{"id":32389,"date":"2025-05-01T14:25:57","date_gmt":"2025-05-01T18:25:57","guid":{"rendered":"https:\/\/www.millerthomson.com\/?p=32389"},"modified":"2026-04-01T16:47:06","modified_gmt":"2026-04-01T20:47:06","slug":"data-processors-beware-uk-ico-issues-fine-for-security-lapses","status":"publish","type":"post","link":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/","title":{"rendered":"Data processors, beware: UK ICO issues fine for security lapses"},"content":{"rendered":"\n<p>The UK\u2019s Information Commissioner\u2019s Office (the \u201c<strong>ICO<\/strong>\u201d) has fined a service provider, Advanced Computer Software Group Ltd (\u201c<strong>Advanced<\/strong>\u201d), \u00a33.07 million for failing to comply with certain data security obligations under the UK General Data Protection Regulation (the \u201c<strong>UK GDPR<\/strong>\u201d). The incident impacted the personal information of 79,404 individuals in the UK.<\/p>\n\n\n\n<p>The fine follows a 2022 ransomware attack on Advanced\u2019s health and care subsidiary, which compromised critical healthcare systems. This included disruption to NHS 111, an online service operated by National Health Service (\u201c<strong>NHS<\/strong>\u201d) England.<\/p>\n\n\n\n<p>Although this incident occurred in the UK, it is important for Canadian third-party organizations that handle personal information or personal health information on behalf of other organizations to be aware that, in some jurisdictions, privacy regulators can enforce privacy laws directly against third party service providers. In Canada, such actions are typically taken against the entities that have custody or control of, and ultimate accountability for, that personal information \u2013 referred to as \u201ccontrollers\u201d under the UK GDPR, or in Canada, sometimes as the \u201corganization,\u201d \u201ccustodian,\u201d or \u201ctrustee.\u201d Nevertheless, there are potential risks for third party service providers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The cost of skipping MFA: What led to the advanced cyberattack<\/h2>\n\n\n\n<p>Advanced provides IT and software services to various organizations, including the UK\u2019s NHS. The August 2022 cyberattack occurred when external threat actors gained access to the company&#8217;s systems through a customer account that lacked multi-factor authentication (\u201c<strong>MFA<\/strong>\u201d). The breach caused significant disruptions to healthcare services and exposed sensitive personal information of thousands of individuals, including details on how to access the homes of 890 people receiving care at home.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Investigation findings<\/h2>\n\n\n\n<p>The ICO\u2019s investigation found that Advanced\u2019s health and care subsidiary had <strong>inadequate security measures<\/strong>, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>incomplete deployment of <strong>MFA;<\/strong><\/li>\n\n\n\n<li>insufficient <strong>vulnerability scanning; and<\/strong><\/li>\n\n\n\n<li><strong>weak patch management<\/strong> practices.<\/li>\n<\/ul>\n\n\n\n<p>The ICO initially intended to fine Advanced <strong>\u00a36.09 million<\/strong> but reduced the penalty after considering the company\u2019s <strong>proactive engagement<\/strong> with cybersecurity agencies, law enforcement, and its mitigation efforts. The ICO and Advanced agreed to a voluntary settlement and the imposition of a reduced fine.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Important to remember<\/h2>\n\n\n\n<p>This decision is important because it reinforces privacy and security expectations for third-party service providers. Regulators in the UK and some other jurisdictions will not hesitate to impose penalties on service providers, particularly for organizations handling sensitive personal information or providing services in the healthcare sector.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Considerations under Canadian law<\/h2>\n\n\n\n<p>Similar to the UK GDPR and European data protection law, under the <em>Personal Information Protection and Electronic Documents Act<\/em> (\u201c<strong>PIPEDA\u201d)<\/strong>, organizations that collect, use, or disclose personal information must implement appropriate security safeguards to protect against breaches of personal information, including when such information is handled by third parties.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Statutory duties for service providers under PIPEDA<\/h2>\n\n\n\n<p>The UK GDPR contains specific requirements on service providers regarding security measures (Article 32(1)). While <strong>PIPEDA does not specifically refer to \u201cservice providers,\u201d<\/strong> companies that provide services to other organizations with respect to personal information controlled by those entities would still be considered <strong>\u201corganizations\u201d<\/strong> under PIPEDA and are therefore subject to its security provisions. This includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>technological safeguards<\/strong> (for example, encryption, MFA, and secure authentication mechanisms);<\/li>\n\n\n\n<li><strong>administrative safeguards<\/strong> (for example, security training or regular security audits); and<\/li>\n\n\n\n<li><strong>physical safeguards<\/strong> (for example, physically restricted access).