At the moment the Act is a nonsense, more celebrated in the breach than the observance, especially by Government Agencies.
There is no adequate concept of "need to know" enshrined in the Act. Not only can those who do not "need to know" get ready access, but also those who "need to know" some information should be prevented from accessing other data.
The punishments scheduled in the Act are derisory for serious individual breaches and utterly pointless when the infringement is by a government or quasi-government agency.
For example: what is the punishment to be meted out to the DVLA if they were to make conviction records freely available over the phone? As at the moment.
For example: If your car is covered by police operated CCTV and you could prove by access to those images that you had not parked where the fine indicated, you may not see the footage until a charge is brought and then, on application, it will only be supplied to your solicitor (not you) because you might see the numbers of other cars present at the time of the imagined offence.
For example: The NHS is attempting to create a central database of NHS patients. Who will police the security of that database, under what legislation and against what penalty if infringement proves to be systemic?