Companies recklessly breaking the rules will face fines from 2010
The number of incidents of loss or theft of personal data has risen to an "unacceptable" level in the past year, the privacy watchdog has warned.
The Information Commissioner's Office (ICO) said NHS hospitals holding private medical records were among the worst offenders.
In total, 434 organisations reported data security breaches in the past 12 months, up from 277 the year before.
From next year, companies that break the rules recklessly will face fines.
In the two years since 25 million child benefit records - including names, addresses and bank account details - went missing when a disk was lost in the post, there have been 711 reported security breaches.
More than 200 hospitals and 200 companies reported breaches of the Data Protection Act in that period.
Deputy information commissioner David Smith said: "The majority of organisations get data protection right, but regrettably a significant minority of management teams are failing to take data protection seriously enough.
"Unacceptable amounts of data are being stolen, lost in transit or mislaid by staff. Far too much personal data is still being unnecessarily downloaded from secure servers on to unencrypted laptops, USB sticks, and other portable media."
Companies and public bodies that recklessly or deliberately break the rules face fines of up to half a million pounds from 2010.
The Ministry of Justice is considering allowing the ICO to impose fines in the most serious cases.