Marks and Spencer has breached the Data Protection Act in not encrypting employee data held on a laptop, according to the Information Commissioner's Office (ICO).

The system contained pension details for 26,000 employees and was stolen from the home of a contractor.

Protecting such information is crucial, according to ICO assistant commissioner Mick Gorrill.

"It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information such as password protection and encryption," he said.

The ICO has issued Marks and Spencer with an enforcement notice ordering the company to ensure all laptop hard drives are fully encrypted by April.

Failure to comply is a criminal offence and can result in further action against the company.

But such power is still not tough enough to be an effective deterrent, Information Commissioner Richard Thomas told the Commons Justice Committee last December.

"We have been dissatisfied for some time with our powers," he said.

The ministry of Justice is currently considering proposals from the ICO to make first time breaches of the Data Protection Act a criminal offence and to increase his powers of inspection.

HM Revenue and Customs, which lost the personal details of 25 million people in December, also send the information in unencrypted form.