Relevant provisions of the DPA 1998
This case is concerned with the ‘old’ data protection regime under the DPA 1998. Both parties to this appeal suggest that the relevant provisions of the ‘new’ regime under the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) are materially the same, but we make clear that we have not considered the provisions of the new regime in this case.
Section 1 of the DPA 1998 defines “personal data” as follows:-
“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;”
Whilst the statutory wording only refers to the two possibilities of a living individual who can be identified from the data itself or from the data and other information in the possession of or likely to come into the possession of the data controller, it is apparent from Directive 95/46/EC (which the DPA 1998 implements) and the caselaw that we discuss below, that whether data amounts to “personal data” for these purposes may entail consideration of whether a living individual can be identified from the data itself in combination with additional information that is in the possession of, or reasonably likely to be in the possession of, a third party.
Section 1(1) of the DPA 1998 also contains the definition of “data controller” as follows:-
“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;”
The DPA 1998 refers to seven “data protection principles”. These data protection principles are set out in Part I of Schedule 1 (section 4(1)). The data protection principles are to be interpreted in accordance with Part II of Schedule 1 (section 4(2)). By section 4(4):
“… it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”
This case concerns DPP7, which is set out at paragraph 7 of Part I of Schedule 1 as follows:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Part II of Schedule 1 makes provision as to the interpretation of DPP7 including, paragraph 9 which is relevant to this appeal:
“9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”
By section 40 of the DPA 1998, where a data controller contravenes any of the data protection principles, the ICO may serve him with an enforcement notice requiring the data controller to take (or refrain from taking) certain specified steps. In deciding whether to serve an enforcement notice, the ICO must take into account “whether the contravention has caused or is likely to cause any person damage or distress” (section 40(2)) (but is not limited to issuing an enforcement notice only in such cases). There is also provision under section 13 for an individual who suffers damage or distress by reason of any contravention by a data controller of the data protection principles to make a claim for compensation (and we note that a number of such claims have been brought by individuals in the courts in relation to the same matters as led to the imposition of the MPN in this case).
This case, however, is concerned with an MPN issued under section 55A, which is a provision that applies only where the ICO is satisfied that there has been a serious contravention likely to cause substantial damage or distress. We need to consider the full text of the section, which is as follows:
“55A Power of Commissioner to impose monetary penalty
(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
(a) there has been a serious contravention of section 4(4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller—
(a) knew or ought to have known—
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
…
(4) A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.
(5) The amount determined by the Commissioner must not exceed the prescribed amount.
(6) The monetary penalty must be paid to the Commissioner within the period specified in the notice.
(7) The notice must contain such information as may be prescribed.”
A right of appeal lies to the Tribunal under section 48(1). By section 49(1) the Tribunal must allow the appeal or substitute an alternative decision notice, if it considers that the enforcement notice was not in accordance with the law or that, to the extent that the notice involved an exercise of discretion by the ICO, that the discretion ought to have been exercised differently. In any other case, the Tribunal must dismiss the appeal. By section 49(2) the Tribunal has power to review any determination of fact on which the notice in question was based.
[2024] UKUT 287 (AAC)
THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
Decision date: 23 September 2024