If you've ever used your work phone to check your personal email, send a message to friends or family or look up something unrelated to your job, you're not alone. But what happens when that device becomes part of an internal dispute at work? Who actually owns the data on a work phone – the employee or the employer?
The recent Irish case of McShane v Data Protection Commission and Health Service Executive [2025] IEHC 191 offers an answer: it is typically the employer.
A phone, a cyber-attack and a complaint
Eamon McShane, a fire prevention officer employed by the Health Service Executive ("HSE"), was issued with a work phone as part of his role. In May 2021, he found himself at the centre of a legal battle following a cyber-attack on the HSE's computer system. He claimed that as a result of the breach, his personal email accounts and a cryptocurrency account with €1,400 in value were hacked.
McShane acknowledged that the phone was issued by his employer and that using his work phone for personal purposes was against the HSE's acceptable use policy. However, he argued that his personal data had been unfairly processed on the basis that he (and not the HSE) was the data controller of the information held on the device. Seeking compensation and unsatisfied with the HSE's response, McShane escalated the matter via a complaint to the Irish Data Protection Commission ("DPC").
The DPC rejected McShane's complaint on the grounds that the HSE was not a data controller within the meaning of Article 4(7) of the GDPR. The reason was straightforward: the HSE had not authorised or permitted the use of the personal data on the phone.
Consequently, McShane sought substantive relief from the Irish High Court in the form of an order quashing the dismissal of his complaint by the DPC and the finding that the HSE was not a data controller.
Decision of the High Court
The High Court upheld the DPC's decision and dismissed McShane's judicial review proceedings. The decision was that the DPC had acted reasonably and within its powers in refusing to investigate the complaint.
The court highlighted that the DPC had conducted an appropriate and proportionate investigation into McShane's complaint. Furthermore, the court supported the HSE's stance that confidential information should only be stored on work-related IT devices with prior permission and that the HSE was not responsible for fraud or theft resulting from personal use of such devices.
What does this mean?
While McShane doesn't create new law, it offers a useful spotlight on a common grey area.
For employers, having a clear and well-communicated policy on acceptable use and device monitoring is essential. This sets expectations that work devices should not be used for personal reasons and gives both sides clarity that employers are not liable for breaches resulting from the unauthorised personal use of work equipment. Where data is used in the personal context, the employer will not be the controller, which will also have impacts in other contexts, e.g. the right of subject access.
For employees, this case serves as a reminder of the potential risks and consequences of mixing personal and professional use of work devices. It doesn't mean that an employer has free rein to access data without limitation, but if something is truly private, it is best kept on a personal device.