Information Commissioner's Office
 Printable version
|
ICO wins Court of Appeal case in DSG Retail ruling
We welcome the Court of Appeal’s (CoA) ruling that we have succeeded in our appeal against the decision of the Upper Tribunal on DSG Retail Limited (DSG).
In its judgment published yesterday, the CoA supports our grounds for appeal, reinstating a clear interpretation of the legal responsibility on organisations to keep personal data secure.
In 2020, we fined DSG £500,000 after a cyber attack affected the personal data of at least 14 million people.
Following appeals by DSG to the First-tier Tribunal (FTT) and Upper Tribunal (UT), we appealed to the CoA in 2024 to seek clarification from the court on an important point of data protection law.
The CoA judgment confirms that DSG was required to take appropriate security measures to protect personal data from unauthorised access – regardless of whether people could be identified from the data exfiltrated by the hackers.
Binnie Goh, ICO General Counsel, said:
“Today’s judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.
“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.
“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”
While this case is rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA offers an important guide to similar requirements in the current data protection regime.
Now the point of law has been clarified by the CoA, the case will return to the FTT at a later date to apply this interpretation to the facts of the DSG cyber attack.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator that exists to empower people through their information rights. The ICO regulates the whole economy, including government and the public sector.
- The ICO has specific responsibilities set out in the Data Protection Act 2018, the United Kingdom General Data Protection Regulation, the Freedom of Information Act 2000, Environmental Information Regulations 2004, Privacy and Electronic Communications Regulations 2003 and a further five acts and regulations.
- Civil monetary penalties (CMP) are paid directly into the Consolidated Fund. From 1 April 2022, HM Treasury has allowed the ICO to keep some funds to cover certain pre-agreed costs up to a maximum cap of £7.5m per financial year. The approach is explained in our Annual Report and Accounts and is externally audited by the National Audit Office.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Original article link: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/ico-wins-court-of-appeal-case-in-dsg-retail-ruling/
