The realisation is growing that data protection is not somebody else’s responsibility.
Moves to make individuals liable for the loss or disclosure of personal information held by public sector bodies or by companies are an inevitable response to the data loss scandals we have seen in recent months.
Until now, the Data Protection Act has focused responsibility on senior executives of an organisation, who are held to task for failures of staff under their charge. But the reality is that those workers are rarely motivated by the need to protect their bosses or their employer’s reputation.
When someone else takes the blame, why should you care if you make a mistake?
The most common concern of IT leaders looking to introduce data protection or risk management policies is how to create a culture that supports the rules and regulations put in place. Having a policy is one thing; making staff buy into it can be quite another. Ultimately, a culture exists only in the collective hearts and minds of a group of individuals; it cannot be imposed from above or through a set of rules.
From a government perspective, then, legislation appears to be the only answer.
But no law will be effective, other than in increasing the prison population, without education to go alongside it.
Data privacy is perhaps the biggest single challenge facing the technology industry. Information security is not the issue: technical controls exist to secure the vast volumes of electronic data being generated. But the access to, and authorisation of the use of, that data is about people, not technology.
For every government employee who inappropriately accesses citizen records (see www.computing.co.uk/2215705), how many would protest if someone did the same to their personal details?
People need to realise the impact on others of their actions, and to be given training and advice to ensure they are aware of their responsibilities. The best way to do that is to ask the question: What if it were you?




