The statutory provisions
Although this appeared to be in issue during the earlier part of his submissions, Mr Pitt-Payne subsequently clarified that he accepted that as regards DPP7, the section 4(4) DPA 1998 duty to comply with the data protection principles is placed on the data controller in respect of all data that is personal data in their hands. He was right to do so. This is clear from the statutory wording and it is reinforced by the terms of recital 46 and article 17.1 of the Directive and by Langstaff J’s judgment in Morrisons (paragraphs 86 – 90 above). Accordingly, it follows that DSG was subject to the DPP7 duty at all material times and that it applied to all the data that was personal data in its hands.
It is clear from the statutory language that the duty is an anticipatory one. The obligation is to take precautionary steps, ATOMS, to guard against the risks that are referred to in DPP7, namely the risk of unauthorised or unlawful processing of personal data and the risk of accidental loss or destruction of, or damage to, personal data. The duty will be breached if the appropriate measures are not taken, whether or not these eventualities materialise and, indeed, if they do, the breach will have occurred prior to that time. Our understanding in this regard is reinforced by the language of paragraph 9 of Part II of Schedule 1 DPA 1998, which identifies the standard of security measures to be taken by reference to (amongst other factors) “the harm that might result” from the eventualities specified in DPP7. The position is, again, reinforced by the terms of the Directive; recital 46 refers to ATOMS that are to be taken “to prevent any unauthorized processing” and article 17 to ATOMS that the controller must implement “to protect personal data against […]”.
Accordingly, whether a contravention has occurred is to be determined by reference to whether the appropriate precautionary steps have been taken, not just by reference to what (if any) third party attack occurred in practice, albeit that may well be good evidence of an antecedent failure to take ATOMS. Applying that approach to the present case, the correct focus is upon the extent to which DSG failed to take appropriate steps to guard against the risks specified in DPP7, not simply upon what the attackers managed to achieve in the particular attack that took place upon DSG’s data.
However, the fact that the DPP7 duty lies on the data controller and is an anticipatory one does not of itself answer the question we have to resolve as to the meaning of “personal data” in the context we have identified. As Mr Pitt-Payne emphasised in the refined version of his submission, for DPP7 purposes there is a distinction between the questions of who is subject to the duty and what data that duty applies to (on the one hand) and the question of what are the risks to protect against and whether that duty was breached (on the other). DSG was subject to the DPP7 duty in respect of all of the personal data that it held. However, in order to decide whether DSG breached that duty, it is necessary to determine whether it failed to take ATOMS to guard against a specified risk. Here, the risk that the ICO considered DSG had failed to take appropriate steps to guard against was the risk of unauthorised or unlawful processing of personal data, that is to say unauthorised or unlawful processing of personal data by third parties. Thus, it is necessary to consider what third parties would be able to obtain as a result of the alleged failings and to determine whether this would constitute personal data in their hands. This necessarily involves considering the data from a limb (i) and a limb (iii) perspective, not a limb (ii) perspective.
We will take a hypothetical example which Mr Pitt-Payne raised in submissions in order to illustrate this point. As it accepts, DSG held information that was personal data; in relation to the EMV Data, it held information within its estate as to cardholders’ identity. It was therefore obliged to take appropriate steps to protect the security of this personal data. However, if the only data that was accessible as a result of its security failings was vanilla data in data protection terms, for example, financial data relating to the performance of the company and none of the data that it held relating to identifiable individuals could be accessed, then there would be no contravention of DPP7, as in that scenario no personal data was put at risk of exposure. The sheer fact that the data controller also held personal data in another part of its estate that would make the data at risk of exposure limb (ii) personal data would be irrelevant. However, if data that became accessible as a result of security failings included material about identifiable living individuals (i.e. limb (i) personal data in anybody’s hands) or material that enabled their identification when combined with other available information (limb (iii) personal data), then DSG would have failed to guard against the risk that DPP7 required it to protect against.
In other words, we conclude that it is not possible to know whether the data controller has failed to take ATOMS against “unauthorised or unlawful processing of personal data” without ascertaining whether personal data has been put at risk of exposure by the absence of those measures. If a third party can only obtain anonymous data and the key to any pseudonymised material remains behind a completely secure wall then, consistent with the case law that we return to below, accessing that vanilla data would not amount to an “unauthorised or unlawful processing of personal data”. To take an example from a very different context, which does not provide a precise analogy, but serves to illustrate the point: if a householder goes out to work leaving the front door of their house unlocked, for DPP7 purposes, the failure to lock the door would not amount to a breach in itself, it would depend on the risks that this gave rise to, specifically upon what a potential intruder would be able to access if they took advantage of the unlocked door.
We do not accept Mr Lockley’s suggestion that an alternative interpretation can be applied because DSG’s failings were of a general kind that impacted broadly on the security of its data, rather than solely on particular sub-sets of data. For the reasons we have explained, it remains necessary to focus on the statutory wording and to determine whether the data controller has failed to take ATOMS in respect of the risks that are specified in DPP7. Whilst it does not alter the interpretation of DPP7, plainly the nature and scale of the failings are likely to be relevant to whether the duty has been complied with. We also observe that Mr Lockley’s suggestion about the nature of DSG’s failings is not rooted in the FTT’s findings of fact in this case: the FTT has not made any finding about whether DSG’s failings had exposed to risk not just the data it identified as Batch 1, Batch 4.1 and 4.2 (etc.), but also the other data held by DSG that it considered could be combined with that data in order to make it personal data on a limb (ii) basis (and thus which could if released render the data limb (iii) personal data in the hands of any third party).
This interpretation is reinforced by the terms of paragraph 9 of Part II of Schedule 1, which, as we have explained, informs the question of what is an “appropriate” measure for the data controller to take. Amongst other things, paragraph 9 requires that the measures must ensure a level of security appropriate to “the harm that might result from such unauthorised or unlawful processing…as are mentioned in the seventh principle” (emphasis added). In order to understand the harm that might result from the unauthorised or unlawful processing of personal data and thus the standard of security that is required, it is necessary to understand the data that stands to be exposed if such steps are not taken. Again, the fact that the data controller holds what amounts to personal data in its hands is only pertinent if that data is at risk of being exposed.
Contrary to Mr Lockley’s submission, we do not consider that this interpretation is precluded or counter-indicated by the terms of section 4(4) or that it gives rise to problematic internal inconsistency within DPP7. As to the former, as we have explained, we accept that the DPP7 duty lies on the data controller in respect of all of the personal data that it holds. As to the latter, DPP7 imposes an obligation on the data controller to take appropriate steps to guard against two different kinds of risk. The first risk it covers is the one we have just discussed, namely the risk of third parties undertaking unauthorised or unlawful processing of personal data. However, the data controller is also required to take appropriate steps to guard against the distinct risk of “accidental loss or destruction of, or damage to, personal data”. In this scenario, the risk to be guarded against is the inadvertent actions of the data controller, who accidentally loses, damages or destroys personal data whilst it is in its possession. Accordingly, for the purposes of this risk, the reference to “personal data” is inevitably a reference to data that amounts to personal data in the data controller’s hands.
We consider that our interpretation of “personal data” in DPP7 is also supported by the terms of the Directive. Article 17.1 requires Member States to provide that data controllers implement ATOMS to protect personal data against a number of specified risks, including the risk of “all other unlawful forms of processing”. Consistent with the caselaw that we return to below, in order to decide whether there is a risk of unlawful processing by a third party it is necessary to know whether the data in question would be personal data in their hands.
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Decision date: 23 September 2024
[2024] UKUT 287 (AAC)