have sent the email on 12th of January 2019 at 2:39pm is Ms Alam?
Mr Hains	But I would also have to assume, would I not, that PMO3 – I beg your pardon, PMO4 represents the session in which the email was sent.  Or am I not to assume that.
Mr Seck	Not going to assume that at the moment.  Do you agree?
Mr Hains	Okay, so am I also to assume that no one in the NAB office could access one of the Applicant’s computers where her emails were accessible?
Mr Seck	Yes.  Just assume they’re secure.
Mr Hains	Then yes, it would be difficult.
Judge Altobelli	I’m sorry, what would be difficult?
Mr Hains	For a person who did not have those credentials, your Honour, to have sent the email.

1. Given the assumptions put to him, Mr Hains conceded, in effect, that the Applicant was the most likely person to have sent the email on 12 January 2019 at 2:39pm.  It is important to examine the assumptions that were asked. 

2. The first assumption was that there was no evidence to suggest that the username or password of the Applicant had not been kept securely.  This is a safe assumption, from the Court’s perspective.  The Applicant herself gave evidence that she kept her username and password secure.  As will be seen, the delegation that she was required to give to the senior financial planners for whom she worked to access her email did not necessarily empower them to send emails from her account, and even in the Applicant’s case, it was not asserted that she had to disclose her username or password to the senior financial planners for whom she worked. 

3. The second assumption is also a safe one, based on the Applicant’s own evidence. 

4. The third assumption was that at the relevant time the Applicant was in possession of a mobile phone with the RSA program on it.  There is no contest that the Applicant had a mobile phone at the relevant time, but she firmly denies that she sent the data breach email.  The Court does not recall the Applicant asserting that she did not have an RSA program on her personal mobile or denying that she did have an RSA program on her personal mobile.  The Court, of course, does not have to accept this evidence, whether it is expressed or implied.  There are, in fact, two possibilities:  that the mobile phone that she had on the day and time in question did have an RSA program on it:  or alternatively, that, in fact, she had the NAB-issued mobile phone which already had the RSA on it.  It is likely that one of these scenarios is true. The Court’s findings in this regard are made having regard to the totality of the evidence, and not just by reference to the Applicant’s assertion on this issue, expressed or implied.

5. The cross-examination of Mr Hains continued.  The focus turned to the proxy log which Mr Hains acknowledged was a record of internet traffic, for example, website browsing.  Mr Hains acknowledged, however, that when one sends an email one is not necessarily browsing the internet.  Mr Hains’ view was that the proxy log indicated sending emails as well as browsing.  Indeed, he accepted the proposition that an email could be sent through an email client system, without going through an internet browser.  Mr Hains accepted that it was possible, therefore, that such an email were excluded from the proxy log.  Specifically, Mr Hains had to accept that in Mr Meehan’s report, where he describes the proxy log as a record of internet traffic, and where Mr Meehan asserts that the Applicant was browsing the internet from about 1:48pm to 3:20pm on 12 January 2019 it was possible that he was referring there to browsing the internet which is different from sending emails.  Once again, it is clear from this evidence that the proxy log did not necessarily record the data breach email but was recording internet traffic such as web browsing.

6. Finally, Mr Hains acknowledged in cross-examination that if an email purports to have been sent to the Applicant’s Gmail and Hotmail accounts one would have expected it to be received at those two email addresses if they were correct email addresses. 

7. Counsel for the Applicant re-examined Mr Hains.  Specifically, and over the objection of Counsel for the Respondent, re-examination was allowed on the topic of the Applicant’s evidence that she was required to make the two senior financial planners with whom she worked delegates with access to her email account.  Mr Hains was asked to consider the implications of this delegation.  His answer is found at page 13 of the transcript, lines 31 – 34:

   Well, it would seem to be that if the username and password is known – if those credentials, your Honour, are known to others, then the devices that are within the National Australia Bank network might not be secure in terms of the Applicant’s account.

