Shiundlana v Ashley and Another (072432/2023) [2024] ZAGPJHC 1853 (27 August 2024)


REPUBLIC OF SOUTH AFRICA



IN THE HIGH COURT OF SOUTH AFRICA

GAUTENG DIVISION, JOHANNESBURG



Case Number: 072432/2023

Shape1

(1) REPORTABLE: NO

(2) OF INTEREST TO OTHER JUDGES: NO

(3) REVISED: YES



27 August 2024

DATE SIGNATURE




In the matter between:







In the matter between:



MAXWELL SHIUNDLANA Appellant


AND



THE DECISION MAKER, JOHN ASHLEY First Respondent


ABSA BANK LIMITED Second Respondent


This judgment was handed down electronically by circulation to the parties’ legal representatives by e-mail and released to SAFLII. The date and time for hand-down is deemed to be 10h00 on 27 August 2024.

Mini summary: Application for reviewing a decision for listing on the Register of Dishonest Employees System (“REDS”), which is a database administered by the Banking Association of South Africa (“BASA”) within the context of an employment contract.


Order application dismissed.



JUDGMENT

Mudau, J:



[1] This is an application to set aside a decision by the second respondent (Absa) to refer the applicant’s name for listing on the Register of Dishonest Employees System (“REDS”). REDS is a database administered by the Banking Association of South Africa (“BASA”), which contains details of employees of banks and other financial institutions that were dismissed for dishonesty-related offences. Although the notice of motion is framed as a review application, the applicant (“Shiundlana”) however, has not pleaded the legal basis for bringing a review application in his founding papers. In essence, the application is a challenge to the lawfulness of the exercise of Absa’s rights to RED list the applicant emanating from their employment relationship.


Background Facts


[2] The background facts are largely common cause. Mr Shiundlana was employed by Absa as of 1 May 2021, in the position of Specialist: IT Security Analysis, specialising in SailPoint IdentitylQ Development (“SailPoint”). In this capacity he reported to Ms Mpho Musida (“Musida”), a “DevOps Manager”. According to Absa, SailPoint refers to a suite of identity access management software that can be deployed on-premise, in the cloud, or in a data center. SailPoint is designed to securely manage user access to data, software, and applications that the client company regularly uses. It is an international company that provides IT and online security products to large corporate clients around the world. Absa uses SailPoint software and services and employs teams of developers to customize these products to suit its specific needs.



[3] As an IT Security Analyst Specialist, Mr Shiundlana’s role included onboarding applications; developing rules, custom objects and workflows that were business specific. As a result, he had access to what is described as “the internal workings of critical parts of Absa's coding environment, including details of users, passwords, and access to the source code of various applications and programs”. In essence, he would also conduct prescribed standard troubleshooting and coding tasks, which included testing for security weaknesses or debugging sensitive code



[4] REDS is an industry database established as a central point of reference of employees in the banking, finance and related industries who have been dismissed for dishonesty related offences or found guilty of dishonesty related offences after a post termination enquiry. Participating entities may use REDS as a reference for prospective employees to manage the risk of repetition behaviour. The REDS database, which all participating entities in South Africa subscribe to, and which is maintained by BASA on behalf of and in the interests of the financial sector and the broader public, is a legitimate means of assisting banks in their hiring processes and removing dishonest employees from the industry.



[5] In Muthusamy v Nedbank Ltd1 Tip AJ within the context of a Red Listing stated aptly as follows:



“Its role is to promote responsible, competitive and profitable banking and all its members subscribe to a Code of Banking Practice which inter alia aims to cultivate ethical practices within the industry. The RED system forms an important part of this program. In essence it comprises a centrally maintained database on which are recorded the names of all employees in the banking industry who have been dismissed for dishonesty-related offences. This database provides a screening resource for the use of participating banks in respect of prospective employees”.



[6] Against the above background and with specific reference to REDS, Clause 7 of Mr Shiundlana’s employment agreement provides as follows:



7. REGISTER OF EMPLOYEES'DISHONESTY SYSTEM (REDS)

7.1 You agree that by virtue of your employment, you are bound by the principles of the REDS system which applies to you both during and after termination of your employment. 7.2 Should your services with Absa be terminated for any reason related to dishonesty, your name and biographical details will be recorded on a central database, REDS, administered by the Banking Association of South Africa. If you were to resign from Absa to avoid facing a disciplinary process relating to a misconduct involving an element of dishonesty or if Absa, after termination of your employment, were to uncover serious misconduct by you involving an element of dishonesty committed whilst employed, Absa shall be entitled to convene a REDS enquiry. The purpose of the enquiry shall be to determine whether you should be listed on REDS and to afford you an opportunity to be heard before a decision is made.”

