The ICO really is impotent, isn't it? I thought they could issue fines as soon as they proved a breach of the data protection act. How naive I was.
So when they find an organisation breaking the DPA on a massive scale they make them say "Sorry. It won't happen again".
When they find that breaches are continuing unabaited they tell them off with "You'd better not do that again".
What next? Send them to the headmaster's office?
Even the excuses are childish. "We process over 100,000,000 transactions". So what? We make over 4,000,000,000 products a year and many of them contain data that is sensitive to the banks! If we leaked any of that we'd be out of business.
The legislation is pointless without effective enforcement.