8. When leave was granted to Counsel for the Respondent to further cross-examine Mr Hains on the evidence lead in re-examination referred to above, Mr Hains readily conceded a number of matters.  Firstly, from the Court’s perspective that the evidence did not indicate that the Applicant disclosed her username or password as part of the delegation in relation to her email account.  Secondly, the nature and the effect of the particular delegation depended on the particular system.  Thirdly, delegating someone to access another’s emails does not necessarily mean that they have been delegated the power to send emails on that person’s behalf.

9. Pausing here, the Court comfortably concludes that the evidence in its totality does not support the Applicant’s contention, express or implied, that because she had been instructed to make two senior financial planners delegates with access to her email account that it necessarily thus gave them the capacity to send an email from the Applicant’s work account. 

1. Mr Meehan, the Respondent’s witness, was also cross-examined.  In chief, however, Counsel for the Respondent in effect sought to put to Mr Meehan something that Mr Hains had said in his evidence.  Specifically, the question was: “Can you tell the Court whether or not the reference to the proxy log which is kept by NAB records email traffic?” His answer was: “No.  It’s only web traffic.”

2. The significance of this evidence means that the absence of any reference to large emails in the proxy log does not mean that the email was not sent. It is important to record, however, Counsel for the Applicant’s strident objection to the question which was on the basis that Mr Meehan was being asked to give an opinion for the purposes of the Evidence Act which he was not entitled to give. The basis of the objection was, presumably, that Mr Meehan was not an expert. The Court allowed the question and, thus, the answer. Mr Meehan was explaining how the NAB proxy log worked. He was not being asked to draw any inference from that. For reasons already stated, the Court finds that Mr Meehan was not articulating an inadmissible opinion. He was stating matters of fact within his knowledge without drawing any inference.

3. Even if the Court was wrong in allowing the question and, thus, the answer and even if Mr Meehan were found to have expressed an inadmissible opinion, the fact remains that Mr Hains’ own evidence allows the Court to reach the same conclusion – that is, that the absence of any reference to a large email such as the data breach email in the proxy log does not mean that the email was not sent.

4. Mr Meehan was cross-examined by Counsel for the Applicant.  Mr Meehan confirmed that in conducting his investigation he relied on information that was provided to him by Telstra, namely, the RSA logs.  He could not produce that email.  This was the evidence that Counsel for the Applicant needed to, in his opinion, sustain his objection about the inadmissibility of Mr Meehan’s evidence because of what he described as lack of continuity.  Counsel’s detailed submission in this regard is found at 21.6 of his written closing outline dated 11 June 2020:

   There is a lack of continuity and chain of custody for any data produced by Meehan and some of which is referred to also in the Maini 6 March 2020 trial affidavit at [17] SM-04 (not admitted as to truth and allowed conditionally) and [18] SM-05. See Kyluk Pty Ltd v Chief Executive Office of Environment and Heritage (2013) 298 ALR 532; [2013] NSWCCA 114 at [55] - [57], [60] - [69], [136] - [139], [140] - [148], [150] - [179] and, in the context of reviewing the removal of a police officer, Harrison v Commissioner of Police [2006] NSWIRComm 319 at [44] - [47] (Backman J), citing Young v The Commissioner for Railways [1962] SR (NSW) 647 and Commissioner for Railways (N.S.W.) v Young (1962) 106 CLR 535). The cross-examination of Meehan at T47.21 - 48.7 about PM-01 establishes that: Meehan did not produce a copy of the Dave Carroll Telstra email re the RSA logs and that the RSA logs are something from Telstra mean that no evidence is admissible in relation to those logs and judicial economy means that no evidence should be let in or taken into account concerning the RSA logs, i.e., a log that shows RSA authentication requests that have been made including a timestamp.

