Is Data Still ‘Personal’ If The Recipient Cannot Identify The Data Subject?

Data protection practitioners know that the first question to ask when considering their organisation’s data protection obligations in relation to any data is: “Is it personal data?” 

The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.    

DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law; namely the UK GDPR and Data Protection Act 2018. 

The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine month period, attackers deployed malware to scrape transaction level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected; though the majority consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders. 

In 2020, the ICO fined DSG £500,000 for breach of the data security principle. 
This was the maximum fine under the DPA 1998. There then followed a series of appeals. The First Tier Tribunal (FTT) upheld the ICO’s findings but reduced the fine by half.  

The Upper Tribunal (UT) in setting aside the FTT’s decision held that the data security principle under the DPA 1998 applies to only to ‘personal data’ i.e. information about living, identifiable, individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.  

Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller,  regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person. 

The CoA considered it implausible that (absent an explicit statement) Parliament intended to limit the scope of the data security duty so that a Data Controller would have no obligation to protect some parts of the data provided by the Data Subject. The CoA also noted the potential consequences of a contrary reading; there would be no obligation for the Data Controller to protect data when a third party would be unable to identify the Data Subject from that data. In the Court’s view, third-party interference with data, even where the attacker is unable to identify the Data Subjects, can still be harmful. Moreover, the Court found it impractical to put Data Controllers in a position where, in determining their data security obligations, they would need to assess whether attackers could
re-identify individuals via ‘jigsaw’ techniques. 

More - 
https://actnowtraining.blog/2026/03/02/is-data-still-personal-if-the-recipient-cannot-identify-the-data-subject/

Legal challenge launched against government SEND proposals that “significantly weaken the legal rights of children and young people”

Well, that didn’t take long. It’s less than a week since the Government published long-awaited proposals for “reforming” the SEND system, and the first steps have already been taken in a legal challenge against the Secretary of State for Education.

If successful, this could force ministers to publish an amended version of the consultation to add more information about what is proposed, as well as specific questions on some key changes. It could also mean extending the consultation period.

Consultation lawfulness questioned

The family of Jessica Hayhurst, a little girl with complex special educational needs, has instructed lawyers to send a formal letter before legal action to Bridget Phillipson. The letter questions the lawfulness of the consultation process on SEND reform in relation to two things:

1. The proposed weakening of SEND Tribunal powers, and
2. A shift in legal duties from local authorities to schools.

The family is being represented by Polly Sweeney and Bethany Parr from Rook Irwin Sweeney, which is funding the claim through its Social Justice Fund. Barrister Steve Broach KC is providing pro bono support.

The letter says:

“Many of the proposals being put forward in the White Paper will result in parents and children losing important existing legal rights”.

As we outlined in our first post on the Schools White Paper and SEND proposals, the 132-page consultation paper invites views and responses to 40 specific questions from anyone with an interest in the plans by 18^th May 2026. The questions cover things such as how children can be supported in the new proposed ‘layers’ and how “Inclusion Bases” should work.

More - 
https://www.specialneedsjungle.com/legal-challenge-against-send-proposals-significantly-weaken-legal-rights-children/