[7] Equally significant for current purposes are the REDS guidelines issued by BASA which provide as follows

1. Scope of application of the Industry Database using the REDScheck Framework and Procedures: Linking to the Industry Database on the REDScheck Framework may happen in the following instances:

1.1 Where an employee was found guilty of dishonest conduct and dismissed after disciplinary proceedings were followed or after a post termination inquiry.

1.2 Where an employee resigned or absconded after having been charged or notified of the allegation and before the disciplinary inquiry was held or completed and thereafter a decision to link is made at an Industry Enquiry.” My underling.

The Misconduct

[8] On 30 September 2022, Timofey Llinykh (“Llinykh”), a CTO Platform Engineer, employed by Absa Technology Prague, alerted Absa to an internal Absa Africa data exposure on GitHub (GitHub is a cloud-based service for IT developers). GitHub, it is said, allows developers to store and manage versions of computer code, and to collaborate with other developers across the world, for example in debugging code or in copying useful portions of code developed by other developers and made available for open-source access.



[9] However, anyone can open a free GitHub account, and can choose whether to store information in the public or private repositories linked to their account. Public repositories can be viewed and their copied by all other GitHub users reported to be in their millions). On the other hand, the private repositors in a private user's Github account is not publicly accessible. It can only be accessed by persons who have the necessary permissions and passwords. By way of example, Absa has a corporate GitHub account, with private and public repositories. Developers such as Mr Shiundlana’s would have access to Absa's private repository.



[10] In this case, Llinykh discovered that Internal Absa Africa Access workgroups metadata was exposed in a publicly available personal GitHub repository. He found that the person with the associated GitHub account profile is Mr Shiundlana, which increases the risks to Absa. The resultant investigation revealed that Mr Shundlana had copied large portions of Absa's proprietary code and technical information, including lists of users and login information, to his public GitHub repository, which was open to public viewing and access. The conduct complained of according to Absa constituted a major leak of highly confidential information, which could enable hackers to penetrate Absa's security far more easily. It was feared that the applicant planned to sell sensitive technical information. After being interviewed the Applicant failed to provide a satisfactory explanation for his conduct.


[11] Consequently, Absa placed him on suspension on 3 October 2022, pending a disciplinary enquiry given the seriousness of the conduct complained of. The Applicant's access to Absa’s network was also removed followed by a notification of disciplinary charge (s) and disciplinary meeting the next day. The allegations of misconduct were, inter alia “dishonesty in that on 30 September 2022, the Applicant informed his line manager, Musida, during a discussion about his improper transfer of Absa confidential information, that it was a mistake as he was testing auto commit functionality as it was not working on Absa GitHub repository”.





[12] The disciplinary hearing was scheduled to proceed on 7 October 2022 at 13h00. However, at 12:58, the applicant delivered an affidavit indicating that he would not attend the disciplinary hearing due to ill health. The applicant provided a copy of a medical certificate. As the applicant's notice period expired on 7 October 2022, it was not possible for Absa to conduct a disciplinary hearing, or to finalise the investigation into the full extent of the applicant's misconduct.



[13] The applicant was subsequently notified to attend a post termination REDS listing fact-finding enquiry consistent with Absa's obligations in terms of REDS. The notice explained that the purpose of the enquiry is to determine whether the applicant's name should be listed on the REDS system based on (i) misappropriation and/or unauthorised possession of Absa confidential and proprietary information and (ii) dishonesty by making misrepresentations during the investigations. By agreement between the parties, the applicant was given an opportunity to make written submissions in relation to the allegations.


[14] On 7 July 2023, the first respondent, cited as the decision maker (John Schley, an employee of Absa), issued the decision and found that the applicant should be listed on REDS as per minutes of the post-termination inquiry, Annexure 2. Significantly, the decision maker also found that the applicant's explanation, that he was testing the auto commit functionality, was belied by the evidence because no requests for him to troubleshoot were made during the period of his notice to resign.


[15] Mr Shiundlana contends that the timing of his resignation and the discovery of his misconduct are such that it is not competent for Absa to place him on the REDS database. On 8 September 2022, the applicant gave one month's notice of his resignation, which expired on 7 October 2022.


