DSG Retail Limited v The Information Commissioner: [2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber decision by Judges H Williams, S Wright, H Stout on 23 September 2024
Judicial Summary
The appeal concerned a Monetary Penalty Notice (MPN) issued by the Information Commissioner (IC) under section 55A of the Data Protection Act 1998. The MPN was issued against the appellant company (“DSG”) following a cyber-attack on the company’s in-store payment systems. The IC had imposed the then maximum penalty of £500,000. On appeal to the First-tier Tribunal, the Tribunal allowed DSG’s appeal in part, substituting a penalty of £250,000. DSG appealed to the Upper Tribunal. The appeal is allowed and the case remitted to the First-tier Tribunal for further determination.
The appeal raised issues about: (i) the scope of the seventh data protection principle (DPP7), which provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”; (ii) the proper interpretation and application of the monetary penalty provision in section 55A of the DPA 1998; and (iii) the definition of personal data in section 1 of the DPA 1998.
The Upper Tribunal holds that the unique 16-digit number and expiry date on a credit or debit card (together “EMV data”) are not themselves “personal data” for the purposes of the DPA 1998 because they identify only a bank account and not any individual directly. This data will only be personal data if it can be combined with other personal data in the hands of the data controller or a third party.
The Upper Tribunal further holds that although DPP7 requires data controllers to take “appropriate technical and organisational measures” (“ATOMS”) against accidental loss or destruction of, or damage to, all data that is personal data in the hands of the data controller, DPP7 will only be breached in an “accidental loss”-type case if the data controller has failed to take ATOMS in respect of data which would be personal data in the hands of a third party. The First-tier Tribunal erred in this case in determining that DSG had failed to comply with DPP7 in respect of the EMV Data on the basis that this was “personal data” in DSG’s hands, rather than deciding whether the security shortcomings that it had upheld entailed a failure to take ATOMS against “unauthorised or unlawful processing of personal data”, which required consideration of whether the data that was rendered vulnerable would be “personal data” in the hands of third parties who could access it.
The Upper Tribunal also held that the First-tier Tribunal erred in law in relying on the undisputed fact that the EMV Data was “personal data” in DSG’s hands when reaching its conclusions on the section 55A DPA 1998 criteria (in particular whether there had been a “serious contravention” and, if so, whether it was “of a kind likely to cause substantial damage or substantial distress”) and on the quantum of the MPN. The First-tier Tribunal had also erred in law by finding that the contravention of DPP7 was “serious” without having assessed the applicable standard or how far below it DSG’s conduct had fallen.