The Court of Appeal handed down judgment on 19 February 2026 in DSG v information Commissioner [2026] EWCA Civ 140. This significant appeal concerned the scope of the data security duty in the Data Protection Act 1998 (“DPA”), i.e. the duty imposed on a data controller to protect personal data against unauthorised or unlawful processing. The Court (reversing the Upper Tribunal) held that the duty applies to all data that is “personal data” in the controller’s hands – i.e., all data where the data controller can directly or indirectly identify the data subject – whether or not that data is also “personal data” in the hands of any third party carrying out the unauthorised or unlawful processing. The Court’s reasoning has obvious implications for the similar duty in the UK GDPR. The reasoning establishes that a data controller will not necessarily comply with the data security duty simply by “pseudonymising” personal data, so that any third party getting hold of it (whether a hacker, malicious actor, or anyone else) cannot themselves identify the individuals to which the data relate.
Julian Milford KC and Peter Lockley of 11KBW acted for the Information Commissioner; Timothy Pitt-Payne KC and Rupert Paines of 11KBW acted for DSG.