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Beyond PIPEDA: Health privacy laws at the provincial level<\/h2>\n\n\n\n<p>When it comes to organizations providing services involving the processing of personal health information, it is important for such service providers to consider the application of provincial health privacy legislation, such as Ontario\u2019s <em>Personal Health Information Protection Act, 2004<\/em> (\u201c<strong>PHIPA<\/strong>\u201d) or Alberta\u2019s <em>Health Information Act <\/em>(\u201c<strong>HIA<\/strong>\u201d), which govern the collection, use, and disclosure of personal health information by health information custodians or custodians.<\/p>\n\n\n\n<p>While service providers are not themselves considered \u201ccustodians\u201d under these Acts, this does not mean they are free from statutory obligations. Service providers become subject to the legislation upon contracting with a custodian should they be rendered an \u201caffiliate\u201d or \u201cinformation manager\u201d (in Alberta), or an \u201cagent,\u201d \u201celectronic service provider,\u201d or \u201chealth information network provider\u201d (\u201c<strong>HINP<\/strong>\u201d) (in Ontario), as defined in the respective legislation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Alberta HIA: Responsibilities of information managers<\/h3>\n\n\n\n<p>For example, under the HIA, a service provider that qualifies as an \u201cinformation manager\u201d within the meaning of s. 66(1) \u2013 that is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>a person or body that processes, stores, retrieves or disposes of health information;<\/li>\n\n\n\n<li>strips, encodes or otherwise transforms individually identifying health information to create non\u2011identifying health information; or<\/li>\n\n\n\n<li>provides information management or information technology services in a manner that requires the use of health information \u2013<\/li>\n<\/ul>\n\n\n\n<p>is required to comply with the HIA, its regulations, and the terms of an information management agreement (\u201c<strong>IMA<\/strong>\u201d).<\/p>\n\n\n\n<p>An information manager who knowingly breaches the terms and conditions of an IMA may be held liable for an offence and subject to a penalty under s. 107(4) of the HIA.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ontario PHIPA: Stringent obligations for HINPs and other service providers<\/h3>\n\n\n\n<p>PHIPA and Regulation 329\/04 (the \u201c<strong>Regulation<\/strong>\u201d) set out specific obligations for agents, electronic services providers, and HINPs, which are defined as:<\/p>\n\n\n\n<p style=\"padding-right:var(--wp--preset--spacing--50);padding-left:var(--wp--preset--spacing--50)\"><em>\u201ca person who provides services to two or more health information custodians where the services are provided primarily to custodians to use electronic means to disclose personal health information to one another. \u2026\u201d<\/em>.<\/p>\n\n\n\n<p>The obligations on HINPs set in the Regulation are very prescriptive. Among other things, a HINP is required to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>enter into a written agreement with each health information custodian setting out the services and describing the administrative, technical and physical safeguards that are in place to protect the confidentiality and security of the information;<\/li>\n\n\n\n<li>conduct and provide to each health information custodian a copy of the results of a threat and risk assessment and privacy impact assessment; and<\/li>\n\n\n\n<li>comply with PHIPA and the Regulation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Enforcement and reputational risks<\/h2>\n\n\n\n<p>Even where breaches of privacy legislation do not result in penalty, an investigation by the applicable Information and Privacy Commissioner and publication of unfavourable findings can cause significant reputational harm.<\/p>\n\n\n\n<p>In Ontario, amendments to PHIPA have significantly expanded the investigation, review, and enforcement powers of the Commissioner. In addition to its general order-making authority and the ability to prosecute offences under PHIPA, the Commissioner also has the power to impose administrative penalties against a person if the Commissioner is of the opinion that the person has contravened PHIPA and the Regulation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The takeaway: Know your legal obligations across jurisdictions<\/h2>\n\n\n\n<p>These are examples of the types of statutory obligations that may apply directly to service providers. Health privacy legislation varies by province, and there are differences between these statutes. Regardless of jurisdiction, however, awareness and understanding of specific privacy legislation are critical to ensuring compliance and avoiding risks arising from privacy or security breaches.