Two penny worth ..
Breaches like this aren't unusual and we can be confident that considerably more are happening than we ever see in the media. By the way we have to thank the media as we do not have any statutory obligations upon organisations to disclose data breaches. Unlike in the US. So it's our closest thing to an ally with regards privacy in this information economy.
Yep it is a monumental problem, though the Council is being a little naive with comments which reflect their opinion that nothing much seems to have happened with regards these lost details. Experience of working within this field has shown that the modus operandi of cyber theft is to store details and create identities and exploit over longer periods of time. Maybe they should get their security specialist back in to explain this.
Comments about the ICO are fine, but I have a lot of sympathy for the department. The Commissioner has made it clear that the state of Data Protection is pretty poor in the UK. He along with the National Consumer Council's CEO want better protection of the citizen’s data. However their current powers and enforcement capabilities are pretty limited in comparison to the amount of data out there and the number of organisations subject to Data Protection Act.
I do however agree with comments that a maximum fine of £5000 is not an effective deterrent. It is a little inequitable when compared to fines handed out for £900,000 for loss of banking information. It is, after all, just different parts of financial information about the individual.
I do believe that attitudes within the public sector will hopefully change. "Trust" will be an essential part of the relationship between society and the state in the future. When I use the terms “Trust” I mean in the people who gather, use and manage information about us in the public and private sectors. Not the IT / ICT systems. After all they do what we tell them to! And in this case they failed, for whatever reason, to adequately assess the risk and control this.
What could make a difference in driving organisations to take data protection seriously? If Newcastle Council received 54,000 complaints someone would have a lot more explaining to do. So in another way the more effective tool would be the general public because they vote for the Councillors to whom the CEO is accountable.