HSE was found not to be a “data controller” for personal data stored without authorisation on complainant's work-issued phone.

The Complainant, a fire prevention officer with the HSE, made a complaint to the Data Protection Commission (DPC) in December 2021 alleging a data breach concerning personal data stored on his HSE-issued work mobile phone. He believed this phone, used without authorisation for personal matters, was compromised during the May 2021 cyberattack on the HSE, leading to the hacking of his personal email and cryptocurrency accounts. The DPC concluded in May 2022 that the HSE was not a “data controller” of the Complainant’s personal data because his use of the work phone for personal purposes was unauthorised and outside HSE’s control. Dissatisfied, the Complainant sought judicial review, challenging the DPC’s decision as unlawful, and contending that even his work-related personal data (e.g., work emails, call logs) should have been investigated. The HSE, meanwhile, emphasised that its ICT Acceptable Use Policy prohibited personal use without explicit permission. The High Court had granted the Complainant leave to pursue judicial review but confined the challenge to whether the DPC had lawfully determined that the HSE was not a data controller for his personal data stored on the work phone.

The DPC and HSE argued that the complaint, as presented, solely concerned personal (non-work) data, such as Gmail and cryptocurrency accounts, and not work-related data. The DPC contended it investigated appropriately and proportionately, finding the HSE was not a controller of non-work personal data uploaded by the Complainant without authorisation. They asserted that the applicant tried to expand his case beyond what he originally pleaded and that judicial review was inappropriate where a statutory appeal mechanism existed. The HSE also argued that the Complainant’s breach of its Acceptable Use Policy severed any data protection obligations regarding his personal use of the device.

The judge dismissed the Complainant’s application for judicial review. The judge held that the DPC lawfully handled the Complainant’s complaint by appropriately focusing on the non-work-related personal data stored without authorisation. He found that the DPC’s decision was neither irrational nor ultra vires (the HSE could not be regarded as the data controller of personal data processed contrary to its express ICT policies). The judge stressed that the scope of the court’s review was confined to the issues raised in the original complaint and that the Complainant was not entitled to widen the grounds during the proceedings. Furthermore, although there was some vagueness in the DPC’s communication, it was not sufficient to require the exhaustion of the statutory appeal process before pursuing judicial review. Ultimately, the judge found that the DPC had acted within its statutory discretion under the GDPR and Data Protection Act 2018, applying an appropriate, proportionate response to the specific complaint before it. The attempt to broaden the claim was rejected, and no investigation into HSE’s general data practices was warranted. Consequently, the court refused the judicial review application, affirming the lawfulness of the DPC’s handling and dismissal of the Complainant’s data protection complaint.

Employers should ensure clear policies are in place regarding the use of work-issued devices, particularly prohibiting unauthorised personal use. Policies like Acceptable Use Policies must be explicit, communicated clearly to employees, and consistently enforced. Employers should emphasise that personal data stored without authorisation on work devices falls outside their control and may not attract data controller responsibilities under GDPR.

In the event of a data breach, maintaining documented evidence of policies and permissions (or the lack thereof) is crucial. Employers should also ensure staff are aware that personal misuse may affect their rights in a subsequent complaint. Importantly, while employers have responsibilities for work-related data, they are not automatically liable for unauthorised personal use. However, careful documentation, policy training, and regular audits of device usage can help mitigate both practical risks and potential legal exposure in any future disputes.

The full case can be found here.