7 April 2025

Advanced Computer Software Fine: Are Poor Procurement Processes Really to Blame?

By Jess Pembroke, Director of Information Law Services 

The recent £3.07 million fine imposed on Advanced Computer Software Group Ltd (Advanced) by the Information Commissioner’s Office (ICO) [1] has sparked significant concerns about the NHS’s role in this data breach. While Advanced is responsible for failing to implement adequate security measures, a deeper issue remains: why did it take a data breach to expose these shortcomings?

As a Data Protection Officer (DPO), my role involves scrutinising suppliers to ensure they have robust security controls. This includes assessing technical security measures and verifying compliance with frameworks such as the Data Security and Protection Toolkit (DSPT). Advanced had completed the DSPT assessment, which should have signalled their commitment to data security. However, this breach suggests that mere completion of the DSPT may not be sufficient proof of adequate security.

This incident raises critical questions: Did NHS trusts conduct thorough due diligence before engaging Advanced? Did they take the supplier’s DSPT assessment at face value? The DSPT is a key assurance measure across the NHS, but is it fair to expect individual Trusts to conduct separate due diligence on suppliers?

The DSPT outlines essential security requirements, including:

  • 4.5.3: IT suppliers must enforce multi-factor authentication for all remote access and privileged user accounts.
  • 9.2.1: Regular vulnerability scans must be undertaken.
  • Supported systems must be kept up to date with the latest security patches.

The ICO identified all these as failings by Advanced in this breach. This raises further questions:

  • How did Advanced self-assess as “Exceeding Expectations”[2] for several years?
  • Is NHS England (which took over the DSPT from NHS Digital when the two merged) exerting sufficient oversight to validate supplier submissions?
  • The DSPT mandates an independent audit of submissions, yet these security failings were only exposed after the breach. Why weren’t they identified earlier?

Another key concern is whether DPOs have adequate influence in procurement decisions. Ensuring that data protection is central to supplier selection is crucial, yet in practice DPOs often lack the authority to veto engagements with non-compliant suppliers. Furthermore, the ICO's public sector approach, under which fines on public bodies are reserved for the most serious cases and reprimands and enforcement notices are used instead[3], removes a key incentive for senior leaders to prioritise cybersecurity over other pressures.

While this ICO action may serve as a warning to data processors, real change will only come when DPOs, procurement teams, and regulatory bodies collectively push suppliers to prioritise security. Without this, procurement processes will continue to favour convenience over robust cybersecurity.

The August 2022 ransomware attack, widely reported at the time, disrupted critical services such as NHS 111 and blocked healthcare staff from accessing vital patient records. This incident serves as a stark reminder of the shared responsibility between suppliers and NHS trusts in safeguarding patient data. The question remains: will procurement practices change before the next major breach?

Would you like more information on how to manage data processors? Take a look at our CPD UK accredited course Information Sharing, Data Processors and Contracts available in-house or online on 15th October 2025. Book here: https://www.eventbrite.com/e/1047964749777

The Naomi Korn Associates team of professionals can help your organisation ensure that the risks and requirements of the law are considered and implemented in a supportive way. We provide consultancy services covering contract checks and due diligence of third parties. To find out more, please contact info@naomikorn.com.


[1] Information Commissioner's Office, Penalty Notice: Advanced Computer Software Group Ltd, 27 March 2025 (advanced-penalty-notice-20250327.pdf).

[2] Data Security and Protection Toolkit, organisation entry YGM65: Advanced Computer Software Group PLC.

[3] Information Commissioner's Office, Statement on the public sector approach.
