The UK’s Information Commissioner’s Office (the “ICO”) has fined a service provider, Advanced Computer Software Group Ltd (“Advanced”), £3.07 million for failing to comply with certain data security obligations under the UK General Data Protection Regulation (the “UK GDPR”). The incident impacted the personal information of 79,404 individuals in the UK.

The fine follows a 2022 ransomware attack on Advanced’s health and care subsidiary, which compromised critical healthcare systems. This included disruption to NHS 111, an online service operated by National Health Service (“NHS”) England.

Although this incident occurred in the UK, it is important for Canadian third-party organizations that handle personal information or personal health information on behalf of other organizations to be aware that, in some jurisdictions, privacy regulators can enforce privacy laws directly against third-party service providers. In Canada, such actions are typically taken against the entities that have custody or control of, and ultimate accountability for, that personal information – referred to as “controllers” under the UK GDPR, or in Canada, sometimes as the “organization,” “custodian,” or “trustee.” Nevertheless, there are potential risks for third-party service providers.

The cost of skipping MFA: What led to the Advanced cyberattack

Advanced provides IT and software services to various organizations, including the UK’s NHS. The August 2022 cyberattack occurred when external threat actors gained access to the company’s systems through a customer account that lacked multi-factor authentication (“MFA”). The breach caused significant disruptions to healthcare services and exposed sensitive personal information of thousands of individuals, including details on how to access the homes of 890 people receiving care at home.

Investigation findings

The ICO’s investigation found that Advanced’s health and care subsidiary had inadequate security measures, including:

  • incomplete deployment of MFA;
  • insufficient vulnerability scanning; and
  • weak patch management practices.

The ICO initially intended to fine Advanced £6.09 million but reduced the penalty after considering the company’s proactive engagement with cybersecurity agencies, law enforcement, and its mitigation efforts. The ICO and Advanced agreed to a voluntary settlement and the imposition of a reduced fine.

Important to remember

This decision is important because it reinforces privacy and security expectations for third-party service providers. Regulators in the UK and some other jurisdictions will not hesitate to impose penalties on service providers, particularly those handling sensitive personal information or providing services in the healthcare sector.

Considerations under Canadian law

Similar to the UK GDPR and European data protection law, under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), organizations that collect, use, or disclose personal information must implement appropriate security safeguards to protect against breaches of personal information, including when such information is handled by third parties.

Statutory duties for service providers under PIPEDA

The UK GDPR contains specific requirements on service providers regarding security measures (Article 32(1)). While PIPEDA does not specifically refer to “service providers,” companies that provide services to other organizations with respect to personal information controlled by those entities would still be considered “organizations” under PIPEDA and are therefore subject to its security provisions. This includes:

  • technological safeguards (for example, encryption, MFA, and secure authentication mechanisms);
  • administrative safeguards (for example, security training or regular security audits); and
  • physical safeguards (for example, physically restricted access).

Beyond PIPEDA: Health privacy laws at the provincial level

When it comes to organizations providing services involving the processing of personal health information, it is important for such service providers to consider the application of provincial health privacy legislation, such as Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”) or Alberta’s Health Information Act (“HIA”), which govern the collection, use, and disclosure of personal health information by “health information custodians” (under PHIPA) or “custodians” (under the HIA).

While service providers are not themselves considered “custodians” under these Acts, this does not mean they are free from statutory obligations. Service providers become subject to the legislation when, upon contracting with a custodian, they fall within the definition of an “affiliate” or “information manager” (in Alberta), or an “agent,” “electronic service provider,” or “health information network provider” (“HINP”) (in Ontario), as those terms are defined in the respective legislation.

The Alberta HIA: Responsibilities of information managers

For example, under the HIA, a service provider that qualifies as an “information manager” within the meaning of s. 66(1) – that is:

  • a person or body that processes, stores, retrieves or disposes of health information;
  • strips, encodes or otherwise transforms individually identifying health information to create non‑identifying health information; or
  • provides information management or information technology services in a manner that requires the use of health information –

is required to comply with the HIA, its regulations, and the terms of an information management agreement (“IMA”).

An information manager who knowingly breaches the terms and conditions of an IMA may be held liable for an offence and subject to a penalty under s. 107(4) of the HIA.

Ontario PHIPA: Stringent obligations for HINPs and other service providers

PHIPA and Regulation 329/04 (the “Regulation”) set out specific obligations for agents, electronic service providers, and HINPs, the last of which is defined as:

“a person who provides services to two or more health information custodians where the services are provided primarily to custodians to use electronic means to disclose personal health information to one another. …”.

The obligations on HINPs set out in the Regulation are very prescriptive. Among other things, a HINP is required to:

  • enter into a written agreement with each health information custodian setting out the services and describing the administrative, technical and physical safeguards that are in place to protect the confidentiality and security of the information;
  • conduct and provide to each health information custodian a copy of the results of a threat and risk assessment and privacy impact assessment; and
  • comply with PHIPA and the Regulation.

Enforcement and reputational risks

Even where breaches of privacy legislation do not result in a penalty, an investigation by the applicable Information and Privacy Commissioner and publication of unfavourable findings can cause significant reputational harm.

In Ontario, amendments to PHIPA have significantly expanded the investigation, review, and enforcement powers of the Commissioner. In addition to its general order-making authority and the ability to prosecute offences under PHIPA, the Commissioner also has the power to impose administrative penalties against a person if the Commissioner is of the opinion that the person has contravened PHIPA and the Regulation.

The takeaway: Know your legal obligations across jurisdictions

These are examples of the types of statutory obligations that may apply directly to service providers. Health privacy legislation varies by province, and there are differences between these statutes. Regardless of jurisdiction, however, awareness and understanding of specific privacy legislation are critical to ensuring compliance and avoiding risks arising from privacy or security breaches.

If you have questions about your organization’s obligations under privacy legislation – or need guidance on how to mitigate data protection risks – our Privacy and Cybersecurity Group is here to help. We can assist in navigating the complexities of provincial and federal requirements to ensure your compliance framework is both robust and up to date.

Contact us to learn more about how we can support your organization in meeting its privacy and security obligations.