A recent judgment issued by Justice Barry O Donnell dismissed a Judicial Review (JR) concerning personal data on a work phone provided by the HSE. The case highlights the challenges, well known to those working in this area, of mixed personal data on work devices. It provides some comfort to employers, like the HSE, who have a clear policy providing that, absent express agreement, non-work use of the phone is not permitted. That policy was critical to the finding that the HSE was not a controller of the non-work-related personal data, which was the data at issue here.
Background
The applicant alleged that his work phone had been hacked as a result of the 2021 ransomware attack on the HSE’s computers and technical devices. The applicant stored two types of data on his HSE-issued phone, namely ‘work related personal data’, which was collected and stored in the course of and for the purposes of his work-related activities, and ‘non-work related personal data’, which referred to data collected and stored on the work phone when the applicant used it for his personal business. As a result of the attack, the applicant’s personal email account and personal cryptocurrency account were breached and he suffered a financial loss of €1,400 of cryptocurrency.
The applicant made a complaint to the Irish Data Protection Commissioner (DPC) on 15 December 2021 in respect of the data breach. On 23 May 2022, the DPC decided that the HSE was not a “data controller” as defined under Article 4(7) of the General Data Protection Regulation (GDPR), as it had not authorised or permitted the applicant to use his work phone for personal use.
Judicial Review
The applicant issued a JR seeking a number of reliefs, including an order compelling the DPC to investigate his complaint and a declaration that the process followed by the DPC, and its finding that the HSE was not a data controller under the GDPR, was unlawful.
He claimed, inter alia, that his “work-related” personal data on his work phone constituted data capable of identifying him as an individual and that, according to the DPC’s own guidance, this meant the HSE was a data controller for the purposes of the legislation. He further claimed that the DPC acted unreasonably in its approach to his complaint.
The HSE contended that:
The applicant should not have used his work phone for personal use, and had he not done so, non-work-related data would not have been on the phone (the HSE ICT Acceptable Use Policy provided that, absent express agreement, non-work use of the phone was not permitted).
The complaint made by the applicant related entirely to non-work-related personal data. As such, the DPC had not been asked to address whether the HSE was a data controller in respect of the applicant’s “work related personal data”.
The decision of 23 May 2022 amounted to a rejection of the complaint within the meaning of section 109(5)(a) of the 2018 Act, and was a “legally binding decision” for the purposes of section 150(12) of the 2018 Act.
It was only when the applicant sought to appeal the decision of the DPC, by letter of 27 May 2022, that he raised the issue of work-related personal data on his work phone.
As the HSE did not determine the purposes or means of processing the non-work-related data, it was not a controller of that data.
The court was clear that it was not conducting an inquiry into the origins of the cyberattack or into whether any underlying vulnerabilities contributed to the effects of that attack. It also held that the process before the court should not be used to attempt to impugn the actions of the DPC by reference to matters that were not the subject of the complaint.
Conclusion
The application was refused on the basis that the High Court agreed that the DPC’s decision that the HSE was not a data controller was correct. Whether the HSE could be considered a data controller of the work-related personal data on the phone was not at issue or relevant to the proceedings. The decision of the High Court hinged on the specific complaint made by the applicant to the DPC, namely that the applicant’s non-work-related personal data, which he was never authorised by the HSE to store on his phone, was the subject of a data breach.
This case highlights the importance of having a clear policy in place regarding work devices and their use by employees.