The number of data breaches reported to the UK's Information Commissioner's Office (ICO) has soared to 277 in almost a year, new figures released Wednesday revealed.
In almost 12 months, 80 of those breaches concerned the private sector, 75 within the NHS and other health bodies, 28 reported by central government, 26 by local authorities, and 47 by the rest of the public sector.
But Thomas also noted that the number of data breaches reported to the ICO might "still be well short of the total."
In the past year, the ICO has taken enforcement action regarding data losses against HM Revenue & Customs, the Ministry of Defence, the Department of Health, the Foreign and Commonwealth Office, Virgin Media, Skipton Financial Services, Carphone Warehouse, TalkTalk and Orange.
In his keynote at RSA Europe 2008 in London yesterday, Thomas said accountability rests at the top, and it is up to CEOs to ensure they minimize the amount of data they hold and implement robust governance. Chief executives need to stop leaving data security up to IT workers, lawyers and human resources, said Thomas.
Thomas also revealed that the Information Commissioner's Office could be set to receive more powers and more resources in only a few weeks' time. The ICO has been lobbying for more powers, stronger sanctions and more resources for years. Earlier this year, parliament granted the ICO the power to impose penalties for deliberate or reckless breaches of data. In July the Ministry of Justice published a consultation on changes to the powers and funding of the ICO, stating it needed more money and more powers to be effective.
The Queen's speech, slated for 3 December, is expected to reveal that the ICO would be granted the power to do spot inspections of firms. At the moment, the ICO has to receive permission from the firm that it wants to inspect. The ICO could also receive more resources to conduct audits. Currently the entire ICO team that conducts audits is only five people strong.
Thomas expressed concerns about the government's recent move to roll out large centralized databases, such as the communications database.
"The more databases that are set up and the more information exchanged from one place to another, the greater the risk of things going wrong. The more you centralize data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made," he said.
"As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increase. It is time for the penny to drop," said Thomas.