Personal data classification depends on recipient's ability to identify an individual
25/09/2025 | What Do They KNow
The Upper Tribunal has delivered a significant ruling, stating that the classification of personal data depends on the recipient's ability to identify an individual from the information. The decision in DSG Retail Limited v The Information Commissioner held that the risk is judged from the perspective of the data that a third party can access, rather than the entire data set held by the data controller.
This judgment, which has the status of binding precedent, clarifies that if a recipient cannot identify an individual from the requested information, the information is not personal data in their hands. This is highly important for Freedom of Information Act (FOIA) requests, as it suggests that disclosure would not breach data protection principles if the applicant cannot identify the subject.
In a LinkedIn post examining the decision, data protection specialist Jon Baines notes that the decision largely mirrors a recent ruling by the European Court of Justice (CJEU).
Having failed in its appeal to the Upper Tribunal, the Court of Appeal has granted the ICO permission to appeal.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread. The main contributor is listed in the top left-hand corner, just beneath the article title.
The Privacy Newsfeed monitors over 300 global publications, of which more than 6,250 summary articles have been posted to the online archive dating back to the beginning of 2020. A weekly roundup is available by email every Friday.