Protecting Personal Data - Marks & Spencer issued with enforcement notice


The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act. This follows the theft of an unencrypted laptop which contained the personal information of 26,000 M&S employees.

An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor.

The Data Protection Act 1998 includes eight Data Protection Principles, the seventh of which states:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to, personal data."

In explaining the application of this Principle, the Act provides that:

"Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected."


And, because the laptop was in the possession of a third-party contractor, compliance with the seventh principle also requires that

"Where processing of personal data is carried out by a data processor on behalf of the data controller, the data controller must…

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures."

Given the nature of the information contained on the laptop, the Information Commissioner has taken the view that, in this case, the personal data held on the laptop computer should have been encrypted so that, in the event of its theft, it would not have been possible to view the personal data in a readable format. The Commissioner has come to the view that the data controller's processing contravenes the Seventh Data Protection Principle in that it failed to take appropriate measures to ensure the security of its data.

The ICO has now issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008. Failure to comply with the Enforcement Notice is a criminal offence and may result in the ICO taking further action against the company.

Last year Gordon Brown announced that the ICO would be given increased powers to conduct spot checks of government departments. The Information Commissioner has called for these powers to be extended to cover all public bodies and private sector organisations.

A copy of the Enforcement Notice can be downloaded from the Information Commissioner's website.


Further information:
ICO takes enforcement action against Marks & Spencer
Enforcement Notice



Copyright © 2006 PayPerShop Ltd - Payroll, Human Resources (HR) & Payroll Taxes

