ICO takes action against Marks & Spencer

Friday, 25 January 2008

Marks & Spencer has been ordered to encrypt all hard drives by April 2008 after losing a laptop containing personal information on 26,000 M&S employees.

The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act. An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. The ICO said that M&S should have had appropriate encryption measures in place to keep the data secure, in light of the nature of the information contained on the laptop.

Adequate security procedures

Mick Gorrill, assistant commissioner at the ICO, said that it is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption. He added that the ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act. An important principle of the Act is that organisations which process personal information must ensure that information is secure.

“If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of both employees and customers,” Gorrill said.

Enforcement Notice

The ICO has now issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008. Failure to comply with the Enforcement Notice is a criminal offence and may result in the ICO taking further action against the company.

Last week the ICO found Carphone Warehouse and its sister company TalkTalk in breach of the Data Protection Act after investigating complaints concerning the way in which both organisations processed and stored personal information. The ICO has now ordered Carphone Warehouse and TalkTalk to improve their data protection practices or face prosecution after both companies failed to meet the basic principles of the Data Protection Act.

The investigation revealed that Carphone Warehouse and TalkTalk had been opening customer accounts in the wrong name and passing inaccurate information on to credit reference agencies and debt collection agencies. Security failings had also led to customers being able to view other customers' account details online. In addition, the ICO found that the companies had not responded to requests by individuals for information held about them.

Real damage and distress

Gorrill said that the Data Protection Act gives us all important rights, including the right to correct inaccurate information and to find out what information an organisation holds on us. He stressed that organisations that process personal information must comply with the Act and that, where this is not the case, the ICO will take enforcement action.

“Carphone Warehouse and TalkTalk’s use of inaccurate and incorrect personal data has caused real damage and distress to customers. We have now ordered them to take the necessary steps to ensure customers’ personal information is sufficiently protected,” Gorrill added.

The ICO has issued Carphone Warehouse and TalkTalk with Enforcement Notices ordering them to comply with the principles of the Data Protection Act.

Last year Gordon Brown announced that the ICO would be given increased powers to conduct spot checks of government departments. The Information Commissioner has called for these powers to be extended to cover all public bodies and private sector organisations.