Info Pulse Now

ICO issues provisional £6 million fine to data processor following ransomware attack

The ICO has provisionally decided to fine Advanced Computer Software Group Ltd ("Advanced") £6.09m. This is the first publicised fine issued by the ICO to a data processor under the UK General Data Protection Regulation ("UK GDPR").

Background: UK GDPR fines for data controllers and processors

The UK GDPR introduced a significant overhaul of data protection law, creating new responsibilities for both data controllers and processors. Until recently, ICO enforcement action and penalties were targeted at data controllers, despite the UK GDPR providing for both controllers and processors to be liable.

The recent provisional fine issued to Advanced illustrates the ICO's evolving approach to enforcing the UK GDPR's provisions across the entire data processing chain.

Data controllers vs data processors: understanding the difference

The UK GDPR distinguishes between two key roles in the data processing ecosystem: controllers and processors. A data controller is an entity (individual, company, or public body) that determines the purpose and means of processing personal data. In other words, data controllers decide how and why personal data is collected and how it may be used. For example, a hospital would be a data controller because it decides what patient health data is processed, how it is processed, how long it is stored for and why it is needed.

A data processor, on the other hand, processes personal data on behalf of the controller. Processors have limited autonomy - they must process personal data according to the controller's instructions. For example, an IT service provider managing patient records on behalf of a hospital would be a processor. Although processors generally have fewer obligations than controllers, they still face significant responsibilities under the UK GDPR, in particular concerning data security and breach notifications.

ICO's provisional fine: facts of the case

In August 2024, the ICO issued a provisional fine of £6.09 million to Advanced, a UK-based IT services provider. The fine arose from a ransomware attack in August 2022, which compromised the personal data of 82,946 individuals. Advanced provides critical IT services to the NHS and other social care organisations. The ICO found that Advanced failed to implement sufficient security measures to protect sensitive healthcare data, including medical records, phone numbers, and details of how to gain entry to the homes of 890 people who were receiving care at home.

The data breach had severe consequences: it disrupted NHS services, including the NHS 111 helpline, and put vulnerable people at risk. The attack resulted in the exfiltration of special category personal data, which is subject to heightened protection.

Why the ICO decided to fine Advanced

The ICO's provisional fine is significant both for its size and for the decision to fine a processor. Its decision to impose a fine of this magnitude reflects several critical factors:

The ICO stressed that processors must take proactive steps to secure their systems to avoid similar incidents. John Edwards, the UK's Information Commissioner, stated "I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication."

Implications for organisations: what should you be doing?

The ICO's provisional fine has important implications for both controllers and processors under the UK GDPR. Organisations should note the following key takeaways and recommended actions:

Conclusion

The ICO's provisional fine against Advanced marks a pivotal moment in UK GDPR enforcement. It is a reminder that processors, too, can face significant penalties for failing to protect personal data. By strengthening security measures, reviewing contractual terms, and prioritising data protection, both controllers and processors can mitigate their risk of enforcement actions and safeguard the sensitive data they manage.
