Richard Thomas announced he would take action against HMRC for the loss of 25 million child benefit claims and MoD for the loss of a laptop containing unencrypted records on 600,000 recruits.
His announcement came after the publication of a series of reports that highlighted endemic failures around data security management within both departments. The Poynter report and a report from Independent Police Complaints Commission both lambasted HMRC for its "woefully inadequate" information security practices that led to a data breach incident that was "entirely avoidable".
Similarly, a report published by Sir Edmund Burton into the loss of data at the MoD, said the overall management of its recruitment project "lacked rigour".
The Burton report stated the MoD is "not treating information, knowledge and data as key operational and business assets".
It also said the department was in breach of several principles of the Data Protection Act when it implemented its recruitment database, called TAFMIS, on unencrypted laptops. However, the principles of the Act "are not precise: they require judgement. The department will therefore need to seek guidance on the exercise of that judgement from the Information Commissioner."
Thomas said all three reports revealed "deplorable failures at both HMRC and MOD" and it is "beyond doubt" that both departments have breached Data Protection requirements.
The Information Commissioner's Office (ICO) intends to serve formal enforcement notices on the agencies.
He also said that these breaches "are not isolated cases".
"It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations," he said. "No chief executive can now say that data protection doesn’t matter."
HMRC and the MoD will have to implement all the recommendations outlined in the reports to comply with the terms of the enforcement notices. The ICO said it will require progress reports to be published after 12, 24 and 36 months that documents how the recommendations have been implements to improve compliance.