DSG Retail Limited v The Information Commissioner [2024] UKUT 287 (AAC) is vital reading for anyone concerned with data security and the obligation to secure personal data against breaches under the DPA and the UK GDPR.
The appellant (DSG) operated retail stores that were subject to a cyber-attack compromising over 5 million payment cards, together with a cache of non-financial information. Among the data the attackers obtained was a significant volume of 16-digit card numbers and expiry dates (the page's "PIN numbers" can only refer to these: a PIN is a short cardholder secret, not a 16-digit number). In isolation, these card numbers and expiry dates were not sufficient to identify any individual. Following the breach the ICO imposed a £500,000 penalty, which the First-tier Tribunal (“FTT”) reduced on appeal to £250,000. As part of its findings, the FTT concluded that the card numbers and expiry dates were personal data because they could be combined with other information held on DSG’s systems to identify individuals.
The question on appeal to the Upper Tribunal was whether the FTT should have asked whether the card numbers and expiry dates were ‘personal data’ in the hands of the attackers, such that DSG had breached its obligation to secure data under the seventh Data Protection Principle (“DPP7”).
Personal data may fall into three categories (see NHS Business Services Authority v Information Commissioner and Spivack [2021] UKUT 192 (AAC)):
(i) Data which identifies a living individual directly;
(ii) Data which identifies a living individual indirectly when combined with other information in the possession of (or likely reasonably to be in the possession of) the data controller; and
(iii) As limb (ii), but where the information is or is likely reasonably to be in the possession of a third party.
The Upper Tribunal held that, when considering whether a party has breached DPP7 because data has been obtained by attackers, a court must assess that data against category (iii) above. In the instant case, the appropriate question for the FTT was whether DSG had failed to take appropriate security measures given that the attackers had obtained the card numbers and expiry dates, and that this information could be combined with further information that was, or was reasonably likely to be, in the attackers’ possession so as to identify a living individual. It was not relevant for the FTT to consider the card numbers and expiry dates under category (ii), namely that DPP7 was breached because the card details could be combined with information held by DSG to identify individuals. The tribunal used the following analogy to make the point: “if a householder goes out to work leaving the front door of their house unlocked, for DPP7 purposes, the failure to lock the door would not amount to a breach in itself, it would depend on the risks that this gave rise to, specifically upon what a potential intruder would be able to access if they took advantage of the unlocked door.”
The case gives rise to the following practical implications for data controllers:
Although the case was decided under the DPA 1998, the principles it lays down remain highly relevant to organisations’ security obligations under the DPA 2018 and Article 32 UK GDPR: the adequacy of security measures is judged by the risk the compromised data poses in an attacker’s hands, including what the attacker could reasonably combine it with, not by what the controller itself could do with it. The case has been remitted to the FTT to determine whether the attackers could in fact combine the payment data with identifying information; that outcome will provide further guidance on the practical application of the judgment.
The case also demonstrates the continuing willingness of tribunals to reduce significant ICO penalties where the scope of the contraventions actually established is narrower than the ICO initially determined.
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.