[16] It is well established and therefore the correct legal position in our law is that interpretation is an objective process of attributing meaning to the words used in a document, read in the context of the document as a whole and having regard to the apparent purpose of the words. It is a unitary exercise which must be approached holistically: simultaneously considering the text, context and purpose.2



[17] In University of Johannesburg v Auckland Park Theological Seminary and Another3, the Constitutional Court puts it thus:

The approach in Endumeni “updated” the previous position, which was that context could be resorted to if there was ambiguity or lack of clarity in the text. The Supreme Court of Appeal has explicitly pointed out in cases subsequent to Endumeni that context and purpose must be taken into account as a matter of course, whether or not the words used in the contract are ambiguous. A court interpreting a contract has to, from the onset, consider the contract’s factual matrix, its purpose, the circumstances leading up to its conclusion, and the knowledge at the time of those who negotiated and produced the contract”.

[18] Mr Shiundlana’s contention is clearly wrong. The REDS guidelines provide for listing in the event of a disciplinary hearing not being finalised. The guidelines plainly contemplate a situation where an employer did not conduct or did not complete disciplinary proceedings. In those circumstances, an employer is required to conduct a post termination inquiry before listing in terms of the applicable guidelines and the applicant’s employment contract, which Absa duly did. Properly interpreted, the employment agreement gives Absa the contractual right to convene a post termination enquiry to determine whether the Applicant should be listed on REDS database as it did. Accordingly, Absa was not precluded from proceeding with a post termination enquiry, in circumstances where the applicant's employment terminated after the misconduct was first discovered, and where the applicant alleged, he was ill and could not attend a disciplinary hearing on his last day of employment.



[19] There is an additional reason why this application stands to fail. As indicated from the onset, Mr Shiundlana failed to plead the legal basis for bringing this review application. It is trite that in motion proceedings the papers stand as the pleadings and evidence, the relevance of the evidence offered is dependent on its cogent connection with the relief being sought as defined in the notice of motion.4


[20] From the Preamble, the Promotion of Administrative Justice Act (“PAJA”)5 has been enacted to “give effect to the right to administrative action that is lawful, reasonable and procedurally fair and to the right to written reasons for administrative action as contemplated in section 33 of the Constitution South Africa”6. A review application may be instituted either in terms of the relevant provisions of PAJA or on the principle of legality. Neither of these paths to review finds application in this matter, because Absa's decision to add the applicant's name to the RED database, occurred in the context of the contractual employment relationship between him and Absa, and does not amount to the exercise of a public power as demonstrated above within the definition of the Act7. It follows, accordingly, that this application lacks merit and falls to be dismissed with the question of costs following the resultant order.


Order



[21] The application be dismissed with costs, including costs consequent upon the employment of two counsel.



___________________________

TP MUDAU

JUDGE OF THE HIGH COURT

GAUTENG DIVISION, JOHANNESBURG



Date of Hearing: 12 August 2024


Date of Judgment: 27 August 2024




APPEARANCES


Counsel for the Applicant: Mr. KP Masenya

Instructed by: Masenya Attorneys



Counsel Respondent: Adv. GA Fourie SC

Accompanied by: Adv. Z Ngwenya

Instructed by: Cliffe Dekker Hofmeyer Inc.





1 (J2211/09) [2010] ZALC 216; (2010) 31 ILJ 1453 (LC) (16 April 2010) at para 2.

2 See Coral Lagoon Investments 194 (Pty) Ltd and Another v Capitec Bank Holdings Limited (Case no.887/2021) [2022] ZASCA 144; [2023] 1 All SA 1 (SCA) (24 October 2022) at para 15.

3 (CCT 70/20) [2021] ZACC 13; 2021 (8) BCLR 807 (CC); 2021 (6) SA 1 (CC) (11 June 2021) at para 66.

4 See Kouga Local Municipality v St Francis Bay (Ward 12) Concerned Residents Association (1052022) [2023] ZASCA 168; 2024 (4) SA 70 (SCA) (1 December 2023) at para 15.

7 In terms of Section 1(b), administrative action means any decision taken, or anything like to take a decision, by- a natural or juristic person, other than an organ of state, when exercising a public power or performing a public function in terms of an empowering provision, which obviously affect the rights of any person, and which has a direct, external legal effect…”.

▲ To the top