The ICO Issues its First Notice of Intention to Fine a Data Processor

Proposed £6 million fine relates to a “failure to implement appropriate security measures”

Stuart Skelly
|
Senior Consultant at URM
|
PUBLISHED on
30 Aug
2024

Controllers no longer always ‘carry the can’: more than 6 years after the introduction of the General Data Protection Regulation (GDPR), the UK’s Data Protection Authority has issued its first notice of intention to fine a processor, rather than the controller organisation on whose behalf it was processing the data.

One of the many distinguishing features of the GDPR over the previous law, the Data Protection Act 1998, is the joint responsibility for maintaining data protection of data controllers (those which determine the means and purposes of the processing of the personal data) and data processors (organisations such as managed service providers processing personal data on behalf of a data controller, usually their customer, under the direct instruction of that controller/client).  Previously, it was the data controller organisations which were held responsible for any data breaches, including civil liability for damages awarded to individuals and for any fines imposed, whilst data processors were not in the frame to take any such hit.  But now, under the GDPR, processors can be held equally, if not more, liable than controllers, depending on the parties’ respective negligence or culpability for the loss or damage caused.

It has taken more than 6 years of the GDPR being in effect, but in August 2024 the Information Commissioner’s Office (ICO) issued its first provisional fine against a data processor, rather than the controller that provided the personal data and the instructions for the processing.  In its initial announcement of the proposed fine (i.e., yet to be finalised), the UK privacy regulator has signalled that it intends to impose a penalty of £6.09 million on a software supplier, Advanced Computer Software Group Ltd (‘Advanced’).  As readers of URM’s blogs on this subject will appreciate, £6m is in ICO terms quite a hefty fine; to learn more about the ICO’s approach to enforcement and monetary penalties, read our blog where URM Analyses ICO’s Enforcement Actions Since the GDPR was Introduced in 2018.

Background

Advanced processes personal data, including sensitive or ‘special category’ data, on behalf of a range of organisations across the UK including the NHS and other major care providers.  The proposed penalty is in respect of Advanced’s failure to implement appropriate security measures to protect the data in its care, and dates back to a ransomware attack it suffered in 2022 in which a malicious actor accessed its systems through a customer account that was not protected by multi-factor authentication (MFA).  This attack resulted in the exfiltration of the personal data of 82,946 individuals, including phone numbers, medical records and details of how to gain access to the homes of 890 patients receiving at-home care.  The data breach also caused major disruption to Advanced’s controllers and their ability to deliver patient care, most notably crashing the NHS’s 111 advice service.  This, in the words of the Information Commissioner publishing his provisional action, caused significant distress to “people who had no choice but to put their trust in health and care organisations”.

The absence of MFA, particularly in the context of high-volume processing of high-risk data, is notable since it is recommended by common data security standards such as the National Cyber Security Centre’s (NCSC) Cyber Essentials scheme and NIST 800-63B, as well as being considered by the ICO as a comparatively low-cost protective countermeasure, with many MFA solutions commercially available.  Furthermore, in May of this year, the ICO released a report on trends and developments in cyberattacks, including malware and ransomware, in which the authority underlined the requirement for MFA and suitable controls to mitigate threat actors’ attempts to circumvent it – e.g., hackers gaining access by posing as genuine users resetting their passwords.

As the ICO’s first potential fine against a processor in the UK GDPR context, it is confirmation that the security compromise of a major processor that acts for multiple controllers can have far-reaching repercussions, in the public and private sectors.  This has been more recently seen in the incident in June involving the pathology lab Synnovis (resulting in disruption to NHS blood testing and services).  The proposed Cyber Security and Resilience Bill announced in the King’s Speech opening Parliament in July aims at curbing such supply chain cyber vulnerability in certain critical sectors.

GDPR Requirements and Repercussions for Data Processors

Organisations acting as processors are subject to security obligations under the UK GDPR, and the Advanced provisional fine serves as a timely reminder of the potential for direct regulatory enforcement if they fail to prioritise robust security measures.  This is of particular importance where a threat actor’s unauthorised access and exfiltration could leave data subjects at serious risk, which continues to be a central driver for ICO enforcement action, particularly monetary penalties as in this case.

Under Article 82 of the UK GDPR, data subjects have a direct right of action against processors and controllers on a ‘joint and several liability’ basis.  This means that data controllers can ultimately be held financially responsible for the whole failures of their processors, even if the controllers are only partly at fault.  The fact that the ICO is proposing to take enforcement action only against Advanced as the data processor suggests that there was no real direct fault on the part of the NHS as data controller.  Even so, the NHS might be seen by data subjects as a ‘softer target’ for any potential court actions for damages they might bring, particularly from a financial viability perspective (with almost certainly deeper pockets than Advanced).  Controllers such as the NHS might then look to recover any losses from the processor under the liability and indemnity provisions contained in their processing contract or ‘data processing agreement’ (DPA) with Advanced.

