
The Information Commissioner's
Office (ICO) has taken enforcement action against Marks &
Spencer, with the retailer ordered to encrypt
all hard drives by April 2008.
The ICO found Marks & Spencer in breach of the Data
Protection Act. This followed the
theft of an unencrypted laptop last year, which contained the
personal information of 26,000 M&S employees.
An ICO investigation revealed that the laptop, which contained
details of the pension arrangements of M&S employees, was
stolen from the home of an M&S contractor.
In light of the nature of the information contained on the
laptop, Marks & Spencer should have had appropriate encryption
measures in place to keep the data secure, said the Information
Commissioner's Office.
Mick Gorrill, assistant commissioner at the ICO, said, "It is
essential that before a company allows personal information to
leave its premises on a laptop, there are adequate security
procedures in place to protect personal information, for example,
password protection and encryption.
"The ICO has issued
clear guidance to help employers understand their obligations
under the Data Protection Act."
The ICO has now issued Marks & Spencer with an enforcement
notice, which orders the company to ensure that all laptop hard
drives are fully encrypted by April 2008.
Failure to comply with the enforcement notice is a criminal
offence and may result in the ICO taking further action against the
company.
Last year, prime minister Gordon Brown announced that the
Information Commissioner's Office would be given increased powers
to conduct spot checks on government departments. The information
commissioner has called for these powers to be extended to cover
all public bodies and private sector organisations too.