Local Councils Leak Personal Data
Two councils in the Black Country let confidential information out almost 300 times over three years.
Research by Big Brother Watch found Sandwell and Wolverhampton Councils had among the highest rates in the country - Sandwell was the second highest in the UK.
The group's calling for a harsh punishments for those that use it maliciously and custodial sentences to be introduced for the most serious data breaches.
Dan Nesbitt is from the group. He says: "There's no mandatory reporting of data breaches to the victims - it would be good to see that happening in many cases, if it's very serious.
"If, for example, your information's been lost or compromised in a way that could do some harm then it would be very helpful for that to happen but at the moment there isn't that requirement."
Both authorities say they report lots of data breaches and that's why they're higher up the list.
A spokesman for Wolverhampton City Council said: "The figures are more than a year old. Since then, all City of Wolverhampton Council employees have completed mandatory training in how to better protect people's information.
"We take this issue extremely seriously and realise that in the past our performance in this area was not as good as it should have been. We have worked with the Information Commissioner to review and strengthen our procedures."
Chief Executive of Sandwell Council Jan Britton said: "We believe we report data breaches that others don't. We've never had any fines or regulatory action taken against us by the Information Commissioner.
"While we may appear second in this list, this may well be because we take the issue so seriously and because staff tell us about incidents.
"The vast majority of all reported incidents invariably turn out to be either internal mis-directed emails or mis-addressed letters. These account for 130 of these incidents.
"In all cases the council's first response will always be to either get the information back or to confirm it has been destroyed so it doesn't get passed on. Where the situation does contain sensitive personal data we always communicate these incidents to the ICO.
"One of the reasons for Sandwell having such a high figure of incidents follows on from a successful internal campaign to highlight what constitutes data incidents.
"In addition, training means our staff are not only aware of their responsibilities in handling data but better trained to report potential incidents. This ensures a prompt and robust investigation is carried out."