The UK Information Commissioner has published its intention to fine a data processor £6m. This would be a first against a processor.
There are some nuances in this situation. First, the controller is a public body: the NHS. This relates to a ransomware attack against its processor Advanced Computer Software Group. The ICO is no stranger to fining public or state bodies. However, the ICO is looking into errors made by the private company involved. Second, it is only a provisional decision at this stage. The ICO has invited the processor to explain why it shouldn’t receive the fine. Finally, it seems to have been an easily avoidable security error.
The ICO identified that an Advanced customer account didn’t have multi-factor authentication. This enabled the cyber attack. As a result, personal data belonging to 83,000 people was extracted. The attack caused large-scale disruption to NHS 111. Also, other healthcare staff were unable to access patient records. The ICO further identified that the data exfiltrated included phone numbers and medical records, including how to gain entry to the homes of 890 people receiving care at home.
John Edwards, UK Information Commissioner, said:
“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.”
The ICO has had this power to fine processors all along but normally fines controllers instead. That’s because the primary responsibility for compliance with GDPR falls on the controller. Even so, processors have obligations too. Specifically, those obligations include keeping data secure.
The processor here, Advanced, can make representations before the ICO issues its formal finding. Those representations could lead the ICO to conclude that there was no breach and to issue no fine. If this fine lands, it will be the first against a processor and will likely cause alarm among processors.
What should you do?
If you’re a data controller: ensure you have a robust contract in place with your processor. This should set out the processor’s obligations, including where the processor is your cloud or IT host or provider. You can’t absolve yourself of all responsibility, but you will be able to show that you took relevant steps.
If you’re a processor, make sure you implement security – the so-called “appropriate technical and organisational measures”. These days, that includes multi-factor authentication. And don’t forget to review and adapt your measures. You need to keep up with threats as they change.
If you need advice, contact me at +44 20 3824 9748 or fjennings@hcrlaw.com.