5. There are two difficulties with Counsel’s submissions.  Firstly, the fact remains that his client’s expert, Mr Hains, provided evidence about the proxy log which is sufficient for the Court to found its conclusion described above.  Secondly, Kyluk Pty Ltd v Chief Executive, Office of Environment and Heritage (2013) 298 ALR 532 (‘Kyluk’) deals with expert evidence. The evidence of Mr Meehan was not expert evidence. In any event, on the facts of this case any failure by Mr Meehan to produce the email from Telstra setting out the information about the RSA logs does not necessarily mean that his evidence, howsoever characterised, lacks probative value for the purposes of section 135 of the Evidence Act 1995 (Cth).

6. When the totality of the evidence in this case is considered from all witnesses but especially that of the Applicant herself, it is difficult to discern any unfair prejudice to her.  In any event, Kyluk involved criminal proceedings whereas the present case is a civil proceedings.  In Kyluk, once the admission was found to be prejudicial, its exclusion was mandated.  That is not the case here even if the evidence were found to be prejudicial. 

7. Moreover, in the Court’s opinion, the decision of the New South Wales Industrial Relations Commission in Harrison v Commissioner of Police [2006] NSWIRComm 319 does not assist the Applicant. This Court is not bound by that decision. This Court does not necessarily share the same views about there being no difference between the relevance of continuity evidence tendered in either civil or criminal proceedings.

Would reinstatement, and the other remedies sought by the Applicant, been granted by the Court in any event?

1. In the event that the Court is mistaken in any way on the assessment of the facts or understanding of the law, it is important to explain why the Court would grant no remedy to the Applicant even if her adverse action claim succeeded.

2. The relief sought by the Applicant is clearly discretionary. The Court would not exercise its discretion in favour of the Applicant in circumstances where it believes that the evidence establishes that she did, in fact, perpetrate a data breach. This is a case where the decision-maker made their decision to terminate on an entirely correct basis.

3. The fact that an email or emails was/were sent from the Applicant’s work email account to her personal email account is not a fact in issue. That this is confidential information of the Respondent is also not in issue. For present purposes, this event or events will be described as the data breach.

4. The Applicant’s case is that she did not send the email or emails.  In her Affidavit affirmed 19 December 2019, she deals with this issue commencing from paragraph 97.  The Applicant acknowledges that on 17 January 2019 Ms Gorbunova alleged that the Applicant had on 12 January sent an email from her Outlook work email account to her personal email account.  The Applicant denied that she did this. She explained that 12 January was a Saturday, that the workplace was closed and that she had spent the whole day with family and thus it was not possible for her to have sent the email.

5. The Applicant further asserts that Ms Gorbunova’s account of the discussions with her are incorrect.  She specifically denies saying that the alleged email might have been sent by mistake, or at all.  The Applicant construed the allegation as a form of bullying against her and retaliation for making complaints and enquiries in relation to her employment.  The Applicant insists that after being requested to do a thorough check of her emails, she found no such alleged email that was sent or received through her email accounts, work or personal.

6. The Applicant was clearly aware of the nature of the allegation made against her, and acknowledged having seen a copy of the email in question to which appear to have been attached a number of documents.  The Applicant attached to her Affidavit copies of entries from her Hotmail inbox, junk email and deleted the emails for 12 January 2019 in order to demonstrate that she did not receive the email alleged by the Respondent.  Moreover, she also attached copies of entries from her Gmail inbox, spam and trash for 12 January 2019 that likewise showed that she did not receive the email as alleged by the Respondent.

7. She insisted that it was not possible for her to have sent the alleged email because on the Saturday in question, she was not at work, and in fact was on a trip to the Blue Mountains with her family, and did not have access to a computer.  The Applicant also deposed in this Affidavit that her personal email addresses were available on LinkedIn and were also available to the Respondent at all relevant times.  Moreover, the Applicant deposed that her email was accessible to IT as well as management and employee relations.  In addition her two senior financial planners had instructed her to make them delegates with access to her Outlook email account.

8. The Applicant became aware of the documents allegedly attached to the 12 January 2019 email after her employment was terminated on 30 January.  She deposed that it was impossible for her to access these documents and attach them to any email because she was not provided with access to the documents which were found on the Respondent’s systems and databases, and she did not have access to those systems.  Moreover, the Applicant deposed that even though she had asked to be given remote access to her computer, she was not provided with functional remote access and the level of access that was given to her did not enable her to access her work email account or any of the Respondents systems on its server.

9. The cross-examination of the Applicant focused on how she came into possession of a significant quantity of internal emails between herself and other employees of the Respondent.  These emails were annexed to her Affidavits.

10. The Applicant acknowledged in cross-examination that she was aware of both the provisions of her contract of employment, and of various policies that required her to return to her employer any company property at the time she left employment.  She was aware that company property included emails.  Her evidence in cross-examination was that she did not have any such property with her at the time she left, and she did not have any emails which she had created whilst employed by the Respondent.  When it was suggested to her in cross-examination that, in fact, she kept emails after leaving her employment with the Respondent she denied this.  Counsel sought confirmation from the Applicant that she held no emails which she had created or received whilst with the Respondent, at the time she left the Respondent.  There was a distinct pause before the Applicant responded.  She indicated that she did have emails relating to the complaints she had made to her manager.  She explained that she kept those emails in hard copies, but denied taking the printed versions with her.  Indeed, she maintained that after printing out the emails she left them at work.  Counsel suggested that in fact the Applicant had sent to herself copies of these emails, and the Applicant denied this.

11. The Court observes at this juncture that the Applicant gave inconsistent evidence in relation to emails retained after she left employment with the Respondent, as well as giving implausible evidence that she printed out emails relating to complaints, but did not take them with her.

12. When Counsel returned to the issue of the complaint emails which the Applicant had shortly before told the Court that she had not taken with her, but had printed out, she then added that she had read those emails and shredded them.

13. The difficulty with the Applicant’s evidence increasingly emerged as Counsel took her to documents attached to her Affidavit that could only have come from the Applicant.  The Applicant was taken to document after document attached to her Affidavit, purportedly in support of her case, the origin of which could not be satisfactorily explained except by reference to the Applicant both having printed out the documents and taken them with her, or the Applicant having emailed them to herself. 

14. The Applicant originally sought to explain her possession of the documents by reference to the anti-bullying application that she made, but even that did not explain how she came to be in possession of the documents.  Time and time again, when given the opportunity to explain how she came into possession of documents that clearly were property of the Respondent, she explained that she could not recall.  The emails in question were attached to her Affidavit of 10 July 2019 in support of her Interlocutory Application.  The emails may well have formed part of the Applicant’s anti-bullying application to the Fair Work Commission.  Nonetheless, she consistently stated in cross-examination that she did not recall how these documents came into her possession.

15. The Court observes that even before it was contended to the Applicant that she had emailed the documents to herself, at her private email addresses, the Applicant’s denials were unconvincing and implausible.

16. The Applicant was taken to her Affidavit of 10 April 2020 where, at paragraphs 20 and 21, she replies to evidence given by one of the Respondent’s witnesses, Ms Maini and in particular to paragraph 16.  Paragraph 16 of Ms Maini Affidavit of 6 March 2020 was in fact ruled inadmissible.  That did not, of course, preclude cross-examination on the Applicant’s contention at paragraph 20 that she had not been provided with a copy of any of what is alleged to be the 45 emails that she, the Applicant, had sent from her work email account to her private Hotmail or Gmail account.  Moreover, at paragraph 21 the Applicant specifically deposed, once again, that she did not send any email from her work email account to her personal email accounts.

17. Counsel suggested to the Applicant that if she had sent emails from her work to her personal accounts, it was something that she would recall.  The Applicant responded to the effect: “Not necessarily.”  Counsel reminded the Applicant that she had previously given evidence that she was aware of her employer’s policies and procedures about confidential information, and understood that she had to return to the bank what was bank property.  Counsel again suggested to the Applicant that surely she would recall if she did anything to breach the obligation she had to her employer by sending work emails to her personal account.  The Applicant agreed.  She maintained, however, that she did not recall sending such emails to her personal accounts.

18. At paragraph 20 of her Affidavit made 10 April 2020 the Applicant expressed concern that she had not been given an opportunity to adequately respond to the assertion about emails sent to her private accounts.  At paragraph 21 she deposes that without obtaining a copy of all the alleged emails, it nonetheless appeared to her that she did not send any of the alleged emails.  Counsel reminded the Applicant that she would not need to look at the emails because, according to the Applicant, she would recall their existence anyway as it was contrary to policy.  In response, the Applicant maintained that she did not do what was alleged.

19. A series of emails were put to the Applicant which subsequently became part of the bundle known as exhibit R2.  This bundle is voluminous.  It includes many emails from the Applicant’s work email address, to her own private email accounts.  Chronologically, the first email falling into this category is dated 1 November 2018, and the last email 16 January 2019.  Within this bundle is the email dated Saturday, 12 January 2019 at 1:39pm which was the data breach email that the Respondent asserts was the basis of the Applicant’s termination.  Many of the emails in question attach documents including other emails.  Many of the emails in question are almost identical (except for minor differences that were satisfactorily explained in cross-examination or in submissions) to documents attached to the Applicant’s Affidavit and relied on in her case.

20. The minor differences referred to above consisted mainly of differences in colours, flags, whether an email address was abbreviated or not and differences of style attributed to whether the email account was the Respondent’s, or the Applicant’s Hotmail or Gmail account.  The differences in the time stamps on the documents are, the Court is satisfied, attributable to daylight saving, and the passing of time before an email was printed.

21. In cross-examination, the Applicant consistently denied the proposition that she had sent the documents attached to her Affidavit by emails to herself.  The Applicant would not retract or explain the answer to an earlier question in cross-examination where she had said that she did not recall where she obtained the emails from.  The Applicant maintained that she still could not explain where she obtained the emails attached to her own evidence.  The Applicant denied that the emails attached to her Affidavit were printed either from her Gmail or Hotmail account, and this explains their appearance.

22. The Applicant’s denials and purported lack of knowledge are implausible.  The emails in question are her documents in the sense that she created many of them, was a party to the correspondence, and was relying on them in her case.  Her complaint that it was somehow unfair to her to be confronted with copies of the actual emails that she sent to herself from her work to personal accounts is disingenuous.

23. The Court finds that it is more likely than not that the Applicant in fact sent the documents attached to her Affidavit and relied on in her case from her work email address to one of her personal email accounts.  The Court finds that the documents in question were all forwarded by the Applicant to herself, from her work email account, to one of her personal email accounts.  This included bundle numbered 12 in exhibit R2 being the data breach email of Saturday, 12 January 2019 at 1:39pm.

24. The Applicant obfuscated in cross-examination about this issue.  This casts a shadow of doubt over other aspects of the Applicant’s evidence, and in particular relating to the data breach email.

25. On 17 January 2019 the Applicant’s immediate supervisor, Ms Gorbunova, met with the Applicant to discuss the data breach notification that was generated as a result of the data breach email.  In cross-examination the Applicant asserted that she had not been asked for an explanation in relation to the email, but she had been asked if she had sent the same.  Counsel suggested to the Applicant that she told Ms Gorbunova that she did not recall sending it.  The Applicant denied this.

26. The evidence of Ms Gorbunova in relation to this is found at paragraph 33 of her Affidavit of 6 March 2020.  That paragraph states:

    Towards the end of the meeting, I asked Ms Alam about the Data Breach. She responded by saying words to the effect of “umm I don ’t recall doing that, but maybe I sent it by mistake She explained that this may have occurred because she may have accidentally auto populated her personal email address. I asked her to go home and check whether she sent or received the email and if she did, to delete the Data Breach email. I asked her to come back to me as soon as possible, noting that I was required to respond to the Data Protection Alerts within 3 business days.

