A Department of Foreign Affairs porter who was one of two civil servants sacked in the wake of a data breach and the discovery of an unauthorised computer in the basement of the Passport Office in Dublin in 2022 has lost a challenge to his dismissal.
There had been “sustained” unauthorised access to the restricted passport database in 2022 after a civil servant with clearance to log into it gave out his login details so that he could be clocked in and out on the Civil Service flexi-time system, the Workplace Relations Commission was told last year.
That civil servant, a clerical officer, was found guilty of serious misconduct and got a final written warning and a transfer – but remained in the civil service without demotion, the tribunal was told.
The Workplace Relations Commission has rejected a complaint under the Unfair Dismissals Act 1977 by the porter, Declan Cosgrave, against the Department in a decision published today.
Mr Cosgrave was sacked in September 2023 from his job as deputy head service officer for the Department’s passport service offices on Mount Street, Dublin 2.
It was the end of 37 years’ service to the State after 16 years in the Department and 21 in the Army. He told the Commission at the hearing into his claim on 16 December last year that he had taken up a part-time job as a bus driver since his dismissal.
Mr Cosgrave denied under oath that he “deliberately or knowingly breached the secure access system” for the State’s Automated Passport System (APS) database, a restricted system which holds the names, addresses, dates of birth, next of kin, and PPS numbers for seven million passport applicants.
The State’s position is that the explanations Mr Cosgrave gave to account for the logins were “not credible” and that the porter “did access the APS over a sustained period” in a “flagrant breach” of the Department’s IT policies.
The department’s secretary-general called Mr Cosgrave’s actions “damaging to the State” – while his trade union said he had been the victim of a “hatchet job”.
Former DFA human resources director, Barry Mulligan, said: “What Declan Cosgrave did, and never admitted to, was to access the APS system using two other individuals’ login details, which infringed on the security of our passport systems.”
He said Mr Cosgrave’s computer account and that of another named civil servant, Mr X, was identified in the security probe as having been used to go to the home page of the database at times when a compromised set of credentials were used to access it.
Mr Mulligan’s evidence was that a third civil servant who was an authorised user of the database, Mr Y, had given his login details to Mr X in an arrangement to “change his flexi-time” – referring to the Civil Service clocking system.
The tribunal was told Mr Y kept his job, with a final written warning, a situation Mr Cosgrave’s representative, Fórsa deputy general secretary Éamon Donnelly, argued amounted to “entirely different treatment” for “the same type of offence”.
While Mr Mulligan had recommended termination, the board urged transfer or demotion, the tribunal heard. The final decision lay with the department’s secretary-general, Joseph Hackett, who said Mr Cosgrave’s case was the only time he ever overruled the recommendation of the board.
He said he was faced with “a person who, over a sustained time, exposed seven million citizens’ data in a way that is damaging to the State” and that he could not accept the appeal board’s recommendation to “move them sideways”.
“I felt strongly that an individual who we believed was responsible for such a serious breach… could not be entrusted to either of those roles. I couldn’t be confident I could explain that to a member of the public,” Mr Hackett said.
Mr Cosgrave said in his evidence that he never signed or saw a set of security policies referred to by the State prior to his dismissal.
Mr Donnelly asked him: “Did you ever deliberately or knowingly breach the secure access system in that office?”
“No, no I have not,” Mr Cosgrave said.
State solicitor Dylan West BL said there were 11 dates when the complainant had been “logged in at the desktop and [Mr Y’s] credentials were used to access” the database.
“They were, yeah, but it wasn’t me,” Mr Cosgrave said in response.
In a decision published today, WRC adjudicator Kara Turner found she was satisfied Mr Cosgrave was “afforded fair procedures at each of the stages of the investigation and disciplinary processes” and that the Department’s handling of the matter was “reasonable”.
She said there were “reasonable grounds” for the finding of serious misconduct against Mr Cosgrave and accepted the position that the prospect of a demotion or a transfer were “not reasonable or practicable” because of the trust and confidence concerns that had arisen.
Ms Turner noted that one of the workers investigated after the discovery of the computer was dismissed and the other had been given a final written warning – and concluded dismissing Mr Cosgrave was “within the range of reasonable responses of a reasonable employer”.
“My decision is that the complainant was fairly dismissed,” Ms Turner concluded.
The data breaches came to light following the 2022 discovery of a computer in the basement of Knockmount House, on Mount Street in Dublin which was “linked into the Department of Foreign Affairs network,” Mr Mulligan said in evidence to the WRC.
The computer was “unauthorised” and wasn’t meant to be there at all, he said.
After the computer was flagged as a potential security risk by the head of the passport service, the Department’s IT team established that a civil servant, Mr X, had access to the secret computer in the basement over the course of three months.
A “deeper investigation” put the spotlight on a desktop computer in the Passport Office’s CCTV room, Mr Mulligan said. He explained that the investigation established that the usernames of both Mr Cosgrave and Mr X were used to get to the database’s login page from that computer over the course of six months.
Then Mr Y’s credentials were used to access the database, Mr Mulligan said.
