The substituted MPN
The last issue the FTT had to decide was whether to impose an MPN. It considered it appropriate to do so because the contravention was particularly serious, given the nature of the personal data involved, the number of people affected, the length of time the inconsistent patch management was allowed to continue, and the obvious risk that the large volume of personal data held by DSG was of a kind likely to be targeted by a criminal attack. The FTT balanced this against the fact that, at the time of the attack, DSG was directing substantial resources to a long-term security transformation and had engaged external security consultants to address the position in the interim. In the FTT’s view, however, this did not absolve DSG of responsibility. In imposing an MPN the FTT also considered DSG’s resources, and took into account that the contraventions it had identified were fewer than those that had led to the ICO’s MPN.
Having decided that it was appropriate to impose an MPN, the FTT then considered relevant aggravating and mitigating features. The FTT’s analysis included the following passage:
“120. We note again that the identified contravention is serious for reasons already given relating to the nature and volume of data processed by DSG and the number of individuals whose data was put at risk.
121. We are not persuaded that the number of PAN accessed by the Attackers is an additional, relevant consideration for the purpose of identifying the quantum of any MPN imposed in this context. As previously stated, we have concluded that the exact number of PAN meeting the definition of personal data remains unknown. Rather, we consider the overall volume of personal data, both financial and non-financial, which is known to have been unlawfully processed to be a more relevant consideration.”
In terms of the quantum of the MPN, the FTT noted that the highest penalty was generally reserved for multiple contraventions of DPPs and/or contraventions of DPP7 comprising several inadequacies. Neither consideration applied in this case. It concluded that the appropriate figure in this case was £250,000.
THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
Decision date: 23 September 2024
[2024] UKUT 287 (AAC)