In this regard, many outsourced data service providers will usually include in their standard DPA terms and conditions a liability cap limited to the amount of fees paid by the customer/controller over a certain period of time (perhaps 12 months).  The costs associated with a data breach (including response costs, regulatory action such as fines and resulting claims) can, however, significantly exceed these fee-based caps.  This is why an increasing number of customers are seeking to negotiate an increased 'super cap', specifically for the type of substantial costs and damages that can result from data breaches.

Lessons Learned

Although data controllers have ultimate control over how and why personal data is processed, data processors also have legal data protection obligations.  The Advanced case serves as a stark reminder for service providers (particularly in the healthcare sector) of those data protection responsibilities.  Equally, it acts a warning to data controllers, such as healthcare providers, to carry out adequate due diligence on software providers acting as data processors on their behalf.  It remains to be seen whether the DPA between the NHS and Advanced stipulated that MFA should be enabled on customer accounts, and this was not applied for some reason, or whether this basic security provision was simply omitted from the contract.  This is the kind of detail that will come out in the court claims which will inevitably ensue.

On several occasions in the past, provisional fines issued by the ICO have been reduced (sometimes by a substantial amount, as in the British Airways and Doorstep Dispensaree cases, both from 2019) before confirmation, and recently a proposed enforcement action (in the Snap matter) was withdrawn completely.  The Information Commissioner has stated that he “will carefully consider any representations Advanced make before making a final decision, with the fine amount also subject to change.”

In the meantime, the message has also been put out from the Commissioner that all organisations, especially those handling sensitive health data, are expected "to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches."

How URM can Help?

GDPR Consultancy

Almost all organisations are required to maintain GDPR compliance in order to avoid a data breach and subsequent enforcement action from the ICO, but understanding how to comply can be difficult when exclusively relying on the guidance provided by the legislation.  Drawing upon nearly 2 decades of experience assisting organisations to comply with data protection legislation (such as the GDPR and Data Protection Act), URM can provide effective and comprehensive GDPR consultancy to support you through your compliance journey.  

Our team of experienced GDPR consultants can offer a range of services to help align your organisation’s data processing activities with the Regulation’s requirements. Our GDPR consultancy services include conducting a gap analysis to help you understand your current level of compliance and the areas where you are not currently meeting GDPR requirements, a virtual data protection officer (DPO) service which provides you with access to a team of data protection practitioners, and assisting with DPIAs, to name a few.  If you need help completing data subject access requests (DSARs) in compliance with the Regulation, we also offer a GDPR DSAR redaction service.  

Data Protection Training

As well as providing compliance support in the form of consultancy, URM can also offer a range of data protection-related training courses, all of which are led by a practising GDPR consultant.  We regularly run half-day courses on Conducting Data Protection Impact Assessments (DPIAs), and on Conducting Data Transfer Impact Assessments (DTIAs) in full compliance with the Regulation.  Meanwhile, if you would like to gain an industry-recognised data protection qualification, we regularly deliver the BCS Foundation Certificate in Data Protection (CDP) course.  To enhance your understanding of how to fulfil a DSAR, establish the validity of a DSAR request, and verify the data subject’s identity, we also regularly run a ‘How to Manage DSARs’ course which will provide you with invaluable insights and guidance.

Penetration Testing and Information Security Support

As demonstrated by the Advanced case, in which a serious data breach was caused by a failure to implement appropriate information security measures (i.e., MFA), taking steps to ensure you are adequately protecting  your organisation's  sensitive information is vitally important in order to avoid  a data breach and subsequent enforcement action from the regulator.  With our extensive experience providing information security consultancy and penetration testing, URM can help evaluate and enhance the effectiveness of any measures you have implemented to maintain the security of your organisation’s information, including the personally identifiable information (PII) it processes.  For example, we can help you to conform to or certify to a range of information security standards, such as ISO 27001.  This will allow you to both enhance your organisation’s information security posture and to demonstrate this strengthened information security approach to prospective clients, providing you with a competitive edge in the market.  Meanwhile, our penetration testing services will help you to assess the effectiveness of your cyber security measures and to proactively identify and remediate any vulnerabilities before any malicious actors can take advantage of them.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
Read more

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
9/8/2023
Everything You Need to Know about DSARs

We are answering questions: what is a GDPR DSAR, what information can a data subject request, what should you do when you receive a DSAR, and many more.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
18/7/2024
ICO Enforcement Action January – June 2024

URM’s blog reviews ICO enforcement activities for the 1st half of 2024, highlighting trends & shifts in how it enforces against data protection breaches.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
27/11/2023
Clearview Case

URM details Clearview AI’s successful appeal against the ICO imposing a £7.5 million fine for breach of the UK GDPR and their grounds for reversing the ruling.

Read more
Without URM, Havas People would not of achieved its certification goals.
Director, Havas People
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.