Reporting on Graham's comments made at a security event this week, Kable – part of the Guardian group – says that the powers to fine errant organisations, which were increased in April of this year, "give the ICO the teeth that many people in the past said it lacked".
Graham, who was speaking at the public sector publisher's conference on Wednesday, said that, if HMRC committed a data breach similar to its loss of 25m people's details in 2007, he would apply "the max" penalty, describing it as "the horror benchmark".
The industry, he went on to say, can learn from HMRC's troubles. He added that the ICO will consider the size of an organisation when applying fines: "Are we dealing with an industrial giant or a small district council?" he told his audience.
According to Kable, the information commissioner detailed the types of losses that the ICO has seen from different kinds of organisations.
As expected, the NHS was found to have reported the greatest number of losses as of 29 October, with 377 incidents, 30% of all the 1254 breaches reported to date.
This, says the public sector publisher's website, compares with 360 from the private sector, 184 from local government, 97 from central government and 149 from other public sector bodies.
Kable reports that health service data losses were dominated by stolen data or hardware, making up 136 – 36% – of its reported incidents, followed by 109 cases of lost data or hardware. However, the biggest category of errors in local government came from information disclosed in error, with 62 incidents. "There's just far too much", Graham told his audience.
"He also defended his decision to tell Google to delete the fragments of personal data it accidentally gathered from wireless networks when taking pictures of streets for its Street View service, which are likely to include passwords, URLs and emails, rather than levying a fine", noted the public sector publisher's website.