[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

Personal data

27. As for the PAN scraped by the attackers from the POS terminals, the FTT said the following:

“92. We conclude that, in the context of these proceedings, any PAN that identifies the bank account held solely by a living individual are personal data for the purposes of DPP7. This is because we are satisfied, on the balance of probabilities, that a living individual can be identified indirectly from the PAN held by DSG when combined with additional information which is also in the possession of, or reasonably likely to come into the possession of, DSG.

93. The reasons for these conclusions are as follows:

a. The primary definition of personal data, set out in s. 1 of the DPA, read with Recital 26 of Directive 95/46/EC, is data from which a living individual can be identified either directly, or from those data and other information, which is in the possession of, or likely [reasonably] to come into the possession of, the data controller or a third party. Thus, distilled from the relevant legislation and Upper Tribunal Judge Jacob’s approach in NHS BA, there are 3 limbs to the definition of personal data:

i. Data which identifies a living individual directly;

ii. Data which identifies a living individual indirectly when combined with other information in the possession of (or likely reasonably to be in the possession of) the data controller; and

iii. As (ii) but where the additional information is or is likely reasonably to be in the possession of a 3rd party.

b. The Parties’ submissions concerning the PAN have focussed mainly on limbs (i) and (iii). They disagree as to whether the PAN directly identifies a living individual (the ‘cloakroom ticket’ argument in relation to identification of an account); or, in the alternative, whether a living individual could be identified indirectly from the PAN when combined with other information that is [reasonably] likely to come into the possession of a third party such as the Attackers. Less attention has been paid to limb (ii).

c. One of the purposes of the DPA is to create legal rights and obligations relating to personal data that are enforceable against the data controller. Unless exempt by virtue of s. 27(1), s. 4(4) requires a data controller to comply with all data protection principles in relation to all of the personal data in respect of which they are the data controller. In short, a data controller has obligations in relation to the personal data they are processing. None of the authorities to which we have been directed suggest that these obligations do not apply to data which is personal data when in the hands of the data controller, but which ceases to be personal data when in the possession of a 3rd party.

d. The fact personal data may be anonymised to the extent that it becomes ‘vanilla data’ if or when it is published to the world at large, for example following an information request made pursuant s. 1 FOIA, does not preclude the data meeting the definition of personal data whilst it remains in possession of the data controller, provided the data controller is reasonably likely to have other information with which the data could be ‘de-anonymised’. Whilst FOIA understandably points towards the DPA and related authorities for its definition of personal data, the DPA’s definition of personal data is not limited by the contextual considerations of whether data remains personal data following publication as a result of a FOIA request.

e. It appears to be uncontroversial that the Batch 1 data was scraped from the POS terminals. Mr Islam’s evidence is that the PAN processed by the POS terminals was separated from other transaction data, including presumably the name on the payment card, and was transmitted outside DSG’s IT domain for processing. He described this as a security measure introduced in part due to concerns about the risks inherent in the POS terminals’ internet gateway.

f. However, it has not been suggested that DSG could not thereafter combine the PAN with other data from the transaction should the need arise. In our view and as a matter of common sense, there must be a range of business needs that might require the PAN of a card used in a transaction to be linked to other data in DSG’s IT estate, for example when processing a refund to the payment card. Therefore, whilst we accept that there may be some PAN stored on some parts of DSG’s IT estate that may have been incapable of being linked to other data records, we are satisfied that a significant proportion of the PAN being processed must have been capable for being linked to other data, if only to the other data from the payment card (which would necessarily include the cardholder’s name) or with partial PAN. We note in this regard that Batch 4.1 data comprised 2.9 million records that included masked PAN stored in combination with records that are unarguably personal data and that Batch 1 also included data from 8,628 payment cards in relation to which the records comprised PAN, expiry date and card holder name.

94. We are therefore satisfied that at least some of the PAN processed by DSG was capable of leading to the identification indirectly of a living individual, when combined with other data reasonably likely to be processed by DSG. However, we cannot say definitively on the evidence before us how many of the PAN processed by DSG, or by the Attackers, could be combined with other information in such a manner. We therefore find only that some were so capable and make no findings as to quantity.

95. To clarify, our findings in this regard are not limited to a conclusion that the data in Batch 1 could have been combined with information from other Batches in order to achieve indirect identification. Mr Pitt-Payne objected in closing submissions to Mr Lockley putting such a case in cross examination, which he described as being a significant amendment to the Information Commissioner’s case. We note that the Information Commissioner has previously raised as an issue in these proceedings the extent to which PAN could be matched to data from other Batches, primarily to data that contain partial PAN. More recently, both Parties have focussed on the nature of a PAN once it has passed into the possession of 3rd parties, and on any consequent risks of harm. In our view this overlooks the fundamental purpose of the DPA and the Data Protection Principles, which imposes obligations on data controllers in relation to personal data when it is held by the data controller.

96. Put another way, the approach taken by the Parties in this case would, if taken to its logical conclusion, support a view whereby a data controller need only comply with DPP7 in relation to personal data that will continue to be personal data if and when it is unlawfully processed in isolation by a 3rd party. The fact that a record comprising personal data in the hands of a data controller will become purely ‘data’ in such circumstances must be relevant to any assessment of the risk of consequent damage and distress. However, this does not remove the requirement for appropriate technical and organisational measures to be in place in relation to the record while it remains personal data in the hands of the data controller.

97. Having concluded that at least some of the PAN processed by DSG were personal data pursuant to limb (ii), we have not gone on to consider whether, as a matter of principle, the PAN also met the limb (i) definition of personal data. We note that this is the approach relied upon by the Information Commissioner in paragraph 16 of the MPN. Our preliminary view is that data comprising a unique identifier of a financial account is capable of meeting the limb (i) definition but that, in the context of this case, the limb (ii) definition is much more obviously appropriate and applicable. Similarly, we have not gone on to determine whether the limb (iii) definition also applies. Although we appreciate the submissions made with considerable force by both Parties and have considered with care the evidence of the expert witnesses, we are satisfied that no further findings are required. The central question we were asked to determine was whether DSG had obligations under DPP7 in relation to the PAN it processed. We have concluded that it did, for the reasons given.”