A Health Service Executive (HSE) employee has lost a High Court challenge to the Data Protection Commission’s (DPC’s) decision to refuse to investigate an alleged data breach related to personal information on his work phone.
Eamon McShane, of Burtonport, Co Donegal, claimed he lost €1,400 in cryptocurrency as a result of the May 2021 cyberattack on the HSE computer system.
He said he discovered in the summer of 2021 that his personal email and cryptocurrency accounts were hacked and that his work mobile had been the cause. The court heard he acknowledged that using the phone for personal emails was not an acceptable use of the device.
Mr McShane, a fire prevention officer, made a complaint to the HSE seeking compensation for his loss but was not satisfied with its response. He then complained to the DPC.
The commission rejected his complaint and appeal attempt, saying the HSE was not a “data controller”.
He then brought High Court judicial review proceedings seeking orders quashing the DPC’s dismissal of his complaint and compelling it to investigate.
He claimed, among other things, that work-related personal data on his phone was data that could identify him as an individual and, therefore, the HSE was a data controller.
He claimed the DPC acted unreasonably in its approach to his complaint.
The DPC and the HSE opposed his challenge.
The DPC argued that he accepted he should not have used his work phone for personal use. If he had not done so, the non-work data would not have been on the phone and would not have been accessible through the phone, it said.
There was no error in finding the HSE was not a data controller in this case, it said.
The HSE, a notice party in the case, said Mr McShane originally sought compensation from it. The service argued confidential information could only be stored on work-related IT devices with prior permission. The HSE is not responsible for fraud or theft that result from a user’s personal use of that device, it said.
Dismissing Mr McShane’s case, Mr Justice Barry O’Donnell said the DPC clearly engaged in an appropriate and proportionate investigation of his complaint.
He said the DPC decision was not only based on the proposition that the HSE was not the data controller, but also referred to the fact it could not be determined whether Mr McShane’s personal accounts were accessed as a result of the cyberattack on the HSE or were compromised through a different route.
The judge said he could not find that the DPC acted irrationally or outside its powers.