The ICO and multi-factor authentication and other key lessons

Recent reprimands issued by the Information Commissioner’s Office have provided valuable guidance as to regulatory expectations concerning the maintenance of the security of personal data. 

Article 5(1) of the UK GDPR requires that where personal data is processed, security is maintained via the use of appropriate technical and organisational measures. Personal data breaches are the most obvious instances where such measures have failed. Whether a data controller will be culpable for a failure will depend on the approach taken by the data controller. A lack of investment, inadequate resourcing and insufficient attention to the changing security landscape can result in censure or even fines. While the healthcare sector has invested in a variety of security controls, gaps may remain, and it is important not to allow complacency to creep in.

GRS (Roadstone) Limited was reprimanded following a cyber attack in which an unauthorised third party was able to exfiltrate the individual personal data of current and former employees.  The entry point for the breach was a Remote Desktop Service operated by a GRS (Roadstone) Limited subsidiary. GRS did not have appropriate security measures in place, including multi-factor authentication (MFA) – despite ICO Ransomware and data protection compliance stating that “You should not use single factor authentication on internet facing services, such as remote access, if it can lead to access to personal data”.  The company also failed to engage in vulnerability scanning.

Finham Park Multi-Academy Trust also received a reprimand. They did not have MFA in place, their employees had not received sufficient training on password management (including that passwords should not be reused), and the password encryption in use at the Trust was reversible.  The failings were brought to the attention of the ICO when three similar data breach incidents were reported by the Trust to the ICO. The situation may not have resulted in a reprimand except that guidance provided by the ICO after each incident regarding implementation of appropriate security measures was not followed, underscoring the needs to pay heed to such advice and make substantive changes in a timely manner.

The need to have appropriate policies in place, even for seemingly benign processes such as address changes, is also highlighted by the reprimand for Charnwood Borough Council.  Due to a lack of a clear, written process and a failure to appropriately flag the relevant file, the Council disclosed the address of an individual to their allegedly abusive ex-partner.  Organisations that process special category or otherwise sensitive data are expected to engage high security measures, even for routine processing.

Finally, the importance of physical security should not be overlooked. NHS Fife received a reprimand after an unauthorised person entered a hospital ward and accessed the personal information of 14 patients, The main lesson from the incident was the need for ID verification and effective access control mechanisms for physical spaces.

Do get in touch if you'd like support with any of the issues discussed here.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Posted by


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.