UK software supplier suffers multi-million pound data protection fine

  • Louise Thompson
  • 01 May 2025
  • 4 min read

Something quite unusual happened on 27 March 2025 in the UK, when the Information Commissioner’s Office (ICO) announced it had issued a multi-million pound fine for breach of the UK General Data Protection Regulation (UK GDPR). Fines are rare in themselves (there have been just five UK GDPR fines since the start of 2023), but what made this one particularly unusual, even by EU standards, is that it was imposed on a data processor rather than a data controller. The ICO acknowledged in its press release that this is the first time it has fined a data processor, despite all the concern in 2018 when the (EU) GDPR came into effect and introduced direct, enforceable obligations on data processors.

What led to such an unusual fine?

The £3.07 million fine was imposed on Advanced Computer Software Group Ltd, a software supplier to the NHS, following a cyber-attack in 2022. The fact that Advanced’s software was being used by the NHS almost certainly contributed to the scale of the fine, as the attack caused significant and high-profile disruption to critical health services. In some cases, healthcare staff were unable to access essential patient records. According to the ICO’s enforcement notice, 79,404 people were impacted and the data exfiltrated included information that could have been used to gain access to the homes of 890 patients who were receiving care at home.

How could this happen to an organisation like the NHS?

The reality is IT systems cannot be 100% secure at all times – this applies whether the organisation in question is a public body or a private organisation. This case therefore serves as a stark reminder that all organisations must select their IT products and suppliers carefully and only after thorough due diligence. Even in 2025, many years after the (EU) GDPR came into effect, no customer should assume a supplier has implemented appropriate security measures without verification.

In this case, the attackers accessed the IT systems of Advanced’s health and care subsidiary through a customer account that was not protected by multi-factor authentication (MFA), a security measure which has been considered essential for many years. In data protection terms, this failing meant that Advanced’s subsidiary did not have appropriate technical and organisational measures in place, which is a straightforward breach of the UK GDPR.

Further failings included a lack of comprehensive vulnerability scanning and inadequate patch management, both of which are considered essential cybersecurity requirements for any IT system.
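The two failings described above (an external access path without MFA, and hosts that are not regularly scanned or patched) are both coverage gaps: the control exists somewhere, but not everywhere it is needed. As an added example, not code from the article, from Advanced or from the ICO, the following Python audit takes a constructed inventory of access paths and hosts and reports every external path reachable without MFA, the MFA coverage ratio across external paths, and every host outside an assumed scanning and patching SLA. All names, dates and SLA thresholds are hypothetical and are not taken from the incident.

```python
"""Control-coverage audit over an access-path and host inventory.

Added example with a constructed inventory; nothing here is drawn from
the Advanced incident or the ICO's findings beyond the types of gap checked.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AccessPath:
    name: str
    external: bool  # reachable from outside the network (customer, remote, partner)
    mfa: bool       # second factor enforced on this path


@dataclass(frozen=True)
class Host:
    name: str
    last_scan: date   # last completed vulnerability scan
    last_patch: date  # last time patches were applied


# Assumed SLA thresholds (hypothetical; pick your own from policy).
SCAN_SLA = timedelta(days=30)
PATCH_SLA = timedelta(days=14)


def mfa_gaps(paths):
    """External access paths that can be reached with a password alone."""
    return [p.name for p in paths if p.external and not p.mfa]


def mfa_coverage(paths):
    """Fraction of external access paths protected by MFA (1.0 if none are external)."""
    external = [p for p in paths if p.external]
    if not external:
        return 1.0
    return sum(p.mfa for p in external) / len(external)


def stale_hosts(hosts, today):
    """Hosts whose last scan or last patch is older than the SLA, keyed by name."""
    findings = {}
    for h in hosts:
        reasons = []
        if today - h.last_scan > SCAN_SLA:
            reasons.append("scan overdue")
        if today - h.last_patch > PATCH_SLA:
            reasons.append("patch overdue")
        if reasons:
            findings[h.name] = reasons
    return findings


def audit(paths, hosts, today):
    """Combined report; any non-empty gap list is a finding to fix, not a metric to watch."""
    return {
        "mfa_gaps": mfa_gaps(paths),
        "mfa_coverage": mfa_coverage(paths),
        "stale_hosts": stale_hosts(hosts, today),
    }


# Constructed sample inventory (hypothetical names and dates).
SAMPLE_PATHS = [
    AccessPath("vpn-gateway", external=True, mfa=True),
    AccessPath("customer-support-login", external=True, mfa=False),
    AccessPath("partner-sftp", external=True, mfa=True),
    AccessPath("build-server-ssh", external=False, mfa=False),
]
SAMPLE_HOSTS = [
    Host("app-01", last_scan=date(2025, 4, 20), last_patch=date(2025, 4, 25)),
    Host("db-01", last_scan=date(2025, 2, 1), last_patch=date(2025, 3, 1)),
]
TODAY = date(2025, 5, 1)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PATHS, SAMPLE_HOSTS, TODAY).items():
        print(f"{key}: {value}")
```

On the sample inventory the audit flags `customer-support-login` as the one external path without MFA (coverage 2 of 3) and `db-01` as overdue for both scanning and patching. The internal `build-server-ssh` path is deliberately not reported by `mfa_gaps`, because the check targets external connections; whether internal paths should also require MFA is a policy decision to encode separately.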

John Edwards, the UK Information Commissioner, explained:

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it. With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”

Is this the last we have heard on this matter?

Regulatory fines are often appealed, but this one took a different route. The ICO announced its provisional intention to fine Advanced £6.09 million in August 2024. With nothing further heard on the subject more than six months later, many UK data protection commentators assumed no further action would be taken, as has happened after notices of provisional intention to fine in the past.

As it turns out, following that provisional notice, dialogue took place between the ICO and Advanced and the eventual reduced fine was agreed via a voluntary settlement, meaning there can be no appeal. On this, John Edwards said:

“I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.” 

What can organisations learn from this fine?

Above all, cooperation with regulatory authorities after a data breach (however it has occurred) is essential. In its press release, the ICO explained that Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS contributed to the decision to reduce the fine by almost 50%.

Prompt cooperation is not only viewed favourably by regulators but is also critical to limiting the impact on affected individuals, which remains the priority.

Final thoughts on contract drafting

Finally, a thought for those drafting contracts for the supply of IT products from the supplier’s perspective. This fine is unlikely to be followed by a wave of data processor fines, so customers should not take much comfort from it and still need to do their own due diligence. IT providers, for their part, need to be aware that the extensive, non-negotiable limitations on liability in their customer contracts will not necessarily protect them from liability for data protection non-compliance.
