Information security, particularly in central government, is undoubtedly improving, but several common problems remain, says the Information Commissioner's Office (ICO).
A lack of awareness of information security is chief among them, deputy information commissioner David Smith told the first annual Human Factors in Information Security Conference in London.
"In many cases, there is still a long way to go on security awareness and understanding obligations, especially in terms of the Data Protection Act," he said.
Organisations often address security awareness only in a once-off training session, but it is something that needs to be ongoing, said Smith.
"A lack of communication and training around security has come up time after a time when there have been data breaches," he said.
Failure to put existing security policies into effect is another common failing, said Smith, showing that people remain one of the biggest challenges to getting information security right.
Another common thread running through most data breaches both past and present is that personal data is not properly valued, he said, mainly due to a lack of proper management structures.
This all means that improving governance and accountability is still "absolutely key" for many public and private organisations, said Smith.
The ICO's mission will also be aided by other legislative changes, such as the possible introduction of a data breach notification law in the UK, said Smith.
"Within 18 months data breach notification will be required by law in the telecoms sector in line with EU directives and I can see this being extended across all sectors within three years," he said.
Custodial sentences for individuals found guilty of deliberately selling information or gathering information under false pretences are also a possibility, said Smith.
"The government is consulting on prison sentences for these types of data offences, but we are unlikely to see any new legislation before the general election," he said.