M&S Data Protection Pants?

A very interesting enforcement notice has been published by the Information Commissioner against Marks & Spencer plc – see here.

 The case itself is a classic – a theft of an unsecured laptop from a data processor (in this case, containing 26,000 employees’ personal data).  What is noteworthy is that the case got as far as needing the Information Commissioner to issue an enforcement notice.  One of the reasons appears to be Marks & Spencer’s unwillingness to enter into public voluntary undertakings.

Another point to note is that the data processor at fault has not been named.  Data controllers carry the can if data processors mess up.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s