The Information Commissioner’s Office (ICO) has announced today that it has issued a GDPR Notice of Intent to an NHS IT supplier, Advanced Computer Software Group Ltd (Advanced), following a significant data breach in 2022.
The ICO’s preliminary decision is to impose a £6.09 million fine on Advanced.
This comes after its findings that the company failed to adequately protect the personal data of 82,946 individuals in breach of Article 32 of the UK GDPR.
As a key IT and software provider for the NHS and other healthcare organisations across the country, Advanced often holds the role of Data Processor for many of its clients.
The breach in question occurred during a ransomware attack in August 2022.
Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The compromised data included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care.
The cyber-attack caused widespread disruption, with NHS 111 services impacted and some GPs resorting to pen and paper as electronic systems went offline. At the time, doctors warned that it could take months to clear the backlog of paperwork created by the incident.
This Notice of Intent serves as a reminder that Data Processors, like Advanced, have a duty to implement robust technical and organisational measures to safeguard personal data. This includes regularly assessing risks, applying multi-factor authentication, and keeping systems updated with the latest security patches. Data Processors cannot shift the responsibility to Data Controllers; their GDPR security obligations are independent of those of the Data Controller.
It is important to note that a Notice of Intent is not a fine — yet. It is a legal precursor, outlining the ICO’s provisional stance. Advanced now has the opportunity to make representations that could influence the final decision. This process is not without precedent: in 2018, British Airways faced a Notice of Intent for a £183 million fine due to a cybersecurity breach, but the actual fine issued in 2020 was reduced to £20 million. Similarly, Marriott International Inc.’s fine dropped from £99 million to £18.4 million after a Notice of Intent in 2020.
It will be interesting to see how the ICO’s final decision on Advanced compares with its approach in other cases, such as the Police Service of Northern Ireland (PSNI) incident. The PSNI was issued a Notice of Intent for £750,000 earlier this year after mistakenly releasing sensitive information about every police officer and staff member in response to a Freedom of Information request.
The Act Now Advanced Certificate in GDPR Practice is designed for experienced Data Protection Officers seeking to develop their skills and confidence to tackle the most challenging data protection projects within their organisation.