[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

Security of processing

86.

We have already set out the material provisions on security of processing in the DPA 1998. Recital 46 of Directive 95/46/EC states:

“Whereas the protection of the rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organizational measures be taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorized processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing; and the nature of the data to be protected;”

87.

Article 17.1 of the Directive provides:

“Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”

88.

DPP7 was considered by Langstaff J in Various Claimants v Wm Morrison Supermarkets plc [2017] EWHC 3113 (QB), [2019] QB 772 (“Morrisons”). (The further appeals to the Court of Appeal and the Supreme Court in that case were focused on other issues.) An internal auditor employed by the defendant company had copied personal information relating to its employees and had published it on a file-sharing website to which links were published on the internet. Amongst the claims brought by data subjects, it was alleged that Morrisons had breached its duties under the DPA 1998. Langstaff J held that the short answer in relation to the other data protection principles that were relied upon was that the acts in question were those of a third party (the internal auditor) rather than those of Morrisons (paragraph 65). However, he explained that DPP7 stood apart from the first, second and third data protection principles, in that Morrisons was undoubtedly the data controller in respect of the relevant information at the time when the duty fell to be discharged. If appropriate technical and organisational measures (“ATOMS”) were not taken by Morrisons against unauthorised or unlawful processing of personal data then, provided the claimants could show that the breach of duty had caused the disclosure that was central to their complaints, liability would be made out (paragraph 71).

89.

At paragraph 68 Langstaff J made some observations on the nature of the DPP7 duty:

“The seventh principle does not impose a duty to take “reasonable care” as such. Those words do not appear in the statute. This might suggest that the draftsman was aiming at a rather different target when he required that “appropriate” measures be taken. The word comes from the Directive: it is likely therefore to bear an autonomous meaning, which will apply in each member state of the European Union…to whom it is addressed. However, it is clear that the principle is a qualified one. The mere fact of disclosure or loss of data is not sufficient for there to be a breach. Rather, “appropriate” sets a minimum standard as to the security which is to be achieved. This is expressly subject to both the state of the technological development and the cost of measures. Thus the fact that a degree of security may technologically be achievable, which has not been implemented, does not of itself amount to a failure to reach an appropriate standard…the following words in DPP7 indicate that a balance has to be struck between the significance of the cost of preventative measures and the significance of the harm that might arise if they are not taken.”

90.

In that case there was no dispute that the exfiltrated data was personal data both in the hands of Morrisons and when it was released, given the personal information that was included. We were told by counsel that there has been no authority so far on the meaning of “personal data” in the context of DPP7.