The Information Commissioner's Office has confirmed it is investigating complaints into Play.com.

The online seller of DVDs, CDs and games last week sent out dozens of order confirmation emails to the wrong recipients. One Reg reader received some 24 emails with personal details of 24 people.

A spokesperson for the Information Commissioner’s Office said: "Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure. This is an important principle of the Data Protection Act.

"Failure to protect personal details could lead to information falling into the wrong hands and ultimately the loss of customers’ trust and confidence. We have received a small number of complaints regarding Play.com which we are looking into.”

Of course the ICO has long been lobbying for stronger powers to deal with companies, and government departments, which break data protection laws. Its powers are very limited, especially in the case of a first incident. But European law may force the goverment to adopt a data breach law - making companies admit to data losses.

In other news Michael Wills, minister of state at the Ministry of Justice, told Parliament yesterday that he was opening a consultation on civil penalties for data losses. The government proposes maximum civil monetary penalties of £500,000. Data controllers can let the minister know what they think, or respond via declared the ICO's website. ®

Related stories

• Government consults on possible £500,000 data breach fines (12 November 2009)
• Regulator warns on school CCTV schemes (9 November 2009)
• Play.com emails customer details to other customers (9 November 2009)
• Data-losing companies may be forced to spill to public (28 October 2009)
• UK data losses keep growing (27 October 2009)
• Data watchdog jacks up charges (1 October 2009)