In DSG Retail Limited -v- The Information Commissioner [2026] EWCA Civ 140, the Court of Appeal delivered a landmark judgment (19 February 2026) clarifying the scope of the security duty imposed on data controllers under data protection law.

The appeal arose from the Information Commissioner's challenge to an Upper Tribunal decision which had narrowed the duty imposed by the seventh data protection principle (DPP7) under the Data Protection Act 1998 (which was the data protection framework in force at the time of events in the case).

The central question was whether a data controller is required to take appropriate technical and organisational measures (ATOMs) against unauthorised or unlawful processing by a third party, where the data constitute "personal data" in the hands of the controller but not in the hands of the third party. The Court of Appeal unanimously allowed the Information Commissioner's appeal, holding that the security duty applies to all data that are personal data from the perspective of the data controller, regardless of whether the third party acquiring or processing the data can identify the individuals concerned.

In this article, we look at the Court of Appeal's decision in DSG Retail v The Information Commissioner, which clarifies the scope of the data security duty and confirms that it is the controller's responsibility to protect personal data against third‑party "jigsaw" identification.

The cyber attack behind the Court of Appeal's DSG Retail decision

In a significant cyber attack on DSG Retail Limited (DSG), owner of Dixons and Currys PC World, between 2017 and 2018, attackers scraped transaction data from over 5.6 million payment cards. For the vast majority of cards, which were protected by EMV (chip-and-pin), the attackers obtained only the 16-digit card number and expiry date, without cardholder names or other identifying information.

After an investigation, the Information Commissioner found DSG in breach of DPP7 and served a monetary penalty notice (MPN) in the maximum sum of £500,000. DSG appealed to the First-tier Tribunal, which upheld the MPN, though it reduced the penalty by half. DSG then appealed to the Upper Tribunal, which accepted DSG's case and reversed the First-tier Tribunal's findings on this issue. The Commissioner appealed to the Court of Appeal on the ground that the Upper Tribunal had erred in law.

DSG contended that it owed no duty under DPP7 to protect against acquisition of such data by third parties who could not identify the individuals concerned, because the data would not be "personal data" in their hands. The Upper Tribunal had accepted this argument, but the Court of Appeal has now decisively rejected it, remitting the matter to the First-tier Tribunal for determination in accordance with its judgment.

The judgment: the Court of Appeal's reasoning on personal data and security

Lord Justice Warby, giving the lead judgment, conducted a thorough analysis of the statutory language in section 4(4) and Schedule 1 to the 1998 Act, read in conjunction with the Data Protection Directive 95/46/EC. His Lordship identified that the definition of "personal data" in section 1 comprises two categories: data from which an individual is directly identifiable by anyone (category (a)), and data from which an individual is indirectly identifiable to the data controller (category (b)). This latter category encompasses what is sometimes referred to as "jigsaw identification"—the process by which disparate pieces of information, each innocuous on its own, can be combined to identify an individual. Critically, the statute contains no reference to indirect identifiability by third parties as a factor that limits or controls the scope of the data controller's duties.

The Court held that the term "personal data" in DPP7 must bear the same meaning as in the primary definition, and accordingly the security duty extends to all data that are personal data from the data controller's perspective, without any qualification based on third-party identifiability.

The Court also emphasised the practical consequences of the narrower interpretation: it would leave data controllers with no obligation to guard against ransomware attacks, malicious encryption, or data destruction by third parties who cannot identify individuals, thereby exposing data subjects to real and substantial risks of harm.

The judgment engages extensively with two recent Court of Justice of the European Union (CJEU) decisions that bear on the question of perspective for assessing identifiability: Gesamtverband Autoteile-Handel eV v Scania CV AB (C-319/22) and Single Resolution Board v European Data Protection Supervisor (C-413/23). In Scania, delivered in November 2023, the CJEU held that vehicle identification numbers, though not personal data per se, become personal data "as regards someone who reasonably has means enabling that datum to be associated with a specific person" and, indirectly, for the controller making them available.

In SRB v EDPS, the CJEU (in its judgment of 4 September 2025) overturned the General Court's earlier ruling and confirmed that the relevant perspective for assessing identifiability depends on the circumstances of the processing in each individual case. Crucially, the CJEU held that for the transparency duty (Article 13 GDPR), identifiability must be assessed at the time of collection and from the point of view of the controller.

Lord Justice Warby applied this reasoning by analogy to the security duty, concluding that the security duty is likewise an incident of the legal relationship between the data subject and the data controller, and that identifiability should be assessed from the controller's perspective. The Court expressly noted that the CJEU's decision in SRB v EDPS undermines the analysis adopted by the Upper Tribunal, which had relied on the now-overturned General Court decision.

Key takeaways from the Court of Appeal decision in DSG Retail

1. The scope of the security duty is determined by the controller's perspective, not the attacker's

The Court has definitively established that a data controller's obligation to implement ATOMs against unauthorised or unlawful processing applies whenever the data are "personal data" from the controller's point of view. It is irrelevant whether a third party who acquires or processes the data without authorisation would be able to identify the individuals to whom the data relate. This represents a broad, protective interpretation that aligns with the fundamental purpose of data protection legislation.

2. Alignment with CJEU jurisprudence following SRB v EDPS

The judgment explicitly engages with and applies the CJEU's September 2025 ruling in SRB v EDPS (C-413/23), in which the CJEU confirmed that the perspective for assessing identifiability is context-dependent and, for obligations arising from the controller-data subject relationship, should be assessed from the controller's standpoint. This brings UK law into close alignment with the EU position on the conceptual question of whose perspective matters when determining whether data protection duties apply. The Court's reasoning follows the CJEU's observation that the security duty, like the transparency duty, is "part of the legal relationship between the data subject and the controller."

3. Consistency with the principle that pseudonymisation does not remove data from scope

The judgment is consistent with the broader principle, now confirmed by the CJEU in SRB v EDPS, that pseudonymised data remain personal data for the controller who holds the key to identification. The exemption for anonymised data under Recital 26 of the Directive applies only where data have been "rendered anonymous" such that they no longer contribute to identification by anyone.

The Court distinguished the 2008 House of Lords decision in Common Services Agency v Scottish Information Commissioner as being concerned with a fundamentally different context—deliberate anonymisation for public disclosure—and held that it provides no support for limiting the security duty.

4. Ransomware attacks and the importance of early data security risk analysis

The Court took judicial notice of the prevalence of ransomware attacks and other malicious third-party interference with corporate databases. The judgment makes clear that controllers cannot avoid security obligations simply because attackers are unlikely to be able to identify data subjects. This reinforces the need for comprehensive security programmes covering all personal data held by the organisation, without distinction based on the format or identifiability characteristics of particular data sets.

In considering the impact of cyber attacks, Lord Justice Warby stated, "it is to be borne in mind that the security duty requires a data controller to conduct a risk assessment, and to consider prospectively what measures are appropriate to guard against the risks identified."

He further concluded that, "A data controller in possession of a set of information that amounts to personal data "in its hands" will only be able confidently to draw a clear line around its security duty if it has first conducted a thorough analysis of that issue."

A rigorous, prospective analysis of data security risk is essential to understanding and fulfilling the data security duty as a data controller.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.