The Information Commissioner's Office has said that, on the facts known, the UK government is "bang to rights" over the loss of 25 million personal records.
The government admitted on Tuesday that HM Revenue & Customs had lost two password-protected discs, which were unencrypted, containing the details of everybody in the UK claiming child benefits. Up to 7.25 million families could be affected.
The ICO severely criticised the breach, and drew attention to the possibility of legal action over the incident.
"This is the biggest privacy disaster by our government," said Jonathan Bamford, assistant information commissioner. "There is no doubt that [chancellor of the exchequer] Alistair Darling and others will have to deal with the fact there are legally enforceable [privacy] standards. In Britain we have the phrase 'bang to rights'. Someone is bang to rights over that breach. Clearly on the facts available there appears to be a major contravention of data-protection laws."
Speaking on Wednesday at "Fine Balance", a conference in Westminster on privacy-enhancing technologies, Bamford said that some of the eight principles of the Data Protection Act, including that personal information be kept secure, had "clearly been breached".
Bamford added that there should be tougher penalties for persistent or serious breaches of data laws. At present, the toughest legal penalty for the persistent or serious flouting of data laws in the UK is a £5,000 fine, and criminal prosecution is possible only once the ICO has served notice over an information breach and a further breach then occurs.
"Where there is flagrant breaching of data-protection principles, there should be tougher sanctions. This breach underlines the need for penalties to fit the crime."
Louise Townsend, a data-protection law specialist at Pinsent Masons solicitors, agreed that there was a need for tougher sanctions, and said it would encourage companies to build privacy and security into their systems from the beginning.
"Unless there are tougher sanctions, it would be hard to get people to change their mindset and do the work upfront for [data protection] compliance to happen," said Townsend. She added that it is possible for victims of a data breach to sue, but they must show they have suffered "tangible damage" to be awarded any compensation.