<\/p>\n\n\n\n<p>If you have questions about your organization\u2019s obligations under privacy legislation \u2013 or need guidance on how to mitigate data protection risks \u2013 our <a href=\"https:\/\/www.millerthomson.com\/en\/expertise\/technology-ip-and-privacy\/privacy-and-cybersecurity\/\">Privacy and Cybersecurity Group<\/a><strong> <\/strong>is here to help. We can assist in navigating the complexities of provincial and federal requirements to ensure your compliance framework is both robust and up to date.<\/p>\n\n\n\n<p><strong>Contact us<\/strong> to learn more about how we can support your organization in meeting its privacy and security obligations.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The UK\u2019s Information Commissioner\u2019s Office (the \u201cICO\u201d) has fined a service provider, Advanced Computer Software Group Ltd (\u201cAdvanced\u201d), \u00a33.07 million for failing to comply with certain data security obligations under the UK General Data Protection Regulation (the \u201cUK GDPR\u201d). The incident impacted the personal information of 79,404 individuals in the UK. The fine follows a [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":32387,"parent":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[557],"insight-format":[416],"class_list":["post-32389","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology-ip-and-privacy"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson\" \/>\n<meta property=\"og:description\" content=\"The UK\u2019s Information Commissioner\u2019s Office (the \u201cICO\u201d) has fined a service provider, Advanced Computer Software Group Ltd (\u201cAdvanced\u201d), \u00a33.07 million for failing to comply with certain data security obligations under the UK General Data Protection Regulation (the \u201cUK GDPR\u201d). The incident impacted the personal information of 79,404 individuals in the UK. The fine follows a [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\" \/>\n<meta property=\"og:site_name\" content=\"Miller Thomson\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MillerThomsonLaw\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-01T18:25:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-01T20:47:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1098\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Katherine Chan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:site\" content=\"@millerthomson\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Katherine Chan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\"},\"author\":{\"name\":\"Katherine Chan\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/5473b50a564d1e37f327fdd79cb348f6\"},\"headline\":\"Data processors, beware: UK ICO issues fine for security lapses\",\"datePublished\":\"2025-05-01T18:25:57+00:00\",\"dateModified\":\"2026-04-01T20:47:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\"},\"wordCount\":1174,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg\",\"articleSection\":[\"Technology, IP and Privacy\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#respond\"]}]},{\"@type\":[\"WebPage\",\"ItemPage\"],\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\",\"url\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\",\"name\":\"Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson\",\"isPartOf\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg\",\"datePublished\":\"2025-05-01T18:25:57+00:00\",\"dateModified\":\"2026-04-01T20:47:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage\",\"url\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg\",\"contentUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg\",\"width\":1920,\"height\":1098,\"caption\":\"Male IT Specialist Holds Laptop and Discusses Work with Female Server Technician. They're Standing in Data Center, Rack Server Cabinet with Cloud Server Icon and Visualisation.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.millerthomson.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data processors, beware: UK ICO issues fine for security lapses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#website\",\"url\":\"https:\/\/www.millerthomson.com\/en\/\",\"name\":\"Miller Thomson\",\"description\":\"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.\",\"publisher\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.millerthomson.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#organization\",\"name\":\"Miller Thomson\",\"url\":\"https:\/\/www.millerthomson.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg\",\"contentUrl\":\"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg\",\"width\":380,\"height\":50,\"caption\":\"Miller Thomson\"},\"image\":{\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/MillerThomsonLaw\/\",\"https:\/\/x.com\/millerthomson\",\"https:\/\/www.linkedin.com\/company\/miller-thomson-llp\/\",\"https:\/\/www.youtube.com\/@millerthomson\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/5473b50a564d1e37f327fdd79cb348f6\",\"name\":\"Katherine Chan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/da8a18c240b27905220d948a87957ba19ab6de326b44a2ce3072235c121f996f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/da8a18c240b27905220d948a87957ba19ab6de326b44a2ce3072235c121f996f?s=96&d=mm&r=g\",\"caption\":\"Katherine Chan\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/","og_locale":"en_US","og_type":"article","og_title":"Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson","og_description":"The