The ICO Issues its First Notice of Intention to Fine a Data Processor

Advanced processes personal data, including sensitive or ‘special category’ data, on behalf of a range of organisations across the UK including the NHS and other major care providers.  The proposed penalty is in respect of Advanced’s failure to implement appropriate security measures to protect the data in its care, and dates back to a ransomware attack it suffered in 2022 in which a malicious actor accessed its systems through a customer account that was not protected by multi-factor authentication (MFA).  This attack resulted in the exfiltration of the personal data of 82,946 individuals, including phone numbers, medical records and details of how to gain access to the homes of 890 patients receiving at-home care.  The data breach also caused major disruption to Advanced’s controllers and their ability to deliver patient care, most notably crashing the NHS’s 111 advice service.  This, in the words of the Information Commissioner publishing his provisional action, caused significant distress to “people who had no choice but to put their trust in health and care organisations”.

The absence of MFA, particularly in the context of high-volume processing of high-risk data, is notable since it is recommended by common data security standards such as the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme and NIST 800-63B, as well as being considered by the ICO as a comparatively low-cost protective countermeasure, with many MFA solutions commercially available.  Furthermore, in May of this year, the ICO released a report on trends and developments in cyberattacks, including malware and ransomware, in which the authority underlined the requirement for MFA and suitable controls to mitigate threat actors’ attempts to circumvent it – e.g., hackers gaining access by posing as genuine users resetting their passwords.

As the ICO’s first potential fine against a processor in the UK GDPR context, it is confirmation that the security compromise of a major processor that acts for multiple controllers can have far-reaching repercussions, in the public and private sectors.  This has been more recently seen in the incident in June involving the pathology lab Synnovis (resulting in disruption to NHS blood testing and services).  The proposed Cyber Security and Resilience Bill announced in the King’s Speech opening Parliament in July aims at curbing such supply chain cyber vulnerability in certain critical sectors.

Organisations acting as processors are subject to security obligations under the UK GDPR, and the Advanced provisional fine serves as a timely reminder of the potential for direct regulatory enforcement if they fail to prioritise robust security measures.  This is of particular importance where a threat actor’s unauthorised access and exfiltration could leave data subjects at serious risk, which continues to be a central driver for ICO enforcement action, particularly monetary penalties as in this case.

Under Article 82 of the UK GDPR, data subjects have a direct right of action against processors and controllers on a ‘joint and several liability’ basis.  This means that data controllers can ultimately be held financially responsible for the whole failures of their processors, even if the controllers are only partly at fault.  The fact that the ICO is proposing to take enforcement action only against Advanced as the data processor suggests that there was no real direct fault on the part of the NHS as data controller.  Even so, the NHS might be seen by data subjects as a ‘softer target’ for any potential court actions for damages they might bring, particularly from a financial viability perspective (with almost certainly deeper pockets than Advanced).  Controllers such as the NHS might then look to recover any losses from the processor under the liability and indemnity provisions contained in their processing contract or ‘data processing agreement’ (DPA) with Advanced.

In this regard, many outsourced data service providers will usually include in their standard DPA terms and conditions a liability cap limited to the amount of fees paid by the customer/controller over a certain period of time (perhaps 12 months).  The costs associated with a data breach (including response costs, regulatory action such as fines and resulting claims) can, however, significantly exceed these fee-based caps.  This is why an increasing number of customers are seeking to negotiate an increased 'super cap', specifically for the type of substantial costs and damages that can result from data breaches.

Although data controllers have ultimate control over how and why personal data is processed, data processors also have legal data protection obligations.  The Advanced case serves as a stark reminder for service providers (particularly in the healthcare sector) of those data protection responsibilities.  Equally, it acts a warning to data controllers, such as healthcare providers, to carry out adequate due diligence on software providers acting as data processors on their behalf.  It remains to be seen whether the DPA between the NHS and Advanced stipulated that MFA should be enabled on customer accounts, and this was not applied for some reason, or whether this basic security provision was simply omitted from the contract.  This is the kind of detail that will come out in the court claims which will inevitably ensue.

On several occasions in the past, provisional fines issued by the ICO have been reduced (sometimes by a substantial amount, as in the British Airways and Doorstep Dispensaree cases, both from 2019) before confirmation, and recently a proposed enforcement action (in the Snap matter) was withdrawn completely.  The Information Commissioner has stated that he “will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.”

In the meantime, the message has also been put out from the Commissioner that all organisations, especially those handling sensitive health data, are expected "to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches."