ARTICLE
28 April 2025

Whose Data Is It Anyway? Irish Courts Decide Whether Personal Data Held On A Work Phone Belongs To You Or Your Employer

LS
Lewis Silkin

Contributor

We have two things at our core: people – both ours and yours - and a focus on creativity, technology and innovation. Whether you are a fast growth start up or a large multinational business, we help you realise the potential in your people and navigate your strategic HR and legal issues, both nationally and internationally. Our award-winning employment team is one of the largest in the UK, with dedicated specialists in all areas of employment law and a track record of leading precedent setting cases on issues of the day. The team’s breadth of expertise is unrivalled and includes HR consultants as well as experts across specialisms including employment, immigration, data, tax and reward, health and safety, reputation management, dispute resolution, corporate and workplace environment.
If you've ever used your work phone to check your personal email, send a message to friends or family or look up something unrelated to your job, you're not alone.
United Kingdom Privacy

If you've ever used your work phone to check your personal email, send a message to friends or family or look up something unrelated to your job, you're not alone. But what happens when that device becomes part of an internal dispute at work? Who actually owns the data on a work phone – the employee or the employer?

The recent Irish case of McShane v Data Protection Commission and Health Service Executive [2025] IEHC 191 offers an answer: it is typically the employer.

A phone, a cyber-attack and a complaint

Eamon McShane, a fire prevention officer employed by the Health Service Executive ("HSE"), was issued with a work phone as part of his role. In May 2021, he found himself at the centre of a legal battle following a cyber-attack on the HSE's computer system. He claimed that as a result of the breach, his personal email accounts and a cryptocurrency account with €1,400 in value were hacked.

McShane acknowledged that the phone was issued by his employer and using his work phone for personal use was against the HSE's acceptable use policy. However, he argued that his personal data had been unfairly processed on the basis that he (and not the HSE) was the data controller of the information held on the device. Seeking compensation and unsatisfied with the HSE's response, McShane escalated the matter via a complaint to the Irish Data Protection Commission ("DPC").

The DPC rejected McShane's complaint on the grounds that the HSE was not a data controller within the meaning of Article 4(7) of the GDPR. The reason was straight forward: the HSE had not authorised or permitted the use of the personal data on the phone.

Consequently, McShane sought substantive relief from the Irish High Court in the form of an order quashing the dismissal of his complaint by the DPC and the finding that the HSE was not a data controller.

Decision of the High Court

The High Court upheld the DPC's decision and dismissed McShane's judicial review proceedings. The decision was that the DPC had acted reasonably and within its powers in refusing to investigate the complaint.

The court highlighted that the DPC had conducted an appropriate and proportionate investigation into McShane's complaint. Furthermore, the HSE's stance was supported, asserting that confidential information should only be stored on work-related IT devices with prior permission and that it was not responsible for fraud or theft resulting from personal use of such devices.

What does this mean?

While McShane doesn't create new law, it offers a useful spotlight on a common grey area.

For employers, having a clear and well-communicated policy on acceptable use and device monitoring is essential. This sets expectations that work devices should not be used for personal reasons and gives both sides clarity that employers are not liable for breaches resulting from the unauthorised personal use of work equipment. Where data is used in the personal context, the employer will not be the controller, which will also have impacts in other contexts, e.g. the right of subject access.

For employees, this case serves as a reminder of the potential risks and consequences of mixing personal and professional use of work devices. It doesn't mean that an employer has free reign to access data without limitation, but if something is truly private, it is best kept on a personal device.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More