[2024] UKUT 287 (AAC)
Upper Tribunal Administrative Appeals Chamber

Date: 23-Sep-2024

The FTT’s reasoning and the FTT’s error

124. Having set out what we consider to be the correct interpretation of DPP7, we can address quite briefly the FTT’s reasons for concluding that for the purposes of determining whether DSG failed to take ATOMS against unauthorised or unlawful processing of personal data, it should take a limb (ii) approach, simply considering whether the data held by DSG amounted to personal data. At paragraphs 93c and 95 of its decision, the FTT emphasised that the DPP7 duty was imposed on DSG as the data controller in respect of the personal data that it held. As our reasoning indicates, we agree with this point. However, as we have explained, this simply indicates where the duty lies; interpreting the nature of the risk that is to be guarded against is a separate question. At paragraph 93d of its decision, the FTT pointed out that the meaning of “personal data” in DPP7 is not limited by the same contextual considerations that applied in the FOIA cases. Again, we agree that the contextual considerations are not the same. Nonetheless, we have explained why we consider that this caselaw is instructive. The point made in the opening sentence of the FTT’s paragraph 94 overlooks the fact that DPP7 requires the data controller to protect against particular, specified risks. Furthermore, we see nothing inconsistent or surprising in the proposition that there would be no contravention of DPP7 if a data controller’s security failing only enabled third parties to access anonymised data from which individuals could not be identified and that the data that it held which would enable identification to take place remained securely protected. The remainder of this part of the FTT’s decision (particularly paragraphs 93e, 93f and 94) simply focused upon the wrong question, namely whether the limb (ii) test was made out on the facts.

125. The FTT did not address the majority of points that we have relied upon in arriving at our conclusion as to the correct interpretation of “personal data” in this context. Given the complexity of the law in this area, it is pertinent to observe that it was unfortunate that the FTT went off on a tangent of its own, when neither party had asked them to adopt a limb (ii) approach and they had not invited or heard submissions on this point.

126. As we have already indicated, in light of its decision that it should apply a limb (ii) approach, the FTT did not make any findings as to whether the security shortcomings that it had upheld (contraventions 3 and 9) entailed a failure to take ATOMS against unauthorised or unlawful processing of data that constituted personal data (limb (i)) or data that would identify a living individual when combined with other information in the possession of or likely reasonably to be in the possession of third parties (limb (iii)). In short, the FTT failed to make relevant findings as to the consequence of the shortcomings that it had identified. The sheer fact that DSG held personal data did not resolve this question. DSG’s case was that neither the limb (i) nor the limb (iii) definitions were met in this instance. We address limb (i) under Issue 4. As regards limb (iii), as explained to us, DSG’s case was that the security failings that were upheld in respect of contraventions 3 and 9 did not give rise to any risk of third party attackers obtaining personal data in respect of the EMV Data, as the information that would have enabled identification of the cardholders was held in an inaccessible secure storage area; and although the FTT appears to have found at paragraphs 93f and 94 that DSG could link Batch 1 and Batch 4.1 data (a proposition that DSG disputes), this could not have been done by third parties. Accordingly, the FTT needed to make findings on these relevant, disputed matters.

127. In the interests of clarity, we re-emphasise that the issues we have identified in the previous paragraph are to be answered by reference to the risks that shortcomings in security gave rise to, not simply by reference to what actually happened in the attack. This will involve consideration of what a motivated attacker could and could not have obtained data-wise from the DSG estate as a result of the shortcomings. The FTT’s decision has not addressed this.

128. We also note for completeness that in finding that there was a contravention, the FTT did not apply paragraph 9 of Part II of Schedule 1 to determine what was the appropriate level of security required. In turn, this would have involved the FTT in making findings as to the harm that might result from unauthorised or unlawful processing of personal data, understood in the sense that we have referred to in the previous paragraph.

129. Accordingly, the FTT’s decision involved a material error of law in deciding that there had been a contravention of the DPA 1998 in relation to the EMV Data without determining whether that data would be personal data in the hands of third parties who could access all the data put at risk by DSG’s failings.