
ICO issues its first ever processor fine under UK GDPR

Last month, the ICO issued its first ever monetary penalty notice (“MPN”) against a processor – landing Advanced Computer Software Group (“Advanced”) with a fine of £3.07 million for security failings identified following a ransomware attack which impacted NHS systems.

Although this is a relatively modest fine, the decision to impose a fine directly against a processor rather than a controller is notable as it: (1) emphasises that processors have direct statutory obligations under UK GDPR, (2) clarifies regulatory expectations around the appropriateness of security measures, and (3) could have implications for contractual negotiations going forward.

We discuss the details of the MPN and these implications below.

The ransomware attack

In August 2022, hackers accessed Advanced’s health and care subsidiary systems via a customer account that was not protected by multi-factor authentication (“MFA”). The affected data included health data, national insurance numbers and details on how to gain entry into the houses of 890 people receiving care at home. The attack brought parts of the NHS 111 service to a standstill, and left doctors and other healthcare professionals unable to access patient records. Overall, the attack directly impacted 16 controller customers and put the personal data of 79,404 people at risk.

ICO findings

The ICO found that Advanced had breached Article 32 of the UK GDPR for failing to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the ICO criticised the gaps in Advanced’s deployment of MFA, its lack of comprehensive vulnerability scanning, and inadequate patch management.

The ICO cited a number of aggravating factors which contributed to the seriousness of the fine, including Advanced’s size, and the volume/nature of the personal data it processed. The ICO also emphasised how security measures must cover the entire lifecycle of data from the point of collection through to deletion. For example, a key point of criticism was that, even though Advanced had installed MFA to protect the vast majority of its records, its lack of complete coverage meant hackers could still gain access.

More generally, this fine illustrates that MFA and appropriate vulnerability management controls are not just recommended by the ICO, but nowadays perceived as essential in many circumstances.

Negotiating the fine

So how bad was the penalty for Advanced? In August 2024, the ICO published a notice of its intention to issue Advanced with a provisional fine of just over £6 million.

Subsequently, the ICO considered representations made by Advanced in response to the notice of intent. In its final decision, the ICO determined that the appropriate adjustment for seriousness was 65% of the statutory maximum (£8.7 million) on the basis that there was no evidence of actual harm to data subjects. The ICO further reduced the fine by 15% to reflect Advanced’s “proactive engagement” with the NHS and various security authorities in the wake of the attack, along with other steps taken by Advanced to mitigate the risk to those impacted. Finally, the ICO reduced the penalty by 20% in light of Advanced’s agreement not to appeal the fine. The final settlement figure of £3 million therefore represents almost half of what the ICO originally announced in the notice of intent.

What can we learn from this decision?

Advanced is the first processor to be fined by the ICO. This may of course be a one-off decision triggered by the specific facts of the breach, including perhaps the ICO preferring to go after Advanced as the party with the deeper pockets rather than the NHS as a public body.

However, even if this is the case, the dynamic of controller-processor contract negotiations may change as a result of this decision. Typically, the controller organisations are held responsible for any data breaches, including civil liability for damages awarded to individuals and any administrative fines imposed. By contrast, processors have not historically been in the direct firing line for any such hit.

When negotiating data processing agreements, it is therefore quite common for controllers to argue that the processor is not exposed from a regulatory enforcement perspective. This decision reminds us that this is not the case; rather, the ICO (and other regulators) can fine or sanction processors directly where there is a breach of a statutory obligation that applies to them. Under the UK GDPR, processors can be held equally liable as, if not more liable than, controllers – depending on the parties’ respective negligence and culpability for the loss or damage caused.

A key issue which was not raised in the decision but has unsurprisingly been the subject of media attention is whether the customers of Advanced (including the NHS) should take some responsibility for this breach, having perhaps carried out substandard due diligence on Advanced.

The ICO’s decision makes it clear that the obligations on the controllers (i.e., Advanced’s customers) should be considered separately from Advanced’s responsibilities as a processor. Regardless, this fine emphasises the importance of exercising care when contracting with processors, as well as creating readiness plans for the event of a processor breach. Although the NHS did not face a hefty fine itself following Advanced’s breach, the cyber security attack was widely reported and undoubtedly caused reputational damage.

Conclusion

It remains to be seen whether this fine is unique based on its facts or whether this indicates a general willingness from the ICO to issue more penalties against processors going forward. Regardless, this decision could have implications for controller-processor contractual negotiations, shifting the dynamic between the parties and removing any perceived safety blanket for processors regarding the enforceability of their statutory obligations.
