Background:
In the recent case of Eamon McShane v Data Protection Commission [2015] IEHC 19, the High Court upheld a decision of the Data Protection Commissioner (“DPC”) which dismissed a complaint by Mr. McShane (the “Applicant”) on the basis of a finding that the HSE was not the “data controller” in respect of non-work related personal data stored by the Applicant on a work phone issued to him by the HSE.
Facts:
This case arose out of the well-publicised HSE hack in 2021. The Applicant’s case was that in June/July, 2021 he discovered that his personal email accounts had been hacked as well as his personal cryptocurrency account from which €1,400 of cryptocurrency had been stolen. The Applicant believed that his work mobile phone was the source or cause of the hack, and as such, believed his work mobile phone had been affected by the hack of May 2021. He made a complaint about the matter to the HSE in September 2021. The Complainant was not satisfied with the response he received and thereafter made a complaint to the DPC.
The HSE’s position was that it had an Acceptable Use Policy in place which provided that, absent express agreement, non-work use of the work phone was not permitted. The Applicant accepted that the use of the work phone to conduct his personal business was not permitted.
On the 23rd of May 2022, the DPC dismissed the Applicant’s complaint against the HSE.
The DPC was of the view that the HSE was not a “data controller”, within the meaning of that term in article 4.7 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as it did not authorise the use of the personal data on the phone. The Applicant attempted to appeal the DPC decision internally and thereafter brought judicial review proceedings to the High Court.
The High Court determined that the DPC’s decision was lawful and refused Mr. McShane’s application for judicial review.
Takeaway for employers:
The decision in this case is helpful for employers as it decided the employer here could not be liable as a data controller in respect of the non-work related personal data stored by the employee on a work phone in breach of the employer’s Acceptable Use Policy.
Employers may wish to give consideration to updating their Policies around company devices to ensure they specifically prohibit the use of those devices by employees to store non-work related personal data.
Authors- Jane Holian and Laura Killelea
09 May 2025
Anne O’Connell Solicitors
19-22 Lower Baggot Street
Dublin 2.
If you found this article useful you might like our employment law newsletter. We write monthly articles, like this, covering interesting cases, decisions, news and developments in Ireland.