A BURTONPORT Health Service Executive (HSE) employee has lost a High Court challenge to the Data Protection Commission’s (DPC) decision to refuse to investigate an alleged data breach related to personal information on his work phone.
Eamon McShane claimed he lost €1,400 in crypto currency as a result of the May 2021 cyber attack on the HSE computer system.
The Irish Times reported how Mr McShane said he discovered in the summer of 2021 that his personal email and crypto currency accounts were hacked and that his work mobile had been the cause. The court heard he acknowledged that using the phone for personal emails was not an acceptable use of the device.
Mr McShane, a fire prevention officer, made a complaint to the HSE seeking compensation for his loss but was not satisfied with its response. He then complained to the DPC.
The commission rejected his complaint and appeal attempt, saying the HSE was not a “data controller”.
He then brought High Court judicial review proceedings seeking orders quashing the DPC’s dismissal of his complaint and compelling it to investigate. He claimed, among other things, that work-related personal data on his phone was data that could identify him as an individual and, therefore, the HSE was a data controller.
He claimed the DPC acted unreasonably in its approach to his complaint.
The DPC and the HSE opposed his challenge. The DPC argued that he accepted he should not have used his work phone for personal use. If he had not done so, the non-work data would not have been on the phone and would not have been accessible through the phone, it said. There was no error in finding the HSE was not a data controller in this case, it said.
The HSE, a notice party in the case, said Mr McShane originally sought compensation from it. The service argued confidential information could only be stored on work-related IT devices with prior permission. The HSE is not responsible for fraud or theft that result from a user’s personal use of that device, it said. Dismissing Mr McShane’s case, Mr Justice Barry O’Donnell said the DPC clearly engaged in an appropriate and proportionate investigation of his complaint.
He said the DPC decision was not only based on the proposition that the HSE was not the data controller, but also referred to the fact it could not be determined whether Mr McShane’s personal accounts were accessed as a result of the cyber attack on the HSE or were compromised through a different route.
The judge said he could not find that the DPC acted irrationally or outside its powers.
Related posts:
Receive quality journalism wherever you are, on any device. Keep up to date from the comfort of your own home with a digital subscription.
Any time | Any place | Anywhere
SUBSCRIBE TO CURRENT EDITION TODAY
and get access to our archive editions dating back to 2007(CLICK ON THE TITLE BELOW TO SUBSCRIBE)