DSG Retail Limited v The Information Commissioner: [2024] UKUT 287 (AAC)

Upper Tribunal Administrative Appeals Chamber decision by Judges H Williams, S Wright, H Stout on 23 September 2024


Judicial Summary

The appeal concerned a Monetary Penalty Notice (MPN) issued by the Information Commissioner (IC) under section 55A of the Data Protection Act 1998. The MPN was issued against the appellant company ("DSG") following a cyber-attack on the company's in-store payment systems. The IC had imposed the then maximum penalty of £500,000. On appeal to the First-tier Tribunal, the Tribunal allowed DSG's appeal in part, substituting a penalty of £250,000. DSG appealed to the Upper Tribunal. The appeal is allowed and the case remitted to the First-tier Tribunal for further determination.

The appeal raised issues about: (i) the scope of the seventh data protection principle (DPP7), which provides that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data"; (ii) the proper interpretation and application of the monetary penalty provision in section 55A of the DPA 1998; and (iii) the definition of personal data in section 1 of the DPA 1998.

The Upper Tribunal holds that the unique 16-digit number and expiry date on a credit or debit card (together "EMV data") are not themselves "personal data" for the purposes of the DPA 1998 because they identify only a bank account and not any individual directly. This data will only be personal data if it can be combined with other personal data in the hands of the data controller or a third party.

The Upper Tribunal further holds that although DPP7 requires data controllers to take "appropriate technical and organisational measures" ("ATOMS") against accidental loss or destruction of, or damage to, all data that is personal data in the hands of the data controller, DPP7 will only be breached in an 'accidental loss'-type case if the data controller has failed to take ATOMS in respect of data which would be personal data in the hands of a third party. The First-tier Tribunal erred in this case in determining that DSG had failed to comply with DPP7 in respect of the EMV Data on the basis that this was "personal data" in DSG's hands, rather than deciding whether the security shortcomings that it had upheld entailed a failure to take ATOMS against "unauthorised or unlawful processing of personal data", which required consideration of whether the data that was rendered vulnerable would be "personal data" in the hands of third parties who could access it.

The Upper Tribunal also held that the First-tier Tribunal erred in law in relying on the undisputed fact that the EMV Data was "personal data" in DSG's hands when reaching its conclusions on the section 55A DPA 1998 criteria (in particular whether there had been a "serious contravention" and, if so, whether it was "of a kind likely to cause substantial damage or substantial distress") and on the quantum of the MPN. The First-tier Tribunal had also erred in law by finding that the contravention of DPP7 was "serious" without having assessed the applicable standard or how far below it DSG's conduct had fallen.

Updates to this page

Published 8 October 2024