Lauren Wills-Dixon quoted by BBC in NHS data breach ICO fine coverage
Monday 12th August 2024
Head of privacy, Lauren Wills-Dixon, has been quoted by the BBC in its coverage of the provisional £6m fine for an NHS software provider following a data breach in 2022.
The comments ran in the BBC’s piece discussing the fine provisionally imposed by the Information Commissioner’s Office (ICO) on Advanced Computer Software Group. The ICO stated it would make a final decision once it had spoken with the software provider.
The fine is linked to a 2022 data breach in which personal information belonging to 82,946 people was accessed by hackers.
Commenting on the ICO’s actions, Lauren said: “The scale of this potential ICO enforcement is another reminder to any organisation, particularly those processing special category or ‘sensitive’ data on behalf of customers (such as health data), which is given special protection under data protection laws, that they must have robust security measures in place to protect their systems and data.
“The ICO’s initial finding shows that Advanced Computer Software Group Ltd failed to implement such measures to protect personal information as the data processor on behalf of the NHS and other customer organisations.
“In the current climate, with cyber attacks on the increase, it’s increasingly important to take legal, regulatory and best practice measures to build and maintain cyber resilience. In fact, the UK Information Commissioner said himself that he is publicising the provisional decision to help other organisations secure their systems and prevent future incidents.
“Such measures would typically include investing in appropriate technical and organisational measures, implementing robust IT infrastructure and monitoring/detection, developing effective policies, procedures and training, as well as creating, maintaining and testing a business continuity and disaster recovery plan.
“As we have seen in this example, failure to do so can have a significant impact on essential operations (in this case vital NHS procedures), reputation and potentially lead to significant financial penalties too.
“This is particularly interesting as the majority of breaches result in fines to the ‘controller’ and not the ‘processor’ – it shows that IT vendors entrusted to process personal data are not exempt from being fined directly by regulators.”
Our data privacy lawyers provide specialist, practical and straightforward advice. Find out more about what they can do for you.