The Information Commissioner has this week established that few Whitehall departments have any real idea of their legal responsibilities under the Data Protection Act, and fewer still have any idea of how to manage IT systems securely.
His findings were made public this week as two government departments face enforcement action under the Act: HM Revenue and Customs, and the Ministry of Defence. Both departments have been in the spotlight this year for serious breaches of data security, along with the Home Office and the NHS.
The Independent Police Complaints Commission (IPCC) and Poynter review found that there was a lack of meaningful systems, no understanding of the importance of data security and a “muddle through” culture at HMRC when it lost 25 million benefits records in internal post.
HMRC was described as having “an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability”.
The MoD’s loss of 600,000 personnel details was slammed in a report by Sir Edmund Burton, who also blamed poor management. The MoD’s Chief of the General Staff has ordered an inquiry to investigate whether there are grounds for disciplinary action.
Information Commissioner Richard Thomas said: “The reports that have been published today show deplorable failures at both HMRC and MoD. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations.
“It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them.”