The Information Commissioner’s Office (“ICO”) has made a provisional decision to fine a software provider more than £6 million. If the provisional decision is confirmed, it would be the first case in which the ICO imposes a monetary penalty notice on a processor under the UK General Data Protection Regulation (“UK GDPR”).

The ICO has not shied away from imposing monetary penalty notices on data controllers, because controllers are ultimately responsible for the failures of their processors. However, the ICO’s recent announcement demonstrates a willingness to fine data processors directly for failing to implement appropriate technical and organisational measures to ensure the security of personal data (thereby breaching Article 32 of the UK GDPR).

In the recent announcement, the ICO provisionally decided to fine Advanced Computer Software Group Ltd (“Advanced”) £6.09 million for its failure to implement measures to protect the personal information of 82,946 people. Critically, the information also included what is known as ‘special category personal data’, such as health data, which demands a higher level of protection under the UK GDPR.

Advanced provides IT and software services and acts as a data processor on behalf of organisations such as the NHS and other healthcare providers. The provisional decision to fine Advanced relates to a ransomware incident in August 2022 in which attackers gained access to Advanced’s systems via a customer account.

As a result of the cyber attack on Advanced, critical services such as NHS 111 were disrupted, and other healthcare staff were unable to access patient records. The circumstances of the attack, and the fact that Advanced’s services were critical, may explain the ICO’s willingness to make a provisional finding against a data processor for the first time. However, it is worth noting that the ICO has yet to make a final decision, and its statement clearly warns that “No conclusion should be drawn at this stage that there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed”. Advanced will have an opportunity to submit representations to the ICO before a final decision is made.

Data processors’ obligations under the UK GDPR

Under the UK GDPR, a data processor acts on the instructions of the data controller, who has overall control over how and why personal information is used. However, data processors have their own obligations under the UK GDPR, which include the following:

  • to process the personal data only on documented instructions from the controller, unless otherwise required by law
  • to enter into a binding contract with the controller, and not to engage a sub-processor without the controller’s prior specific or general written authorisation
  • to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • to notify the relevant controller without undue delay after becoming aware of a personal data breach
  • to inform the controller immediately if any of its instructions would infringe the UK GDPR or the Data Protection Act 2018.

What does the ICO’s announcement mean for processors?

Whilst fines have historically been imposed on data controllers, the ICO’s provisional decision to fine Advanced as a data processor could open the floodgates and pave the way for similar fines against data processors in the future.

Alternatively, it may be that the ICO took this unprecedented provisional decision because Advanced provided critical services to the public sector, and one wonders whether a different outcome would have been reached had it served the private sector instead.

At this stage, however, it is difficult to determine what effect this case will have on data processors until the ICO publishes its final decision.

What steps can processors take to mitigate risks?

The Information Commissioner, John Edwards, explained that he chose to publicise the provisional decision to help “ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future”. Data processors can mitigate the risks to their systems by taking the following steps:

  • regularly check for vulnerabilities in their systems
  • implement multi-factor authentication, particularly on externally reachable accounts
  • keep systems up to date with the latest security patches
  • provide regular training and guidance to staff, for example on recognising phishing emails
  • develop and test robust procedures, for example for incident response and disaster recovery

Our data protection specialists have the expertise to deal with the legal issues surrounding data breaches, cyber attacks, notification obligations to the ICO and the analysis of risks to your systems, and have advised companies on a wide spectrum of data protection issues.

If you have any concerns about your obligations under the UK GDPR and how to mitigate risks to your business, please contact Waterfront here and a member of our Data Protection Team will be in touch.