When Is Personal Data “Personal”? Key Court of Appeal Ruling on Controller Security Duties
On 19 February 2026, the Court of Appeal (“CoA”) handed down its decision in DSG Retail Limited v Information Commissioner, allowing the ICO’s appeal and overturning the Upper Tribunal’s earlier ruling on the scope of a data controller’s security obligations.
The central issue in this judgment concerned whether the seventh data protection principle under the Data Protection Act 1998 (“DPP7”) - commonly referred to as the security duty - required a data controller to implement appropriate technical and organisational measures (“ATOMs”) to protect personal data against unauthorised processing by a third party who could not identify the individuals concerned.
The CoA ruled that information can remain “personal data” which a controller must secure even where a malicious party cannot identify the individuals concerned without additional information. This decision establishes that the security duty is assessed from the controller’s perspective and requires protection of all personal data regardless of a malicious party’s ability to link such data to a living person.
This is a key decision on the scope of the controller’s security duty and carries important implications for any organisation processing personal data.
Background & Significance
This judgment stems from a large‑scale cyber‑attack on DSG Retail Limited (“DSG”) - the operator of Dixons and Currys PC World - during which attackers scraped millions of in‑store payment records between 2017 and 2018. Over a nine‑month period, more than 5.6 million payment cards were affected, although the chip‑and‑pin system meant the attackers obtained only card numbers and expiry dates, without cardholder names or other directly identifying details.
DSG appealed the subsequent £500,000 Monetary Penalty Notice issued by the ICO under the Data Protection Act 1998, arguing that because the attackers could not identify individuals from the compromised chip‑and‑pin data, no security duty under DPP7 arose. The First‑Tier Tribunal rejected this position and upheld a reduced penalty of £250,000, finding it sufficient that the data constituted personal data in DSG’s hands. The Upper Tribunal reversed this decision, holding that whether data qualified as “personal data” must be assessed from the attacker’s perspective, meaning no duty applied where attackers could not identify individuals. The CoA has now overturned that Upper Tribunal decision.
Although decided under the now‑repealed Data Protection Act 1998, the CoA’s ruling reinforces the point that the security obligations under Articles 5(1)(f) and 32 of UK GDPR are attached firmly to the data controller. Organisations cannot assume that partially anonymised or pseudonymised data are “safe” simply because a third‑party intruder may not be able to re‑identify individuals.
We have drawn out three themes from the CoA’s judgment as follows:
1. The security duty is assessed from the data controller's perspective
Agreeing with the First-Tier Tribunal, Lord Justice Warby held that the definition of "personal data" under section 1 of the 1998 Act encompasses data relating to a living individual who is indirectly identifiable to the data controller. DPP7 must be read in the context of the section 4(4) duty, which applies to "all personal data with respect to which [the controller] is the data controller". Accordingly, data does not cease to be "personal data" simply because it is processed by another entity/individual to whom the data subject is not identifiable.
The CoA held that this conclusion was reinforced by the Data Protection Directive 95/46/EC (the Directive), which defines personal data in broader terms than the 1998 Act and expands rather than restricts the reach of the security duty. The CoA also drew support from the CJEU's decision in SRB v EDPS C-413/23, which established that the relevant perspective for assessing identifiability depends on the circumstances of the processing in question. In the context of the security duty (an obligation owed to the data subject by the data controller) identifiability is to be assessed from the data controller's point of view.
2. Practical consequences for cyber security and risk assessment
The CoA determined that, on the argument DSG was advancing, a controller would have no obligation to protect personal data from intentional third-party interference, including ransomware attacks, where the attacker could not identify the data subjects. Such threats are common and growing; the National Cyber Security Centre handled an average of four 'nationally significant' cyber attacks every week in 2025.
The CoA also dismissed DSG's argument that the broader interpretation would be unduly burdensome. Even on a narrower view, controllers would still need to assess the risk of "jigsaw" identification, where fragments of data combined with other accessible information could reveal an individual's identity. Given the rapidly improving sophistication of AI search tools which are capable of aggregating multiple sources, ruling out that risk would often be impossible. The broader interpretation therefore adds little to the existing burden.
3. Freedom of information case law does not narrow the security duty
A further strand of the CoA’s reasoning addressed the domestic case law on which the Upper Tribunal had placed significant weight. DSG had relied on freedom of information (FOI) case law, including the House of Lords' decision in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 (“CSA v SIC”), to support the proposition that data ceased to be "personal data" once it left the controller's hands and could not be used by a third party to identify specific individuals.
The CoA held that CSA v SIC addressed a different issue and could therefore be distinguished from this case. The decision in CSA v SIC was confined to a specific context: where a controller deliberately anonymises data and then discloses the anonymised output, that output is no longer "personal data" for freedom of information purposes. Conversely, in DSG, the data remained personal from the controller's perspective throughout. No positive act of anonymisation was made, and there was no specified purpose for which the information was disclosed (e.g., an FOI request).
Therefore, the question was whether the controller had to guard against unauthorised third-party access. The CoA emphasised that "personal data" has an inherently broad reach, and that the security duty context calls for a broad, not narrow, application. Where the personal data definition applies (as was the case here), so will the security duty.
Practical Implications for Organisations
The ICO's General Counsel, Binnie Goh, described the ruling as "a significant victory, bringing much-needed clarity for people affected by cyber-attacks as well as industry" and confirmed that it strengthens the regulator's ability to take robust action in the future.
The practical implications are clear:
The case now returns to the First-Tier Tribunal on the remaining issues (including the adequacy of DSG's security measures and the validity of the penalty notice). It remains to be seen whether DSG will seek permission to appeal to the Supreme Court.
How We Can Help
If you would like advice on how the ICO's enforcement approach may affect your platform, product, or procurement decisions, please contact Hamish Corner, Lucy Pegler, Madelin Sinclair McAusland, Amanda Leiu or any other member in our Technology team.
Written by Ben Randall and Victoria McCarron