In United Firefighters’ Union of Australia v Fire Rescue Victoria [2024] FWC 2197 (23 August 2024) (Wilson C) the UFU sought orders to require Fire Rescue Victoria (FRV) to pay an allowance to firefighters who had to use their own mobile phones to use multi-factor authentication (‘MFA’) to access the FRV IT system.

The issue arose after FRV was subject to a cyber-attack in December 2022.  It was decided to introduce MFA to make their system more secure.  To use MFA employees had to either receive a text message or have the Microsoft Authenticator App.  If they did not have a FRV issued phone then they needed to use their own personal phone for this purpose.  There were options for people who did not want to use their own phone. Authentication could be via a pre-registered land line phone but only one employee could be registered for a particular number ([17]) so that could not work for firefighters on a station. There were tokens that could be issued that would generate a security passcode ([24]) but there were, initially, few of these available.

The Fair Work Commission determined that it only had jurisdiction to determine whether firefighters should be paid an allowance to use their own phones for the purposes of MFA going forward. It could not impose a retrospective allowance ([50]).

Effectively the requirement, if there was a requirement, to use a personal device had been overtaken by events. At [93]-[95] the Commission said:

Whereas it could be said that at some stage in the past the practicality of the circumstance might have been that any particular employee needed to use their personal mobile phone in order to undertake MFA authentication, that need is no longer the case. The evidence is that, by March 2024, FRV had approximately 5000 physical tokens, of which approximately 3650 had been distributed to staff. A further 1000 had been allocated but not distributed…

… more than enough tokens are available throughout FRV and so, to the extent that any person wants FRV to provide them with the tools to authenticate, a token is available for such purpose. Because of that, I am unable to find that FRV employees are suffering “any imposition, detriment or disadvantage” over the requirement for multi-factor authentication.

Finally, at [100] Commissioner Wilson said (emphasis in original):

I am unable to find employees are required to use their personal mobile phones in the course of their employment. While employees may use their phones in this way, it is not required. Accordingly, there is no justification to answer in the affirmative those parts of the questions for determination which would seek the creation or payment of an allowance or compensatory payment.

This blog is made possible with generous financial support from (in alphabetical order) the Australasian College of Paramedicine, the Australian Paramedics Association (NSW)the Australian Paramedics Association (Qld)Natural Hazards Research AustraliaNSW Rural Fire Service Association and the NSW SES Volunteers Association. I am responsible for the content in this post including any errors or omissions. Any opinions expressed are mine, and do not necessarily reflect the opinion or understanding of the donors.