ICO wins appeal case in DSG Retail data ruling

The Information Commissioner’s Office (ICO) has won its appeal in the Court of Appeal (CoA) against the Upper Tribunal’s decision on DSG Retail Limited. The ICO fined DSG £500,000 in 2020 after a cyber attack which affected the personal data of over 14m people.

Following appeals by DSG to the First-tier Tribunal and Upper Tribunal, the ICO appealed to the CoA in 2024 to seek clarification from the court on what it says is an important point of data protection law.

In its judgment, the CoA supports the ICO’s grounds for appeal, reinstating a clear interpretation of the legal responsibility on organisations to keep personal data secure. The judgment confirms that DSG was required to take appropriate security measures to protect personal data from unauthorised access – regardless of whether people could be identified from the data exfiltrated by the hackers.

Binnie Goh, ICO general counsel, said: “This judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry. We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”


