The Information Commissioner's Office (ICO) has provisionally imposed a £6m fine on Advanced Computer Software Group Ltd, an NHS software provider which suffered a data breach in 2022, affecting more than 80,000 people.

The ICO said:

Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.

Role of the data processor

The UK GDPR places a lot of responsibility on data controllers when it comes to making strategic decisions about data and setting the standard for compliance. However, this decision is notable for issuing such a significant fine to Advanced in its role as a data processor and the failure to comply with its own direct legal obligations under the UK GDPR. 

Whilst data processors have less autonomy and independence over the data they process, they must still implement appropriate technical and organisational measures to ensure the security of personal data, including protecting against accidental or unlawful destruction or loss, alteration, unauthorised disclosure or access. In this case, the ICO has provisionally found ‘serious failings’ with Advance's approach to information security and explained that hackers were able to access Advanced’s health and care systems via a customer account that did not have multi-factor authentication. 

As the body with ultimate responsibility for ensuring the processing complies with UK GDPR, data controllers must only use data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure their processing meets UK GDPR requirements. This may require digging into more details about the data processor's information security systems and agreeing to remedial action to address any risks or concerns.

Protecting your data supply chain

Cyber security threats continue to evolve and both data controllers and data processors are required to keep up to date with these developments to learn from common security mistakes and to adopt suitable measures to safeguard against known risks. Whether the threat comes from a security failure like the Advanced ransomware attack, or the failed systems update from Crowdstrike, there is an increasing number of cyber incidents resulting from vulnerabilities within the supply chain.

In practice, there are several key security principles both data controllers and data processors should consider:

• Follow good cyber hygiene; refer to the National Cyber Security Centre’s 10 Steps to Cyber Security as a helpful guide.
• Use multi-factor authentication (MFA/2FA), protect user credentials and information used in credential verification, and utilise the principle of ‘least privilege’ for accounts. Be mindful of new attack techniques that seek to bypass multi-factor authentication and deploy appropriate controls to mitigate those, in line with your risk assessment.
• Have appropriate, secure, and tested back-ups.
• Provide appropriate security training for staff.
• Actively manage and monitor systems to detect issues early.
• Test response and recovery plans.
• Sign up for the National Cyber Security Centre’s Early Warning service, where appropriate, and keep up-to-date with security issues.

To read the ICO's warning in full click here. For support with your information governance and data protection obligations, please contact me to discuss further.