England: ICO wins Court of Appeal case in DSG Retail ruling

The Information Commissioner’s Office (ICO) has welcomed the Court of Appeal’s (CoA) ruling that it has succeeded in its appeal against the decision of the Upper Tribunal on DSG Retail Limited (DSG).

In its judgment, published yesterday, the CoA supports the ICO’s grounds for appeal, reinstating a clear interpretation of the legal responsibility on organisations to keep personal data secure. 

In 2020, the ICO fined DSG £500,000 after a cyber attack affected the personal data of at least 14 million people.

Following appeals by DSG to the First-tier Tribunal (FTT) and Upper Tribunal (UT), the ICO appealed to the CoA in 2024 to seek clarification from the court on an important point of data protection law.

The CoA judgment confirms that DSG was required to take appropriate security measures to protect personal data from unauthorised access – regardless of whether people could be identified from the data exfiltrated by the hackers.

Binnie Goh, ICO general counsel, said: “[This] judgment is a significant victory, bringing much-needed clarity for people affected by cyber attacks as well as industry.

“We welcome the CoA’s confirmation that organisations must protect all personal data they process, regardless of how it might be used or exploited by hackers. This recognises that even if hackers can’t identify people individually from stolen datasets, cyber attacks can and do still cause real harm.

“With the rising threat of cyber crime, this decision strengthens our ability to take robust action in the future and sends a clear message to all organisations: you have a protective duty to safeguard the personal data you hold.”

While this case is rooted in the Data Protection Act 1998, the legal interpretation of the security duty by the CoA offers an important guide to similar requirements in the current data protection regime. 

Now that the point of law has been clarified by the CoA, the case will return to the FTT at a later date to apply this interpretation to the facts of the DSG cyber attack.
