You know the ritual. A laptop computer, smartphone or memory stick goes missing and, a few weeks or months later, some shamefaced public body admits that the device contained sensitive personal data.

Over the past year, however, the Information Commissioner’s Office (ICO) has started getting tougher with delinquent data handlers. As well as prosecuting offenders, it now has the power to impose monetary penalties on organisations ‘in the most serious situations’.

A remarkable proportion of these ‘serious situations’ seem to occur in public bodies. Of nine penalties issued last year, seven went to local authorities. (The remaining two went to a solicitors’ firm, ACS:Law, and an employment services company, A4e Limited.) We’re talking fairly serious money - £130,000 imposed on Powys county council, £120,000 on Surrey county council and £100,000 on Hertfordshire.

These were all exceptional cases, involving highly sensitive information - including, incredibly, details of child protection cases - being sent to the wrong recipients. Someone should be punished. But is it right to hit the organisation with a monetary penalty, especially if all you’re doing is cycling money back to the exchequer? (The ICO is at pains to point out that the penalties go to the Treasury’s Consolidated Fund, not to pay for champagne parties at its Wilmslow HQ.)

One opponent of this money-go-round is the Taxpayers’ Alliance pressure group. It reckons that financial penalties mean citizens are hit with a double tax - once to pay for collecting the data, and once for losing it. It has proposed instead that responsible managers be held personally liable for data lost while in their care.

In principle, that sounds reasonable to me - and, as a registered data controller in a small business, I know I’m potentially in a glasshouse myself.

The arguments against seem to be, first, that putting managers on such a spot would reduce the public sector to such a state of fear that nothing would ever get done. Possibly that’s what the Taxpayers’ Alliance has in mind.

However, the second objection may have more force - the practical difficulty of imposing liability on people who would typically be employed staff, even at chief executive level. I’d welcome thoughts, especially from colleagues in local government and the NHS. If the whole personal liability idea is bonkers, it’s best to kill it off now before it gains political traction.

After all, whatever efforts we make to promote good data governance, those memory sticks and mobiles will keep going astray.