Upper Tribunal Administrative Appeals Chamber

[2024] UKUT 287 (AAC)

Fecha: 23-Sep-2024

Decision date: 23 September 2024

Decided after a hearing on: 11 and 12 June 2024

Representation:

Appellant: Mr Timothy Pitt-Payne KC and Mr Rupert Paines of counsel, instructed by Pinsent Masons.

Respondent: Mr Peter Lockley of counsel, instructed by the Information Commissioner

DECISION

The decision of the Upper Tribunal is to allow the appeal by DSG Retail Limited.

As a consequence of our decision, and pursuant to section 12(2)(a) and 12(2)(b)(i) of the Tribunals, Courts and Enforcement Act 2007, we set aside the words “and is substituted by this Decision" in paragraph 1 and the whole of paragraph 2 of the First-tier Tribunal’s decision in EA/2020/0048, dated 5 July 2022. We remit the appeal to be redecided by an entirely freshly constituted First-tier Tribunal in accordance with the law in this decision and on the basis of the uncontested matters as set out in this decision.

REASONS FOR DECISION

Introduction

This appeal concerns the lawful basis for the Information Commissioner (“ICO”) imposing a monetary penalty notice (“MPN”) on a data controller under section 55A of the Data Protection Act 1998 (“DPA 1998”). A key issue on the appeal is the correct construction of the phrase “personal data” as it appears within the seventh data protection principle in Schedule 1 of the DPA 1998 (“DPP7”), which is concerned with data security. A three-judge panel of the Upper Tribunal was convened to hear the appeal because this issue of construction raises a question of law of special difficulty.

The structure of this decision is as follows:-

A summary of the relevant background 3

The ICO’s MPN 3

The FTT’s decision 5

Personal data 7

The contravention of DPP7 10

Seriousness of the contravention 12

Substantial damage and distress and knowledge 12

The substituted MPN 13

The issues on this appeal 13

The grant of permission to appeal 14

The legal framework 16