A Health Service Executive (HSE) employee has lost a High Court challenge to the Data Protection Commission’s (DPC’s) decision to refuse to investigate an alleged data breach related to personal information on his work phone.
Eamon McShane, of Burtonport, Co Donegal, claimed he lost €1,400 in cryptocurrency as a result of the May 2021 cyberattack on the HSE computer system.
He said he discovered in the summer of 2021 that his personal email and cryptocurrency accounts were hacked and that his work mobile had been the cause. The court heard he acknowledged that using the phone for personal emails was not an acceptable use of the device.
Mr McShane, a fire prevention officer, made a complaint to the HSE seeking compensation for his loss but was not satisfied with its response. He then complained to the DPC.
The commission rejected his complaint and appeal attempt, saying the HSE was not a “data controller”.
He then brought High Court judicial review proceedings seeking orders quashing the DPC’s dismissal of his complaint and compelling it to investigate.
He claimed, among other things, that work-related personal data on his phone was data that could identify him as an individual and, therefore, the HSE was a data controller.
He claimed the DPC acted unreasonably in its approach to his complaint.
The DPC and the HSE opposed his challenge.
The DPC argued that he accepted he should not have used his work phone for personal use. If he had not done so, the non-work data would not have been on the phone and would not have been accessible through the phone, it said.
There was no error in finding the HSE was not a data controller in this case, it said.
The HSE, a notice party in the case, said Mr McShane originally sought compensation from it. The service argued confidential information could only be stored on work-related IT devices with prior permission. The HSE is not responsible for fraud or theft that result from a user’s personal use of that device, it said.
Dismissing Mr McShane’s case, Mr Justice Barry O’Donnell said the DPC clearly engaged in an appropriate and proportionate investigation of his complaint.
He said the DPC decision was not only based on the proposition that the HSE was not the data controller, but also referred to the fact it could not be determined whether Mr McShane’s personal accounts were accessed as a result of the cyberattack on the HSE or were compromised through a different route.
The judge said he could not find that the DPC acted irrationally or outside its powers.