Marks & Spencer loses 26,000 staff details

Retailer Marks & Spencer could face prosecution if it does not comply within two months to the overhaul of its data-security procedures, after losing 26,000 employees' pension details.

The Information Commissioner's Office (ICO) has threatened the retail giant with prosecution after a laptop containing unencrypted data was stolen from a contractor in April 2007.

Affected UK employees' names, addresses, national insurance numbers and information about pension plans, including wages but not bank account details, were on the machine.

Marks & Spencer (M&S) now has until 1 April to ensure all laptop hard drives are fully encrypted.

The ICO served the enforcement notice on 23 January after M&S refused to allow the watchdog to publish the changes it demanded in data security at the company.

A spokesman for the ICO said: "There is no evidence that any employees suffered ID fraud but there is always that risk with this type of information."

Mick Gorrill, assistant commissioner at the ICO, added in a statement: "It is essential that, before a company allows personal information to leave its premises on a laptop, there are adequate security procedures in place to protect personal information — for example, password protection and encryption."

"If organisations fail to introduce safeguards to protect information, they risk losing the trust and confidence of both employees and customers," added Gorrill.

The laptop was stolen from the home of the managing director of a company that was preparing pension-change statements for M&S.

The ICO found that M&S breached the Data Protection Act by failing to make sure the data on the laptop was encrypted.

The enforcement notice states that the information commissioner, Richard Thomas, takes the view that damage or distress is likely as a result of personal data getting into the hands of unauthorised persons.

A spokeswoman for M&S said: "We have been working with the ICO since we knew what had happened. We have been encrypting all hard drives since October last year."

The spokeswoman said the firm had informed all employees by letter as soon as it found out about the theft, set up a helpline for affected workers and provided them with unlimited credit checks with Experian.

Last year, the prime minister, Gordon Brown, announced that the ICO would be given increased powers to conduct spot checks of government departments.

The information commissioner has called for these powers to be extended to cover all public bodies and private-sector organisations.