Employers may not always be controllers of non-work related personal data stored on work devices under Irish law


Employers are not necessarily controllers of non-work-related personal data that is stored on work devices, according to the judicial review decision of McShane v Data Protection Commission [2025] IEHC 191 released by the Irish High Court.

The Health Service Executive (HSE) suffered a ransomware attack which affected numerous computer and technical devices. The applicant subsequently discovered that their personal cryptocurrency account, which was stored on their work-issued mobile phone, had been hacked (allegedly as part of the ransomware attack) and €1,400 of cryptocurrency stolen. Consequently, the applicant submitted a complaint to the Data Protection Commissioner in respect of that ransomware attack affecting their personal data stored on their work-issued mobile phone.

The Data Protection Commission dismissed the complaint on the basis that HSE was not a data controller of the non-work-related personal data stored on the applicant’s work-issued mobile phone. It reached this decision because the applicant had stored that data on the work phone without HSE’s knowledge or permission (the storage of personal data on the phone was in violation of HSE’s ICT Acceptable Use Policy). As such, HSE had not determined the means or the purposes of processing that non-work-related personal data. The High Court was satisfied that this decision was lawful and open to it and refused judicial review.

While this is an Irish decision, the judgment is a useful reminder that a person is not a controller of personal data unless it determines both the means and purposes of the processing of that personal data. Additionally, the judgment highlights that an employer is not necessarily a controller of all personal data stored on a work-issued device where such personal data is stored without authorisation.
