Court of Appeal rules on duty to take appropriate technical and organisational measures

February 26, 2026

The Court of Appeal recently issued its judgment in DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. In summary, the ICO successfully argued on appeal that DSG Retail Limited was required to have appropriate organisational and technical security measures in place even where the compromised data would not enable a cyber-attacker to identify the individuals concerned.

The court considered whether the law required a data controller to guard against the risk that data relating to individuals who could be identified by the data controller would be subject to unauthorised or unlawful processing by a third party who could not identify those individuals. The law in force at the relevant time was the Data Protection Act 1998. The key provisions were section 4(4) and the seventh data protection principle (DPP7) contained in paragraph 7 of Schedule 1 Part I.

In 2017-2018 there was a cyber-attack on DSG’s systems. The attackers obtained millions of items of data by “scraping” transaction details as transactions were made, storing the data on DSG’s servers, and attempting to exfiltrate the scraped data. In some cases the attackers obtained the card number or “PAN”, the expiry date and the cardholder’s name. But most of the cards were protected by “chip-and-pin” or “EMV”. So, in those instances, the attackers only obtained the PAN and expiry date (the EMV data). They did not obtain the cardholders’ names or any information that would enable them to identify the cardholders.

The Information Commissioner found DSG in breach of DPP7 and served a monetary penalty notice. DSG appealed to the First-tier Tribunal, arguing that DPP7 did not require it to take appropriate organisational and technical security measures against third-party acquisition of the EMV data, as that data would not be “personal data” in the “hands” of the third parties. The appeal was dismissed, but on a further appeal the Upper Tribunal accepted DSG’s arguments. It held that the question had to be analysed from the perspective of the third party. Viewed in that light, third-party acquisition of data was not “unauthorised or unlawful processing of personal data” if the data itself did not identify the individuals to whom it related and the third party had no other means of identifying those individuals. The Information Commissioner appealed.

The Court of Appeal’s decision

The Court of Appeal has unanimously allowed the appeal. It concluded that information is “personal data” if it falls within the statutory definition of that term. One of the statutory criteria, and the key criterion in this case, is that the individual to whom the information relates is identifiable to the data controller. The security duty requires any data controller of any such information to safeguard it – to the extent set out in the 1998 Act – against any unauthorised or unlawful processing (as well as against its accidental loss, destruction or damage), whether or not the person carrying out that processing (or causing the loss, destruction or damage) would be able to identify the individual(s) to whom the data relates. If the data is “personal” from the perspective of the data controller, it is unnecessary to pose the further question of whether the information is personal data “in the hands of” or “from the perspective” of any other person. The Court took the view that the First-tier Tribunal had reached the right conclusion and that its reasoning was essentially correct. The Court of Appeal therefore allowed the appeal and remitted the matter to the First-tier Tribunal to be determined in accordance with the Court’s judgment.