UK\u2019s Information Commissioner\u2019s Office (the \u201cICO\u201d) has fined a service provider, Advanced Computer Software Group Ltd (\u201cAdvanced\u201d), \u00a33.07 million for failing to comply with certain data security obligations under the UK General Data Protection Regulation (the \u201cUK GDPR\u201d). The incident impacted the personal information of 79,404 individuals in the UK. The fine follows a [&hellip;]","og_url":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/","og_site_name":"Miller Thomson","article_publisher":"https:\/\/www.facebook.com\/MillerThomsonLaw\/","article_published_time":"2025-05-01T18:25:57+00:00","article_modified_time":"2026-04-01T20:47:06+00:00","og_image":[{"width":1920,"height":1098,"url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg","type":"image\/jpeg"}],"author":"Katherine Chan","twitter_card":"summary_large_image","twitter_creator":"@millerthomson","twitter_site":"@millerthomson","twitter_misc":{"Written by":"Katherine Chan","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#article","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/"},"author":{"name":"Katherine Chan","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/5473b50a564d1e37f327fdd79cb348f6"},"headline":"Data processors, beware: UK ICO issues fine for security lapses","datePublished":"2025-05-01T18:25:57+00:00","dateModified":"2026-04-01T20:47:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/"},"wordCount":1174,"commentCount":0,"publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg","articleSection":["Technology, IP and Privacy"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#respond"]}]},{"@type":["WebPage","ItemPage"],"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/","url":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/","name":"Data processors, beware: UK ICO issues fine for security lapses | Miller Thomson","isPartOf":{"@id":"https:\/\/www.millerthomson.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage"},"thumbnailUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg","datePublished":"2025-05-01T18:25:57+00:00","dateModified":"2026-04-01T20:47:06+00:00","breadcrumb":{"@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#primaryimage","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2025\/04\/insights_technology_servers.jpg","width":1920,"height":1098,"caption":"Male IT Specialist Holds Laptop and Discusses Work with Female Server Technician. They're Standing in Data Center, Rack Server Cabinet with Cloud Server Icon and Visualisation."},{"@type":"BreadcrumbList","@id":"https:\/\/www.millerthomson.com\/en\/insights\/technology-ip-and-privacy\/data-processors-beware-uk-ico-issues-fine-for-security-lapses\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.millerthomson.com\/en\/"},{"@type":"ListItem","position":2,"name":"Data processors, beware: UK ICO issues fine for security lapses"}]},{"@type":"WebSite","@id":"https:\/\/www.millerthomson.com\/en\/#website","url":"https:\/\/www.millerthomson.com\/en\/","name":"Miller Thomson","description":"National law firm providing business law expertise and litigation and disputes services for businesses across Canada since 1957.","publisher":{"@id":"https:\/\/www.millerthomson.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.millerthomson.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.millerthomson.com\/en\/#organization","name":"Miller Thomson","url":"https:\/\/www.millerthomson.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","contentUrl":"https:\/\/www.millerthomson.com\/wp-content\/uploads\/2024\/10\/miller-thomson.svg","width":380,"height":50,"caption":"Miller Thomson"},"image":{"@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/MillerThomsonLaw\/","https:\/\/x.com\/millerthomson","https:\/\/www.linkedin.com\/company\/miller-thomson-llp\/","https:\/\/www.youtube.com\/@millerthomson"]},{"@type":"Person","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/5473b50a564d1e37f327fdd79cb348f6","name":"Katherine Chan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.millerthomson.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/da8a18c240b27905220d948a87957ba19ab6de326b44a2ce3072235c121f996f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/da8a18c240b27905220d948a87957ba19ab6de326b44a2ce3072235c121f996f?s=96&d=mm&r=g","caption":"Katherine Chan"}}]}},"_links":{"self":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/32389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/comments?post=32389"}],"version-history":[{"count":1,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/32389\/revisions"}],"predecessor-version":[{"id":48876,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/posts\/32389\/revisions\/48876"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media\/32387"}],"wp:attachment":[{"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/media?parent=32389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/categories?post=32389"},{"taxonomy":"insight-format","embeddable":true,"href":"https:\/\/www.millerthomson.com\/en\/wp-json\/wp\/v2\/insight-format?post=32389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}