Is Data Still ‘Personal’ If The Recipient Cannot Identify The Data Subject?

Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law; namely the UK GDPR and Data Protection Act 2018. 

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine month period, attackers deployed malware to scrape transaction level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected; though the majority consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders. 

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. 
This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First Tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.  

The Upper Tribunal (UT) in setting aside the FTT’s decision held that the data security principle under the DPA 1998 applies to only to ‘personal data’ i.e. information about living, identifiable, individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.  

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller,  regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person. 

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading; there would be no obligation for the Data Controller to protect data when a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could
re-identify individuals via ‘jigsaw’ techniques. 

More - 
https://actnowtraining.blog/2026/03/02/is-data-still-personal-if-the-recipient-cannot-identify-the-data-subject/

Gwynedd Council - Leader Of The Gang...?

In November, 2021, Neil Foden, headteacher at Ysgol Dyffryn Nantlle in Penygroes wrote to parents informing that any child with a debt of 2p would be refused school meals. This caused a national furore with interventions from Marcus Rashford and blogger Simon Harris (men behaving dadly)

The headteacher blamed the decision on his council bosses who he claims 'threw him under a bus' -
https://www.bbc.co.uk/news/uk-wales-59341464
"All I did was to pass on the authority's message to parents."

Gwynedd Council blamed "lack of clarity" from its education department on school food debt policy -
https://www.walesonline.co.uk/news/education/council-apologises-school-meal-debt-22153658

Councillors of Gwynedd's Education and Economy Scrutiny Committee challenged the Head of Education, Garem Jackson, for an explanation. He did not provide one but promised an update for the next meeting.

Two months later, a video was posted online that appears to show Neil Foden grabbing a pupil by the scruff of the neck -
https://www.walesonline.co.uk/news/education/head-teacher-filmed-appearing-grab-22967578

At the next scrutiny meeting, Mr Jackson failed to answer the committees previous concerns and was also unwilling to respond to the latest incident. Once again, promising to get the full facts and return with an update for councillors.
There is no record of Mr Jackson updating the committee on either incident...

Mr Foden has a history of controversy. In 2018, a Biology teacher was awarded £8,000 compensation after an 'outrageous' suspension by the Ysgol Friars headteacher -
The tribunal was convinced Mr Foden had at one stage been “looking for an excuse to make things difficult for the claimant”.
https://www.dailypost.co.uk/news/biology-teacher-awarded-8000-compensation-14867550

Also -
“We developed a particular view about the evidence given by Mr Foden which undermined his credibility and/or reliability as a witness.”
https://www.dailypost.co.uk/news/north-wales-news/autocratic-gwynedd-headmaster-included-malpractice-14853841
How is this not perjury?

In 2020, he was found guilty of unacceptable professional conduct by the Education Workforce Council.
It was proved that Mr Foden treated a third teacher unfairly when providing a reference in 2016 in which he said he was facing an allegation of malpractice when, in fact, the teacher had been cleared.
https://www.bbc.co.uk/news/uk-wales-54300055

The panel heard evidence that included -
"I felt victimised by Neil Foden due to the way he operated. You were either in his gang or you were not," person D told the panel. He claimed he was never interviewed by school governors and that Mr Foden's daughter had investigated the allegations against him.
https://www.bbc.co.uk/news/uk-wales-51710557

The teacher claimed Mr Foden was looking to "pressurise" him after he made whistleblowing complaints over erroneous submissions of exam results by his department boss.
Person D said he made the whistleblowing complaints in 2014 because pupils had been "awarded an exam pass" and he was initially concerned it was an "administrative error".

However, he said the evidence had been moved for the five pupils concerned. "The evidence had been removed from a computer file. It had taken a year and a quarter for the exam board to be told."
Person D said he and two other concerned teachers were not interviewed about the exam concerns until "four to six months later".
https://www.dailypost.co.uk/news/north-wales-news/headmaster-victimised-teacher-who-blew-17850450

The delay in interviewing the teachers will affect any legal process as there is a very short window to lodge complaints and/or take legal action. After one year, it is presumed that the exam board would dismiss any concerns as out of time...
Mr Foden is also Head of Ysgol Friars in Bangor.

Perhaps the scrutiny committee could remind the Head of Education of his promise to report on the incidents and also ask for an update on the two teachers believed to have been suspended on full pay for 9 years...

In 2014, the council's safeguarding team began an investigation alongside north wales police.. It did not go well. In 2016, the CPS threw out the case after they did a deep dive of the 'evidence'. 

A spokesman for the council said -
"This process concluded with the CPS deciding not to proceed with any prosecutions. The council is currently carrying out its own subsequent internal investigation into the matter and as a result the individuals remain suspended from their posts.”
https://web.archive.org/web/20180729072902/https://www.walesonline.co.uk/news/wales-news/welsh-councils-paid-9m-staff-14876849

Gwynedd council also paid over £800,000 of public money to north wales police. For what...?
The costs of this case, including the legal fees, must be approaching 2 million pounds - if not more... 

An FOI seeking information on the matter was shut down by the monitoring officer who simply ignored the request for an internal review. The next step in the legal process - a complaint to the ICO - usually requires an internal review to have been undertaken. Regardless, the ICO can only 'advise' the council to release information. Gwynedd council have ignored the 'advice' of the ICO in the past...

Questions to the integrity and professionalism of the safeguarding team remain. The senior safeguarding officer for Gwynedd has not been seen at a council meeting since 2019 when he was called out for deceiving the care scrutiny committee in another case.

Something is so very wrong within Gwynedd council...