Marks & Spencer broke the law when it allowed the details of 26,000 employees to be held on a laptop without the protection of encryption, according to the Information Commissioner's Office (ICO).
The laptop, and the information on it, has been stolen.
The retailer must ensure that all laptop hard drives are encrypted by April of this year. If it fails to comply with an enforcement notice issued against it by the ICO it could face criminal charges.
"It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption," said Mick Gorrill, assistant commissioner at the ICO.
"The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act."
M&S said that it would not appeal the issuing of the notice, and that it has already started the process of encrypting laptop hard drives.
"We will be doing everything we can in order to meet the ICO's deadline," said a spokeswoman for the company. "We started the encryption process in October."
M&S employed a company to change the pension plans of its employees, a process which led to that un-named company having access to 26,000 workers' details.
Have you read these related articles?
Newsletter:
