M&S appeals against data protection ruling

M&S is appealing the ICO decision

Marks and Spencer (M&S) is appealing against a ruling by the Information Commissioner’s Office (ICO) that the company breached the Data Protection Act (DPA), Computing has learned.

The case will set a precedent on whether or not companies need to encrypt laptops to comply with the DPA.

In January this year, the ICO issued an enforcement notice to the firm to encrypt its laptop hard drives, following the theft from a sub-contractor in April 2006 of a computer containing details of the pension arrangements of 26,000 M&S staff.

The ICO said the laptop was not encrypted, and M&S has never publicly denied this.

Data protection experts believe that the case will revolve around whether the phrase “appropriate technical and organisational measures shall be taken against ...accidental loss …of personal data,” ­ enshrined in the seventh principle of the DPA ­ means laptops should be encrypted.

“The ICO guidance recommends encryption ­ the guidance will be persuasive to a court, but it is not law,” said Charlotte Walker-Osborne, IT & e-commerce lawyer at Eversheds.

The ICO confirmed that the decision had been appealed, but said no date had been set for the hearing.

“It is legal suicide. M&S might consider its lawyers to be better but the ICO’s case is watertight,” said a source close to the ICO.

M&S declined to comment.