27. Counsel for the Applicant cross-examined Ms Gorbunova about this evidence.  At its highest, this cross-examination suggested that what, in fact, the Applicant had told her on 17 January 2019 was “you must have been mistaken”.  The witness firmly rejected that.  The Court accepts the evidence of Ms Gorbunova in relation to the meeting that occurred on 17 January 2019. It is more likely than not, the Court finds, that the Applicant did in fact tell Ms Gorbunova that she (the Applicant) did not recall sending the email, but that it was perhaps sent by way of mistake.

28. When Counsel formally put to the Applicant that she had, in fact, sent the data breach email on 12 January 2019, the Applicant denied the same.  The Court has grave reservations in relation to the Applicant’s evidence in this regard.  Exhibit R2, the bundle of emails from the Applicant’s work account to her personal accounts, establish a clear pattern of the Applicant sending emails which included documents from her work account to her personal account.  There is a similarity in the visual presentation of the emails in question.  Thus, for example, the Applicant’s email dated 1 November 2018 sent from her work account to her Hotmail account, and annexing a range of work-related documents, is very similar to emails including 25 November 2018, 1 December 2018, 10 December 2018, 4 January 2019, 7 January 2019, 12 January 2019 and 17 January 2019.  The inability of, or perhaps the refusal by, the Applicant to provide any explanation as to how these documents either came into her possession, or was sent by her to herself, is disconcerting.  Of all the dramatis personae in this case, she would know, but offers no explanation.  There is a strong inference that she sent these documents, and that the documents included the data breach email of 12 January 2019.

1. The Court acknowledges that Counsel for the Applicant made a strong objection to the admissibility of what become exhibit R2 based on the Respondent’s alleged non-compliance with s.97 of the Evidence Act1995 (Cth) (‘the Evidence Act’) or to seek dispensation under s.100 of the said Act. Indeed Counsel for the Respondent quite properly conceded that there was non-compliance with the notice requirements enshrined in s.97. The Court received the evidence, however, on the following basis. Whilst the Respondent’s Counsel did not specifically refer to s.100 of the Evidence Act it was plainly implicit that he was relying on the provision which enables the Court to dispense with the notice requirements of s.97 of the Evidence Act as it applies to the documents constituting exhibit R2 because:

   a)The documents have significant probative value and are otherwise admissible; and

   b)Given that the documents are the Applicant’s own documents, there is no discernible prejudice to her.

2. Indeed the Court is concerned that if the Respondent had given the Applicant prior notice of how the documents were going to be used in cross-examination, there was a possible risk of fabrication. In any event the Court is further of the view that:

   a)The evidence in question does not attract s.135 of the Evidence Act;

   b)There is no basis for not permitting the use of the evidence for the purposes of s.136 of the Evidence Act; and

   c)It would have been an abuse of power on the facts of this case to allow the Applicant’s objection to the use in cross-examination of the documents she had in her possession at all relevant times, and used in her case against the Respondent.

3. The Court is satisfied from the totality of the evidence that the Applicant in fact sent the data breach email. This finding is based on the preponderance of the evidence including:

   a)The overall implausibility of the Applicant’s denials as regards:

   i)how she came into possession of the emails comprised in exhibit R2; and

   ii)sending the data breach email;

   b)The technical evidence of both Mr Meehan and Mr Hains;

   c)More general concerns about the Applicant’s credit including a propensity to exaggerate in her evidence the concerns about her workplace rights;

   d)The Court’s unwillingness in the circumstances of this case to accept the Applicant’s evidence that she did not have some form of remote access to her work email on 12 January 2019; and

   e)The Court’s preference of the evidence of Ms Gorbunova over that of the Applicant insofar as it related to the data breach email.

Conclusion

1. The Court would not have ordered reinstatement even if the Applicant had been successful in establishing all the elements of her claim. The Respondent was justified in dismissing her. The Applicant is entitled to no remedy. There is no scope on these facts of imposing a pecuniary penalty. There is no basis for the Applicant to seek damages for breach of contract or otherwise. The Court would decline to grant specific performance, for the reasons articulated.

I certify that the preceding one hundred and seventy-four (174) paragraphs are a true copy of the reasons for judgment of Judge Altobelli

Associate: 

Date: 30 September 2020