The Information Commissioner's Office (ICO) has recently made a provisional decision to fine Advanced Computer Software Group Ltd (ACS) over £6 million for failing to take appropriate security measures to protect personal data. The provisional decision follows a ransomware attack which disrupted NHS and social care services. The provisional findings are potentially significant as this would be the first time that the ICO has taken action to fine a data processor for breaching UK data protection law. To date, only data controllers have been issued with fines by the ICO. The provisional decision underscores that the ICO will seek to hold data processors - not just data controllers - accountable for inadequate security measures.
What happened?
ACS provide IT services to organisations, including the NHS and other healthcare providers, and handle personal information on their behalf as a data processor. In August 2022, ACS' systems were hacked through a customer account that did not have multi-factor authentication. The personal information of 82,946 people was exfiltrated - including phone numbers, medical records, and the details of how to enter the homes of 890 individuals receiving home care. There were also reports of disruption to services, such as NHS 111 and staff access to patient records - putting additional strain on a sector already under pressure. Those impacted were notified, and ACS found no evidence that the data was published to the dark web.
The ICO reiterate that this is an interim decision and no conclusions have been drawn as regards any breach of data protection laws or financial penalties. However, the Information Commissioner has chosen to publicise this incident to demonstrate the importance of information security and the responsibilities that data processors have to safeguard personal information.
Do data processors have a newfound responsibility?
Of crucial importance in the ICO's statement is the reminder to processors of their legal obligation to ensure that strong organisational and technical security measures are in place to safeguard the security of personal information. This is despite their clients, data controllers, having the final say over how and why such information is used.
There are no previous instances of the ICO issuing fines against data processors. As such, this provisional decision reinforces the fact that data processors are subject to the ICO's investigative and corrective powers, as well as considerable penalties. In this case, the data processor's services were crucial to the operation of the NHS, the controller is a public sector body, and the data involved was of a significant volume, obviously sensitive, and involved special category data. The decision may, though, also suggest a growing willingness on the part of the ICO to scrutinise the actions of processors and hold them accountable.
Practical guidance
The UK Information Commissioner, John Edwards, said: "We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches."
The ICO has also highlighted its guidance on protecting systems from ransomware attacks, and on the responsibilities of data processors and controllers.
A wider concern?
More generally, this provisional decision may reflect a rising concern over cyber-attacks on data processors and supply chains, such as the cyber security attack on Synnovis, a provider of pathology services to the NHS. Recently, the ICO called for organisations to do more to safeguard against cyber-attacks. In addition, the UK government announced the Cyber Security and Resilience Bill. This builds upon The Network and Information Systems Regulations 2018 and aims to create a stronger regulatory regime to keep pace with the rising threat to supply chains underpinning vital services.
Are you a data processor or data controller and wish to discuss your compliance with data security laws? If so, please get in touch with David Gourlay or another member of the Commercial Team at Morton Fraser McRoberts LLP.