The Information Commissioner's Office (ICO) has imposed only six monetary penalties against organisations for data breaches since gaining the power in April 2010, says deputy commissioner David Smith.

"These penalties are not imposed for losing data, but for failing to meet the requirement of addressing the risk and having appropriate measures in place," he told attendees of a Trusted Computing seminar, hosted by Wave Systems in London in association with ISSA-UK.

Smith highlighted several other trends that have emerged from the ICO's data breach investigations and audits.

"It's hard to believe, but UK organisations continue to lose portable storage media containing unencrypted personal data," he said.