The Information Commissioner's Office (ICO) has found Marks & Spencer in breach of the Data Protection Act.

The ruling follows the theft of a laptop in May 2007 which contained unencrypted personal information on 26,000 M&S employees.

An ICO investigation revealed that the laptop, which contained details about pension arrangements, was stolen from the home of an M&S contractor.

The UK data watchdog said that the sensitive nature of the information meant that M&S should have had appropriate encryption measures in place to keep the data secure.

Mick Gorrill, assistant commissioner at the ICO, said: "It is essential that before a company allows personal information to leave its premises on a laptop there are adequate security procedures in place to protect personal information.

"The ICO has issued clear guidance to help employers understand their obligations under the Data Protection Act.

"Organisations which process personal information must ensure that information is secure. If organisations fail to introduce safeguards to protect information they risk losing the trust and confidence of employees and customers."

The ICO has issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008.

Failure to comply is a criminal offence and may result in the ICO taking further action against the company.