The Information Commissioner's Office (ICO) has issued two central government departments with enforcement notices following serious breaches of the Data Protection Act.

HM Revenue and Customs lost two discs containing the financial details of 25 million families, while the Ministry of Defence lost a laptop containing the personal details of 600,000 people.

To comply with the notices the departments must adhere to all the recommendations on the respective Burton and Poynter reviews into the incidents, published today.

Information commissioner Richard Thomas described the incidents as " deplorable failures" and said they were not isolated events.

"While these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases," he said. "It is deeply worrying that many other incidents have been reported, some involving even more sensitive data."

The departments could be fined if they do not comply with the enforcement notices, and must provide annual progress reports for the next three years.

Chancellor Alistair Darling said that 39 of the Poynter inquiry's 45 recommendations have already been implemented and that HMRC is spending £155 million on improving data security.

"It is quite clear the loss was entirely avoidable," Darling told the House of Commons. "I apologise unreservedly."

The Ministry of Defence has accepted all of Sir Edmund Burton's 51 recommendations and has prepared a comprehensive action plan to implement them.

"I am absolutely determined to make sure that we learn the lessons arising from the loss of this data and that we should do everything possible to make sure that this type of thing does not happen again," said permanent under secretary for defence Bill Jeffrey.