Encryption Order on M&S Laptops

By Dave Nixon

Following the theft last May of an unencrypted laptop which contained the personal information of 26,000 M&S employees, the Information Commissioner’s Office have given Marks & Spencer two months to encrypt all its laptop hard drives.

The laptop, which was stolen from the home of an M&S contractor, contained details of the pension arrangements of M&S employees.

“In light of the nature of the information contained on the laptop, it is the ICO’s view that M&S should have had appropriate encryption measures in place to keep the data secure,” the commissioner’s office said.

An enforcement notice from the ICO was issued to M&S which orders the company to ensure that all laptop hard drives are fully encrypted by April. Failure to conform to the notice is a criminal offence and may result in the ICO taking further action against the company.

Mick Gorrill, assistant commissioner at the ICO, said: “It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption.”

“The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.”

Gordon Brown announced that the ICO would be given increased powers to conduct spot-checks of government departments in a response to the loss of 25 million child benefit records last year. The information commissioner wants these powers to be extended to encompass all public bodies and private sector organisations.