IT providers beware: ICO issues its first fine under the UK GDPR against a data processor

read time: 4 mins
04.04.25

The Information Commissioner’s Office (ICO) has issued a landmark fine of £3.07 million to Advanced Computer Software Group Ltd, a major SaaS provider with a number of clients in the healthcare and education sectors. The fine was reduced from an initial £6.09 million because the company agreed to a voluntary settlement.

This fine relates to a ransomware attack in 2022, which was widely reported because of its effect on the NHS, a key customer. The ICO imposed the fine because Advanced Computer Software Group failed to implement adequate security measures, notably multi-factor authentication, leaving the personal data of almost 80,000 individuals exposed to the attack.

In this article, we highlight why this case is significant, what security obligations data processors have under UK GDPR, what the security failures were in this particular case, and whether the processing of sensitive personal data attracts any additional security obligations.  

Why is this case significant?

The breach involved a ransomware attack in which the attackers accessed a substantial volume of sensitive personal data, including medical records. The incident disrupted NHS 111 services and access to patient records, and the attackers obtained the home entry details of 890 individuals receiving care at home.

This is the first time the ICO has directly fined a data processor under the UK General Data Protection Regulation (UK GDPR). The case underscores the regulator’s willingness to enforce security obligations against processors as well as controllers, and signals heightened scrutiny of IT providers handling sensitive data on behalf of their customers. It also shows that the ICO is willing to penalise organisations that fail to implement appropriate security measures. John Edwards, the Information Commissioner, said 'there is no excuse for leaving any part of your system vulnerable'.

The ICO’s fine is relevant to all organisations that process personal data, particularly those that handle sensitive personal data, and to data processors of sensitive personal data such as IT providers in the healthcare sector.

What are data processors’ security obligations?

Data processors process personal data on behalf of, and in accordance with the instructions of, data controllers. In this case, Advanced Computer Software Group processed its customers’ personal data, including sensitive personal data held by healthcare customers such as the NHS, in order to provide its SaaS offering.

UK GDPR requires both data processors and data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. This risk-based approach leaves flexibility over which specific measures are adopted, provided they address the actual risks posed by the processing activity.

Nevertheless, UK GDPR names a series of security measures that must be considered, including:

  1. pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

UK GDPR also requires that the contract between a controller and its processor obliges the processor to implement these security measures.

Additionally, UK GDPR sets out that, in assessing the appropriate level of security, account must be taken of:

  1. the state of the art and the costs of implementation;
  2. the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of individuals; and
  3. the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

What were the security failures in this case? 

The ICO found that Advanced Computer Software Group did not have appropriate technical and organisational measures in place to keep its systems secure, and concluded that the company's security measures fell 'seriously short of what [the ICO] would expect from an organisation processing such a large volume of sensitive personal data'.

Specifically, the company’s security failings were:

  • Gaps in its deployment of multi-factor authentication. The attackers exploited this gap to obtain the access they used to carry out the ransomware attack. Partial rollouts are a common failure pattern: MFA is enforced for most users but not for every account or every remote-access route into the environment, and an attacker only needs one unprotected route.
  • A lack of comprehensive vulnerability scanning.
  • Inadequate patch management.

Does processing sensitive personal data attract additional security obligations?

Sensitive personal data, meaning any data which, if compromised, may pose a risk of physical, financial or psychological harm or detriment to the individuals concerned, should have additional and more comprehensive security measures applied to it. For example, encryption will usually be required for sensitive personal data.

The ICO’s notion of sensitive personal information in the context of data security is broader than the 'special category' data defined in the UK GDPR as:

'Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health data, sex life data, and sexual orientation data.'

Whilst special category data will always be sensitive and require a high degree of protection, other data, such as payment card data or the home entry details at issue in this case, may also be sensitive and warrant an equally high degree of protection.

For further information on how to ensure compliance with UK data protection law, please contact our data protection team.
