20 April 2026

Court of Appeal confirms scope of data controllers’ security obligations

In a recent decision, the Court of Appeal allowed the UK Information Commissioner’s appeal against the decision of the Upper Tribunal in proceedings involving DSG Retail Limited (“DSG”). The case arose from a nine-month cyber-attack on DSG’s systems in 2017-2018, during which the attackers scraped transaction data relating to over 5.6 million payment cards from point-of-sale terminals. The compromised data included card numbers and expiry dates, but not cardholders’ names, meaning the attackers could not directly identify individuals from the data alone.

The central issue was whether a data controller’s obligation to implement appropriate technical and organisational measures (“ATOMs”) under the Data Protection Act 1998 applied by reference to whether data is personal in the hands of the controller, even where that same data might not constitute personal data, in isolation, once obtained by a third-party attacker.

The Court of Appeal rejected the Upper Tribunal’s narrow interpretation. It held that the security duty applies based on whether the data is personal from the perspective of the data controller, not on whether it would remain personal data after being acquired by third parties.

Why this matters

This judgment provides an important reaffirmation of data security obligations for organisations processing personal data. It confirms that all personal data held by a controller is subject to the ATOMs requirement, irrespective of whether a particular dataset might appear to be non-identifiable.

Crucially, the court acknowledges modern realities. With vast amounts of publicly accessible information, sophisticated technology, and the enhanced ability to combine disparate data sets, “jigsaw” identification is far more feasible than in the past.

The ruling clarifies that security duties are assessed from the data controller’s perspective and that risk is allocated firmly to organisations holding personal data. Robust security measures must therefore be implemented and maintained without relying on assumptions about the practical utility of stolen data once it leaves a data controller’s systems.

Key takeaways

  • Organisations must assess their security obligations by reference to whether data is personal in their hands, not by whether it would remain personal data if obtained by third parties.
  • Controllers cannot avoid security obligations by arguing that breached data fragments would be meaningless or anonymous to attackers lacking additional identifying information.
  • Courts recognise that modern technology and widely available data increase the risk of re-identification, requiring thorough and realistic risk assessments.
  • The case involved an original £500,000 monetary penalty, issued by the UK Information Commissioner’s Office under the Data Protection Act 1998, which was reduced by the First-tier Tribunal to £250,000. Following the Court of Appeal’s judgment on the scope of the security duty, the case has been remitted to the First-tier Tribunal to reconsider liability and penalty under the correct legal framework. Its outcome may provide further guidance on what constitutes “appropriate” technical and organisational measures in practice.

Although the underlying breach pre-dated the GDPR and was assessed under the Data Protection Act 1998, the Court of Appeal’s reasoning has clear relevance under the current regime. The obligation to implement ATOMs under Article 32 of the GDPR closely mirrors the former seventh data protection principle. The judgment therefore provides authoritative guidance on how courts are likely to assess security obligations, identifiability and re-identification risk under the GDPR going forward.

Further information

If you have any questions regarding this blog, please contact our Corporate, Commercial & Finance team.

About the author

Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s legal advisory services in Commercial & Technology Contracts, Outsourcing & Data.

Bethany is a trainee solicitor currently in her fourth seat with the Corporate, Commercial and Finance team.
