computing.co.uk

Search

M&S has encrypted 4,352 laptops

M&S appeal dropped as it encrypts laptops

Retailer was encrypting laptops at the same time as appealing ICO enforcement notice telling it to do so

Written by Tom Young

Computing, 25 Sep 2008

An appeal by Marks and Spencer (M&S) against a decision by the Information Commissioner's Office (ICO) ordering the retail giant to encrypt all its laptops has been dropped for a strange reason - M&S has completed a laptop encryption programme.

The apparent confliction between the laptop encryption scheme and the decision to appeal the enforcement notice has been given different explanations by different sources.

In January this year, the ICO issued an enforcement notice to the firm to encrypt its laptop hard drives, following the theft from a sub-contractor in April 2006 of a computer containing details of the pension arrangements of 26,000 M&S staff.

The ICO said the laptop was not encrypted, and M&S has never denied this. Earlier this year Computing reported that M&S was appealing the enforcement notice.

But the ICO has since dropped the case. On 8 July, Darrel Stein, IT director at M&S, wrote to the ICO to confirm that the retail giant had completed a programme of encrypting all its 4,352 laptops with software from Utimaco.

“Marks & Spencer will continue to ensure that personal data stored on laptops, including those that are acquired in the future, are encrypted,” wrote Stein.

The ICO subsequently cancelled the enforcement notice.

Computing was told by a source close to the case that M&S changed tack and decided to comply with the enforcement notice rather than appeal it because the retailer had originally over-estimated its legal position and did not think the ICO would pursue the case to court.

However, a spokeswoman for M&S denied this. “We appealed the notice because we thought it was unfair given that by that point we had already begun the process of encrypting our laptops,” she said.

This reflects what another source close to M&S told Computing at the time of the enforcement notice.

“The company was surprised by the over-aggressive behaviour of the ICO, given that they knew that M&S had already started an encryption programme,” said the source at the time.

ICO guidance recommends firms deploy encryption technology to achieve compliance with the Data Protection Act (DPA). However, the principles-based nature of the DPA means encryption is not legally required unless proved to be an “appropriate technical measure” as defined by the seventh principle of the act and no case has yet set a precedent for this.

reader comments

Integration

M&S implements gift card management system

Cost savings are expected as retailer runs gift card management in-house 04 Aug 2008

Security

M&S appeals against data protection ruling

Sources say retail giant's chances of success are small 29 May 2008

The keep out of jail free card

Jon Fell and John Skelton study the legal implications of keeping data safe from e-criminals, and keeping on the right side of the law 24 Apr 2008

Do you know where your data is?

Mark Surguy introduces our special report on data protection by looking at the legal implications and technology requirements 24 Apr 2008

HM Revenue and Customs

Drugs giant set for legal showdown with taxman

AstraZeneca dispute with taxman over transfer pricing is likely to set a precedent for other multinationals that transfer goods and services between countries 15 Jan 2009

Security