A very interesting enforcement notice has been published by the Information Commissioner against Marks & Spencer plc – see here.
The case itself is a classic – the theft from a data processor of an unsecured laptop (in this case, containing 26,000 employees’ personal data). What is noteworthy is that the case got as far as needing the Information Commissioner to issue an enforcement notice. One of the reasons appears to be Marks & Spencer’s unwillingness to enter into public voluntary undertakings.
Another point to note is that the data processor at fault has not been named. Data controllers carry the can if data processors mess up.