An appeal by Marks and Spencer (M&S) against a decision by the Information Commissioner's Office (ICO) ordering the retail giant to encrypt all its laptops has been dropped for a strange reason - M&S has completed a laptop encryption programme.
The apparent confliction between the laptop encryption scheme and the decision to appeal the enforcement notice has been given different explanations by different sources.
In January this year, the ICO issued an enforcement notice to the firm to encrypt its laptop hard drives, following the theft from a sub-contractor in April 2006 of a computer containing details of the pension arrangements of 26,000 M&S staff.
The ICO said the laptop was not encrypted, and M&S has never denied this. Earlier this year Computing reported that M&S was appealing the enforcement notice.
But the ICO has since dropped the case. On 8 July, Darrel Stein, IT director at M&S, wrote to the ICO to confirm that the retail giant had completed a programme of encrypting all its 4,352 laptops with software from Utimaco.
“Marks & Spencer will continue to ensure that personal data stored on laptops, including those that are acquired in the future, are encrypted,” wrote Stein.
The ICO subsequently cancelled the enforcement notice.
Computing was told by a source close to the case that M&S changed tack and decided to comply with the enforcement notice rather than appeal it because the retailer had originally over-estimated its legal position and did not think the ICO would pursue the case to court.
However, a spokeswoman for M&S denied this. “We appealed the notice because we thought it was unfair given that by that point we had already begun the process of encrypting our laptops,” she said.
This reflects what another source close to M&S told Computing at the time of the enforcement notice.
“The company was surprised by the over-aggressive behaviour of the ICO, given that they knew that M&S had already started an encryption programme,” said the source at the time.
ICO guidance recommends firms deploy encryption technology to achieve compliance with the Data Protection Act (DPA). However, the principles-based nature of the DPA means encryption is not legally required unless proved to be an “appropriate technical measure” as defined by the seventh principle of the act and no case has yet set a precedent for this.
reader comments