By Eduardo Ustaran
Regulator cancels M&S enforcement notice
The information commissioner cancelled an enforcement notice served to UK retailer Marks & Spencer following an appeal by the company at the Information Tribunal. The commissioner had served the notice on M&S alleging that the company had breached the Data Protection Act when a supplier's unencrypted laptop was stolen, citing the requirement that all laptops be encrypted by 1 April. M&S appealed the notice because, in view of the offer of compliance undertakings by M&S to the commissioner, it argued that there was no requirement for an enforcement notice to ensure compliance with the law.
A full hearing was due to take place in September, but in the meantime, Marks & Spencer showed that its laptop encryption programme was complete and that the company would continue a suitable encryption programme in the future. Accordingly, in an unprecedented decision, the commissioner agreed to cancel the enforcement notice before the hearing.
Enforcement notices issued to government departments
The day after the Information Commissioner's Office (ICO) cancelled the M&S enforcement notice, it issued notices to HM Revenue and Customs (HMRC) and the Ministry of Defence, following recent high profile data breaches at those organizations. HMRC famously lost two discs holding the personal data of up to 25 million individuals last autumn. The Ministry of Defence later reported that a Royal Navy recruiter's laptop computer was stolen from a car that had been left overnight in a car park. The computer held the personal data of approximately 600,000 recruits or potential recruits. The MoD report also referred to other data losses on a lesser scale involving the theft of laptop computers holding personal data.
In response to these incidents, the government commissioned two investigations which ultimately resulted in detailed recommendations concerning the adoption and implementation of suitable data protection and security procedures. Accordingly, the ICO has required HMRC and the MoD to use their best endeavours to give effect to the relevant recommendations within 39 and 9 months respectively. Failing to comply with an enforcement notice is a criminal offence.
Eduardo Ustaran is head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of Knowledge-Net London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at Eduardo.email@example.com.