ICO issues provisional £6 million fine to data processor following ransomware attack


Posted on 11 Dec 2024

The ICO has provisionally decided to fine Advanced Computer Software Group Ltd (“Advanced”) £6.09m. This is the first publicised fine issued by the ICO to a data processor under the UK General Data Protection Regulation (“UK GDPR”).

Background: UK GDPR fines for data controllers and processors

The UK GDPR introduced a significant overhaul of data protection law, creating new responsibilities for both data controllers and processors. Until recently, ICO enforcement action and penalties were targeted at data controllers, despite the UK GDPR providing for both controllers and processors to be liable.

The recent provisional fine issued to Advanced illustrates the ICO’s evolving approach to enforcing the UK GDPR's provisions across the entire data processing chain.

Data controllers vs data processors: understanding the difference

The UK GDPR distinguishes between two key roles in the data processing ecosystem: controllers and processors. A data controller is an entity (individual, company, or public body) that determines the purpose and means of processing personal data. In other words, data controllers decide how and why personal data is collected and how it may be used. For example, a hospital would be a data controller because it decides what patient health data is processed, how it is processed, how long it is stored for and why it is needed.

A data processor, on the other hand, processes personal data on behalf of the controller. Processors have limited autonomy - they must process personal data according to the controller's instructions. For example, an IT service provider managing patient records on behalf of a hospital would be a processor. Although processors generally have fewer obligations than controllers, they still face significant responsibilities under the UK GDPR, in particular concerning data security and breach notifications.

ICO’s provisional fine: facts of the case

In August 2024, the ICO issued a provisional fine of £6.09 million to Advanced, a UK-based IT services provider. The fine arose from a ransomware attack in August 2022, which compromised the personal data of 82,946 individuals. Advanced provides critical IT services to the NHS and other social care organisations. The ICO found that Advanced had failed to implement sufficient security measures to protect sensitive healthcare data, including medical records, phone numbers, and details of how to gain entry to the homes of 890 people who were receiving care at home.

The data breach had severe consequences: it disrupted NHS services, including the NHS 111 helpline, and put vulnerable people at risk. The attack resulted in the exfiltration of special category personal data, which is subject to heightened protection.

Why the ICO decided to fine Advanced

The ICO's provisional fine is significant both for its size and for the decision to fine a processor. Its decision to impose a fine of this magnitude reflects several critical factors:

  1. Severity of the data breach: the breach affected highly sensitive data and had significant real-world impacts, including the disruption of critical healthcare services. Personal data of vulnerable individuals, such as medical records and entry details for people receiving home care, was compromised.
  2. Failure to implement adequate security measures: Advanced had already installed certain security measures on its corporate systems. However, the ICO determined that the protections for its healthcare systems were inadequate, leaving them vulnerable to cyberattacks.
  3. Responsibility as a processor: the ICO emphasised that processors are directly responsible for implementing technical and organisational security measures to protect data. Advanced failed to implement basic security protocols, such as multi-factor authentication, which could have prevented or mitigated the breach.
  4. Deterrence and public interest: the ICO outlined that the fine was intended not only to penalise Advanced but also to serve as a warning to other processors, especially those handling sensitive data such as health information.

The ICO stressed that processors must take proactive steps to secure their systems to avoid similar incidents. John Edwards, the UK’s Information Commissioner, stated “I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

Implications for organisations: what should you be doing?

The ICO’s provisional fine has important implications for both controllers and processors under the UK GDPR. Organisations should note the following key takeaways and recommended actions:

  1. Processors must strengthen security measures: the fine underscores the importance of robust cybersecurity measures for processors, particularly those handling sensitive data. Multi-factor authentication, regular system vulnerability checks, and timely installation of security patches are essential.
  2. Increased scrutiny and accountability for processors: this case demonstrates that processors are not immune to regulatory action. Processors must comply with their obligations under the UK GDPR, including breach notification, security measures, and due diligence when working with sub-processors.
  3. Review contracts between controllers and processors: the decision highlights the growing need for clearer, more comprehensive contracts between controllers and processors – a data processing agreement is mandatory between data controllers and processors (Article 28(3) UK GDPR). Based on the latest ICO action, processors must be aware of their exposure to enforcement action and financial penalties.
  4. Due diligence: controllers should conduct detailed due diligence on their processors to ensure compliance with the UK GDPR. This includes checking that processors are implementing appropriate security measures, as well as ensuring that contractual provisions cover potential liabilities arising from data breaches. This is particularly important following the European Data Protection Board’s recent Opinion outlining that controllers should manage and oversee their processors and sub-processors’ activities.
  5. Enhance cybersecurity frameworks: both controllers and processors must implement and maintain robust cybersecurity frameworks to protect personal data (in particular, special category data such as any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation data). The potential high value of healthcare data makes it a prime target for cybercriminals, and organisations must take proactive steps to safeguard it.

Conclusion

The ICO’s provisional fine against Advanced marks a pivotal moment in UK GDPR enforcement. It is a reminder that processors, too, can face significant penalties for failing to protect personal data. By strengthening security measures, reviewing contractual terms, and prioritising data protection, both controllers and processors can mitigate their risk of enforcement actions and safeguard the sensitive data they manage.

Our Data Protection team can assist with any data protection issues you face, including ensuring that appropriate contracts are in place between data controllers and processors. For more information on how we can support you, please contact a member of our Data Protection team.

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.