
We are seeking permission to appeal the judgment of the Upper Tribunal (Tribunal) on DSG Retail Limited (DSG) to the Court of Appeal.

In 2020, the Commissioner fined DSG £500,000, the maximum amount under the Data Protection Act 1998 (DPA 1998), after a cyber attack that affected the personal information of at least 14 million people.

DSG appealed the Commissioner’s decision and the fine to the First-tier Tribunal (Information Rights) (FTT) which, in its ruling in July 2022, substituted the original amount with a £250,000 fine. DSG was subsequently granted permission to appeal the FTT’s decision to the Tribunal on a limited number of grounds.

In its 2024 ruling, the Tribunal allowed DSG’s appeal and remitted the case to the FTT to be re-decided. The ruling helpfully makes it clear that the duty on an organisation to put in place appropriate technical and organisational measures to guard against the risks of unauthorised or unlawful processing of personal data is an anticipatory one. The obligation is to take precautionary steps to guard against those security risks. This duty is breached if the appropriate measures are not taken, whether or not those risks materialise.

However, the Commissioner considers the Tribunal interpreted the law incorrectly in then finding that an organisation is not required to take appropriate measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller but not in the hands of the third party.

John Edwards, UK Information Commissioner, said:

“We welcome the Tribunal’s clarity that organisations have an anticipatory duty to put in place measures to keep people’s information safe. But it is my view the Tribunal misinterpreted the meaning of personal data in this context. This is a core concept of data protection law, and we are seeking clarification so there’s certainty for organisations and people’s information is better protected.

“The DPA 1998 was clear – organisations must put technical and organisational security measures in place to protect personal data, irrespective of whether this data is pseudonymised. We have seen many cases where people have been affected when malicious actors have accessed, deleted or encrypted pseudonymised personal data, for example when medical or financial data is compromised.

“Similar security requirements apply in the current data protection regime, so it’s crucial that we seek clarification on this important issue from the courts.”

We now await the Upper Tribunal’s decision.