ICO v DSG: Court of Appeal confirms wide scope of data security duty

Published on 11 June 2026

The question

What does the Court of Appeal’s decision in ICO v DSG Retail Ltd mean for the scope of organisations’ duty to secure personal data where third parties cannot identify individuals from the compromised dataset?

The key takeaway

The Court of Appeal has confirmed that the statutory security duty requires controllers to protect all personal data they process, even if a third party cannot identify individuals from the data it obtains.

The background

DSG Retail Limited (DSG) suffered a cyber attack between 2017 and 2018, in which attackers scraped transaction details relating to over 5.6 million payment cards from point-of-sale terminals and attempted to exfiltrate them. In most cases, the attackers obtained only the primary account number (PAN) and expiry date for chip-and-PIN cards, with no names or other direct identifiers (the "EMV data").

The ICO fined DSG £500,000 under the Data Protection Act 1998 (DPA 1998) (the maximum amount under that law) for failing to take appropriate technical and organisational measures to protect the personal data under the seventh data protection principle (DPP7), the security duty.

DSG argued on appeal that there was no duty under DPP7 to protect against third-party acquisition of the EMV data, because the data were not personal data in the hands of the attacker, who could not identify individuals from them. The First-tier Tribunal rejected that argument, but the Upper Tribunal (UT) accepted it, holding that whether there had been "unauthorised or unlawful processing of personal data" had to be judged from the attacker's perspective.

The ICO appealed to the Court of Appeal on the single ground that the UT erred in law "by holding that a data controller is not required to take appropriate technical and organisational measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller, but not in the hands of the third party."

The development

The Court of Appeal held that, for the purposes of DPP7, it is enough that the data are "personal data" from the controller's perspective. The statutory duty in section 4(4) DPA 1998 requires a controller to comply with the data protection principles "in relation to all personal data with respect to which he is the data controller" [our emphasis], without qualification by reference to any attacker's ability to identify individuals. While the assessment of identifiability may vary with context, for the security duty the relevant relationship is that between data subject and controller, and identifiability is assessed from the controller's perspective.

The Court of Appeal allowed the appeal and remitted the case to the First-tier Tribunal to redetermine it in line with the Court of Appeal's judgment.

Why is this important?

The ruling confirms the ICO’s broader view of the security duty and makes clear that controllers cannot segment their security obligations by guessing how an attacker could use particular fields or datasets. It underlines that “personal data” status for security purposes is anchored at the controller level: if a platform can link a data element to a user (alone or with other information it holds or is likely to obtain), it must be appropriately safeguarded against unauthorised processing, loss, damage or destruction.

Although the case concerns the DPA 1998, the ICO has already signalled that the Court’s reasoning provides an “important guide” to analogous obligations under current data protection law – a view that UK courts are likely to find persuasive absent contrary authority.

Any practical tips?

For businesses with vast datasets, the decision has several practical implications:

  1. Any data that qualify as personal data "in your hands" must be within scope of security risk assessments and controls, regardless of whether an external attacker could identify individuals from those fields alone.
  2. Incident response and regulatory engagement strategies should reflect that the ICO can pursue enforcement, even where exfiltrated data appear only partially identifying or “low value” in attacker hands. Platforms should document their security risk assessments, including how they consider indirect harms and “jigsaw identification”, and ensure that technical and organisational measures are demonstrably “appropriate” to those risks.
  3. Finally, when negotiating commercial arrangements (for example, with merchants, advertisers or payment partners), platforms should assume that their security obligations under UK data protection law will extend to all personal data they process, not merely obviously identifying fields, and factor that into contractual allocation of security responsibilities and incident liabilities.

Summer 2026
