A HSE employee wants the court to compel the Data Protection Commission (DPC) to investigate his complaint that personal data on his work mobile phone was accessed as part of the 2021 cyberattack on the health service's computer system.
Fire prevention officer Eamon McShane, of Burtonport, Co Donegal, claims his personal email account and “Binance” account were hacked, with some €1,400 worth of cryptocurrency stolen.
In High Court documents, Mr McShane alleges he discovered this hack about a month after the HSE’s systems suffered a system-wide ransomware attack in May 2021. He believes his work phone was the source of the hack and, thus, had been affected by the HSE attack.
His work phone contained work-related personal data, as well as personal data unrelated to work, such as his personal emails.
Mr McShane claims his complaint was dismissed last May by the DPC, which held that the HSE was not a “data controller” under the General Data Protection Regulation (GDPR). His attempt to appeal was also rejected.
He alleges the DPC erred in law by not finding the HSE was a data controller that processed his personal data. The decision, he says, was “unreasonable” and constitutes a breach of his right to respect for private and family rights.
He is asking the court to quash the DPC’s decision to dismiss his complaint and to compel it to investigate.
Mr Justice Charles Meenan was this week asked to give permission for the case to proceed through the High Court.
The judge said he struggled to find arguable grounds in the case, which came before him ex parte (only the plaintiff was represented). He ordered Mr McShane’s legal team to notify the DPC and HSE of the action and adjourned the application for leave.