Marks & Spencer broke the law when it allowed the details of 26,000 employees to be held on a laptop without the protection of encryption, according to the Information Commissioner's Office (ICO).
The laptop, and the information on it, has been stolen.
The retailer must ensure that all laptop hard drives are encrypted by April of this year. If it fails to comply with an enforcement notice issued against it by the ICO it could face criminal charges.
"It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information, for example, password protection and encryption," said Mick Gorrill, assistant commissioner at the ICO.
"The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act."
M&S said that it would not appeal the issuing of the notice, and that it has already started the process of encrypting laptop hard drives.
"We will be doing everything we can in order to meet the ICO's deadline," said a spokeswoman for the company. "We started the encryption process in October."
M&S employed a company to change the pension plans of its employees, a process which led to that unnamed company having access to 26,000 workers' details.
A laptop containing all of these details was stolen from the home of the managing director of that company last April.
"The Commissioner takes the view that in this case the personal data held on the laptop computer should have been encrypted so that in the event of its theft it would not have been possible to view the personal data in a readable format," said the enforcement notice.
"The Commissioner has come to the view that the data controller’s processing contravenes the Seventh Data Protection Principle in that it failed to take appropriate measures to ensure the security of its data."
The ICO was willing to accept a less formal resolution to the problem, according to the notice, which said it was prepared simply to accept undertakings from M&S that it would comply with the Data Protection Act (DPA).
The enforcement notice, though, said that M&S was not prepared to accept that those undertakings would be made public, which was "not acceptable to the Commissioner".
The notice orders M&S to: "ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Schedule 1 Part I of the Act and, in particular, ensure that the process of laptop hard drive encryption commenced by the data controller in October 2007 is completed by 1st April 2008".