ICO takes enforcement action against Marks & Spencer
M&S ordered to encrypt all hard drives by April 2008
The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees.
An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure.
Mick Gorrill, Assistant Commissioner at the ICO, said: “It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.
“Organisations which process personal information must ensure that information is secure – this is an important principle of the Act. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers.”
The ICO has now issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008. Failure to comply with the Enforcement Notice is a criminal offence and may result in the ICO taking further action against the company.
Last year Gordon Brown announced that the ICO would be given increased powers to conduct spot checks of government departments. The Information Commissioner has called for these powers to be extended to cover all public bodies and private sector organisations.
A copy of the Enforcement Notice can be downloaded at www.ico.gov.uk.