The Information Commissioner, Richard Thomas, has launched a coruscating attack on British business’s “horrifying” lack of concern for data protection.

Speaking at the launch of his annual report, Thomas called on UK CEO’s to take greater responsibility for protecting the security of employees’ and customers’ personal information. 

“Over the last year we have seen far too many careless and inexcusable breaches of people’s personal information,” he said.

Thomas added that the number of companies which has admitted serious breaches of information security in the past year was “frankly horrifying”.

He criticised companies which allowed employees to take laptops containing sensitive material out of the office without using strong encryption to protect the data.

Yet for all the ferocity of the attack, it seems unlikely that the Information Commissioner’s Office will provide the impetus for change any time soon.

Thomas has championed individuals’ data protection rights since taking office in 2002, but knows that he has limited powers to protect those rights. The ICO has a huge remit, acting as regulator for both the Data Protection Act and the Freedom of Information Act. That ensures that the ICO can only tackle the most serious and flagrant breaches of data protection laws – carelessness by companies comes a way down that list.

Where the ICO has been most successful has been in educating the UK public over their rights. In its annual report, the ICO notes that in 2006 public awareness of data protection rights had risen to 82%.

The ICO will need that awareness to translate in to tangible consumer pressure if UK enterprise leaders are to take data protection rules seriously.