The Information Commissioner’s Office (ICO) has said it will be investigating Marks and Spencer’s security procedures after the company admitted losing a notebook containing the information of 26,000 employees.

The notebook contained salary details, addresses, dates of birth, national insurance and phone numbers. It was taken from a printing firm, which had been given the personal information in order to write to Marks and Spencer employees about pension changes.

In a statement the ICO said, that it would " expect a full explanation from Marks and Spencer to establish what and how this has happened."

"We will want to ensure that the company has robust procedures in place and that these are followed to protect personal information in future.

"The Information Commissioner's Office takes security breaches very seriously [and]
organisations which process personal information must ensure it is held securely. 

"This is an important Principle of the Data Protection Act,” it added.

However, Marks and Spencer’s could find itself in hot water after a representative for the company confirmed that the notebook was only “password protected.”

“The notebook had no encryption in place,” she told Computeractive.

This, according to Tony Jackson business development manager for Data Company Vigil software would not be enough to ensure the safety of information,

“Potentially if there is an encryption programme, in place that uses many algorithms as well as two factor authentications then the information installed in the notebook will be more or less secure," he told Computeractive.

“If this is not the case then information will easily be accessible, as getting through a password is not difficult.” he added.

In light of the incident which happened three weeks ago, Marks and Spencer’s has said it will review its security policies but could “not confirm” what these would be or entail. 

The retailer has also given employees affected by the breach unlimited credit checks and set up a number of helplines and email contacts to advise them.

The Marks and Spencer's incident follows a number of incidents over the past year. Late last year the Metropolitan police admitted to losing three notebooks carrying personal information about employees and only last week the NHS admitted a laptop containing the names, addresses and bank details of some 10,000 employees had been stolen from a building in Truro, Cornwall.

This week the Information Commissioner also called for stronger power to enable his office to carry out inspections and audits of organisations without consent to ensure effective compliance with the Data Protection Act.