HSE worker loses court challenge over alleged data breach on work phone containing personal accounts

Eamon McShane claimed he lost €1,400 in cryptocurrency due to the May 2021 cyberattack on the HSE IT system

Eamon McShane, a fire prevention officer, made a complaint to the HSE seeking compensation for his loss but was not satisfied with its response. Photograph: iStock

A Health Service Executive (HSE) employee has lost a High Court challenge to the Data Protection Commission’s (DPC’s) decision to refuse to investigate an alleged data breach related to personal information on his work phone.

Eamon McShane, of Burtonport, Co Donegal, claimed he lost €1,400 in cryptocurrency as a result of the May 2021 cyberattack on the HSE computer system.

He said he discovered in the summer of 2021 that his personal email and cryptocurrency accounts were hacked and that his work mobile had been the cause. The court heard he acknowledged that using the phone for personal emails was not an acceptable use of the device.

Mr McShane, a fire prevention officer, made a complaint to the HSE seeking compensation for his loss but was not satisfied with its response. He then complained to the DPC.

The commission rejected his complaint and appeal attempt, saying the HSE was not a “data controller”.

He then brought High Court judicial review proceedings seeking orders quashing the DPC’s dismissal of his complaint and compelling it to investigate.

He claimed, among other things, that work-related personal data on his phone was data that could identify him as an individual and, therefore, the HSE was a data controller.

He claimed the DPC acted unreasonably in its approach to his complaint.

The DPC and the HSE opposed his challenge.

The DPC argued that he accepted he should not have used his work phone for personal use. If he had not done so, the non-work data would not have been on the phone and would not have been accessible through the phone, it said.

There was no error in finding the HSE was not a data controller in this case, it said.

The HSE, a notice party in the case, said Mr McShane originally sought compensation from it. The service argued confidential information could only be stored on work-related IT devices with prior permission. The HSE is not responsible for fraud or theft that result from a user’s personal use of that device, it said.

Dismissing Mr McShane’s case, Mr Justice Barry O’Donnell said the DPC clearly engaged in an appropriate and proportionate investigation of his complaint.

He said the DPC decision was not only based on the proposition that the HSE was not the data controller, but also referred to the fact it could not be determined whether Mr McShane’s personal accounts were accessed as a result of the cyberattack on the HSE or were compromised through a different route.

The judge said he could not find that the DPC acted irrationally or outside its powers.