The ICO said in its statement that no conclusion should yet be drawn that there has, in fact, been any breach of data protection law or that it will ultimately impose a fine on Advanced. UK information commissioner John Edwards said, however, that he had chosen to publicise the provisional decision because he considers it his “duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future”.
Edwards said: “For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
According to Computer Weekly, Advanced, which now trades as OneAdvanced, intends to make representations to the ICO in response to the notice of intent it has been served.
A OneAdvanced spokesperson said: “Upon detecting suspicious cyber activity in August 2022, we promptly isolated certain systems leading to a temporary loss of service for some customers. Following our robust investigation we ascertained that 16 customers had data that was exfiltrated, out of more than 550 customers using these systems at the time. These 16 customers were notified about the impact to their data which related to 82,946 data subjects in total.”
“We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems. We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously,” they said.
The spokesperson added: “Cybersecurity continues to be a primary investment throughout our business; we continue to adapt and evolve our response to the ever-changing cyber security threats and challenges. Since the incident in August 2022, we have continued to transform our business and are a more secure and resilient company than we were two years ago.”
Cyber risk expert Stuart Davey of Pinsent Masons said: “The ICO’s intended course of action should be seen against wider concern about the potential for cyber attacks on data processors affecting a larger number of data controller customers. There have been a number of well-publicised such supply chain incidents.”
“In the recent King’s Speech, the UK government indicated its intention to introduce a Cyber Security and Resilience Bill, which will expand the remit of the existing UK NIS Regulations 2018 to cover more digital services and supply chains,” he said. “The supporting materials specifically refer to recent ransomware attacks against hospitals and other local authorities.”
“In light of the ICO’s action and this increasing regulation, technology providers and other organisations that act as data processors should be ensuring that they are properly prioritising appropriate information security,” Davey added.