In DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 the Court of Appeal considered the scope of the security duty and the definition of personal data.
The case arises from the infamous cyber-attack on DSG Ltd (the parent company of Dixons and Currys PC World) which took place between 2017 and 2018.
Over the course of nine months attackers scraped transaction details from card readers. Although over 5.6 million cards were affected, in the majority of cases the Chip and PIN system prevented the attackers from gaining information which identified cardholders (e.g. the attackers did not obtain the cardholders’ names).
The question on appeal was whether data controllers, such as DSG, are required to take ‘appropriate technical and organisational measures’ (“ATOMS”) to protect the personal data of individuals who can be identified by the data controller, but who could not be identified by a third party who unlawfully processes their data.
The decision related to the Data Protection Act 1998 (“DPA 1998”) – though plainly it is also relevant to the DPA 2018. Section 1(1) of the DPA 1998 defines personal data:
““personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”
Section 4(4) of the 1998 Act provided that:
“it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”
The security duty, contained within paragraph 7, Schedule 1 of the Act, reads:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data”
The ICO held that DSG had breached the security principle (and issued the maximum possible fine). DSG appealed, arguing that if the subject of the data was not identifiable to the third-party attackers then it did not amount to personal data – such that the security duty did not arise.
The First Tier Tribunal (“FTT”) dismissed the appeal, concluding it was sufficient that the stolen data had been identifiable to DSG and therefore it was personal data. It also halved the penalty issued by the ICO.
The Upper Tier Tribunal allowed DSG’s further appeal. It concluded that the question of whether the stolen data amounted to personal data, such that the security duty arose, should be analysed from the perspective of the third party. Given that the third party could not identify anyone from the data, it was not personal data.
The ICO appealed.
The Court of Appeal allowed the appeal. It ruled that the security duty requires a data controller to take ATOMS against the processing by a third party of data which relates to an individual whom the data controller can identify (regardless of whether a third party could do so). Put simply, one has to assess whether the person is identifiable from the perspective of the data controller, not the hacker.
The court analysed the statutory context in considerable detail. It concluded the natural interpretation of the security duty is that it is imposed on all personal data held by a data controller. The concept of personal data is broad and includes data relating to an individual who is indirectly identifiable to the data controller. Data subjects who provide their data to data controllers trust them to keep it secure.
The consequence of the UT’s reading would be that data controllers would have no obligation to take any action against the possibility of third-party hacks provided that the third party would be unable to identify the individuals to whom the data relates. That would be surprising, particularly given the frequency of attacks. It would also mean that the outcome of a case would turn on fine distinctions as to whether the individuals affected could be identified by jigsaw identification. The appeal was therefore allowed and the matter was remitted to the FTT.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.